[Openswan Users] Openswan and Nortel Switch deleting ISAKMP

Paul Wouters paul at xelerance.com
Thu Aug 3 17:13:03 EDT 2006


On Thu, 3 Aug 2006, Peter McGill wrote:

> Already tried adjusting both lifetime values up and down, didn't work.
> And just before the connection drops, I've just finished renewing it.
> From the logs below, this is what it looks like to me is happening.
>
> A random few minutes before the ISAKMP SA expires, Openswan renegotiates it.
> Old ISAKMP SA Expires, Nortel sends Delete ISAKMP SA.
> (Sometimes Nortel deletes the old ISAKMP, sometimes the new one.
> Obviously a Nortel bug there, but I can't help that.)
> If New ISAKMP SA is deleted, the Openswan immediately negotiates a new one.
> So right now, ISAKMP is valid.
> However traffic stops between the Openswan and Nortel.
> I'm guessing it's because the IPsec SAs for the subnet are still based on the
> old, deleted ISAKMP SA; they have not been renegotiated yet.
> Seems that Nortel considers them invalid because based on expired ISAKMP SA,
> but Openswan still considers them valid because they have not expired
> themselves?
> I'm not sure who is right, logically, but they don't seem to agree, and this
> is a problem.
> I'm no IPSec expert, so I could be wrong but this is my guess based on what
> I'm seeing.
> This continues until the IPsec SA for the subnet is about to expire, then
> Openswan renegotiates it, and communication is restored, until the next time.

IPsec SA lifetime should have no influence on ISAKMP SA lifetime, but
how about trying to set a shorter phase 2 lifetime compared to the phase 1
lifetime, e.g.:

	keylife=30m
	ikelifetime=1h

Paul
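
The suggestion above boils down to a relationship between ipsec.conf
parameters: keylife (phase 2 / IPsec SA lifetime) shorter than ikelifetime
(phase 1 / ISAKMP SA lifetime), with enough room for rekeymargin (plus the
random rekeyfuzz increase) to fit inside the phase 2 lifetime. The following
Python script is an added example, not code from the thread or from the
Openswan project: it parses a constructed conn section and flags settings that
violate those relationships. The conn "nortel" and its addresses are made up,
and the default values it assumes for unset parameters are Openswan's
documented defaults (ikelifetime=1h, keylife=8h, rekeymargin=9m,
rekeyfuzz=100%).

```python
import re

# Constructed ipsec.conf fragment for this example (not from the original
# thread). Phase 2 (keylife) is deliberately shorter than phase 1
# (ikelifetime), as suggested in the reply above.
IPSEC_CONF = """\
conn nortel
    left=%defaultroute
    leftsubnet=10.0.1.0/24
    right=192.0.2.1
    rightsubnet=10.0.2.0/24
    authby=secret
    ikelifetime=1h
    keylife=30m
    rekeymargin=9m
    rekeyfuzz=100%
    auto=start
"""

# Assumed defaults for parameters a conn does not set (Openswan's documented
# defaults at the time of this thread).
DEFAULTS = {
    "ikelifetime": "1h",
    "keylife": "8h",
    "rekeymargin": "9m",
    "rekeyfuzz": "100%",
}

_DUR = re.compile(r"^(\d+)([smhd]?)$")
_UNIT = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(value):
    """Convert an ipsec.conf time value ('30m', '1h', '3600') to seconds."""
    m = _DUR.match(value.strip())
    if not m:
        raise ValueError("bad duration: %r" % value)
    return int(m.group(1)) * _UNIT[m.group(2)]


def parse_conf(text):
    """Return {conn_name: {param: value}} for every 'conn' section.

    Section headers start in column 0; parameters are indented. Only 'conn'
    sections are collected; 'config setup' and 'version' lines are skipped.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split()
            if parts[0] == "conn" and len(parts) > 1:
                current = conns.setdefault(parts[1], {})
            else:
                current = None
            continue
        if current is None:
            continue
        key, _, val = line.strip().partition("=")
        current[key.strip()] = val.strip()
    return conns


def check_lifetimes(conn):
    """Return a list of problems with the phase 1 / phase 2 lifetime settings.

    An empty list means the conn satisfies both checks:
      1. keylife (phase 2) is shorter than ikelifetime (phase 1), so the IPsec
         SA is always rekeyed under a still-valid ISAKMP SA;
      2. rekeymargin grown by the maximum rekeyfuzz still fits inside keylife,
         so the rekey attempt does not start before the SA has had time to
         carry traffic.
    """
    params = dict(DEFAULTS, **conn)
    ike = parse_duration(params["ikelifetime"])
    sa = parse_duration(params["keylife"])
    margin = parse_duration(params["rekeymargin"])
    fuzz = int(params["rekeyfuzz"].rstrip("%")) / 100.0
    problems = []
    if sa >= ike:
        problems.append("keylife (%ds) is not shorter than ikelifetime (%ds)"
                        % (sa, ike))
    worst_margin = margin * (1 + fuzz)
    if worst_margin >= sa:
        problems.append("rekeymargin*(1+rekeyfuzz) = %ds does not fit inside "
                        "keylife (%ds)" % (worst_margin, sa))
    return problems


if __name__ == "__main__":
    for name, conn in parse_conf(IPSEC_CONF).items():
        issues = check_lifetimes(conn)
        print("conn %s: %s" % (name, "ok" if not issues else "; ".join(issues)))
```

Run against a real ipsec.conf, the script points out the common case where
keylife is left at its 8h default while ikelifetime is 1h, which is the
opposite of what the reply above recommends.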

