[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

(racoon 577) RE: UDP protocol

To: racoon@kame.net
Subject: (racoon 577) RE: UDP protocol
From: Vipul Lugade <vlugade@sunmail.west-cryptek.com>
Date: Thu, 15 Jul 2004 09:22:42 -0700
Delivered-to: racoon-archive@kame.net
Delivered-to: racoon-outgo@kame.net
Delivered-to: racoon@kame.net
Importance: Normal
In-reply-to: <20040715051531.85262.qmail@web25204.mail.ukl.yahoo.com>
Reply-to: racoon@kame.net
Sender: owner-racoon@kame.net

Bill,

In regards to your questions.
1.  When we run multiple connections we are setting up x number of IP
aliases on the network.  Each of these aliases will negotiate a different
IKE SA.
2.  The test procedure is as follows:
	a.  Racoon is started.
 	b.  Each IP address attempts to send the first UDP packet to the
responder.
	c.  This first packet triggers ISAKMP negotiation between racoon and
our responder.  
	d.  Once ISAKMP is complete and an SA established, the first UDP
packet should be sent.
3.  Currently we are able to create up to 128 simultaneous IKE connections.
After this point racoon does not negotiate any more SA's.  We are hitting
the policy limit on the SPD as each IKE connection uses 4 policy entries (2
per direction for default policy and 2 per direction for port 500).

Vipul
 

-----Original Message-----
From: owner-racoon@kame.net [mailto:owner-racoon@kame.net] On Behalf Of Bill
Parera
Sent: Wednesday, July 14, 2004 10:16 PM
To: racoon@kame.net
Subject: (racoon 576) Re: UDP protocol

hi Vipul,

Can you tell how you are simulating different
connections(100+).
1.Are you using same IKE negotiation to create
different ipsec SA's or using different IKE SA's.
2.Can you describe what is your test procedure/setup
in detail?
3.Upto how many IKE connection you are able to ceate
at one go and what's the aprroximate time it takes.
4. Let's say if I get trigger for say 1k of IKE
negotiation will IKE be able to handle this.

I am new to this technology and just trying to
understand things.

TIA...
regards
Bill

--- Vipul Lugade <vlugade@sunmail.west-cryptek.com>
wrote: > Hey,
> 
>  
> 
> I'm trying to send UDP traffic over an IPSec
> connection negotiated by
> racoon.
> 
> Sometimes the initial UDP packet is lost while
> ISAKMP is being negotiated.
> Right now we resend the initial UDP packet after 5
> seconds if no response is
> seen.  
> 
> Is there a better way to detect when the kernel
> finally sends the encrypted
> UDP packet.
> 
>  
> 
> FYI, our protocol works great when we are running a
> single connection.  When
> we attempt to create multiple connections (100+) we
> see problems noted above
> with one or two of the connections.
> 
>  
> 
> We are running FreeBSD 5.2.1 and racoon 2004.04.16.
> 
>  
> 
> Thanks,
> 
>  
> 
> Vipul
> 
>  


	
	
		
___________________________________________________________ALL-NEW Yahoo!
Messenger - sooooo many all-new ways to express yourself
http://uk.messenger.yahoo.com

References:
- (racoon 576) Re: UDP protocol
  - From: Bill Parera <bill_parera@yahoo.co.uk>

Prev by Date: (racoon 576) Re: UDP protocol
Next by Date: (racoon 578) linux 2.6 - Racoon: failed to bind to link local IPv6 address
Previous by thread: (racoon 576) Re: UDP protocol
Next by thread: (racoon 585) Documentation for racoon implementation
Index(es):
- Date
- Thread