Debugging dropped shell connections over a VPN

Paul Keusemann pkeusem at visi.com
Tue Jul 12 19:26:38 UTC 2011


On 07/07/11 14:39, Chuck Swiger wrote:
> On Jul 7, 2011, at 4:45 AM, Paul Keusemann wrote:
>> My setup is something like this:
>> - My local network is a mix of AIX, HP-UX, Linux, FreeBSD and Solaris machines running various OS versions.
>> - My gateway / firewall machine is running FreeBSD-8.1-RELEASE-p1 with ipfw, nat and racoon for the firewall and VPN.
>>
>> The problem is that rlogin, ssh and telnet connections over the VPN get dropped after some period of inactivity.
> You're probably getting NAT timeouts against the VPN connection if it is left idle.  racoon ought to have a config setting called natt_keepalive which sends periodic keepalives-- see whether that's disabled.
>
> Regards,

Thanks for the suggestions Chuck, sorry it's taken so long to respond 
but I had to reconfigure and rebuild my kernel to enable IPSEC_NAT_T in 
order to try this out.

One thing that I did not explicitly mention before is that I am routing 
a network over the VPN.

I did not previously have NAT-Traversal enabled nor was it configured in 
my kernel.  After reconfiguring, compiling and installing the new 
kernel, I added the following to the phase 1 configuration for my VPN:

         timer
         {
                 # Default is 20 seconds.
                 natt_keepalive 10 sec;
         }

         # Enable NAT traversal.
         #nat_traversal on;
         nat_traversal force;

         # Enable IKE fragmentation.
         ike_frag on;

         # Enable ESP fragmentation at 552 bytes.
         esp_frag 552;

The only immediately noticeable change is that I am no longer getting 
the following warnings at racoon startup:

         WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Invalid argument

I assume this is the result of adding IPSEC_NAT_T to the kernel config.  
My shell connections are still being dropped, so I'm pretty much back to 
square one.

So, any other ideas on how to debug this?

Anybody know how to get racoon to log everything to one file?  Right 
now, depending on the log level, I am getting messages in racoon.log 
(specified with -l at startup), messages and debug.log.  It would really 
be nice to have just one log to look at.

-- 
Paul Keusemann                    pkeusem at visi.com
4266 Joppa Court                  (952) 894-7805
Savage, MN  55378
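The post above ends by asking for a single log to look at, since racoon output ends up split across racoon.log (the -l file), messages and debug.log depending on log level. As an added example, not part of the original thread and not racoon's own tooling, the script below merges those three files into one time-ordered stream. It assumes the -l file uses racoon's "YYYY-MM-DD HH:MM:SS: " prefix and that the syslog files use the classic "Mon DD HH:MM:SS host prog: " prefix (syslog lines carry no year, so a year is supplied as a parameter); the sample lines are constructed for illustration, not taken from the original logs.

```python
import re
import sys
from datetime import datetime

# Assumed line formats (verify against your own files):
#   racoon -l log : "2011-07-12 14:26:38: INFO: <message>"
#   syslog files  : "Jul 12 14:26:38 gw racoon: INFO: <message>"
RACOON_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): (.*)$")
SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) \S+ (.*)$")


def parse_line(line, year):
    """Return (timestamp, text) for a recognised line, or None for anything else."""
    m = RACOON_RE.match(line)
    if m:
        return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)
    m = SYSLOG_RE.match(line)
    if m:
        stamp = f"{year} {m.group(1)} {m.group(2)} {m.group(3)}"
        return datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m.group(4)
    return None


def merge_logs(sources, year, only_racoon=True):
    """sources: dict of source name -> iterable of raw lines.

    Returns a list of (timestamp, source, text) sorted by time. Python's sort
    is stable, so lines with equal timestamps keep their per-file order.
    With only_racoon=True, syslog lines from other daemons (sshd etc.) are
    dropped; the -l file is always kept because it contains only racoon output.
    """
    events = []
    for name, lines in sources.items():
        for raw in lines:
            parsed = parse_line(raw.rstrip("\n"), year)
            if parsed is None:
                continue  # unparseable line (wrapped continuation, blank, etc.)
            ts, text = parsed
            if only_racoon and name != "racoon.log" and not text.startswith("racoon"):
                continue
            events.append((ts, name, text))
    events.sort(key=lambda e: e[0])
    return events


def format_events(events):
    """Render merged events as single-line records tagged with their source file."""
    return [f"{ts:%Y-%m-%d %H:%M:%S} [{src}] {text}" for ts, src, text in events]


# Constructed sample input: these lines are illustrative, not real captures.
SAMPLE = {
    "racoon.log": [
        "2011-07-12 14:26:38: INFO: ISAKMP daemon starting (constructed line)\n",
        "2011-07-12 14:26:40: INFO: ISAKMP-SA established (constructed line)\n",
    ],
    "messages": [
        "Jul 12 14:26:39 gw racoon: INFO: respond new phase 1 negotiation (constructed)\n",
        "Jul 12 14:26:39 gw sshd[1234]: Accepted publickey for paul (constructed)\n",
    ],
    "debug.log": [
        "Jul 12 14:26:41 gw racoon: DEBUG: NAT-T keepalive sent (constructed)\n",
    ],
}


def main(argv):
    # Usage: merge_racoon_logs.py YEAR racoon.log messages debug.log
    if len(argv) < 3:
        for line in format_events(merge_logs(SAMPLE, 2011)):
            print(line)
        return
    year = int(argv[1])
    sources = {path: open(path, errors="replace") for path in argv[2:]}
    # Key by basename so the racoon.log special case still applies.
    keyed = {path.rsplit("/", 1)[-1]: fh for path, fh in sources.items()}
    for line in format_events(merge_logs(keyed, year)):
        print(line)


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the merged constructed sample; with a year and file paths it merges the real files. The year argument matters when the syslog files roll over New Year, and the `only_racoon` filter is what keeps unrelated sshd chatter out of the merged view.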