Any IPSEC experts out there?
Router A IPSEC SA expires (seconds or KB), and in doing so, sends Quick Mode packets to Router B, to which Router B does not reply. Since presumably Router A is changing the SPI, now Router B is sending traffic which is blackholed. Quick Mode works fine if done immediately after Main Mode (clearing the tunnel for example, or a hard reboot on Router B). But any time Router A lifetime (seconds or KB) expires, these Quick Mode messages get no response from Router B. Router B debug shows it is receiving QM packets, but also shows "quick mode failed."
Any idea why Quick Mode would fail in the context of a lifetime re-key, but work fine as part of the Main Mode Phase 1 --> Quick Mode Phase 2 transition?
I am also having a hard time finding "normal" behavior for this re-key - is it normal to just send QM packes as part of an IPSEC lifetime re-key? Or should it enter Main Mode again?
No comments:
Post a Comment