[Openswan Users] Relation between ISAKMP and IPsec SA

Paul Wouters paul at xelerance.com
Mon Oct 3 11:17:20 EDT 2011


On Mon, 3 Oct 2011, Giovanni Carbone wrote:

> After some rekeys I get this output:

>
> 000 #42208: "NET-TO-NET1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 770s; newest IPSEC; eroute owner; isakmp#42038; idle; import:admin initiate
> 000 #42357: "NET-TO-NET2":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 10703s; newest IPSEC; eroute owner; isakmp#42038; idle; import:admin initiate
> 000 #42366: "NET-TO-NET2":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 40894s; newest ISAKMP; lastdpd=14s(seq in:17199 out:0); idle; import:admin initiate
>
> Now there are two IPsec SA with "isakmp#42038" but there isn't any ISAKMP SA #42038 running since it's expired and deleted.

If the isakmp is gone, that connection cannot be re-keyed. It will remain there until it
expires.

> Is this ok? The tunnels are working fine but it seems strange to me that there's a reference to a deleted state.
> Of course when the IPsec SA rekey is triggered the newest ISAKMP SA state is referenced.

It's been a long discussion at IETF what the ISAKMP vs IPSEC SA lifetimes should be. It's mostly set to
either 8h/1h or 1h/8h. As long as you have a valid ISAKMP between two hosts, the IPsec SA can be
renegotiated no matter the current state.

Paul

> Best regards,
>
> G.C.
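The situation in the thread (IPsec SAs still pointing at an ISAKMP state number that no longer exists, and whether a live ISAKMP SA is available for the rekey) is easy to check automatically from `ipsec auto --status` output. The following is an added example, not code from the thread or from Openswan: it parses the three status lines quoted above (copied verbatim as a constructed sample), builds the set of live ISAKMP SA numbers, and reports every IPsec SA whose `isakmp#` parent is gone, together with the seconds left until its EVENT_SA_REPLACE and any live ISAKMP SA for the same connection name. Using the connection name as a proxy for "the same two hosts" is an assumption of this example; the line layout assumed is exactly the one in the quoted output.

```python
import re
from typing import Optional

# Constructed sample: the three `ipsec auto --status` lines quoted in the thread.
STATUS_LINES = """\
000 #42208: "NET-TO-NET1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 770s; newest IPSEC; eroute owner; isakmp#42038; idle; import:admin initiate
000 #42357: "NET-TO-NET2":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 10703s; newest IPSEC; eroute owner; isakmp#42038; idle; import:admin initiate
000 #42366: "NET-TO-NET2":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 40894s; newest ISAKMP; lastdpd=14s(seq in:17199 out:0); idle; import:admin initiate
"""

# One per-state line: "000 #<num>: "<conn>":<port> STATE_xxx (<description>)<rest>"
LINE_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)":(?P<port>\d+) (?P<state>STATE_\w+) '
    r'\((?P<desc>[^)]*)\)(?P<rest>.*)$'
)
REPLACE_RE = re.compile(r'EVENT_SA_REPLACE in (?P<secs>\d+)s')
PARENT_RE = re.compile(r'isakmp#(?P<parent>\d+)')


def classify(state: str, desc: str) -> Optional[str]:
    """Tell phase-1 (ISAKMP) states from phase-2 (IPsec) states."""
    if "ISAKMP SA established" in desc:
        return "isakmp"
    if "IPsec SA established" in desc:
        return "ipsec"
    if state.startswith(("STATE_MAIN_", "STATE_AGGR_")):
        return "isakmp"
    if state.startswith("STATE_QUICK_"):
        return "ipsec"
    return None


def parse_status(text: str) -> list:
    """Parse per-state lines; other status lines (connections, totals) are skipped."""
    states = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        rm = REPLACE_RE.search(rest)
        pm = PARENT_RE.search(rest)  # only IPsec SAs carry an isakmp# parent
        states.append({
            "num": int(m.group("num")),
            "conn": m.group("conn"),
            "state": m.group("state"),
            "kind": classify(m.group("state"), m.group("desc")),
            "replace_in": int(rm.group("secs")) if rm else None,
            "parent": int(pm.group("parent")) if pm else None,
        })
    return states


def find_orphaned_ipsec_sas(states: list) -> list:
    """IPsec SAs whose parent ISAKMP SA no longer appears in the status output.

    For each one, also list live ISAKMP SAs on the same connection name
    (assumption: same connection name == same pair of hosts), since a valid
    ISAKMP SA between the hosts is what allows the IPsec SA to be rekeyed.
    """
    live_isakmp = {s["num"] for s in states if s["kind"] == "isakmp"}
    isakmp_by_conn = {}
    for s in states:
        if s["kind"] == "isakmp":
            isakmp_by_conn.setdefault(s["conn"], []).append(s["num"])
    report = []
    for s in states:
        if s["kind"] != "ipsec" or s["parent"] is None:
            continue
        if s["parent"] in live_isakmp:
            continue
        report.append({
            "num": s["num"],
            "conn": s["conn"],
            "missing_isakmp": s["parent"],
            "replace_in": s["replace_in"],
            "live_isakmp_for_conn": sorted(isakmp_by_conn.get(s["conn"], [])),
        })
    return report


if __name__ == "__main__":
    for r in find_orphaned_ipsec_sas(parse_status(STATUS_LINES)):
        fallback = r["live_isakmp_for_conn"] or "none"
        print(f'#{r["num"]} {r["conn"]}: parent isakmp#{r["missing_isakmp"]} gone, '
              f'replace in {r["replace_in"]}s, live ISAKMP for conn: {fallback}')
```

Run against the sample, both IPsec SAs are reported as orphaned from isakmp#42038; NET-TO-NET2 has #42366 available for the rekey, while NET-TO-NET1 has no ISAKMP SA at all in this snapshot, which is the case worth alerting on because its IPsec SA will simply expire.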

