From: VANHULLEBUS Y. <va...@fr...> - 2011-04-26 12:15:20
On Fri, Apr 15, 2011 at 09:27:10AM +0200, Salih Gnll wrote:
>
> Hi,

Hi.

> While testing racoon (ipsec-tools 0.8.0) on Linux(2.6.32.22) against a
> Cisco device, I have noticed the following:
>
> If the lifetimes of phase 1 are identical on both, then a rekeying of
> phase 1 will take place as expected, after 80% time of the lifetime.
>
> However, if the lifetimes of phase 1 are not identical, the tunnel will
> be established ok (with proposal_check obey), but racoon will not do any
> rekeying even if phase 2 is active, and when phase 1 expires, phase 2
> will be dropped too.
>
> Is this an expected behavior?

Probably not, but proposal_check_obey is a BAD idea, and should really
be considered only for very quick testing setups, and NOT for real
world configuration....

And the best "fix" I'd have for that is a patch that completely
removes support for proposal_check_obey.......

Yvan.
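
Added example (not part of the original message and not ipsec-tools code): a small Python check that lists the `remote` sections of a racoon.conf and flags the ones set to `proposal_check obey`, the setting discussed above. The sample configuration, peer addresses and function names are constructed for illustration.

```python
import re

# Constructed sample racoon.conf (not from the thread); peers and values are made up.
SAMPLE_CONF = """
remote 192.0.2.1 {
    exchange_mode main;
    proposal_check obey;   # responder follows the initiator's values
    lifetime time 8 hour;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
remote 198.51.100.7 {
    exchange_mode main;
    proposal_check strict;
    lifetime time 8 hour;
}
remote anonymous {
    exchange_mode main;
}
"""

def audit_remote_sections(conf_text):
    """Return [(peer, level, line_no)] per remote section; level is None if unset."""
    results, peer, level, line_no, depth = [], None, None, None, 0
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0]              # drop trailing comments
        if depth == 0:
            m = re.match(r"\s*remote\s+(\S+)", line)
            if m:                                # start of a remote section
                peer, level, line_no = m.group(1), None, n
        elif peer is not None and depth == 1:    # ignore nested proposal { } blocks
            m = re.search(r"\bproposal_check\s+(\w+)\s*;", line)
            if m:
                level, line_no = m.group(1), n
        depth += line.count("{") - line.count("}")
        if depth == 0 and peer is not None and "}" in line:
            results.append((peer, level, line_no))
            peer = None
    return results

def obey_peers(conf_text):
    """Peers (with line number) whose section sets proposal_check obey."""
    return [(p, n) for p, lvl, n in audit_remote_sections(conf_text) if lvl == "obey"]
```

Sections reported with a level of `None` do not set `proposal_check` explicitly, so the value in effect for them should be confirmed against racoon.conf(5) for the installed version.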