IPSEC rekey vs. Cisco ASA ... broken.

Zaphod Beeblebrox zbeeble at gmail.com
Fri Sep 30 15:48:36 UTC 2011

So... I've been diagnosing this problem with IPSEC on FreeBSD
interoperating against both a Cisco ASA and a set of FreeS/WAN
clients.  The configuration is that dozens of FreeS/WAN clients
connect to the FreeBSD IPSEC gateway --- FreeBSD uses Racoon to
authenticate and exchange keys with them.  This appears to work fine.

The FreeBSD IPSEC stack is then also talking to a remove Cisco ASA
with "unique" tunnels for 5 destination hosts.  This is working

The issue is: FreeBSD sees the rekey request as failing (so it
continues to use the old tunnel) and the ASA "seems" to see it
succeeding (it starts using a new tunnel after the rekey).

I'm a little bit at wit's end because we've tried to ask the Cisco to
not rekey (and just reset everything during a daily downtime), but the
cisco seems to insist on rekeying the tunnels.

Has anyone encountered anything like this?

More information about the freebsd-hackers mailing list