You've discovered the security association idle timeout. When you restart
host B, host A has no knowledge of this. So it's still
trying to communicate using the security association it already has --
which, of course, is invalid because host B's side of the security
association no longer exists. By default, the idle timer waits five
minutes before it decides that an SA is no longer valid. The stack then
tries for one more minute to communicate to the other peer before tearing
down the SA. That's why you're seeing the six-minute delay. Once host A
tears down the SA, then host A and host B will re-establish a new SA with
each other.
There's a registry setting you can twiddle to change the idle time. In
Regedit, navigate to HKLM\SYSTEM\CurrentControlSet\Services\IPsec. Add a
new DWORD value called SAIdleTime. Enter the number of seconds you want
the idle timer to wait. The default is 300 (five minutes), which is also
the minimum value, so alas you can't reduce the idle time.
The good news is that in Vista and Server 2008, this behavior has changed. In
your scenario, the stack in host A will detect that something is amiss
because it's retransmitting unacknowledged packets (unacknowledged because
host B is down). The stack will tear down the prior SA and then attempt to
establish a new one. This is a lot better than relying on idle timeouts.
--
Steve Riley
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com
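As an added illustration of the registry setting described above (not code from the thread or from Microsoft), the script below reads the current SAIdleTime, reports the expected window during which a peer keeps using a stale SA, and sets a new value while enforcing the 300-second minimum. It assumes the key path and value name from the post and the 60-second retry period mentioned there; the function names are my own.

```powershell
# Added example: inspect and adjust the IPsec SA idle timer on Windows XP/2003.
# Assumptions: key path and value name as given in the post; the stack retries
# for 60 s after the idle timer fires before tearing the SA down.
$IPsecKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\IPsec'
$DefaultIdle   = 300   # seconds; default and, per the post, also the minimum
$TeardownGrace = 60    # seconds of retransmission before the stale SA is dropped

function Get-IPsecSAIdleTime {
    # Returns the configured SAIdleTime, or the default when the value is absent
    # (a fresh install has no SAIdleTime value at all).
    $item = Get-ItemProperty -Path $IPsecKey -Name 'SAIdleTime' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $DefaultIdle }
    return [int]$item.SAIdleTime
}

function Get-IPsecSAOutageWindow {
    # Worst-case seconds a host keeps sending on a dead SA after its peer vanishes:
    # idle timer plus the retry period, which is the ~6 minutes seen in the thread.
    param([int]$IdleSeconds = (Get-IPsecSAIdleTime))
    return $IdleSeconds + $TeardownGrace
}

function Set-IPsecSAIdleTime {
    # Writes a new SAIdleTime (DWORD, seconds). Values below the minimum are
    # rejected here rather than silently ignored by the stack.
    param([Parameter(Mandatory = $true)][int]$Seconds)
    if ($Seconds -lt $DefaultIdle) {
        throw "SAIdleTime cannot be lower than $DefaultIdle seconds (the minimum)."
    }
    if (-not (Test-Path $IPsecKey)) { New-Item -Path $IPsecKey -Force | Out-Null }
    New-ItemProperty -Path $IPsecKey -Name 'SAIdleTime' -PropertyType DWord `
                     -Value $Seconds -Force | Out-Null
    # The thread does not say when the new value takes effect; confirm with the
    # IP Security Monitor snap-in after changing it.
}

$idle = Get-IPsecSAIdleTime
"SAIdleTime = $idle s; expect up to $(Get-IPsecSAOutageWindow $idle) s of traffic on a stale SA after a peer crash."
```

Run from an elevated prompt; raising the value only lengthens the outage, which is why the Vista/2008 retransmission-based detection is the real fix.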
PersoThales said:
Thanks Steve.
When I say "after a restart of computer B", that is not exactly what happens.
I switch computer B off with the power switch to simulate a breakdown, and
then restart host B.
I found the links below which talk about timeouts:
http://support.microsoft.com/default.aspx/kb/306677/en-us
http://support.microsoft.com/kb/821839/en-us
From what I have seen it is not unusual to see some lag after a startup
possibly due to negotiation of IPsec SAs. You might try using the MMC
snap-in for IP Security Monitor to get more details on what is going on
between the computers. There is also a Microsoft newsgroup dedicated to
ipsec. You can also configure your computers to do advanced logging for
ipsec if you want more details of the ipsec processes. The link below
explains more.
Steve
http://www.securityfocus.com/infocus/1526
http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/ipsecch7.mspx
--- Troubleshooting ipsec
Hi,
I've a network with 5 hosts (Windows XP Pro SP2) which are connected on a
switch.
The firewall is stopped.
I've used ipseccmd to declare the ipsec strategies.
For example:
on host A:
ipseccmd -f 192.168.1.1+192.168.1.2 -n esp[3des,sha] -a p:"test" -1p -lan -w reg -p "ipsec strategy" -r "host A to host B" -x
on host B:
ipseccmd -f 192.168.1.2+192.168.1.1 -n esp[3des,sha] -a p:"test" -1p -lan -w reg -p "ipsec strategy" -r "host B to host A" -x
I've used wireshark to verify that the host-to-host communications are
encrypted and all is ok.
But after a restart of computer B, communication between host A and
host B is not possible for approximately 6 minutes.
Thanks for your responses