Date:      Fri, 6 Sep 2002 16:33:54 -0400 (EDT)
From:      Dru <dlavigne6@cogeco.ca>
To:        Tillman Hodgson <tillman@seekingfire.com>
Cc:        Mike Tancsa <mike@sentex.net>, <questions@FreeBSD.ORG>
Subject:   Re: IPSEC & routing w/o gif
Message-ID:  <20020906163002.B164-100000@x1-6-00-80-c8-3a-b8-46.kico2.on.cogeco.ca>
In-Reply-To: <20020906132649.A15029@seekingfire.com>



On Fri, 6 Sep 2002, Tillman Hodgson wrote:

> On Thu, Sep 05, 2002 at 11:28:57PM -0600, Tillman Hodgson wrote:
> > On Fri, Sep 06, 2002 at 01:04:51AM -0400, Mike Tancsa wrote:
> > > Have a look at the racoon.conf options, there might be a setting there I
> > > think.  But you might want to post the question and your config to the KAME
> > > list.  But I do remember reading about this on the LINUX FreeSwan page, so
> > > it might be some LINUX issue.  When the tunnel goes stale like that, what
> > > does setkey -D show ?
> >
> > It looks like this:
> >
> > [root@coyote root]# setkey -D
> > 24.72.10.212 24.72.31.206
> >         esp mode=tunnel spi=1426857889(0x550c1fa1) reqid=0(0x00000000)
> >         E: 3des-cbc  4f4e94e4 4732f5e3 ba9e7caa 67077d31 b2789394 83558afd
> >         A: hmac-md5  7bec6d6e 85cca86b 2aaae570 7e5e2db2
> >         seq=0x00000002 replay=4 flags=0x00000000 state=mature
> >         created: Sep  5 23:11:44 2002   current: Sep  5 23:22:06 2002
> >         diff: 622(s)    hard: 1800(s)   soft: 1440(s)
> >         last: Sep  5 23:22:02 2002      hard: 0(s)      soft: 0(s)
> >         current: 272(bytes)     hard: 0(bytes)  soft: 0(bytes)
> >         allocated: 2    hard: 0 soft: 0
> >         sadb_seq=1 pid=75928 refcnt=2
> > 24.72.31.206 24.72.10.212
> >         esp mode=tunnel spi=240298505(0x0e52aa09) reqid=0(0x00000000)
> >         E: 3des-cbc  70535711 3c3cf319 9f950f62 f3722dd6 58041014 8127e8bf
> >         A: hmac-md5  61caa1b4 4322665c fa29b556 78deaf4d
> >         seq=0x00000000 replay=4 flags=0x00000000 state=mature
> >         created: Sep  5 23:11:44 2002   current: Sep  5 23:22:06 2002
> >         diff: 622(s)    hard: 1800(s)   soft: 1440(s)
> >         last:                           hard: 0(s)      soft: 0(s)
> >         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
> >         allocated: 0    hard: 0 soft: 0
> >         sadb_seq=0 pid=75928 refcnt=1
> >
> > Oddly, when it's working, I seem to recall that there's *four* entries.
> > I'll have to check that in the morning when I can poke the fellow
> > running the other end to initiate some traffic :-)
>
> And now I've got those four entries to show:
>
> [root@coyote racoon]# setkey -D
> 24.72.10.212 24.72.31.206
>         esp mode=tunnel spi=1397418402(0x534ae9a2) reqid=0(0x00000000)
>         E: 3des-cbc  65a00b32 cd42f461 11de1d80 1f6d9d50 e4cd3cc7 560ac18d
>         A: hmac-md5  dfebdc30 e8b3bea8 b2ff9c51 8c20b32d
>         seq=0x00000000 replay=4 flags=0x00000000 state=mature
>         created: Sep  6 13:20:26 2002   current: Sep  6 13:23:37 2002
>         diff: 191(s)    hard: 1800(s)   soft: 1440(s)
>         last:                           hard: 0(s)      soft: 0(s)
>         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
>         allocated: 0    hard: 0 soft: 0
>         sadb_seq=3 pid=81547 refcnt=1
> 24.72.10.212 24.72.31.206
>         esp mode=tunnel spi=1397418403(0x534ae9a3) reqid=0(0x00000000)
>         E: 3des-cbc  76f68dcd c222d443 a64fbf64 ca3544cb 012547ca cc4971c2
>         A: hmac-sha1  a5fc8187 fd1ae40c 01005514 a2f9a8c4 135703af
>         seq=0x00000049 replay=4 flags=0x00000000 state=mature
>         created: Sep  6 13:20:25 2002   current: Sep  6 13:23:37 2002
>         diff: 192(s)    hard: 360000(s) soft: 288000(s)
>         last: Sep  6 13:21:39 2002      hard: 0(s)      soft: 0(s)
>         current: 9928(bytes)    hard: 0(bytes)  soft: 0(bytes)
>         allocated: 73   hard: 0 soft: 0
>         sadb_seq=2 pid=81547 refcnt=2
> 24.72.31.206 24.72.10.212
>         esp mode=tunnel spi=252304984(0x0f09de58) reqid=0(0x00000000)
>         E: 3des-cbc  61864f7a 10defe4e 7f1820db f96a4f89 d7351f32 1ee67998
>         A: hmac-md5  21b12231 e4651742 ed236562 14f75830
>         seq=0x00000000 replay=4 flags=0x00000000 state=mature
>         created: Sep  6 13:20:26 2002   current: Sep  6 13:23:37 2002
>         diff: 191(s)    hard: 1800(s)   soft: 1440(s)
>         last:                           hard: 0(s)      soft: 0(s)
>         current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
>         allocated: 0    hard: 0 soft: 0
>         sadb_seq=1 pid=81547 refcnt=1
> 24.72.31.206 24.72.10.212
>         esp mode=tunnel spi=130393606(0x07c5a606) reqid=0(0x00000000)
>         E: 3des-cbc  298ebc7a 58f18325 e8f4fa3c b6cb5512 94cb8dca 436b7ee4
>         A: hmac-sha1  0740f3b6 8296606d 6f9ae9df 56239db5 c5f392fb
>         seq=0x0000000b replay=4 flags=0x00000000 state=mature
>         created: Sep  6 13:20:25 2002   current: Sep  6 13:23:37 2002
>         diff: 192(s)    hard: 360000(s) soft: 288000(s)
>         last: Sep  6 13:21:39 2002      hard: 0(s)      soft: 0(s)
>         current: 924(bytes)     hard: 0(bytes)  soft: 0(bytes)
>         allocated: 11   hard: 0 soft: 0
>         sadb_seq=0 pid=81547 refcnt=1
>
>
> Right around the time that my connection goes stale, I get this:
>
> 2002-09-06 13:05:42: INFO: isakmp.c:1513:isakmp_ph1expire(): ISAKMP-SA expired 24.72.10.212[500]-24.72.31.206[500] spi:cd30d5a5da6a70d0:e8f9170a412ffe57
> 2002-09-06 13:05:43: INFO: isakmp.c:1561:isakmp_ph1delete(): ISAKMP-SA deleted 24.72.10.212[500]-24.72.31.206[500] spi:cd30d5a5da6a70d0:e8f9170a412ffe57
> 2002-09-06 13:05:43: ERROR: isakmp.c:463:isakmp_main(): unknown Informational exchange received.
> 2002-09-06 13:06:33: INFO: isakmp.c:1597:isakmp_ph2expire(): phase2 sa expired 24.72.10.212-24.72.31.206
> 2002-09-06 13:06:34: ERROR: isakmp.c:463:isakmp_main(): unknown Informational exchange received.
> 2002-09-06 13:06:34: INFO: isakmp.c:1628:isakmp_ph2delete(): phase2 sa deleted 24.72.10.212-24.72.31.206

Hi Tillman,

It is odd that there are 4 entries; you should only have 4 when using both
ESP and AH as there should be one per direction per protocol (ESP or AH).
How many SAs are on the FreeSwan box?

Are you absolutely sure both lifetimes are the same on both boxes? I've
been known to forget before that vendors sometimes think in seconds, minutes,
or hours with very little consistency :)

HTH,

Dru


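As an added example (not code from this thread, nor from KAME, racoon or FreeS/WAN): a small Python parser for `setkey -D` output that applies the check Dru describes above, one SA per direction per protocol, to the four-entry dump Tillman posted, and that also flags "mature" SAs which have carried no bytes. The dump is copied verbatim from the quoted message; the dictionary field names and the 60-second idle threshold are my own choices. Run over that dump it reports two ESP SAs in each direction, that the two in each direction disagree on authentication algorithm (hmac-md5 vs hmac-sha1) and on lifetimes (hard 1800 s / soft 1440 s vs hard 360000 s / soft 288000 s), and that the hmac-md5 pair has passed no traffic, which is exactly the kind of mismatch worth comparing against the other end's configuration.

```python
import re
from collections import Counter, defaultdict

# Copied from the four-entry `setkey -D` dump quoted earlier in this thread
# (the SPIs and keys are the ones printed there and expired long ago).
SETKEY_DUMP = """\
24.72.10.212 24.72.31.206
        esp mode=tunnel spi=1397418402(0x534ae9a2) reqid=0(0x00000000)
        E: 3des-cbc  65a00b32 cd42f461 11de1d80 1f6d9d50 e4cd3cc7 560ac18d
        A: hmac-md5  dfebdc30 e8b3bea8 b2ff9c51 8c20b32d
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Sep  6 13:20:26 2002   current: Sep  6 13:23:37 2002
        diff: 191(s)    hard: 1800(s)   soft: 1440(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=3 pid=81547 refcnt=1
24.72.10.212 24.72.31.206
        esp mode=tunnel spi=1397418403(0x534ae9a3) reqid=0(0x00000000)
        E: 3des-cbc  76f68dcd c222d443 a64fbf64 ca3544cb 012547ca cc4971c2
        A: hmac-sha1  a5fc8187 fd1ae40c 01005514 a2f9a8c4 135703af
        seq=0x00000049 replay=4 flags=0x00000000 state=mature
        created: Sep  6 13:20:25 2002   current: Sep  6 13:23:37 2002
        diff: 192(s)    hard: 360000(s) soft: 288000(s)
        last: Sep  6 13:21:39 2002      hard: 0(s)      soft: 0(s)
        current: 9928(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 73   hard: 0 soft: 0
        sadb_seq=2 pid=81547 refcnt=2
24.72.31.206 24.72.10.212
        esp mode=tunnel spi=252304984(0x0f09de58) reqid=0(0x00000000)
        E: 3des-cbc  61864f7a 10defe4e 7f1820db f96a4f89 d7351f32 1ee67998
        A: hmac-md5  21b12231 e4651742 ed236562 14f75830
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Sep  6 13:20:26 2002   current: Sep  6 13:23:37 2002
        diff: 191(s)    hard: 1800(s)   soft: 1440(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=81547 refcnt=1
24.72.31.206 24.72.10.212
        esp mode=tunnel spi=130393606(0x07c5a606) reqid=0(0x00000000)
        E: 3des-cbc  298ebc7a 58f18325 e8f4fa3c b6cb5512 94cb8dca 436b7ee4
        A: hmac-sha1  0740f3b6 8296606d 6f9ae9df 56239db5 c5f392fb
        seq=0x0000000b replay=4 flags=0x00000000 state=mature
        created: Sep  6 13:20:25 2002   current: Sep  6 13:23:37 2002
        diff: 192(s)    hard: 360000(s) soft: 288000(s)
        last: Sep  6 13:21:39 2002      hard: 0(s)      soft: 0(s)
        current: 924(bytes)     hard: 0(bytes)  soft: 0(bytes)
        allocated: 11   hard: 0 soft: 0
        sadb_seq=0 pid=81547 refcnt=1
"""

FIELDS = [  # (regex, keys) tried in order against each indented line of one SA
    (re.compile(r"^(esp|ah|ipcomp) mode=(\S+) spi=(\d+)"), ("proto", "mode", "spi")),
    (re.compile(r"^E: (\S+)"), ("enc",)),
    (re.compile(r"^A: (\S+)"), ("auth",)),
    (re.compile(r"state=(\w+)"), ("state",)),
    (re.compile(r"^diff: (\d+)\(s\)\s+hard: (\d+)\(s\)\s+soft: (\d+)\(s\)"), ("age_s", "hard_s", "soft_s")),
    (re.compile(r"^current: (\d+)\(bytes\)"), ("bytes",)),
]

def parse_setkey_dump(text):
    """Turn `setkey -D` output into a list of dicts, one per SADB entry."""
    sas, sa = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():                      # unindented "src dst" line opens an SA
            sa = dict(zip(("src", "dst"), raw.split()))
            sas.append(sa)
            continue
        for rx, keys in FIELDS:
            if m := rx.search(raw.strip()):
                for k, v in zip(keys, m.groups()):
                    sa[k] = int(v) if v.isdigit() else v  # counters/lifetimes become ints
                break
    return sas

def sa_count_by_direction(sas):
    """SAs per (src, dst, proto); a healthy ESP-only tunnel has exactly 1 each way."""
    return dict(Counter((sa["src"], sa["dst"], sa["proto"]) for sa in sas))

def audit(sas, max_idle_s=60):
    """Flag more than one SA per direction/protocol, duplicates that disagree on
    algorithms or lifetimes, and mature SAs idle (0 bytes) longer than max_idle_s."""
    by_dir = defaultdict(list)
    for sa in sas:
        by_dir[(sa["src"], sa["dst"], sa["proto"])].append(sa)
    findings = []
    for (src, dst, proto), group in sorted(by_dir.items()):
        if len(group) > 1:
            findings.append(f"{src}->{dst}: {len(group)} {proto} SAs, expected 1 per direction")
            variants = {(sa["enc"], sa.get("auth"), sa["hard_s"], sa["soft_s"]) for sa in group}
            if len(variants) > 1:
                findings.append(f"{src}->{dst}: duplicate SAs differ in auth/lifetime: {sorted(variants)}")
        for sa in group:
            if sa["state"] == "mature" and sa["bytes"] == 0 and sa["age_s"] > max_idle_s:
                findings.append(f"{src}->{dst} spi={sa['spi']:#x}: mature for {sa['age_s']}s but 0 bytes carried")
    return findings
```

Calling `audit(parse_setkey_dump(SETKEY_DUMP))` on the quoted dump yields six findings: the duplicate-SA warning and the algorithm/lifetime disagreement for each direction, plus the two idle hmac-md5 SAs. To use it on a live box, feed it the output of `setkey -D` instead of the embedded string.
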
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020906163002.B164-100000>