IPSEC connection drops and doesn't recover

Isaac Kohen ik1024 at gmail.com
Tue Jul 31 01:20:15 UTC 2007


Hello,

I'm running FreeBSD 6.2-RELEASE. My kernel is compiled with options IPSEC, IPSEC_ESP and
IPSEC_DEBUG, and I've installed ipsec-tools 0.6.7 (racoon and setkey) from ports.

I've had an OpenBSD ipsec/isakmpd VPN gateway for several years that recently died
from a hardware failure. I moved the configuration from isakmpd to racoon and can
connect successfully to all of the Linksys VPN "routers" I could reach before. The
problem is that after a few hours the connection drops and does not come back up
until I flush the SAD and SPD (setkey -F and setkey -FP) and restart racoon
(presumably followed by reloading /etc/ipsec.conf, since -FP empties the SPD and,
until the "require" policies below are back, nothing in the kernel prevents that
LAN-to-LAN traffic from leaving in the clear). The OpenBSD/isakmpd setup worked very
well, so I'm guessing the cheap Linksys boxes are not the cause.

I thought it was racoon at first, so I installed and ran isakmpd on FreeBSD using
the isakmpd.conf from the OpenBSD box that I knew worked, but the same problem
persisted.

Any help would be appreciated. In the racoon debug log at the end, racoon initiates
phase 1 to 69.119.56.96 and keeps resending the first main-mode packet with no reply
at all, while the kernel keeps issuing PFKEY ACQUIRE messages that racoon ignores
because a phase 2 handler is already pending — so the remote side appears to have
stopped answering IKE entirely rather than rejecting the proposal.

Here's some configuration info:

# sysctl -A|egrep 'ipsec|ah|esp|net.key'
net.inet.ipsec.stats: Format:S,ipsecstat Length:12448
Dump:0xb2950c00000000000000000000000000...
net.inet.ipsec.esp_trans_deflev: 1
net.inet.ipsec.esp_net_deflev: 1
net.inet.ipsec.ah_trans_deflev: 1
net.inet.ipsec.ah_net_deflev: 1
net.inet.ipsec.ah_cleartos: 1
net.inet.ipsec.ah_offsetmask: 0
net.inet.ipsec.dfbit: 0
net.inet.ipsec.ecn: 1
net.inet.ipsec.debug: 1
net.inet.ipsec.esp_randpad: -1
net.key.debug: 1
net.key.spi_trycnt: 1000
net.key.spi_minval: 256
net.key.spi_maxval: 268435455
net.key.larval_lifetime: 30
net.key.blockacq_count: 0
net.key.blockacq_lifetime: 20
net.key.esp_keymin: 256
net.key.esp_auth: 0
net.key.ah_keymin: 128
net.key.preferred_oldsa: 0
net.inet6.ipsec6.stats: Format:S,ipsecstat Length:12448
Dump:0x00000000000000000000000000000000...
net.inet6.ipsec6.esp_trans_deflev: 1
net.inet6.ipsec6.esp_net_deflev: 1
net.inet6.ipsec6.ah_trans_deflev: 1
net.inet6.ipsec6.ah_net_deflev: 1
net.inet6.ipsec6.ecn: 0
net.inet6.ipsec6.debug: 1
net.inet6.ipsec6.esp_randpad: -1

/etc/ipsec.conf:

# Outbound policy: 192.168.1.0/24 -> 192.168.5.0/24 must travel inside an ESP
# tunnel between the two gateway addresses. Level "require" means the kernel
# will not pass this traffic in the clear when no matching SA exists (see
# setkey(8)); a flush with "setkey -FP" removes this protection until the
# file is reloaded.
spdadd 192.168.1.0/24 192.168.5.0/24 any -P out ipsec
esp/tunnel/68.167.79.2-69.119.56.96/require;
# Inbound policy: mirror of the above for 192.168.5.0/24 -> 192.168.1.0/24,
# with the tunnel endpoints reversed.
spdadd 192.168.5.0/24 192.168.1.0/24 any -P in  ipsec
esp/tunnel/69.119.56.96-68.167.79.2/require;



/usr/local/etc/racoon/racoon.conf (using psk):
# ISAKMP padding handling. Note the values are all "off": the trailing
# comments below describe the option, not the effect of the chosen value.
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # padding length is NOT randomized here.
        strict_check off;       # padding contents are NOT strictly checked here.
        exclusive_tail off;     # last octet is NOT treated as a length field here.
}
# Bind IKE only to the public address, UDP/500.
listen
{
       isakmp 68.167.79.2 [500];
}
# Retransmission and negotiation timers. "counter" was raised from 5 to 10;
# per the log ("resend phase1 packet") this only widens the retry window, it
# does not change why the peer stops answering.
timer
{
        counter 10;             # was 5 maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.
        phase1 30 sec;
        phase2 20 sec;
}

