From: Ganesan R <rga...@us...> - 2004-06-05 16:02:58

>>>>> "Aidas" == Aidas Kasparas <a.k...@gm...> writes:

> Ganesan R wrote:
>> Hi, We are using racoon in an embedded box and have run into a couple of
>> problems. Both problem scenarios are related to racoon dying/restarting
>> after successfully negotiating one or more IPsec SAs. In the first
>> scenario host A (initiator) and host B (responder) have successfully
>> negotiated an IPsec SA. Assume that racoon on host B dies and is
>> restarted. Now, when racoon on host A tries to do a rekey for the
>> previously negotiated IPsec SA, host B can't decrypt the quick mode
>> packet and sends an initial contact notification. Host A drops this
>> notification because it's not encrypted. Host B doesn't know what's going
>> on and gives up

> I suppose you mean "host A" here.

I meant host B. What I meant is that "host B" has no idea the "initial-contact" messages are getting dropped. It keeps retrying since there was no response and gives up assuming that host A is dead.

>> after a few retries. How can I make racoon recover from this
>> situation? Keepalives seem to be the answer. But racoon does not appear to
>> support any keepalive mechanism. Any suggestions?
>>

> Maybe it should try to set up a new IPsec SA on failure to get
> renegotiation?

I guess you mean a new ISAKMP SA. I was thinking that the solution is for "host A" to send keepalives and then set up an ISAKMP SA. I think that what you're saying is the better solution. Instead of completely giving up on the host, if "host B" gave up on the ISAKMP SA and tried to negotiate a new one, I think things should be okay.

>> The second scenario is similar to the first except that racoon on host A dies
>> and is restarted. When the kernel sends an expire message on host A for
>> rekeying, racoon can't find a ph2 handle for this request, assumes that this
>> is a duplicate rekey request and drops the rekey request. Any suggestions on
>> how to handle this?

> When the Phase 2 SA expires and is dropped, racoon will get a
> request to set up a new one, and start as if nothing had happened before.

The problem is that IPsec traffic will be affected. I'd like to handle this without dropping any data traffic. My plan is to treat the expire like an acquire if a ph2 handle cannot be found.

Ganesan
--
Ganesan R
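The second scenario above (racoon on host A restarts, loses its in-memory phase 2 handles, and then drops the kernel's expire message as a "duplicate rekey") can be modelled with a few lines of Python. This is a constructed illustration added here, not racoon's code: `IkeDaemon`, `Ph2Handle`, `KernelExpire` and the `treat_orphan_expire_as_acquire` switch are hypothetical names, and the "duplicate rekey" heuristic is reduced to the single check the mail describes (no ph2 handle found for the expiring SPI). The model contrasts the original behaviour with the proposed one of treating an orphaned expire as an acquire so the SA is renegotiated before it hard-expires and data traffic is lost.

```python
from dataclasses import dataclass, field


@dataclass
class Ph2Handle:
    """In-memory phase 2 state racoon keeps per negotiated IPsec SA (hypothetical)."""
    spi: int
    peer: str


@dataclass
class KernelExpire:
    """Constructed stand-in for the kernel's soft-expire notification (PF_KEY style)."""
    spi: int
    peer: str


@dataclass
class IkeDaemon:
    """Toy IKE daemon: remembers ph2 handles in memory, loses them on restart."""
    treat_orphan_expire_as_acquire: bool = False
    ph2_handles: dict = field(default_factory=dict)   # spi -> Ph2Handle
    negotiations: list = field(default_factory=list)  # log of quick-mode exchanges started

    def negotiate(self, spi: int, peer: str) -> None:
        # A successful quick mode installs a kernel SA and records a ph2 handle.
        self.ph2_handles[spi] = Ph2Handle(spi, peer)
        self.negotiations.append(("acquire", spi, peer))

    def restart(self) -> None:
        # The daemon dies and comes back: kernel SAs survive, daemon memory does not.
        self.ph2_handles.clear()

    def on_expire(self, msg: KernelExpire) -> str:
        """Handle a soft expire; returns what the daemon did with it."""
        handle = self.ph2_handles.get(msg.spi)
        if handle is not None:
            # Normal case: the handle is known, start a rekey for that SA.
            self.negotiations.append(("rekey", msg.spi, msg.peer))
            return "rekey"
        if self.treat_orphan_expire_as_acquire:
            # Proposed behaviour: no handle means we forgot the SA, not that the
            # rekey is a duplicate; treat the expire as a fresh acquire.
            self.negotiations.append(("acquire", msg.spi, msg.peer))
            self.ph2_handles[msg.spi] = Ph2Handle(msg.spi, msg.peer)
            return "acquire"
        # Original behaviour described in the mail: assume duplicate rekey, drop it.
        return "dropped"


def simulate(treat_orphan_expire_as_acquire: bool) -> tuple:
    """Run the restart scenario from the thread; returns (action, negotiation log)."""
    daemon = IkeDaemon(treat_orphan_expire_as_acquire=treat_orphan_expire_as_acquire)
    daemon.negotiate(spi=0x1001, peer="host-B")   # constructed SPI and peer name
    daemon.restart()                               # racoon on host A dies and restarts
    action = daemon.on_expire(KernelExpire(spi=0x1001, peer="host-B"))
    return action, daemon.negotiations


if __name__ == "__main__":
    print("original:", simulate(False))
    print("proposed:", simulate(True))
```

With the switch off the expire is dropped and nothing is renegotiated, so the SA will hard-expire and traffic stops until a fresh acquire; with it on, the daemon starts a new quick mode right away and the kernel SA is replaced before it expires.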