IPSEC with DrayTek Vigor 2500 ADSL router
A VPN between a Linux box (kernel 2.6.12 IPSEC, Racoon 0.6.1) and a DrayTek Vigor 2500 (firmware 2.51) sometimes stops working and restarts automatically after a while (some minutes).
The default IKE phase 2 key lifetime for the Vigor is 3600 seconds (LAN-to-LAN Profile Setup, Advance options). The DrayTek router automatically negotiate a new Security Association after about 2800 seconds:
Nov 14 22:06:41 xxx.xxx.xxx.xxx Vigor: Start IKE Quick Mode to 220.127.116.11 Nov 14 22:06:42 xxx.xxx.xxx.xxx Vigor: IPsec SA established with 18.104.22.168
This corresponds to a not longer working VPN tunnel:
2005-11-14 22:06:40 OK ping 192.168.21.10 2005-11-14 22:06:41 OK ping 192.168.21.10 2005-11-14 22:06:52 FAIL ping 192.168.21.10 2005-11-14 22:07:03 FAIL ping 192.168.21.10 ...
This because the Vigor discarded the old SA, while Racoon still uses it:
# setkey -D 22.214.171.124 126.96.36.199 esp mode=tunnel spi=49757931(0x02f73eeb) reqid=16387(0x00004003) ... 188.8.131.52 184.108.40.206 esp mode=tunnel spi=166737123(0x09f034e3) reqid=16387(0x00004003) ... 220.127.116.11 18.104.22.168 esp mode=tunnel spi=3280408116(0xc3870e34) reqid=16386(0x00004002) ... 22.214.171.124 126.96.36.199 esp mode=tunnel spi=3280408115(0xc3870e33) reqid=16386(0x00004002) ...
When Racoon IPSEC thinks that the old SA is expired, the VPN starts working again.
Then Racoon tries to revoke the old SA with the peer DrayTek router (which fails because of no such a SA found), after some timeout, the old SA is removed from the database.