# Phase 1 (IKEv1 main mode, pre-shared key) with the Linksys peer.
remote 69.119.56.96 {
  exchange_mode main;
  #doi ipsec_doi;
  #situation identity_only;
  my_identifier address 68.167.79.2;
  peers_identifier address 69.119.56.96;
  # NOTE(review): verify_identifier is left off, so the ID payload the peer
  # sends is not compared against peers_identifier above. Enabling it once the
  # tunnel is stable is a cheap sanity check on who you are keying with.
  #verify_identifier on;
  nonce_size 16;
  # NOTE(review): no explicit phase-1 lifetime, so racoon's default applies.
  # The drop is reported "after a few hours", i.e. plausibly around a rekey;
  # setting a lifetime that matches the Linksys side removes one variable.
  #lifetime time 24 hour;
  proposal {
    encryption_algorithm 3des;   # 3DES-CBC: dated, presumably what the Linksys offers.
    hash_algorithm sha1;
    authentication_method pre_shared_key ;
    dh_group 2 ;                 # MODP-1024: weak by current standards, common on SOHO gear.
  }
}

# Phase 2 (IPsec SA) parameters, one sainfo per direction.
# NOTE(review): compression_algorithm deflate proposes IPComp, but the SPD in
# ipsec.conf lists esp only; whether it is actually negotiated depends on the
# peer -- confirm from the phase-2 log lines before relying on it.
sainfo address 192.168.1.0/24 any address 192.168.5.0/24 any {
  pfs_group 2;
  #lifetime time 24 hour;       # NOTE(review): same lifetime caveat as phase 1.
  encryption_algorithm 3des ;
  authentication_algorithm hmac_sha1;
  compression_algorithm deflate ;
}

# Reverse direction; kept identical to the block above.
sainfo address 192.168.5.0/24 any address 192.168.1.0/24 any {
  pfs_group 2;
  #lifetime time 24 hour;       # NOTE(review): same lifetime caveat as phase 1.
  encryption_algorithm 3des ;
  authentication_algorithm hmac_sha1;
  compression_algorithm deflate ;
}




