From owner-freebsd-questions Fri Sep 6 14:55:58 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E057C37B400 for ; Fri, 6 Sep 2002 14:55:52 -0700 (PDT)
Received: from mail.seekingfire.com (coyote.seekingfire.com [24.72.10.212]) by mx1.FreeBSD.org (Postfix) with ESMTP id 25B9743E3B for ; Fri, 6 Sep 2002 14:55:52 -0700 (PDT) (envelope-from tillman@seekingfire.com)
Received: from blues.seekingfire.prv (blues.seekingfire.prv [192.168.23.211]) by mail.seekingfire.com (Postfix) with ESMTP id 534BE1CF; Fri, 6 Sep 2002 15:55:51 -0600 (CST)
Received: (from tillman@localhost) by blues.seekingfire.prv (8.11.6/8.11.6) id g86Lu5a15414; Fri, 6 Sep 2002 15:56:05 -0600
Date: Fri, 6 Sep 2002 15:56:04 -0600
From: Tillman Hodgson
To: Dru
Cc: Mike Tancsa, questions@FreeBSD.ORG
Subject: Re: IPSEC & routing w/o gif
Message-ID: <20020906155604.A15339@seekingfire.com>
References: <20020906132649.A15029@seekingfire.com> <20020906163002.B164-100000@x1-6-00-80-c8-3a-b8-46.kico2.on.cogeco.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020906163002.B164-100000@x1-6-00-80-c8-3a-b8-46.kico2.on.cogeco.ca>; from dlavigne6@cogeco.ca on Fri, Sep 06, 2002 at 04:33:54PM -0400
X-Urban-Legend: There is lots of hidden information in headers
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Fri, Sep 06, 2002 at 04:33:54PM -0400, Dru wrote:
> Hi Tillman,
>
> It is odd that there are 4 entries; you should only have 4 when using both
> ESP and AH as there should be one per direction per protocol (ESP or AH).
> How many SAs are on the FreeSwan box?
>
> Are you absolutely sure both lifetimes are the same on both boxes? I've
> been known to forget before that vendors sometimes think in seconds, minutes,
> or hours with very little consistency :)

Absolutely. Here are the relevant sections of the config files:

KAME:

remote anonymous {
        exchange_mode main;
        lifetime time 52 min;
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 30 min;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1,hmac_md5;
        compression_algorithm deflate ;
}

FreeS/WAN:

ikelifetime=52m
keylife=30m

This is the only tunnel policy on the box:

[root@coyote root]# setkey -DP
192.168.31.0/24[any] 192.168.23.0/24[any] any
        in ipsec
        esp/tunnel/24.72.31.206-24.72.10.212/require
        spid=24 seq=1 pid=82715
        refcnt=1
192.168.23.0/24[any] 192.168.31.0/24[any] any
        out ipsec
        esp/tunnel/24.72.10.212-24.72.31.206/require
        spid=23 seq=0 pid=82715
        refcnt=1

I've noticed that it goes stale after exactly one minute, which doesn't
correspond to *either* timeout value.

I've also seen another type of error message which might be of interest.
Here's what the log shows from racoon startup to the tunnel going stale:

2002-09-06 14:55:40: INFO: isakmp.c:1681:isakmp_post_acquire(): IPsec-SA request for 24.72.31.206 queued due to no phase1 found.
2002-09-06 14:55:40: INFO: isakmp.c:795:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 24.72.10.212[500]<=>24.72.31.206[500]
2002-09-06 14:55:40: INFO: isakmp.c:800:isakmp_ph1begin_i(): begin Identity Protection mode.
2002-09-06 14:56:26: ERROR: isakmp.c:1773:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 24.72.31.206->24.72.10.212
2002-09-06 14:56:26: INFO: isakmp.c:1778:isakmp_chkph1there(): delete phase 2 handler.
2002-09-06 14:57:40: ERROR: isakmp.c:1434:isakmp_ph1resend(): phase1 negotiation failed due to time up. b22b8ad0b7593772:0000000000000000
2002-09-06 15:02:29: INFO: isakmp.c:1681:isakmp_post_acquire(): IPsec-SA request for 24.72.31.206 queued due to no phase1 found.
2002-09-06 15:02:29: INFO: isakmp.c:795:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 24.72.10.212[500]<=>24.72.31.206[500]
2002-09-06 15:02:29: INFO: isakmp.c:800:isakmp_ph1begin_i(): begin Identity Protection mode.
2002-09-06 15:03:15: ERROR: isakmp.c:1773:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 24.72.31.206->24.72.10.212
2002-09-06 15:03:15: INFO: isakmp.c:1778:isakmp_chkph1there(): delete phase 2 handler.
2002-09-06 15:03:32: INFO: isakmp.c:1700:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
2002-09-06 15:04:18: ERROR: isakmp.c:1773:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 24.72.31.206->24.72.10.212
2002-09-06 15:04:18: INFO: isakmp.c:1778:isakmp_chkph1there(): delete phase 2 handler.
2002-09-06 15:04:28: INFO: isakmp.c:1700:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
2002-09-06 15:04:29: ERROR: isakmp.c:1434:isakmp_ph1resend(): phase1 negotiation failed due to time up. 8e666e187efa8f37:0000000000000000
2002-09-06 15:04:47: ERROR: isakmp.c:463:isakmp_main(): unknown Informational exchange received.
2002-09-06 15:04:54: INFO: isakmp.c:891:isakmp_ph1begin_r(): respond new phase 1 negotiation: 24.72.10.212[500]<=>24.72.31.206[500]
2002-09-06 15:04:54: INFO: isakmp.c:896:isakmp_ph1begin_r(): begin Identity Protection mode.
2002-09-06 15:04:55: INFO: isakmp.c:2409:log_ph1established(): ISAKMP-SA established 24.72.10.212[500]-24.72.31.206[500] spi:421136cfbbd24938:74331a2ad95c002f
2002-09-06 15:04:55: INFO: isakmp.c:1046:isakmp_ph2begin_r(): respond new phase 2 negotiation: 24.72.10.212[0]<=>24.72.31.206[0]
2002-09-06 15:04:56: INFO: isakmp.c:939:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 24.72.10.212[0]<=>24.72.31.206[0]
2002-09-06 15:04:56: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 24.72.31.206->24.72.10.212 spi=253430034(0xf1b0912)
2002-09-06 15:04:56: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA established: ESP/Tunnel 24.72.10.212->24.72.31.206 spi=3078543287(0xb77ed7b7)
2002-09-06 15:04:57: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 24.72.31.206->24.72.10.212 spi=230187753(0xdb862e9)
2002-09-06 15:04:57: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA established: ESP/Tunnel 24.72.10.212->24.72.31.206 spi=3078543288(0xb77ed7b8)
2002-09-06 15:28:57: INFO: pfkey.c:1365:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel 24.72.10.212->24.72.31.206 spi=3078543287(0xb77ed7b7)
2002-09-06 15:28:57: INFO: pfkey.c:1365:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel 24.72.31.206->24.72.10.212 spi=253430034(0xf1b0912)

Thanks for your help,

- Tillman

--
"When you are inspired by some great purpose, some extraordinary project,
all your thoughts break their bounds. Dormant forces, faculties and talents
become alive, and you discover yourself to be a greater person by far than
you ever dreamed yourself to be."
        - Patanjali

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
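The two checks Dru and Tillman are doing by hand above, as an added example that is not part of the original thread: a small Python script normalises the racoon (`lifetime time ... min`) and FreeS/WAN (`ikelifetime`/`keylife` with an `s`/`m`/`h`/`d` suffix) settings to seconds and compares the two sides, then walks racoon log lines to measure how long each phase 1 attempt ran before it failed or produced an ISAKMP-SA, and how long each ESP SA actually lived between `IPsec-SA established` and `IPsec-SA expired`. The config and log samples are constructed from the values quoted in the mail; the block tracking in `racoon_lifetimes` assumes the layout shown there (top-level `remote`/`sainfo` blocks closed by a `}` at the start of a line).

```python
"""Added example (not from the original mail): compare IKE/IPsec lifetimes
across racoon and FreeS/WAN, and measure phase 1 and SA timings in racoon logs."""
import re
from datetime import datetime

# Constructed from the KAME/racoon snippet in the mail (only the lifetime-relevant lines).
RACOON_CONF = """
remote anonymous {
        exchange_mode main;
        lifetime time 52 min;
        proposal_check obey;
}
sainfo anonymous {
        pfs_group 2;
        lifetime time 30 min;
}
"""

# Constructed from the FreeS/WAN snippet in the mail.
FREESWAN_CONF = """
ikelifetime=52m
keylife=30m
"""

# Constructed from the racoon log excerpt in the mail.
RACOON_LOG = """\
2002-09-06 14:55:40: INFO: isakmp.c:795:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 24.72.10.212[500]<=>24.72.31.206[500]
2002-09-06 14:56:26: ERROR: isakmp.c:1773:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 24.72.31.206->24.72.10.212
2002-09-06 14:57:40: ERROR: isakmp.c:1434:isakmp_ph1resend(): phase1 negotiation failed due to time up. b22b8ad0b7593772:0000000000000000
2002-09-06 15:02:29: INFO: isakmp.c:795:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 24.72.10.212[500]<=>24.72.31.206[500]
2002-09-06 15:04:29: ERROR: isakmp.c:1434:isakmp_ph1resend(): phase1 negotiation failed due to time up. 8e666e187efa8f37:0000000000000000
2002-09-06 15:04:54: INFO: isakmp.c:891:isakmp_ph1begin_r(): respond new phase 1 negotiation: 24.72.10.212[500]<=>24.72.31.206[500]
2002-09-06 15:04:55: INFO: isakmp.c:2409:log_ph1established(): ISAKMP-SA established 24.72.10.212[500]-24.72.31.206[500] spi:421136cfbbd24938:74331a2ad95c002f
2002-09-06 15:04:56: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 24.72.31.206->24.72.10.212 spi=253430034(0xf1b0912)
2002-09-06 15:04:56: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA established: ESP/Tunnel 24.72.10.212->24.72.31.206 spi=3078543287(0xb77ed7b7)
2002-09-06 15:04:57: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA established: ESP/Tunnel 24.72.10.212->24.72.31.206 spi=3078543288(0xb77ed7b8)
2002-09-06 15:28:57: INFO: pfkey.c:1365:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel 24.72.10.212->24.72.31.206 spi=3078543287(0xb77ed7b7)
2002-09-06 15:28:57: INFO: pfkey.c:1365:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel 24.72.31.206->24.72.10.212 spi=253430034(0xf1b0912)
"""

RACOON_UNITS = {"sec": 1, "min": 60, "hour": 3600}          # racoon: "lifetime time N unit;"
FREESWAN_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}   # FreeS/WAN: "N[smhd]", bare N = seconds


def racoon_lifetimes(conf):
    """Return {'phase1': secs, 'phase2': secs} from the remote{} and sainfo{} blocks."""
    out, current = {}, None
    for line in conf.splitlines():
        block = re.match(r"(remote|sainfo)\b", line)
        if block:
            current = {"remote": "phase1", "sainfo": "phase2"}[block.group(1)]
        elif line.startswith("}"):
            current = None
        m = re.search(r"lifetime\s+time\s+(\d+)\s+(sec|min|hour)\w*", line)
        if m and current:
            out[current] = int(m.group(1)) * RACOON_UNITS[m.group(2)]
    return out


def freeswan_lifetimes(conf):
    """Return {'phase1': secs, 'phase2': secs} from ikelifetime= and keylife=."""
    out = {}
    for key, name in (("ikelifetime", "phase1"), ("keylife", "phase2")):
        m = re.search(key + r"\s*=\s*(\d+)([smhd]?)", conf)
        if m:
            out[name] = int(m.group(1)) * FREESWAN_UNITS[m.group(2) or "s"]
    return out


def lifetime_mismatches(a, b):
    """Phases whose normalised lifetimes differ between the two peers."""
    return {k: (a.get(k), b.get(k)) for k in set(a) | set(b) if a.get(k) != b.get(k)}


def parse_ts(line):
    return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")


def phase1_outcomes(log):
    """List of (start, 'failed'|'established', seconds) for each phase 1 we start or answer."""
    results, start = [], None
    for line in log.splitlines():
        if "new phase 1 negotiation" in line:
            start = parse_ts(line)
        elif start and "phase1 negotiation failed" in line:
            results.append((start, "failed", int((parse_ts(line) - start).total_seconds())))
            start = None
        elif start and "ISAKMP-SA established" in line:
            results.append((start, "established", int((parse_ts(line) - start).total_seconds())))
            start = None
    return results


def sa_lifetimes(log):
    """Measured seconds from 'IPsec-SA established' to 'IPsec-SA expired' per SPI.
    SAs with no expiry in the log window are not reported."""
    established, lifetimes = {}, {}
    for line in log.splitlines():
        m = re.search(r"IPsec-SA (established|expired): .*spi=(\d+)", line)
        if not m:
            continue
        state, spi = m.group(1), int(m.group(2))
        if state == "established":
            established[spi] = parse_ts(line)
        elif spi in established:
            lifetimes[spi] = int((parse_ts(line) - established[spi]).total_seconds())
    return lifetimes


if __name__ == "__main__":
    r, f = racoon_lifetimes(RACOON_CONF), freeswan_lifetimes(FREESWAN_CONF)
    print("racoon:", r, "freeswan:", f, "mismatches:", lifetime_mismatches(r, f))
    for start, outcome, secs in phase1_outcomes(RACOON_LOG):
        print(f"phase 1 at {start:%H:%M:%S}: {outcome} after {secs}s")
    print("measured SA lifetimes (s):", sa_lifetimes(RACOON_LOG))
```

On the sample above both peers normalise to 3120 s for phase 1 and 1800 s for phase 2, so the configured lifetimes agree; the log side shows the two unanswered phase 1 attempts each giving up after 120 seconds, the responder-side phase 1 completing in about a second, and the two SAs that did expire in the window living 1441 seconds. The script only reports these numbers; it does not decide why they differ from the configured values.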