Racoon site-to site

Mike Tancsa mike at sentex.net
Thu Dec 17 16:34:08 UTC 2009


At 02:50 AM 12/15/2009, Jon Otterholm wrote:

>On 2009-12-11 20.23, "Mike Tancsa" <mike at sentex.net> wrote:
> >
> >
> > You might also want to turn on DPD (dead peer
> > detection) in ipsectools if you don't already have
> > it on both sides.  Are you really using des for
> > the crypto ? Also, when the session is
> > negotiated, take a look at the output of
> > setkey -D
> > and see what was actually negotiated and post it
> > here (just make sure you get rid of the info on the E and A lines.
> >
> > e.g.
> > 1.1.1.2 2.2.2.2
> >          esp mode=tunnel spi=125444787(0x077a22b3) reqid=16416(0x00004020)
> >          E: 3des-cbc  770cdd7b 770cdd7b 770cdd7b 770cdd7b 770cdd7b 770cdd7b
> >          A: hmac-sha1  5cfdbabb 5cfdbabb 5cfdbabb 5cfdbabb 5cfdbabb
> >
> > i.e. mask out the 5cfdbabb and 770cdd7b values
> > before posting as that's your crypto :)
> >
> >
>
>Here is output from setkey -D when we lost connection:
>
>localip remoteip
>         esp mode=tunnel spi=989823717(0x3aff82e5) reqid=0(0x00000000)
>         E: des-cbc  x x
>         A: hmac-md5  x x x x
>         seq=0x000009ac replay=4 flags=0x00000000 state=mature
>         created: Dec 15 07:57:41 2009   current: Dec 15 08:26:04 2009
>         diff: 1703(s)   hard: 3600(s)   soft: 2880(s)
>         last: Dec 15 08:26:03 2009      hard: 0(s)      soft: 0(s)
>         current: 400400(bytes)  hard: 0(bytes)  soft: 0(bytes)
>         allocated: 2476 hard: 0 soft: 0
>         sadb_seq=1 pid=23175 refcnt=2
>remoteip remoteip
>         esp mode=tunnel spi=117094840(0x06fab9b8) reqid=0(0x00000000)
>         E: des-cbc  x x
>         A: hmac-md5  x x x x
>         seq=0x00000b73 replay=4 flags=0x00000000 state=mature
>         created: Dec 15 07:57:41 2009   current: Dec 15 08:26:04 2009
>         diff: 1703(s)   hard: 3600(s)   soft: 2880(s)
>         last: Dec 15 08:25:37 2009      hard: 0(s)      soft: 0(s)
>         current: 2960978(bytes) hard: 0(bytes)  soft: 0(bytes)
>         allocated: 2931 hard: 0 soft: 0
>         sadb_seq=0 pid=23175 refcnt=1


The state looks good (mature).  It would be useful to see what the 
other side thinks is going on.  3 different things to try when it's down.

racoonctl vpn-disconnect remoteip
... where remoteip is the public IP of the endpoint and then generate 
some traffic and see if things are re-established.

setkey -F

to flush the associations on this side... and again, generate some traffic.


Another thing to try is
sysctl -w net.key.preferred_oldsa=0
setkey -F
restart racoon
and then see if the hangs still happen.  But you should try and get 
some debugging info from the other side to see what state things are 
in when the tunnel fails.   In general, I have found setting 
net.key.preferred_oldsa=0 important when inter-operating with other 
platforms.   Also, check and make sure you have dpd compiled into 
ipsectools and make sure it is enabled.

         ---Mike




--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike at sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike
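The two things asked for in this thread, masking the E:/A: key words before a `setkey -D` dump is posted and reading the state, algorithms and lifetimes out of it, as a small Python script. This is an added example, not code from the thread or from ipsec-tools; the dump it parses is a constructed sample in the same layout, and the "weak algorithm" list is an assumption of the example.

```python
import re
# Constructed sample in the layout of the `setkey -D` dumps quoted in the thread; the
# hex words after E:/A: stand in for real key material (assumed values, not a real dump).
SAMPLE = """\
localip remoteip
        esp mode=tunnel spi=989823717(0x3aff82e5) reqid=0(0x00000000)
        E: des-cbc  770cdd7b 770cdd7b
        A: hmac-md5  5cfdbabb 5cfdbabb 5cfdbabb 5cfdbabb
        seq=0x000009ac replay=4 flags=0x00000000 state=mature
        diff: 1703(s)   hard: 3600(s)   soft: 2880(s)
"""
HEX_WORD = re.compile(r"\b[0-9a-f]{8}\b")
WEAK_ALGS = {"des-cbc", "hmac-md5"}   # single DES and HMAC-MD5 are not recommended today

def redact_keys(text):
    """Mask the key words on E:/A: lines so a dump can be posted to a list safely."""
    return "\n".join(HEX_WORD.sub("x", ln) if ln.lstrip().startswith(("E:", "A:")) else ln
                     for ln in text.splitlines())

def parse_sas(text):
    """Return one dict per SA: endpoints, SPI, algorithms, state and lifetimes in seconds."""
    sas = []
    for ln in text.splitlines():
        s = ln.strip()
        if not s: continue
        if not ln[0].isspace():                # an unindented line is "src dst"
            src, dst = s.split()
            sas.append({"src": src, "dst": dst})
            continue
        sa = sas[-1]
        if s.startswith(("esp", "ah")):
            sa["proto"], sa["spi"] = s.split()[0], int(re.search(r"spi=(\d+)", s).group(1))
        elif s.startswith("E:"):
            sa["enc"] = s.split()[1]
        elif s.startswith("A:"):
            sa["auth"] = s.split()[1]
        elif "state=" in s:
            sa["state"] = re.search(r"state=(\w+)", s).group(1)
        elif s.startswith("diff:"):            # diff/hard/soft lifetimes on one line
            sa.update({k: int(v) for k, v in re.findall(r"(\w+): (\d+)\(s\)", s)})
    return sas

def check_sa(sa):
    """Flag what the thread asks about: non-mature state, weak algorithms, lifetime position."""
    findings = []
    if sa.get("state") != "mature":
        findings.append("state is %s, not mature" % sa.get("state"))
    findings += ["weak algorithm " + a for a in (sa.get("enc"), sa.get("auth")) if a in WEAK_ALGS]
    if sa.get("soft") and sa.get("diff", 0) >= sa["soft"]:
        findings.append("past soft lifetime, a rekey should already be under way")
    return findings
```

Run it over the output of `setkey -D` on both endpoints and compare SPIs, algorithms and lifetimes side by side; an SA that is present on one side only, or past its soft lifetime without a replacement, is the kind of detail the thread is asking the other end for.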


