A VPN between a Linux box (kernel 2.6.12 IPSEC, Racoon 0.6.1) and a DrayTek Vigor 2500 (firmware 2.51) sometimes stops working and restarts automatically after a while (some minutes).
The default IKE phase 2 key lifetime for the Vigor is 3600 seconds (LAN-to-LAN Profile Setup, Advance options). The DrayTek router automatically negotiate a new Security Association after about 2800 seconds:
Nov 14 22:06:41 xxx.xxx.xxx.xxx Vigor: Start IKE Quick Mode to 18.104.22.168 Nov 14 22:06:42 xxx.xxx.xxx.xxx Vigor: IPsec SA established with 22.214.171.124
This corresponds to a not longer working VPN tunnel:
2005-11-14 22:06:40 OK ping 192.168.21.10 2005-11-14 22:06:41 OK ping 192.168.21.10 2005-11-14 22:06:52 FAIL ping 192.168.21.10 2005-11-14 22:07:03 FAIL ping 192.168.21.10 ...
This because the Vigor discarded the old SA, while Racoon still uses it:
# setkey -D 126.96.36.199 188.8.131.52 esp mode=tunnel spi=49757931(0x02f73eeb) reqid=16387(0x00004003) ... 184.108.40.206 220.127.116.11 esp mode=tunnel spi=166737123(0x09f034e3) reqid=16387(0x00004003) ... 18.104.22.168 22.214.171.124 esp mode=tunnel spi=3280408116(0xc3870e34) reqid=16386(0x00004002) ... 126.96.36.199 188.8.131.52 esp mode=tunnel spi=3280408115(0xc3870e33) reqid=16386(0x00004002) ...
When Racoon IPSEC thinks that the old SA is expired, the VPN starts working again.
Then Racoon tries to revoke the old SA with the peer DrayTek router (which fails because of no such a SA found), after some timeout, the old SA is removed from the database.