IPSEC connection drops and doesn't recover

VANHULLEBUS Yvan vanhu_bsd at zeninc.net
Tue Jul 31 10:53:36 UTC 2007


On Mon, Jul 30, 2007 at 08:52:25PM -0400, Isaac Kohen wrote:
> Hello,

Hi.


> I'm running 6.2-REL. My kernel is compiled with IPSEC, IPSEC_ESP, and
> IPSEC_DEBUG. I've installed ipsec-tools 0.6.7.
[.....]
> net.key.preferred_oldsa: 0

As Bjoern already said, you may resolve your problems by setting
net.key.preferred_oldsa=1, but I don't think that's your actual
problem (and setting it to 1 is usually a bad idea, except when you
have a peer that really requires it, usually an old and/or cheap
device).


[....]
> remote 69.119.56.96 {
>   exchange_mode main;
>   #doi ipsec_doi;
>   #situation identity_only;
>   my_identifier address 68.167.79.2;
>   peers_identifier address 69.119.56.96;
>   #verify_identifier on;
>   nonce_size 16;
>   #lifetime time 24 hour;

Is lifetime really commented out in your config ???


[.....]
> Jul 30 20:42:09 cj racoon: DEBUG: get pfkey ACQUIRE message

Ok, you get acquires from your kernel.

[....]
> Jul 30 20:42:14 cj racoon: DEBUG: ignore the acquire because ph2 found

That's because you got *lots* of acquires for the same peer.


> Jul 30 20:42:22 cj racoon: DEBUG: 100 bytes from 68.167.79.2[500] to
> 69.119.56.96[500]
> Jul 30 20:42:22 cj racoon: DEBUG: sockname 68.167.79.2[500]
> Jul 30 20:42:22 cj racoon: DEBUG: send packet from 68.167.79.2[500]
> Jul 30 20:42:22 cj racoon: DEBUG: send packet to 69.119.56.96[500]
> Jul 30 20:42:22 cj racoon: DEBUG: 1 times of 100 bytes message will be sent
> to 69.119.56.96[500]
> Jul 30 20:42:22 cj racoon: DEBUG:  1313a61e 4a85f592 00000000 00000000
> 01100200 00000000 00000064 0d000034 00000001 00000001 00000028 01010001
> 00000020 01010000 800b0001 800c7080 80010005 80030001 80020002 80040002
> 00000014 afcad713 68a1f1c9 6b8696fc 77570100
> Jul 30 20:42:22 cj racoon: DEBUG: resend phase1 packet
> 1313a61e4a85f592:0000000000000000

Racoon tries to establish a new phase1....

Wild guess:
Your peer negotiates the first time, and it works.
As you don't have lifetime specified, racoon just gets the peer's
lifetime.

When your phase1 expires, FreeBSD will be the first to want to
negotiate new SAs. When it needs to negotiate an IsakmpSA, the
negotiation will fail, probably because the peer wants a lifetime in
its proposal.

Have a look at your whole debug, find the debug lines from when the first
negotiation is done, and see what could make the negotiation work
one way but not the other.


If you don't find a problem, please send your whole debug (warning: it
may be quite big, and will include sensitive information if you log
DEBUG2) to ipsec-tools-users at lists.sourceforge.net, as your problem
really seems to be a racoon config problem.



Yvan.

-- 
NETASQ
http://www.netasq.com
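Added here as an illustration, not part of either message in the thread: a small decoder for the 100-byte phase 1 packet quoted from racoon's DEBUG output above, using the ISAKMP header, SA, proposal and transform layouts from RFC 2408/2409 (the attribute-name table is taken from RFC 2409 appendix A). Decoding the dump shows what this proposal actually carries, including the life_type/life_duration attributes (1 = seconds, 0x7080 = 28800 s) and the DPD vendor ID, which is exactly the sort of thing to compare against the dump of the first, successful negotiation.

```python
import struct

# Hex dump of racoon's phase 1 packet, copied from the DEBUG lines quoted above.
PHASE1_HEX = (
    "1313a61e 4a85f592 00000000 00000000 "
    "01100200 00000000 00000064 0d000034 00000001 00000001 00000028 01010001 "
    "00000020 01010000 800b0001 800c7080 80010005 80030001 80020002 80040002 "
    "00000014 afcad713 68a1f1c9 6b8696fc 77570100"
)
# ISAKMP phase 1 transform attribute types (RFC 2409 appendix A).
ATTR_NAMES = {1: "encryption", 2: "hash", 3: "auth_method", 4: "group", 11: "life_type", 12: "life_duration"}

def parse_header(pkt):
    """Decode the fixed 28-byte ISAKMP header (RFC 2408 section 3.1)."""
    icky, rcky, nxt, _ver, xchg, _flags, _msgid, length = struct.unpack("!8s8sBBBBII", pkt[:28])
    return {"initiator_cookie": icky.hex(), "responder_cookie": rcky.hex(),
            "next_payload": nxt, "exchange_type": xchg, "length": length}

def parse_attributes(data):
    """Decode SA attributes; bit 15 set means a 2-byte basic value (TV), otherwise TLV."""
    attrs, pos = {}, 0
    while pos < len(data):
        atype, aval = struct.unpack("!HH", data[pos:pos + 4])
        if atype & 0x8000:
            value, pos = aval, pos + 4
        else:
            value, pos = int.from_bytes(data[pos + 4:pos + 4 + aval], "big"), pos + 4 + aval
        attrs[ATTR_NAMES.get(atype & 0x7fff, atype & 0x7fff)] = value
    return attrs

def parse_phase1(hexdump):
    """Walk the payload chain; decode the SA payload (type 1) and vendor IDs (type 13)."""
    pkt = bytes.fromhex(hexdump.replace(" ", ""))
    hdr = parse_header(pkt)
    if hdr["length"] != len(pkt):
        raise ValueError("header says %d bytes, dump has %d" % (hdr["length"], len(pkt)))
    nxt, pos, payloads = hdr["next_payload"], 28, []
    while nxt != 0:
        pnext, _, plen = struct.unpack("!BBH", pkt[pos:pos + 4])
        body = pkt[pos + 4:pos + plen]
        if nxt == 1:  # SA: DOI, situation, then one proposal carrying one transform
            doi, _sit = struct.unpack("!II", body[:8])
            _, _, _, _pnum, proto, spisz, _ntr = struct.unpack("!BBHBBBB", body[8:16])
            t0 = 16 + spisz  # transform header follows the (here empty) SPI field
            _, _, tlen, _tnum, tid, _ = struct.unpack("!BBHBBH", body[t0:t0 + 8])
            payloads.append({"type": "SA", "doi": doi, "proto": proto, "transform_id": tid,
                             "attrs": parse_attributes(body[t0 + 8:t0 + tlen])})
        elif nxt == 13:
            payloads.append({"type": "VID", "vid": body.hex()})
        nxt, pos = pnext, pos + plen
    return {"header": hdr, "payloads": payloads}
```

Running parse_phase1(PHASE1_HEX) on the dump gives encryption 5 (3DES), hash 2 (SHA1), auth_method 1 (pre-shared key), group 2 and a life_duration of 28800 seconds.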


More information about the freebsd-net mailing list