
IPSEC with DrayTek Vigor 2500 ADSL router

The Problem

A VPN between a Linux box (kernel 2.6.12 IPSEC, Racoon 0.6.1) and a DrayTek Vigor 2500 (firmware 2.51) sometimes stops working and then resumes on its own after a while (a few minutes).

Problem tracing

The default IKE phase 2 key lifetime on the Vigor is 3600 seconds (LAN-to-LAN Profile Setup, Advance options). The DrayTek router automatically negotiates a new Security Association after about 2800 seconds:

Nov 14 22:06:41 xxx.xxx.xxx.xxx Vigor: Start IKE Quick Mode to 217.19.150.8
Nov 14 22:06:42 xxx.xxx.xxx.xxx Vigor: IPsec SA established with 217.19.150.8

This coincides with the VPN tunnel no longer working:

2005-11-14 22:06:40 OK ping 192.168.21.10
2005-11-14 22:06:41 OK ping 192.168.21.10
2005-11-14 22:06:52 FAIL ping 192.168.21.10
2005-11-14 22:07:03 FAIL ping 192.168.21.10
...

This is because the Vigor has discarded the old SA while Racoon still uses it:

# setkey -D
217.19.150.87 217.19.150.8
        esp mode=tunnel spi=49757931(0x02f73eeb) reqid=16387(0x00004003)
        ...
217.19.150.87 217.19.150.8
        esp mode=tunnel spi=166737123(0x09f034e3) reqid=16387(0x00004003)
        ...
217.19.150.8 217.19.150.87
        esp mode=tunnel spi=3280408116(0xc3870e34) reqid=16386(0x00004002)
        ...
217.19.150.8 217.19.150.87
        esp mode=tunnel spi=3280408115(0xc3870e33) reqid=16386(0x00004002)
        ...

When Racoon considers the old SA expired, the VPN starts working again.

Racoon then tries to delete the old SA with the peer DrayTek router (which fails, since the Vigor no longer has such an SA); after a timeout the old SA is removed from the database.
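As an added example (not part of the original page), the following Python script parses `setkey -D` output and flags any direction that holds more than one SA, which is exactly the situation shown above after the Vigor has rekeyed. The sample input reuses the addresses and SPIs from the excerpt; the extra lines are constructed.

```python
import re
from collections import defaultdict

# Sample `setkey -D` output, modelled on the excerpt above (addresses and
# SPIs as shown there; the "E:" algorithm lines are constructed filler).
SAMPLE_SETKEY_D = """\
217.19.150.87 217.19.150.8
\tesp mode=tunnel spi=49757931(0x02f73eeb) reqid=16387(0x00004003)
\tE: 3des-cbc  ...
217.19.150.87 217.19.150.8
\tesp mode=tunnel spi=166737123(0x09f034e3) reqid=16387(0x00004003)
\tE: 3des-cbc  ...
217.19.150.8 217.19.150.87
\tesp mode=tunnel spi=3280408116(0xc3870e34) reqid=16386(0x00004002)
217.19.150.8 217.19.150.87
\tesp mode=tunnel spi=3280408115(0xc3870e33) reqid=16386(0x00004002)
"""

# An SA entry opens with an unindented "src dst" line ...
SAD_HEADER = re.compile(r'^(\S+)\s+(\S+)\s*$')
# ... followed by an indented line with protocol, mode, SPI and reqid.
SA_LINE = re.compile(
    r'^\s+(esp|ah)\s+mode=(\w+)\s+spi=(\d+)\(0x[0-9a-f]+\)\s+reqid=(\d+)')


def parse_sad(text):
    """Return (src, dst, proto, mode, spi, reqid) tuples from `setkey -D` output."""
    entries = []
    src = dst = None
    for line in text.splitlines():
        m = SAD_HEADER.match(line)
        if m:
            src, dst = m.groups()
            continue
        m = SA_LINE.match(line)
        if m and src is not None:
            proto, mode, spi, reqid = m.groups()
            entries.append((src, dst, proto, mode, int(spi), int(reqid)))
    return entries


def find_duplicate_sas(entries):
    """Group SAs by (src, dst, proto, reqid) and return the groups with more
    than one SPI: two SAs for one direction means the peer has rekeyed while
    the old SA is still in the SAD and may still be chosen for traffic."""
    by_dir = defaultdict(list)
    for src, dst, proto, _mode, spi, reqid in entries:
        by_dir[(src, dst, proto, reqid)].append(spi)
    return {k: v for k, v in by_dir.items() if len(v) > 1}
```

Run it against live output with `subprocess.check_output(["setkey", "-D"], text=True)` in place of the sample; an empty result from `find_duplicate_sas` means no stale SA is lingering.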

doc/appunti/linux/sa/ipsec_draytek.txt · Last modified: 2005/11/15 12:29 by 127.0.0.1