IPSEC with DrayTek Vigor 2500 ADSL router

The Problem

A VPN between a Linux box (kernel 2.6.12 IPSEC, Racoon 0.6.1) and a DrayTek Vigor 2500 (firmware 2.51) sometimes stops working and then recovers by itself after a while (some minutes).

Problem tracing

The default IKE phase 2 key lifetime for the Vigor is 3600 seconds (LAN-to-LAN Profile Setup, Advance options). The DrayTek router automatically negotiates a new Security Association after about 2800 seconds:

Nov 14 22:06:41 Vigor: Start IKE Quick Mode to
Nov 14 22:06:42 Vigor: IPsec SA established with

This coincides with the VPN tunnel no longer working:

2005-11-14 22:06:40 OK ping
2005-11-14 22:06:41 OK ping
2005-11-14 22:06:52 FAIL ping
2005-11-14 22:07:03 FAIL ping

This is because the Vigor has discarded the old SA, while Racoon still uses it (note the two SAs listed for each reqid):

# setkey -D
        esp mode=tunnel spi=49757931(0x02f73eeb) reqid=16387(0x00004003)
        esp mode=tunnel spi=166737123(0x09f034e3) reqid=16387(0x00004003)
        esp mode=tunnel spi=3280408116(0xc3870e34) reqid=16386(0x00004002)
        esp mode=tunnel spi=3280408115(0xc3870e33) reqid=16386(0x00004002)

When Racoon decides that the old SA has expired, the VPN starts working again.

Racoon then tries to delete the old SA on the peer DrayTek router (which fails, because the router no longer has such an SA); after a timeout the old SA is removed from the local SA database.
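The two checks described above (more than one SA in the same direction in the SAD, and a tunnel failure that begins right after a Vigor phase 2 rekey) can be scripted. The following is an added example, not code from this page, from DrayTek or from the ipsec-tools project. It assumes the `setkey -D` layout of ipsec-tools (a "src dst" line, the esp line, then a lifetime line with diff/hard/soft); the SPIs and reqids are the ones listed above, while the addresses 10.0.0.1 and 192.0.2.1, the lifetime values and the peer address in the Vigor log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of `setkey -D` output from ipsec-tools (assumed
# layout: a "src dst" line, the esp line, then a lifetime line). SPIs and reqids
# are the ones listed on the page; addresses and lifetimes are invented.
SETKEY_OUTPUT = """\
10.0.0.1 192.0.2.1
        esp mode=tunnel spi=49757931(0x02f73eeb) reqid=16387(0x00004003)
        diff: 2815(s)   hard: 3600(s)   soft: 2880(s)
10.0.0.1 192.0.2.1
        esp mode=tunnel spi=166737123(0x09f034e3) reqid=16387(0x00004003)
        diff: 12(s)     hard: 3600(s)   soft: 2880(s)
192.0.2.1 10.0.0.1
        esp mode=tunnel spi=3280408116(0xc3870e34) reqid=16386(0x00004002)
        diff: 2815(s)   hard: 3600(s)   soft: 2880(s)
192.0.2.1 10.0.0.1
        esp mode=tunnel spi=3280408115(0xc3870e33) reqid=16386(0x00004002)
        diff: 12(s)     hard: 3600(s)   soft: 2880(s)
"""

# Constructed log samples: the Vigor syslog lines and the ping log from the page,
# with an invented peer address in place of the one the page omits.
VIGOR_LOG = """\
Nov 14 22:06:41 Vigor: Start IKE Quick Mode to 10.0.0.1
Nov 14 22:06:42 Vigor: IPsec SA established with 10.0.0.1
"""
PING_LOG = """\
2005-11-14 22:06:40 OK ping
2005-11-14 22:06:41 OK ping
2005-11-14 22:06:52 FAIL ping
2005-11-14 22:07:03 FAIL ping
"""

HDR = re.compile(r"^(\S+)\s+(\S+)\s*$")
ESP = re.compile(r"esp mode=(\w+) spi=(\d+)\(0x[0-9a-f]+\) reqid=(\d+)")
LIFE = re.compile(r"diff:\s*(\d+)\(s\)\s+hard:\s*(\d+)\(s\)\s+soft:\s*(\d+)\(s\)")


def parse_setkey(text):
    """Return one dict per ESP SA: src, dst, mode, spi, reqid and, when the
    lifetime line is present, age/hard/soft in seconds."""
    sas, cur = [], None
    for line in text.splitlines():
        if not line.startswith((" ", "\t")):
            m = HDR.match(line)            # unindented line: "src dst" header
            cur = {"src": m.group(1), "dst": m.group(2)} if m else None
            continue
        m = ESP.search(line)
        if m and cur is not None:
            cur.update(mode=m.group(1), spi=int(m.group(2)), reqid=int(m.group(3)))
            sas.append(cur)
            continue
        m = LIFE.search(line)
        if m and cur is not None:
            cur.update(age=int(m.group(1)), hard=int(m.group(2)), soft=int(m.group(3)))
    return sas


def overlapping_sas(sas):
    """Directions (src, dst) carrying more than one SA, SPIs oldest first.
    The older entry is the one the peer may already have discarded."""
    groups = defaultdict(list)
    for sa in sas:
        groups[(sa["src"], sa["dst"])].append(sa)
    return {d: [s["spi"] for s in sorted(v, key=lambda s: s.get("age", 0), reverse=True)]
            for d, v in groups.items() if len(v) > 1}


def rekey_events(vigor_log, year):
    """Timestamps at which the Vigor started a new IKE Quick Mode (phase 2 rekey).
    The router's syslog lines carry no year, so the caller supplies it."""
    out = []
    for line in vigor_log.splitlines():
        m = re.match(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) Vigor: Start IKE Quick Mode", line)
        if m:
            out.append(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"))
    return out


def outage_starts(ping_log):
    """Timestamps of OK -> FAIL transitions in the ping log."""
    starts, prev_ok = [], True
    for line in ping_log.splitlines():
        date, time, status = line.split()[:3]
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        ok = status == "OK"
        if prev_ok and not ok:
            starts.append(ts)
        prev_ok = ok
    return starts


def correlate(rekeys, outages, window=timedelta(seconds=60)):
    """Pair each rekey with any outage that begins within `window` after it."""
    return [(r, o) for r in rekeys for o in outages if timedelta(0) <= o - r <= window]


if __name__ == "__main__":
    for direction, spis in overlapping_sas(parse_setkey(SETKEY_OUTPUT)).items():
        print("%s -> %s has %d SAs, oldest SPI 0x%08x" % (direction + (len(spis), spis[0])))
    for rekey, outage in correlate(rekey_events(VIGOR_LOG, 2005), outage_starts(PING_LOG)):
        print("rekey at %s, tunnel failed %ds later" % (rekey, (outage - rekey).seconds))
```

On a live host, feed `setkey -D` output into `parse_setkey` and the router's syslog into `rekey_events`; a direction that keeps two SAs while an outage starts seconds after a "Start IKE Quick Mode" line is the situation described on this page, and the `age` versus `hard` values show how far the stale SA is from being dropped locally.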

doc/appunti/linux/sa/ipsec_draytek.txt · Last modified: 2005/11/15 12:29 by