[vpn-help] Timeouts?

Matthew Grooms mgrooms at shrew.net
Sun Jul 11 02:34:26 CDT 2010


On 7/10/2010 10:29 PM, kevin shrew-vpn wrote:
> On Sat, 10 Jul 2010 21:58:04 -0500
> Matthew Grooms<mgrooms at shrew.net>  wrote:
>
>> In any case, there are no messages exchanged between peers when an SA
>> expires. That's why it's important to make sure the lifetime matches
>> on both ends. Otherwise when an SA is expired by one peer, the other
>> peer may still attempt to use that SA to protect an important message
>> or IPsec traffic. When this happens, communication obviously breaks
>> down.
>>
>
> I thought it was negotiated as part of the connection!  Matching the
> timeouts may actually help solve a problem I've been having for a
> long time.  Thanks for taking the time to write the long explanation!

There is a RESPONDER-LIFETIME notification that can be sent but it has 
limited utility ...

http://www.ietf.org/rfc/rfc2407.txt

4.5.4 Lifetime Notification

    When an initiator offers an SA lifetime greater than what the
    responder desires based on their local policy, the responder has
    three choices: 1) fail the negotiation entirely; 2) complete the
    negotiation but use a shorter lifetime than what was offered; 3)
    complete the negotiation and send an advisory notification to the
    initiator indicating the responder's true lifetime.  The choice of
    what the responder actually does is implementation specific and/or
    based on local policy.

    To ensure interoperability in the latter case, the IPSEC DOI requires
    the following only when the responder wishes to notify the initiator:
    if the initiator offers an SA lifetime longer than the responder is
    willing to accept, the responder SHOULD include an ISAKMP
    Notification Payload in the exchange that includes the responder's
    IPSEC SA payload.  Section 4.6.3.1 defines the payload layout for the
    RESPONDER-LIFETIME Notification Message type which MUST be used for
    this purpose.

Since it's specific to the IPsec DOI, it only works in quick mode for 
phase2 IPsec SAs. It's also not honored by a lot of IKE daemons. Your 
best bet is to always use matching lifetime values.

-Matthew
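To make the RESPONDER-LIFETIME mechanism quoted above concrete, here is an added example (not code from the list, from Matthew, or from the Shrew Soft client) that encodes and parses a RESPONDER-LIFETIME ISAKMP Notification payload as laid out in RFC 2407 section 4.6.3.1, using the IPsec DOI attribute numbers (SA Life Type = 1, SA Life Duration = 2) and the ISAKMP data-attribute TV/TLV encoding from RFC 2408 section 3.3. The SPI and lifetime values are constructed sample data, and the `effective_lifetime` helper is a hypothetical illustration of what an initiator that honors the notification should do: install the shorter of the two lifetimes so both peers expire the SA at the same time.

```python
import struct

# Numbers from RFC 2407 (IPsec DOI) and RFC 2408 (ISAKMP)
IPSEC_DOI = 1
PROTO_IPSEC_ESP = 3
NOTIFY_RESPONDER_LIFETIME = 24576   # RFC 2407 section 4.6.3
ATTR_SA_LIFE_TYPE = 1               # RFC 2407 section 4.5
ATTR_SA_LIFE_DURATION = 2
LIFE_TYPE_SECONDS = 1
LIFE_TYPE_KILOBYTES = 2


def encode_attribute(attr_type, value):
    """Encode one ISAKMP data attribute (RFC 2408 section 3.3).
    Values that fit in 16 bits use the TV form (AF bit set);
    larger values use the TLV form with a 4-byte big-endian value."""
    if value < 0x10000:
        return struct.pack("!HH", 0x8000 | attr_type, value)
    return struct.pack("!HHI", attr_type, 4, value)


def decode_attributes(data):
    """Decode a run of ISAKMP data attributes into {type: int}."""
    attrs = {}
    off = 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header")
        hdr, second = struct.unpack_from("!HH", data, off)
        attr_type = hdr & 0x7FFF
        if hdr & 0x8000:                      # TV form: value is in the header
            attrs[attr_type] = second
            off += 4
        else:                                 # TLV form: second field is a length
            raw = data[off + 4:off + 4 + second]
            if len(raw) != second:
                raise ValueError("truncated attribute value")
            attrs[attr_type] = int.from_bytes(raw, "big")
            off += 4 + second
    return attrs


def build_responder_lifetime_notify(spi, seconds, next_payload=0):
    """Build a Notification payload carrying RESPONDER-LIFETIME for an ESP SA.
    Layout: generic header, DOI, Protocol-ID, SPI size, Notify type, SPI, data."""
    data = (encode_attribute(ATTR_SA_LIFE_TYPE, LIFE_TYPE_SECONDS)
            + encode_attribute(ATTR_SA_LIFE_DURATION, seconds))
    body = struct.pack("!IBBH", IPSEC_DOI, PROTO_IPSEC_ESP, len(spi),
                       NOTIFY_RESPONDER_LIFETIME) + spi + data
    header = struct.pack("!BBH", next_payload, 0, 4 + len(body))
    return header + body


def parse_responder_lifetime_notify(payload):
    """Parse the payload built above; rejects anything that is not an
    IPsec-DOI RESPONDER-LIFETIME notification."""
    if len(payload) < 12:
        raise ValueError("payload too short")
    _next, _reserved, length = struct.unpack_from("!BBH", payload, 0)
    if length != len(payload):
        raise ValueError("payload length field does not match data")
    doi, proto, spi_size, ntype = struct.unpack_from("!IBBH", payload, 4)
    if doi != IPSEC_DOI or ntype != NOTIFY_RESPONDER_LIFETIME:
        raise ValueError("not an IPsec DOI RESPONDER-LIFETIME notification")
    spi = payload[12:12 + spi_size]
    attrs = decode_attributes(payload[12 + spi_size:])
    return {"protocol": proto, "spi": spi,
            "life_type": attrs.get(ATTR_SA_LIFE_TYPE),
            "duration": attrs.get(ATTR_SA_LIFE_DURATION)}


def effective_lifetime(offered_seconds, notify):
    """Hypothetical initiator policy: honor the responder's shorter lifetime
    so both peers expire the SA together. Kilobyte lifetimes are a separate
    counter and are left alone here."""
    if notify["life_type"] != LIFE_TYPE_SECONDS or notify["duration"] is None:
        return offered_seconds
    return min(offered_seconds, notify["duration"])


if __name__ == "__main__":
    # Constructed sample: initiator offered 86400 s, responder wants 3600 s.
    sample_spi = b"\x00\x00\x12\x34"
    raw = build_responder_lifetime_notify(sample_spi, 3600)
    info = parse_responder_lifetime_notify(raw)
    print(raw.hex())
    print(info, "->", effective_lifetime(86400, info), "seconds")
```

The practical point of the parse step is the one made in the mail: even when a responder sends this notification, nothing forces the initiator to act on it, so checking that both ends are configured with the same phase 2 lifetime remains the reliable fix.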


