IPSEC rekey vs. Cisco ASA ... broken.
Zaphod Beeblebrox
zbeeble at gmail.com
Fri Sep 30 15:48:36 UTC 2011
So... I've been diagnosing this problem with IPSEC on FreeBSD
interoperating against both a Cisco ASA and a set of FreeS/WAN
clients. The configuration is that dozens of FreeS/WAN clients
connect to the FreeBSD IPSEC gateway --- FreeBSD uses Racoon to
authenticate and exchange keys with them. This appears to work fine.
The FreeBSD IPSEC stack is then also talking to a remote Cisco ASA
with "unique" tunnels for 5 destination hosts. This is working
poorly.
The issue is: FreeBSD sees the rekey request as failing (so it
continues to use the old tunnel) and the ASA "seems" to see it
succeeding (it starts using a new tunnel after the rekey).
I'm a little bit at wit's end because we've tried to ask the Cisco to
not rekey (and just reset everything during a daily downtime), but the
Cisco seems to insist on rekeying the tunnels.
Has anyone encountered anything like this?