isakmpd SA recovery
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: isakmpd SA recovery
- From: tariq_rashid_(_at_)_lineone_(_dot_)_net
- Date: Thu, 18 Oct 2001 10:01:59 +0100
I'd like your thoughts on this please:
Having finally constructed a "hub and spoke" or star-topology VPN using isakmpd (port to freebsd) where the endpoints have dynamically allocated public IPs, there are now up-time issues.
Consider the situation when one of the gateways at the end of a "spoke" or star vertex has its internet connection dropped. The gateway redials/reconnects and receives a new dynamic IP. Fine. It then successfully talks to the hub or central gateway and new SAs are created. Except that the hub-gateway still holds onto the old SA until a long timeout.
In fact, the whole VPN is not quite as robust until both the isakmpds on the spoke-gateway and the hub-gateway are restarted. This is obviously not a good solution.
I realise there is a balance between having a smooth transition to a reconnecting spoke-gateway, and preventing DoS attacks on isakmpd.
Any thoughts on this?
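The stale-SA problem described in the post, modelled as an added example (this is illustration code, not isakmpd's implementation, and not code from the poster). It contrasts a hub SA table keyed by peer address, where a spoke that redials with a new IP looks like a brand-new peer and its old SA lingers until the lifetime expires, with a table keyed by the spoke's authenticated identity, where the new negotiation replaces the old SA at once. The per-identity replacement rate limit is one way to address the DoS balance the post mentions. The peer identity being an FQDN, the 3600 s lifetime and the 30 s minimum replacement interval are all assumptions for the example; the scenario in simulate() is constructed.

```python
"""Model of a hub gateway's SA table, keyed by peer address versus by peer identity.
Added illustration, not isakmpd code. Times are seconds passed in explicitly."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class SA:
    peer_id: str     # identity the spoke authenticated with (assumed: its FQDN)
    peer_ip: str     # address the spoke negotiated from
    created: float
    lifetime: float

    def alive(self, now: float) -> bool:
        return now < self.created + self.lifetime


class AddressKeyedTable:
    """Naive hub: one SA per peer address. A spoke that redials with a new IP
    looks like a new peer, so its old SA stays until its lifetime ends."""

    def __init__(self, lifetime: float = 3600.0):
        self.lifetime = lifetime
        self.sas: dict[str, SA] = {}

    def negotiate(self, peer_id: str, peer_ip: str, now: float) -> SA:
        sa = SA(peer_id, peer_ip, now, self.lifetime)
        self.sas[peer_ip] = sa
        return sa

    def live_sas_for(self, peer_id: str, now: float) -> list[SA]:
        return [s for s in self.sas.values() if s.peer_id == peer_id and s.alive(now)]


class IdentityKeyedTable:
    """Hub that keys SAs by authenticated identity. A negotiation from the same
    identity but a different address replaces the stale SA immediately, but
    replacements are rate-limited per identity (assumed 30 s) so a burst of
    negotiations cannot churn the table and tear down a working tunnel."""

    def __init__(self, lifetime: float = 3600.0, min_replace_interval: float = 30.0):
        self.lifetime = lifetime
        self.min_replace_interval = min_replace_interval
        self.sas: dict[str, SA] = {}
        self.last_replace: dict[str, float] = {}
        self.events: list[str] = []

    def negotiate(self, peer_id: str, peer_ip: str, now: float) -> SA | None:
        old = self.sas.get(peer_id)
        if old is not None and old.alive(now) and old.peer_ip != peer_ip:
            last = self.last_replace.get(peer_id)
            if last is not None and now - last < self.min_replace_interval:
                # Too soon after the last replacement: keep the current SA.
                self.events.append(f"refused replacement for {peer_id} from {peer_ip}")
                return None
            self.events.append(f"replaced SA for {peer_id}: {old.peer_ip} -> {peer_ip}")
            self.last_replace[peer_id] = now
        sa = SA(peer_id, peer_ip, now, self.lifetime)
        self.sas[peer_id] = sa
        return sa

    def live_sas_for(self, peer_id: str, now: float) -> list[SA]:
        sa = self.sas.get(peer_id)
        return [sa] if sa is not None and sa.alive(now) else []


def simulate() -> dict:
    """Constructed scenario: spoke negotiates, drops, redials with a new IP after
    10 minutes, then five more negotiations from fresh addresses within 5 s."""
    naive, keyed = AddressKeyedTable(), IdentityKeyedTable()
    t0 = 0.0
    for table in (naive, keyed):
        table.negotiate("spoke1.example", "203.0.113.10", t0)
        table.negotiate("spoke1.example", "203.0.113.77", t0 + 600)
    refused = 0
    for i in range(5):
        if keyed.negotiate("spoke1.example", f"198.51.100.{i + 1}", t0 + 601 + i) is None:
            refused += 1
    now = t0 + 700
    return {
        "naive_live": len(naive.live_sas_for("spoke1.example", now)),  # stale + new
        "keyed_live": len(keyed.live_sas_for("spoke1.example", now)),  # only the new one
        "refused": refused,
        "keyed_ip": keyed.sas["spoke1.example"].peer_ip,
    }


if __name__ == "__main__":
    print(simulate())
```

Refusing the burst keeps the currently working SA in place rather than letting the last arrival win; whether an authenticated peer should ever be refused is exactly the policy trade-off the post raises, and the interval is a tunable, not a recommendation.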