IPsec phase 1 and 2 negotiation in an infinite loop.
Mike Tancsa
mike at sentex.net
Tue Sep 6 01:52:57 UTC 2011
On 9/5/2011 8:06 PM, Mikhail Goriachev wrote:
> Hi,
>
> Can anyone please comment/shed some light/give hints on the following?:
>
> I've got a VPN cranking between 8.2-RELEASE-p2 (my end) and an unknown
> appliance (the other party doesn't want to disclose specs). Everything
> works just fine and I had a stable and fully established connection for 4
> months without a problem. However, today the tunnel went down.
>
> I'm using FreeBSD's IPsec and ipsec-tools-0.8.0_2 (racoon). Everything's
> up to date. The thing is, according to tcpdump, it seems that both
> machines are trying to get beyond phases 1 and 2 in an infinite loop:
>
>
> 00:00:04.024146 00:11:22:33:44:55 > 55:44:33:22:11:00, ethertype IPv4
> (0x0800), length 378: 1.2.3.4.5.500 > 5.4.3.2.1.500: isakmp: phase 1
> I ident
> 00:00:01.800582 55:44:33:22:11:00 > 00:11:22:33:44:55, ethertype IPv4
> (0x0800), length 126: 5.4.3.2.1.500 > 1.2.3.4.5.500: isakmp: phase 1
> R ident
>
> Configuration files and logs are available on request.

Post a dozen lines of

    tcpdump -s0 -vvvv -ni <external int> port 500

as well as the racoon logs and config, as well as setkey -DP

---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/