IPSEC between Win2k8 and Linux

  • Question

  • Actually, we are facing an issue related to IPSEC. At one endpoint we are using Windows 2008, and at the other endpoint we are using the Linux Racoon module. We configured IPSEC between these two endpoints and they are communicating without any problem. But after some time, the communication is broken. This communication failure continues for some time and then suddenly it is up again. We analyzed this issue and observed the following things.

    The communication break happens when Main Mode is started (ISAKMP key expired). In Wireshark, we found that Main Mode is started and then Quick Mode. Before Main and Quick Mode, assume Windows uses SPI 1 and Racoon uses SPI 2. After Main and Quick Mode, Windows uses SPI 3, but Racoon still uses SPI 2 to send packets. Presumably Windows expects the new SPI from Racoon, but Racoon sends with the old SPI, so some packets from Racoon are discarded and communication is broken. After some time, Racoon starts with the new SPI and communication is up. I guess it is due to the soft and hard lifetimes of the SA.

    Below is the racoon log, which shows the expiration of the ISAKMP-SA.

    2012-04-06 00:25:57: INFO: purged IPsec-SA proto_id=ESP spi=338723676.
    2012-04-06 00:25:57: INFO: purged ISAKMP-SA proto_id=ISAKMP spi=1c99fd19f9b8b080:85dac43f6e090e7a.
    2012-04-06 00:25:58: INFO: ISAKMP-SA deleted 10.78.34.246[500]-10.78.34.147[500] spi:1c99fd19f9b8b080:85dac43f6e090e7a
    2012-04-06 00:26:08: INFO: respond new phase 1 negotiation: 10.78.34.246[500]<=>10.78.34.147[500]
    2012-04-06 00:26:08: INFO: begin Identity Protection mode.

    I could see some others are also facing this kind of problem from the below links.

    http://comments.gmane.org/gmane.network.ipsec.tools.user/1658

    http://www.linksysinfo.org/index.php?threads/os-x-rv042-vpn-rekeying-issues.16552/

    So, all, I welcome your suggestions to resolve this issue.

    Friday, April 6, 2012 12:15 PM
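The SPI hand-over the post describes can be replayed offline to see exactly which packets a strict receiver drops and how long the gap lasts. The following Python is an added example, not code from the original post, from racoon or from Windows: the peer addresses are taken from the posted racoon log, while the timings and SPI numbers (1/2 before the rekey, 3/4 after) are constructed to mirror the description. The `receiver_grace` parameter is an assumption used to model a receiver that keeps the old inbound SA alive for a while after the new one is installed (the soft/hard lifetime overlap the poster suspects); with `receiver_grace=0` the receiver behaves as the post describes Windows, rejecting the old SPI as soon as the new Quick Mode SA exists.

```python
"""Replay an IPsec rekey and flag ESP packets sent with a superseded SPI.

Added example modelled on the forum post; the trace below is constructed,
only the two peer addresses come from the posted racoon log.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

WINDOWS = "10.78.34.147"   # addresses as they appear in the posted racoon log
RACOON = "10.78.34.246"


@dataclass
class Event:
    t: float                  # seconds into the capture
    kind: str                 # "esp" = data packet, "qm_done" = Quick Mode finished
    src: str = ""             # sender of an ESP packet
    spi: int = 0              # SPI carried by an ESP packet
    new_spis: Dict[str, int] = field(default_factory=dict)  # qm_done: sender -> new outbound SPI


# Constructed trace mirroring the post: SPIs 1/2 in use, the rekey installs
# 3/4, Windows switches at once, racoon keeps sending on SPI 2 for a while.
CONSTRUCTED_TRACE: List[Event] = [
    Event(0.0, "esp", WINDOWS, 1),
    Event(1.0, "esp", RACOON, 2),
    Event(10.0, "qm_done", new_spis={WINDOWS: 3, RACOON: 4}),
    Event(11.0, "esp", WINDOWS, 3),   # Windows moves to the new SA immediately
    Event(12.0, "esp", RACOON, 2),    # racoon still on the old SA
    Event(13.0, "esp", RACOON, 2),
    Event(20.0, "esp", RACOON, 4),    # racoon finally switches
]


def find_stale_spi_packets(events: List[Event], receiver_grace: float = 0.0):
    """Return (t, src, spi) for every ESP packet the peer would discard.

    Model: each sender has one current outbound SPI, which is the receiver's
    inbound SA. When Quick Mode completes the new SPIs become current and the
    old ones are accepted only for `receiver_grace` more seconds (assumed
    overlap window). receiver_grace=0 is the strict behaviour from the post.
    """
    current: Dict[str, int] = {}
    retired: Dict[Tuple[str, int], float] = {}   # (sender, old spi) -> time retired
    dropped = []
    for ev in sorted(events, key=lambda e: e.t):
        if ev.kind == "qm_done":
            for sender, spi in ev.new_spis.items():
                if sender in current and current[sender] != spi:
                    retired[(sender, current[sender])] = ev.t
                current[sender] = spi
            continue
        if ev.kind != "esp":
            raise ValueError(f"unknown event kind {ev.kind!r}")
        if ev.src not in current:
            current[ev.src] = ev.spi      # first SA seen for this sender: bootstrap
            continue
        if ev.spi == current[ev.src]:
            continue                      # packet on the live SA
        retired_at = retired.get((ev.src, ev.spi))
        if retired_at is not None and ev.t <= retired_at + receiver_grace:
            continue                      # old SPI still inside the overlap window
        dropped.append((ev.t, ev.src, ev.spi))
    return dropped


def outage_seconds(events: List[Event], receiver_grace: float = 0.0) -> float:
    """Length of the break as seen from the stale sender: first dropped packet
    to its first accepted packet afterwards. 0.0 when nothing is dropped."""
    dropped = find_stale_spi_packets(events, receiver_grace)
    if not dropped:
        return 0.0
    first_drop_t, sender, _ = dropped[0]
    dropped_set = set(dropped)
    later_ok = [e.t for e in events
                if e.kind == "esp" and e.src == sender and e.t > first_drop_t
                and (e.t, e.src, e.spi) not in dropped_set]
    return (min(later_ok) - first_drop_t) if later_ok else float("inf")


if __name__ == "__main__":
    for grace in (0.0, 5.0):
        print(f"receiver_grace={grace}: dropped={find_stale_spi_packets(CONSTRUCTED_TRACE, grace)} "
              f"outage={outage_seconds(CONSTRUCTED_TRACE, grace)}s")
```

Feeding the same trace with a non-zero `receiver_grace` shows why lifetime overlap matters: a receiver that tolerates the old inbound SPI for a few seconds after the rekey drops nothing, while the strict receiver drops every racoon packet until racoon moves to the new SA. To use it on a real capture, fill the event list from the ESP SPI column and the ISAKMP Quick Mode completions in Wireshark.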

All replies

  • If I get this correctly, in the 1st rekey Windows acted as initiator and in the 2nd rekey it was responder. Is it that Linux instantaneously uses the new SPI only if it initiates the rekey, and not vice versa? In that case, what is the MM SA lifetime in the Linux and Windows policies that you are using?
    Friday, April 13, 2012 8:42 PM