[vpn-help] Timeouts?
Matthew Grooms
mgrooms at shrew.net
Sun Jul 11 02:34:26 CDT 2010
On 7/10/2010 10:29 PM, kevin shrew-vpn wrote:
> On Sat, 10 Jul 2010 21:58:04 -0500
> Matthew Grooms<mgrooms at shrew.net> wrote:
>
>> In any case, there are no messages exchanged between peers when an SA
>> expires. That's why its important to make sure the lifetime matches
>> on both ends. Otherwise when an SA is expired by one peer, the other
>> peer may still attempt to use that SA to protect an important message
>> or IPsec traffic. When this happens, communication obviously breaks
>> down.
>>
>
> I thought it was negotiated as part of the connection! Matching the
> timeouts may actually help solve a problem I've been having for a
> long time. Thanks for taking the time to write the long explanation!
There is a RESPONDER-LIFETIME notification that can be sent but it has
limited utility ...
http://www.ietf.org/rfc/rfc2407.txt
4.5.4 Lifetime Notification
When an initiator offers an SA lifetime greater than what the
responder desires based on their local policy, the responder has
three choices: 1) fail the negotiation entirely; 2) complete the
negotiation but use a shorter lifetime than what was offered; 3)
complete the negotiation and send an advisory notification to the
initiator indicating the responder's true lifetime. The choice of
what the responder actually does is implementation specific and/or
based on local policy.
To ensure interoperability in the latter case, the IPSEC DOI requires
the following only when the responder wishes to notify the initiator:
if the initiator offers an SA lifetime longer than the responder is
willing to accept, the responder SHOULD include an ISAKMP
Notification Payload in the exchange that includes the responder's
IPSEC SA payload. Section 4.6.3.1 defines the payload layout for the
RESPONDER-LIFETIME Notification Message type which MUST be used for
this purpose.
Since it's specific to the IPsec DOI, it only works in quick mode for
phase 2 IPsec SAs. It's also not honored by a lot of IKE daemons. Your
best bet is to always use matching lifetime values.
-Matthew
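As an added example (not from this thread, nor from the Shrew Soft client), a small Python encoder/decoder for the RESPONDER-LIFETIME notification body that the quoted RFC text describes, plus the check an initiator can make to bring its own lifetime in line with the responder's. Field layouts and constants follow RFC 2407/2408; the SPI and lifetime values are constructed sample values.

```python
import struct

# Constants from RFC 2407 (IPsec DOI) and RFC 2408 (ISAKMP attribute format).
IPSEC_DOI = 1
PROTO_IPSEC_ESP = 3
RESPONDER_LIFETIME = 24576        # notify message type, RFC 2407 section 4.6.3
ATTR_SA_LIFE_TYPE = 1             # value 1 = seconds, 2 = kilobytes
ATTR_SA_LIFE_DURATION = 2
LIFE_SECONDS = 1

def encode_attr(atype, value):
    """ISAKMP data attribute: AF=1 carries a 16-bit value, AF=0 a length + variable value."""
    if value < 0x10000:
        return struct.pack("!HH", 0x8000 | atype, value)
    data = value.to_bytes(4, "big")
    return struct.pack("!HH", atype, len(data)) + data

def decode_attrs(buf):
    """Walk a run of ISAKMP data attributes and return {type: integer value}."""
    attrs, off = {}, 0
    while off + 4 <= len(buf):
        hdr, val = struct.unpack_from("!HH", buf, off)
        off += 4
        if hdr & 0x8000:
            attrs[hdr & 0x7FFF] = val
        else:
            attrs[hdr & 0x7FFF] = int.from_bytes(buf[off:off + val], "big")
            off += val
    return attrs

def build_responder_lifetime(spi, seconds):
    """Notification payload body after the generic header: DOI, proto, SPI size, type, SPI, data."""
    data = encode_attr(ATTR_SA_LIFE_TYPE, LIFE_SECONDS) + encode_attr(ATTR_SA_LIFE_DURATION, seconds)
    return struct.pack("!IBBH", IPSEC_DOI, PROTO_IPSEC_ESP, len(spi), RESPONDER_LIFETIME) + spi + data

def parse_responder_lifetime(body):
    """Return (spi, seconds) for a RESPONDER-LIFETIME body in seconds, or None if it is not one."""
    doi, _proto, spi_size, ntype = struct.unpack_from("!IBBH", body, 0)
    if doi != IPSEC_DOI or ntype != RESPONDER_LIFETIME:
        return None
    spi = body[8:8 + spi_size]
    attrs = decode_attrs(body[8 + spi_size:])
    if attrs.get(ATTR_SA_LIFE_TYPE) != LIFE_SECONDS or ATTR_SA_LIFE_DURATION not in attrs:
        return None                       # kilobyte lifetimes are not handled by this example
    return spi, attrs[ATTR_SA_LIFE_DURATION]

def effective_lifetime(offered, notified):
    """Initiator side: adopt the shorter value so both peers expire the SA at the same time."""
    return offered if notified is None else min(offered, notified)
```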