On Sat, Apr 16, 2011 at 12:47:57AM +1200, Shane Lazarus wrote:
> The question remains, how does the connection get torn down?
>
> Or, in another fashion, how does the OpenBSD IPSEC implementation tell the
> remote IPSEC implementation that the VPN is not currently required and to
> de-register the Active SA?
>
An SA has a lifetime and an optional byte limit, and the IKE/IKEv2 peer decides if it wants to renegotiate or drop the SA after this limit is reached. Smart, isn't it?

For example, the Windows 7 IKEv2 client tells the remote peer to delete any child SAs (phase 2 SAs) after expiration but does not negotiate new ones until new traffic is trying to flow. iked(8) just handles this fine.

AFAIK, OpenBSD isakmpd(8) tries to rekey expired phase 1 SAs by default but closes the connection if the peer doesn't respond... until another acquire message is received from the kernel or the peer comes around to say `hello'.

reyk
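A toy model of the child-SA behaviour described in the reply above (expiry by lifetime or byte limit, a DELETE on expiry, and renegotiation only when traffic triggers an acquire). This is an added illustration, not code from iked(8), isakmpd(8) or the thread; the class names, the 1h/1 MB limits and the event timeline are constructed for the example.

```python
"""Toy model of IPsec child-SA expiry by lifetime or byte limit, with
lazy renegotiation that happens only when traffic (a kernel 'acquire')
appears. Constructed example; not the iked(8)/isakmpd(8) implementation."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class ChildSA:
    spi: int
    created_at: float          # seconds
    lifetime: float            # seconds
    byte_limit: Optional[int]  # None = no byte limit
    bytes_used: int = 0

    def expired(self, now: float) -> bool:
        if now - self.created_at >= self.lifetime:
            return True
        return self.byte_limit is not None and self.bytes_used >= self.byte_limit

class LazyPeer:
    """Deletes expired child SAs but negotiates a new one only on traffic."""
    def __init__(self, lifetime: float, byte_limit: Optional[int] = None):
        self.lifetime = lifetime
        self.byte_limit = byte_limit
        self.sa: Optional[ChildSA] = None
        self.next_spi = 1
        self.log: list = []    # (event, spi) pairs, for inspection

    def tick(self, now: float) -> None:
        """Periodic expiry check: emit a DELETE for an expired SA, negotiate nothing."""
        if self.sa is not None and self.sa.expired(now):
            self.log.append(("delete", self.sa.spi))
            self.sa = None

    def send(self, nbytes: int, now: float) -> int:
        """Traffic wants to flow; with no usable SA this is the acquire that triggers negotiation."""
        self.tick(now)
        if self.sa is None:
            self.sa = ChildSA(self.next_spi, now, self.lifetime, self.byte_limit)
            self.log.append(("negotiate", self.sa.spi))
            self.next_spi += 1
        self.sa.bytes_used += nbytes
        return self.sa.spi

def simulate() -> list:
    """Constructed scenario: 1h lifetime, 1 MB byte limit."""
    p = LazyPeer(lifetime=3600, byte_limit=1_000_000)
    p.send(500_000, now=0)        # acquire -> negotiate SPI 1
    p.send(600_000, now=10)       # still SPI 1; 1.1 MB used now
    p.tick(now=20)                # byte limit hit -> DELETE SPI 1
    p.tick(now=3000)              # idle: no SA, nothing renegotiated
    p.send(100, now=5000)         # traffic again -> negotiate SPI 2
    p.tick(now=5000 + 3600)       # lifetime reached -> DELETE SPI 2
    return p.log
```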