IPSEC SA is torn down ...


I'm doing an IPSEC experiment using Windows XP SP2 and Redhat Fedora Core 3.
I'd like to ask two things.

1. IPSEC SA between two machines is torn down repeatedly. It seems to occur
after a 5 minute idle time on the SA. By viewing Oakley.log file, I notice
the message saying "QM deleted - Notify from driver". Is it due to the SA
idle time expiration? If so, how can I fix the problem on my XP SP2?

2. Racoon, which is the IKE daemon in Redhat FC3, seems not to understand
Informational Exchange message from the XP. Any experiences or comments on
this point are welcomed.
 
lee said:
I'm doing an IPSEC experiment using Windows XP SP2 and Redhat Fedora Core 3.
I'd like to ask two things.

1. IPSEC SA between two machines is torn down repeatedly. It seems to occur
after a 5 minute idle time on the SA. By viewing Oakley.log file, I notice
the message saying "QM deleted - Notify from driver". Is it due to the SA
idle time expiration? If so, how can I fix the problem on my XP SP2?

QM is Quick Mode. This is in opposition to Main Mode. Main Mode is used
initially to negotiate the encryption. Afterwards I believe when something
needs to be re-established after a certain amount of inactivity a Quick Mode
negotiation is performed. What is the SA idle time set to? If it expires then
the protocol should be creating another SA when it sees that it needs one. I
presume that when you run into this situation that no traffic beyond this point
is encrypted?
2. Racoon, which is the IKE daemon in Redhat FC3, seems not to understand
Informational Exchange message from the XP. Any experiences or comments on
this point are welcomed.

Can't help you here.

Brandon
 
Brandon McCombs said:
QM is Quick Mode.
Thanks.

This is in opposition to Main Mode. Main Mode is used
initially to negotiate the encryption. Afterwards I believe when something
needs to be re-established after a certain amount of inactivity a Quick Mode
negotiation is performed. What is the SA idle time set to?

I don't know it. Could you tell me how to get or disable the SA idle time? I
observe that as long as ping continues to send/receive packets, the two machines
do not lose the SA.
If it expires then
the protocol should be creating another SA when it sees that it needs one. I
presume that when you run into this situation that no traffic beyond this point
is encrypted?

The IPSEC SA on the XP is torn down, but the one on the Linux is still
alive. XP tries to establish another one in vain. So, no ping is possible.

Can't help you here.

Brandon

Thanks anyway.

Lee.
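For the Linux side of the setup discussed above, this is an added racoon.conf example (not from the thread, and not the posters' configuration) showing where racoon's Phase 1 (Main Mode) and Phase 2 (Quick Mode) SA lifetimes are set; the addresses, PSK path and algorithms are constructed placeholders.

```conf
# Added example, not the poster's config. Addresses and the PSK file path
# are placeholders.
path pre_shared_key "/etc/racoon/psk.txt";

# Fedora host (placeholder address) listening for IKE on UDP/500.
listen {
    isakmp 192.0.2.10 [500];
}

# Phase 1 (Main Mode) towards the XP peer at 192.0.2.20 (placeholder).
remote 192.0.2.20 {
    exchange_mode main;
    # ISAKMP SA lifetime; expiry triggers a new Main Mode, not a Quick Mode.
    lifetime time 8 hour;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

# Phase 2 (Quick Mode) parameters for the IPsec SAs.
sainfo anonymous {
    # IPsec SA lifetime. This is a time-based (or, with "lifetime byte",
    # traffic-based) limit, not an idle timer: racoon keeps the SA until it
    # runs out, which is why an SA the other peer dropped after inactivity
    # can still appear alive on this host.
    lifetime time 1 hour;
    pfs_group 2;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

On the Fedora host, `setkey -D` dumps the current IPsec SAs together with their lifetime counters, which is the quickest way to see whether the Linux side still holds an SA the XP side has already deleted.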
 