Jul 30 20:42:02 cj racoon: DEBUG: suitable inbound SP found:
192.168.5.0/24[0] 192.168.1.0/24[0] proto=any dir=in.
Jul 30 20:42:02 cj racoon: DEBUG: new acquire 192.168.1.0/24[0]
192.168.5.0/24[0] proto=any dir=out
Jul 30 20:42:02 cj racoon: DEBUG:  (proto_id=ESP spisize=4 spi=00000000
spi_p=00000000 encmode=Tunnel reqid=0:0)
Jul 30 20:42:02 cj racoon: DEBUG:   (trns_id=3DES encklen=0
authtype=hmac-sha)
Jul 30 20:42:02 cj racoon: DEBUG: configuration found for 69.119.56.96.
Jul 30 20:42:02 cj racoon: DEBUG: ===
Jul 30 20:42:02 cj racoon: DEBUG: new cookie: 1313a61e4a85f592
Jul 30 20:42:02 cj racoon: DEBUG: add payload of len 48, next type 13
Jul 30 20:42:02 cj racoon: DEBUG: add payload of len 16, next type 0
Jul 30 20:42:02 cj racoon: DEBUG: 100 bytes from 68.167.79.2[500] to
69.119.56.96[500]
Jul 30 20:42:02 cj racoon: DEBUG: sockname 68.167.79.2[500]
Jul 30 20:42:02 cj racoon: DEBUG: send packet from 68.167.79.2[500]
Jul 30 20:42:02 cj racoon: DEBUG: send packet to 69.119.56.96[500]
Jul 30 20:42:09 cj racoon: DEBUG: get pfkey ACQUIRE message
Jul 30 20:42:09 cj racoon: DEBUG2:  02060003 2f000000 6a030000 00000000
03000500 ff200000 10020000 44a74fe2 00000000 00000000 03000600 ff200000
10020000 45773860 00000000 00000000 02001200 02000200 88400000 00000000
25000d00 20000000 00070000 00000000 0001c001 00000000 01000000 01000000
00000000 00000000 00000000 00000000 000e0100 00000000 80510100 00000000
005a0000 00000000 80700000 00000000 000b0000 00000000 00010008 00000000
01000000 01000000 00000000 00000000 00000000 00000000 000e0100 00000000
80510100 00000000 005a0000 00000000 80700000 00000000 000c0000 00000000
00010001 00000000 01000000 01000000 00000000 00000000 00000000 00000000
000e0100 00000000 80510100 00000000 005a0000 00000000 80700000 00000000
00fa0000 00000000 00012001 00000000 01000000 01000000 00000000 00000000
00000000 00000000 000e0100 00000000 80510100 00000000 005a0000 00000000
80700000 00000000
Jul 30 20:42:09 cj racoon: DEBUG: ignore the acquire because ph2 found
Jul 30 20:42:14 cj racoon: DEBUG: get pfkey ACQUIRE message
Jul 30 20:42:14 cj racoon: DEBUG2:  02060003 2f000000 6a030000 00000000
03000500 ff200000 10020000 44a74fe2 00000000 00000000 03000600 ff200000
10020000 45773860 00000000 00000000 02001200 02000200 88400000 00000000
25000d00 20000000 00070000 00000000 0001c001 00000000 01000000 01000000
00000000 00000000 00000000 00000000 000e0100 00000000 80510100 00000000
005a0000 00000000 80700000 00000000 000b0000 00000000 00010008 00000000
01000000 01000000 00000000 00000000 00000000 00000000 000e0100 00000000
80510100 00000000 005a0000 00000000 80700000 00000000 000c0000 00000000
00010001 00000000 01000000 01000000 00000000 00000000 00000000 00000000
000e0100 00000000 80510100 00000000 005a0000 00000000 80700000 00000000
00fa0000 00000000 00012001 00000000 01000000 01000000 00000000 00000000
00000000 00000000 000e0100 00000000 80510100 00000000 005a0000 00000000
80700000 00000000
Jul 30 20:42:14 cj racoon: DEBUG: ignore the acquire because ph2 found
Jul 30 20:42:18 cj racoon: DEBUG: get pfkey ACQUIRE message
Jul 30 20:42:18 cj racoon: DEBUG2:  02060003 2f000000 6a030000 00000000
03000500 ff200000 10020000 44a74fe2 00000000 00000000 03000600 ff200000
10020000 45773860 00000000 00000000 02001200 02000200 88400000 00000000
25000d00 20000000 00070000 00000000 0001c001 00000000 01000000 01000000
00000000 00000000 00000000 00000000 000e0100 00000000 80510100 00000000
005a0000 00000000 80700000 00000000 000b0000 00000000 00010008 00000000
01000000 01000000 00000000 00000000 00000000 00000000 000e0100 00000000
80510100 00000000 005a0000 00000000 80700000 00000000 000c0000 00000000
00010001 00000000 01000000 01000000 00000000 00000000 00000000 00000000
000e0100 00000000 80510100 00000000 005a0000 00000000 80700000 00000000
00fa0000 00000000 00012001 00000000 01000000 01000000 00000000 00000000
00000000 00000000 000e0100 00000000 80510100 00000000 005a0000 00000000
80700000 00000000
Jul 30 20:42:18 cj racoon: DEBUG: ignore the acquire because ph2 found
Jul 30 20:42:22 cj racoon: DEBUG: 100 bytes from 68.167.79.2[500] to
69.119.56.96[500]
Jul 30 20:42:22 cj racoon: DEBUG: sockname 68.167.79.2[500]
Jul 30 20:42:22 cj racoon: DEBUG: send packet from 68.167.79.2[500]
Jul 30 20:42:22 cj racoon: DEBUG: send packet to 69.119.56.96[500]
Jul 30 20:42:22 cj racoon: DEBUG: 1 times of 100 bytes message will be sent
to 69.119.56.96[500]
Jul 30 20:42:22 cj racoon: DEBUG:  1313a61e 4a85f592 00000000 00000000
01100200 00000000 00000064 0d000034 00000001 00000001 00000028 01010001
00000020 01010000 800b0001 800c7080 80010005 80030001 80020002 80040002
00000014 afcad713 68a1f1c9 6b8696fc 77570100
Jul 30 20:42:22 cj racoon: DEBUG: resend phase1 packet
1313a61e4a85f592:0000000000000000
Jul 30 20:42:24 cj racoon: DEBUG: get pfkey ACQUIRE message
Jul 30 20:42:24 cj racoon: DEBUG2:  02060003 2f000000 6b030000 00000000
03000500 ff200000 10020000 44a74fe2 00000000 00000000 03000600 ff200000
10020000 45773860 00000000 00000000 02001200 02000200 88400000 00000000
25000d00 20000000 00070000 00000000 0001c001 00000000 01000000 01000000
00000000 00000000 00000000 00000000 000e0100 00000000 80510100 00000000
005a0000 00000000 80700000 00000000 000b0000 00000000 00010008 00000000
01000000 01000000 00000000 00000000 00000000 00000000 000e0100 00000000
80510100 00000000 005a0000 00000000 80700000 00000000 000c0000 00000000
00010001 00000000 01000000 01000000 00000000 00000000 00000000 00000000
000e0100 00000000 80510100 00000000 005a0000 00000000 80700000 00000000
00fa0000 00000000 00012001 00000000 01000000 01000000 00000000 00000000
00000000 00000000 000e0100 00000000 80510100 00000000 005a0000 00000000
80700000 00000000
Jul 30 20:42:24 cj racoon: DEBUG: ignore the acquire because ph2 found

