Racoon site-to-site
Jon Otterholm
jon.otterholm at ide.resurscentrum.se
Fri Dec 11 11:16:50 PST 2009

On 11 Dec 2009 at 17:34, "David DeSimone" <fox at verio.net> wrote:
> Jon Otterholm <jon.otterholm at ide.resurscentrum.se> wrote:
>>
>> If I restart racoon or wait approximately 30 min the connection is
>> re-established.
>
> Since this is approximately ½ of the phase 2 lifetime, you are probably
> running into lifetime negotiation issues, or PFS issues.
>
>> What would be the obvious way to debug this?  Any suggestions on what
>> to tweak appreciated.
>
> I would turn up the debugging on racoon to get more information around
> the time that the tunnel fails.
>
>> sainfo  (address 192.168.1.0/24 any address 192.168.100.0/24 any)
>> {
>>    pfs_group       1;
>>    lifetime        time    3600 sec;
>>    encryption_algorithm    des;
>>    authentication_algorithm        hmac_md5,hmac_sha1;
>>    compression_algorithm   deflate;
>> }
>
> My hunch is that you have a PFS mismatch, so that the first tunnel
> negotiates, but the second SA negotiation fails, then the third
> succeeds, etc.
>
>
But would it not fail more often, then? I have set up a cron job to ping
a server on the private networks from the bad side every 2 minutes and
sometimes it works for days without a single failure.
What debug level would be suitable?
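One way to check David's rekey hypothesis against racoon's own syslog output, as an added example that is not code from either poster or from ipsec-tools: it parses the "IPsec-SA established/expired" INFO lines, reports every window in which a tunnel had no live phase 2 SA, and attaches the ERROR lines logged since that tunnel's last successful negotiation. The sample log is constructed, the message wording is assumed from ipsec-tools' racoon, and the regexes will need adjusting to your syslog prefix.

```python
"""Flag windows where a racoon phase 2 SA expired and no replacement was negotiated."""
import re
from datetime import datetime

# Syslog prefix plus racoon's message; timestamps carry no year, which is fine for deltas.
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ racoon: (INFO|ERROR): (.*)$")
SA = re.compile(r"IPsec-SA (established|expired): ESP/Tunnel (\S+)->(\S+) spi=(\d+)")

# Constructed sample shaped like racoon's INFO/ERROR lines (not a real capture): the
# second rekey is rejected, so the tunnel stays dark until a later retry succeeds.
SAMPLE_LOG = """\
Dec 10 10:00:01 gw racoon: INFO: IPsec-SA established: ESP/Tunnel 198.51.100.1[500]->203.0.113.1[500] spi=1000(0x3e8)
Dec 10 10:30:02 gw racoon: INFO: IPsec-SA established: ESP/Tunnel 198.51.100.1[500]->203.0.113.1[500] spi=1001(0x3e9)
Dec 10 11:00:01 gw racoon: INFO: IPsec-SA expired: ESP/Tunnel 198.51.100.1[500]->203.0.113.1[500] spi=1000(0x3e8)
Dec 10 11:00:03 gw racoon: ERROR: no suitable proposal found.
Dec 10 11:30:03 gw racoon: INFO: IPsec-SA expired: ESP/Tunnel 198.51.100.1[500]->203.0.113.1[500] spi=1001(0x3e9)
Dec 10 12:01:00 gw racoon: INFO: IPsec-SA established: ESP/Tunnel 198.51.100.1[500]->203.0.113.1[500] spi=1002(0x3ea)
"""


def find_rekey_gaps(log_text, min_gap=60):
    """Return (gaps, errors): gaps >= min_gap seconds with no live SA on a tunnel."""
    live, last_ok, dark_since = {}, {}, {}  # per-tunnel live SPIs / last success / dark start
    gaps, errors = [], []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m: continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        if m.group(2) == "ERROR":
            errors.append((ts, m.group(3)))
            continue
        sa = SA.search(m.group(3))
        if not sa: continue  # phase 1 (ISAKMP-SA) and other INFO lines are not tracked
        event, spi = sa.group(1), sa.group(4)
        tunnel = f"{sa.group(2)}->{sa.group(3)}"
        spis = live.setdefault(tunnel, set())
        if event == "established":
            if tunnel in dark_since:
                gap = (ts - dark_since.pop(tunnel)).total_seconds()
                if gap >= min_gap:
                    since = last_ok.get(tunnel, ts)
                    gaps.append({"tunnel": tunnel, "seconds": gap, "restored": ts,
                                 "errors": [msg for t, msg in errors if since <= t <= ts]})
            spis.add(spi)
            last_ok[tunnel] = ts
        else:
            spis.discard(spi)
            if not spis:  # last SA gone and nothing replaced it: tunnel is dark
                dark_since[tunnel] = ts
    return gaps, errors
```

Run it over `racoon`'s syslog output with `log debug` (or higher) enabled around the failure; a gap of roughly half the configured 3600 s lifetime with a proposal error attached points at a phase 2 proposal or PFS mismatch rather than at the network.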