I've recently been working on failover configuration of IPsec tunnels using FreeBSD & CARP. As sasync/pfsyncd & the appropriate code to synchronise both SAs and their replay counters aren't in FreeBSD, I went down the more traditional route of using dead peer detection.
Unfortunately this didn't work properly - although Racoon (0.7.3) would detect the dead peer, it never deleted the phase 2 SAs.
After further digging, this turned out to be because the purge SA code wasn't matching on port number.
This was because the port was built with NATT defined but we were not using NATT. Rebuilding without NATT purges SAs correctly!
Hopefully this post will save somebody some time and effort :)