Re: [Ipsec-tools-devel] phase1 rekeying
From: Tore A. <to...@li...> - 2008-09-04 10:17:02
* Timo Teräs
> Ok. Umm... Two possibilities for me to go:
> - make racoon renegotiate ph1 when dpd is on and phase2:s are in
>   existence
> or
> - renegotiate new ph1 when ph2 is being renegotiated (this assumes
>   that one knows when kernel wants to renegotiate ph2 and works only
>   if ph1 lifetime == ph2 lifetime)
>
> I think the first option would be the right thing. But the second
> one would be good enough for me and a bit easier to do.

In my opinion, the first option is a solution, the second one is a hack... It would of course be much preferable to fix it _properly_.

> I think for the first option to work, we need to keep ph2:s bound
> to ph1. And at ph1 expiration time we either:
> a) unbind them just blindly if dpd was not active
> b) start new ph1 and transfer ph2:s to the new ph1
>
> I'll start to work on something. Any thoughts on preferred
> implementation? Yvan? Manu?

As you're probably aware, I don't know much about racoon's internals, but when I do «setkey -D» I see the end point's IP address there. So the ph2 SAs are already bound to the remote address.

Won't it then be sufficient to make this part of the ph1 SA removal routine, so that it first checks if DPD is active and if not continues removing (maybe this part could be configurable)? If it is, it loops through the ph2 SAs and looks for one with the same remote address as the ph1 SA about to be deleted, and if it finds one it will trigger a rekeying of ph1 before going on to finally delete the old ph1 SA.

If it is indeed possible to do it this way, that is.

Regards,
-- 
Tore Anderson
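The check Tore sketches (on phase-1 expiry, look for phase-2 SAs that still point at the same peer and rekey phase 1 before deleting it) as an added toy model. This is example code written for this page, not racoon's implementation: the `setkey -D` dump is a constructed sample in the shape that tool prints (header line `src dst`, then tab-indented `esp mode=... spi=N(0x...)` detail lines), the addresses are documentation ranges, the SPIs are made up, and the `rekey_without_dpd` knob is an assumed name for the "configurable" part he mentions.

```python
"""Toy model (not racoon code) of the phase-1 expiry check discussed above:
parse a setkey -D style SAD dump, find phase-2 SAs bound to the expiring
phase-1 peer, and decide whether to rekey phase 1 before deleting it."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase1SA:
    local: str
    remote: str
    dpd_active: bool


@dataclass(frozen=True)
class Phase2SA:
    src: str
    dst: str
    proto: str
    spi: int


# Constructed sample in the shape of `setkey -D` output. Addresses come from
# the documentation ranges and the SPIs/keys are invented for this example.
SAD_DUMP = """\
192.0.2.1 198.51.100.7
\tesp mode=tunnel spi=305419896(0x12345678) reqid=1(0x00000001)
\tE: aes-cbc  0011223344556677 8899aabbccddeeff
\tA: hmac-sha1  0123456789abcdef 0123456789abcdef 01234567
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.7 192.0.2.1
\tesp mode=tunnel spi=2271560481(0x87654321) reqid=1(0x00000001)
\tE: aes-cbc  ffeeddccbbaa9988 7766554433221100
\tA: hmac-sha1  fedcba9876543210 fedcba9876543210 76543210
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.1 203.0.113.9
\tesp mode=tunnel spi=3735928559(0xdeadbeef) reqid=2(0x00000002)
\tE: aes-cbc  00000000000000000000000000000000
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

# First indented line of each SAD entry: protocol, then the decimal SPI.
_SA_LINE = re.compile(r"^\t(esp|ah|ipcomp) mode=\S+ spi=(\d+)\(")


def parse_sad(dump: str):
    """Turn a setkey -D style dump into Phase2SA records.

    Header lines (no leading tab) carry 'src dst'; the first indented line
    carries protocol and SPI. Key material and counters are skipped."""
    sas, src, dst = [], None, None
    for line in dump.splitlines():
        if not line.strip():
            continue
        if not line.startswith("\t"):
            src, dst = line.split()[:2]
            continue
        m = _SA_LINE.match(line)
        if m and src is not None:
            sas.append(Phase2SA(src, dst, m.group(1), int(m.group(2))))
    return sas


def ph2_bound_to(ph1: Phase1SA, ph2_sas):
    """Phase-2 SAs whose endpoints include the phase-1 peer address,
    i.e. the binding Tore observes in the setkey -D output."""
    return [sa for sa in ph2_sas if ph1.remote in (sa.src, sa.dst)]


def on_ph1_expire(ph1: Phase1SA, ph2_sas, rekey_without_dpd: bool = False):
    """Decision for an expiring phase-1 SA.

    Returns ("delete", []) when phase 1 can simply be removed, or
    ("rekey_then_delete", bound) when a fresh phase 1 should be negotiated
    first because live phase-2 SAs still point at the peer.
    `rekey_without_dpd` is the assumed configurable knob from the mail."""
    if not ph1.dpd_active and not rekey_without_dpd:
        return ("delete", [])
    bound = ph2_bound_to(ph1, ph2_sas)
    return ("rekey_then_delete", bound) if bound else ("delete", [])


if __name__ == "__main__":
    sad = parse_sad(SAD_DUMP)
    peer = Phase1SA("192.0.2.1", "198.51.100.7", dpd_active=True)
    action, bound = on_ph1_expire(peer, sad)
    print(action, [hex(sa.spi) for sa in bound])
```

With the sample dump, the peer 198.51.100.7 has two live ESP SAs (one per direction) and so gets rekeyed before its phase 1 is dropped, while the same peer with DPD off is deleted outright unless the knob is set; a peer with no phase-2 SAs is deleted either way.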