gif interface with IPSec spontaneously stopping working

Chris Martin outsidefactor at
Fri Jan 7 07:53:57 PST 2005

I have two machines on a community wireless network with static IP addresses.
These machines are used to form a VPN over the CWN, providing a secure
routed path between two private networks. To secure the link I am using gif
interfaces at each end to form the tunnel, and then we are using IPsec with
a pre-shared key.

This link seems very stable for a couple of days, but then it will just stop
without any warning or errors. When I do a tcpdump at the physical
interface (not the virtual gif interface) I see the ISAKMP messages being
exchanged between the racoon daemons on each box:

02:20:20.948965 > isakmp: phase 1 I agg: [|sa]
02:20:20.966082 > isakmp: phase 1 R agg: [|sa]
02:20:21.036640 > isakmp: phase 1 I
    (hash: len=20)
02:20:21.065342 > isakmp: phase 2/others I oakley-quick[E]: [encrypted hash]
02:20:21.069884 > isakmp: phase 2/others R oakley-quick[E]: [encrypted hash]
02:20:21.077303 > isakmp: phase 2/others I oakley-quick[E]: [encrypted hash]

But then the data doesn't start to flow. If I go and destroy the gif
interface and then re-create it with the same settings it comes back
straight away, and I see the exact same pattern of isakmp packets. 

Can anyone suggest what could be wrong? The machines are running 5.2.1 p9
and p11 (I am building the world and kernel for 5.3 on each box now), but
assuming an upgrade to 5.3 doesn't resolve the issue, where can I start with
the investigation to find why the interface is dropping out? Is there a way
to get error logging or diagnostics out of gif interfaces? Does it sound
more like an interface or IPsec issue?

I hope someone can help!


Chris Martin

More information about the freebsd-questions mailing list
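
Added example, not part of the original post: a short Python check that the ISAKMP lines in the capture above form a complete phase 1 (aggressive mode) and phase 2 (quick mode) exchange, three messages each in the order initiator, responder, initiator. The function names and the rejoined capture text are this example's own, and matching on message direction is a heuristic.

```python
import re

# The six ISAKMP lines from the post, with the mail line wraps rejoined.
# Addresses are absent because the archived post had already lost them.
CAPTURE = """\
02:20:20.948965 > isakmp: phase 1 I agg: [|sa]
02:20:20.966082 > isakmp: phase 1 R agg: [|sa]
02:20:21.036640 > isakmp: phase 1 I (hash: len=20)
02:20:21.065342 > isakmp: phase 2/others I oakley-quick[E]: [encrypted hash]
02:20:21.069884 > isakmp: phase 2/others R oakley-quick[E]: [encrypted hash]
02:20:21.077303 > isakmp: phase 2/others I oakley-quick[E]: [encrypted hash]
"""

# Timestamp, then "isakmp: phase <1|2/others> <I|R>" anywhere later on the line.
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)\s.*?isakmp: phase (\S+) ([IR])\b")

# Assumption: aggressive mode for phase 1 (as in the capture) and quick mode
# for phase 2; both are three-message exchanges: initiator, responder, initiator.
EXPECTED = {"1": ["I", "R", "I"], "2/others": ["I", "R", "I"]}


def parse(text):
    """Return {phase: [(timestamp, direction), ...]} for the ISAKMP lines."""
    phases = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, phase, direction = m.groups()
            phases.setdefault(phase, []).append((ts, direction))
    return phases


def summarize(text):
    """Label each phase 'complete', 'incomplete' or 'missing'."""
    phases = parse(text)
    result = {}
    for phase, want in EXPECTED.items():
        seq = []
        for _, direction in phases.get(phase, []):
            # Collapse retransmissions: repeated sends from the same side.
            if not seq or seq[-1] != direction:
                seq.append(direction)
        if not seq:
            result[phase] = "missing"
        elif seq[:len(want)] == want:
            result[phase] = "complete"
        else:
            result[phase] = "incomplete"
    return result


if __name__ == "__main__":
    for phase, state in summarize(CAPTURE).items():
        print(f"phase {phase}: {state}")
```

Both phases report complete for the posted capture. The message pattern alone cannot show whether the negotiated SAs were installed or used, because the payloads are encrypted.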