[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

isakmpd SA recovery

To: misc_(_at_)_openbsd_(_dot_)_org
Subject: isakmpd SA recovery
From: tariq_rashid_(_at_)_lineone_(_dot_)_net
Date: Thu, 18 Oct 2001 10:01:59 +0100

I'd like your thoughts on this please:

Having finally constructed a "hub and spoke" or star-topology VPN using isakmpd (port to freebsd) where the endpoints have dynamically allocated public IPs, there are now up-time issues.

Consider the situation when one of the gateways at the end of a "spoke" or star vertex has its internet connection dropped. The gateway redials/reconnects and receives a new dynamic IP. Fine. It then successfully talks to the hub or central gateway and new SA's are created. Except that the hub-gateway still holds onto the old SA until a long timeout.

In fact, the whole vpn is not quite as robust until both the isakmpds on the spoke-gateway and the hub-gateway are restarted. This is obvisouly not a good solution. 

I realise there is a balance between having a smooth transition to a reconnecting spoke-gateway, and preventing DOS attacks on isakmpd. 

Any thoughts on this?

Prev by Date: Re: Hardware Hell -- Ethernet cards
Next by Date: ipnat/rdr problem
Previous by thread: Re: Hardware Hell -- Ethernet cards
Next by thread: ipnat/rdr problem
Index(es):
- Date
- Thread

Visit your host, monkey.org