[Openswan dev] Phase 2 Negotiation Reliability
mcr at sandelman.ottawa.on.ca
Sun Aug 15 21:46:23 CEST 2004
>>>>> "Herbert" == Herbert Xu <herbert at gondor.apana.org.au> writes:

Herbert> However, on the responder side the SA won't be established
Herbert> until the final message is received. If the final message
Herbert> is lost then the responder will retransmit
Herbert> MAXIMUM_RETRANSMISSIONS (== 3) times. After that it gives
Herbert> up and deletes the state.

Yes, that is a problem.

Herbert> Even DPD doesn't help since it only tests the liveliness of
Herbert> the peer which will be successful in this case as the Phase
Herbert> 1 SA is up.

Yes, I understand.
DPD can have another component that tests that the phase 2 is up, but
it isn't implemented.

Herbert> The simplest thing we've come up with is to raise
Herbert> MAXIMUM_RETRANSMISSIONS which makes the problem less

Yes, increase it.

Long term, yes, IKEv2. (There aren't funded plans to do it at this time!)

In the interim, adding a message to the protocol would be the best idea,
based upon a vendor ID.
] "Elmo went to the wrong fundraiser" - The Simpson | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [