#9 Policy lifetime rekey margin


FreeS/WAN has a nice configuration option for policies
named "rekeymargin":


"how long before SA (and key) expiry should
attempts to negotiate replacements begin; acceptable
values as for keylife (default 9m)"

This way, when a security association is about to
expire, FreeS/WAN initiates a new negotiation to create
a new, replacement association. This way, there's no
tunnel downtime.

Racoon doesn't handle this problem at all, which causes
packet loss every time an association expires (!!!).

This is also due to the lack of a second feature in
racoon/ipsec-tools: deferral of connections/packets
until a tunnel is established (see

Currently, with ipsec-tools, when there's no active
association present, for all packets, ipsec-tools
simply return a "connect: Resource temporarily
unavailable" error and this usually results in raising
application-level errors, until a new security
association is negotiated (which can take several seconds).

So to summarize:
1) ipsec-tools handle the "lack of association" problem
very inelegantly - returning errors instead of queueing
packets until an association is established (the
feature request no. 1101806)
2) racoon lacks a feature to proactively establish new
associations before old ones expire (this feature request).

FreeS/WAN handles this much better.




    Problem 1: Racoon generates SAs with a soft lifetime of 80%
    of hard lifetime, and SAs *are* renegotiated when old SAs
    are dying (or tell us more about your configuration).

    Problem 2: processing packets to encapsulate is *not* a
    racoon problem, it is a kernel issue.
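As an added illustration (not code from racoon, ipsec-tools or FreeS/WAN), the script below reads the `lifetime time N unit;` statements from a racoon.conf fragment and computes how much time each policy leaves between racoon's soft-lifetime rekey trigger (80% of the hard lifetime, as stated in the comment above) and hard expiry, next to the fixed FreeS/WAN `rekeymargin` from the original post. The config fragment is constructed, the accepted unit spellings are an assumption, and `negotiation_budget` is a hypothetical parameter for how long a replacement negotiation is expected to take on your link.

```python
import re

# The comment above states racoon's soft lifetime is 80% of the hard lifetime.
SOFT_FRACTION = 0.8
# FreeS/WAN rekeymargin default quoted in the original post: 9 minutes before expiry.
FREESWAN_REKEYMARGIN = 9 * 60

# Unit names accepted by "lifetime time N unit;" (assumed set of racoon.conf spellings).
_UNITS = {"sec": 1, "secs": 1, "min": 60, "mins": 60, "hour": 3600, "hours": 3600}
_LIFETIME_RE = re.compile(r"lifetime\s+time\s+(\d+)\s+(sec|secs|min|mins|hour|hours)\s*;")

# Constructed racoon.conf fragment for the demonstration (not from any real deployment).
SAMPLE_CONF = """
remote 203.0.113.1 {
        exchange_mode main;
        lifetime time 1 hour;
}
sainfo anonymous {
        lifetime time 5 min;
        encryption_algorithm aes;
}
"""

def parse_lifetimes(conf_text):
    """Hard lifetimes in seconds, one per 'lifetime time' statement, in file order."""
    return [int(n) * _UNITS[u] for n, u in _LIFETIME_RE.findall(conf_text)]

def racoon_margin(hard):
    """Seconds between racoon's 80% soft-lifetime trigger and hard expiry."""
    return hard - int(hard * SOFT_FRACTION)

def freeswan_margin(hard, rekeymargin=FREESWAN_REKEYMARGIN):
    """FreeS/WAN starts the replacement negotiation a fixed margin before expiry;
    the margin cannot exceed the lifetime itself, so it is clamped."""
    return min(rekeymargin, hard)

def audit(conf_text, negotiation_budget):
    """Per lifetime: (hard, racoon_margin, freeswan_margin, racoon_ok), where racoon_ok
    means the 80% scheme leaves at least negotiation_budget seconds to build the new SA."""
    rows = []
    for hard in parse_lifetimes(conf_text):
        rm = racoon_margin(hard)
        rows.append((hard, rm, freeswan_margin(hard), rm >= negotiation_budget))
    return rows

if __name__ == "__main__":
    for hard, rm, fm, ok in audit(SAMPLE_CONF, negotiation_budget=90):
        print(f"lifetime {hard:>5}s  racoon margin {rm:>4}s  "
              f"freeswan margin {fm:>4}s  {'ok' if ok else 'TOO SHORT'}")
```

Short lifetimes are where the percentage scheme hurts: a 5-minute SA gives racoon only 60 seconds to finish the replacement negotiation before the old SA is gone.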

  • Timo Teras

    Timo Teras - 2009-01-16

    Closing all sourceforge.net bugs. If this issue has not been cared for please submit a new bug report to https://trac.ipsec-tools.net/ issue tracker. Thank you.

  • Timo Teras

    Timo Teras - 2009-01-16
    • status: open --> closed
