FreeS/WAN is an implementation of IPSEC and IKE for Linux. It allows you to build secure tunnels through untrusted networks, where everything passing through the tunnel is encrypted, thus producing a Virtual Private Network, or VPN, a network that is private despite having machines at different locations connected by the insecure Internet.
RedCreek Communications produce a line of IPsec-based products that allow VPNs to be easily implemented. In a previous job I used FreeS/WAN to connect to a VPN otherwise based on the RedCreek Personal Ravlin product. Unfortunately it does not interoperate smoothly with FreeS/WAN.
In this page I describe the problem and provide a very small patch to FreeS/WAN 1.98b that enables it to work with a Personal Ravlin. Most of the patch - the part which copes with the zero lifetime SA negotiation - is the work of Nigel Metheringham.
Note that this patch and page are not up to date with current FreeS/WAN. I am no longer working at the establishment with the Ravlin VPN, and have no means (or reason) to keep the patch current and tested. I don't expect the patch to apply against FreeS/WAN versions after 1.98b, but am leaving this web page here to document the problem.
Also note that the patch should only be applied if you are having problems talking to Ravlin kit. I'm no IPsec expert, but I believe the Ravlin implementation shouldn't behave as it does. While I don't think the change in behaviour the patch makes will cause problems with other IPsec implementations, I'm in no position to test it.
When main mode (i.e. the ISAKMP SA) is renegotiated, Ravlin boxes appear to expect that a quick mode negotiation will follow immediately. If one doesn't begin in 5 seconds, the Ravlin assumes the last component of the main mode negotiation it sent to FreeS/WAN must have been lost, and retransmits it. FreeS/WAN quite properly notes that it has already seen this data and ignores it. After retrying using timeouts of increasing duration, the Ravlin will decide the main mode negotiation failed and delete its SAs.
Furthermore, Ravlin boxes have also been observed to negotiate a zero SA lifetime, which causes FreeS/WAN to bring the tunnel up and take it down immediately.
The patch is here. Apply it with
patch -p1 < ravlin.patch
in the top FreeS/WAN source directory. It only affects pluto, so you can just rebuild and reinstall that.
The patch was made against FreeS/WAN 1.98b. Previous versions require a different change. Contact me for details.
The patch does two things. First, it forces a quick mode renegotiation following every main mode negotiation. Secondly, it treats all durations of length zero as being of the default length.
The patch is the simplest possible, and is not perfect. In particular, if you are using the default key lifetimes then excess SAs will be accumulated and the link will eventually fail. This is because the extra SAs accumulate faster than they expire. I run with the following timeout settings in /etc/ipsec.conf which avoids this problem and gives me a stable link.
ikelifetime=4h
keylife=40m
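To see why the default lifetimes accumulate SAs under the patched behaviour while the settings above do not, here is a small model of the rekeying schedule. It is an added illustration, not code from the patch or from FreeS/WAN, and it assumes FreeS/WAN's documented defaults of ikelifetime=1h and keylife=8h, a forced quick mode at every ISAKMP renegotiation, and an SA that is torn down exactly keylife after creation (the rekey margin is ignored).

```python
# Simplified model of IPsec SA accumulation with a quick mode forced after
# every main mode (ISAKMP SA) renegotiation. Assumptions for illustration:
#   - a new IPsec SA is created at t=0 and at every multiple of ikelifetime;
#   - the newest IPsec SA is rekeyed when it reaches keylife;
#   - every IPsec SA is deleted keylife seconds after it was created.

def parse_duration(text):
    """Parse an ipsec.conf style duration such as '4h', '40m' or '5s' into seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    return int(text[:-1]) * units[text[-1]]


def simulate_sa_count(ikelifetime, keylife, horizon):
    """Return the peak number of IPsec SAs alive at once within `horizon` seconds."""
    creations = [0]                 # initial tunnel: main mode + quick mode at t=0
    next_forced = ikelifetime       # next main mode renegotiation, which forces a quick mode
    while True:
        next_rekey = creations[-1] + keylife   # ordinary rekey of the newest SA
        t = min(next_forced, next_rekey)
        if t > horizon:
            break
        creations.append(t)         # one new SA whichever event (or both) fired
        if t == next_forced:
            next_forced += ikelifetime
    # An SA created at c is alive for c <= t < c + keylife; the peak occurs at a creation time.
    return max(sum(1 for c in creations if c <= t < c + keylife) for t in creations)


if __name__ == "__main__":
    day = parse_duration("24h")
    # Assumed FreeS/WAN defaults: ikelifetime=1h, keylife=8h -> SAs pile up (8 alive).
    print("defaults:", simulate_sa_count(parse_duration("1h"), parse_duration("8h"), day))
    # Settings from this page: ikelifetime=4h, keylife=40m -> at most one SA alive.
    print("page settings:", simulate_sa_count(parse_duration("4h"), parse_duration("40m"), day))
```

With the defaults the forced SAs are created every hour but each lives eight hours, so eight pile up; with keylife shorter than ikelifetime each forced SA has already expired before the next one arrives.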