Date:      Fri, 6 Sep 2002 15:56:04 -0600
From:      Tillman Hodgson <tillman@seekingfire.com>
To:        Dru <dlavigne6@cogeco.ca>
Cc:        Mike Tancsa <mike@sentex.net>, questions@FreeBSD.ORG
Subject:   Re: IPSEC & routing w/o gif
Message-ID:  <20020906155604.A15339@seekingfire.com>
In-Reply-To: <20020906163002.B164-100000@x1-6-00-80-c8-3a-b8-46.kico2.on.cogeco.ca>; from dlavigne6@cogeco.ca on Fri, Sep 06, 2002 at 04:33:54PM -0400
References:  <20020906132649.A15029@seekingfire.com> <20020906163002.B164-100000@x1-6-00-80-c8-3a-b8-46.kico2.on.cogeco.ca>

On Fri, Sep 06, 2002 at 04:33:54PM -0400, Dru wrote:
> Hi Tillman,
> 
> It is odd that there are 4 entries; you should only have 4 when using both
> ESP and AH as there should be one per direction per protocol (ESP or AH).
> How many SAs are on the FreeSwan box?
> 
> Are you absolutely sure both lifetimes are the same on both boxes? I've
> been known to forget before that vendors sometimes think in seconds, minutes,
> or hours with very little consistency :)

Absolutely. Here are the relevant sections of the config files:

KAME:

remote anonymous
{
	exchange_mode main;
	lifetime time 52 min;
	proposal_check obey;
	proposal {
		encryption_algorithm 3des;
		hash_algorithm md5;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

sainfo anonymous
{
	pfs_group 2;
	lifetime time 30 min;
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1,hmac_md5;
	compression_algorithm deflate ;
}

FreeS/WAN:

	ikelifetime=52m
	keylife=30m

This is the only tunnel policy on the box:

[root@coyote root]# setkey -DP
192.168.31.0/24[any] 192.168.23.0/24[any] any
        in ipsec
        esp/tunnel/24.72.31.206-24.72.10.212/require
        spid=24 seq=1 pid=82715
        refcnt=1
192.168.23.0/24[any] 192.168.31.0/24[any] any
        out ipsec
        esp/tunnel/24.72.10.212-24.72.31.206/require
        spid=23 seq=0 pid=82715
        refcnt=1

I've noticed that it goes stale after exactly one minute, which doesn't
correspond to *either* timeout value.

I've also seen another type of error message which might be of interest.
Here's what the log shows from racoon startup to the tunnel going stale:

2002-09-06 14:55:40: INFO: isakmp.c:1681:isakmp_post_acquire(): IPsec-SA request for 24.72.31.206 queued due to no phase1 found.
2002-09-06 14:55:40: INFO: isakmp.c:795:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 24.72.10.212[500]<=>24.72.31.206[500]
2002-09-06 14:55:40: INFO: isakmp.c:800:isakmp_ph1begin_i(): begin Identity Protection mode.
2002-09-06 14:56:26: ERROR: isakmp.c:1773:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 24.72.31.206->24.72.10.212
2002-09-06 14:56:26: INFO: isakmp.c:1778:isakmp_chkph1there(): delete phase 2 handler.
2002-09-06 14:57:40: ERROR: isakmp.c:1434:isakmp_ph1resend(): phase1 negotiation failed due to time up. b22b8ad0b7593772:0000000000000000
2002-09-06 15:02:29: INFO: isakmp.c:1681:isakmp_post_acquire(): IPsec-SA request for 24.72.31.206 queued due to no phase1 found.
2002-09-06 15:02:29: INFO: isakmp.c:795:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 24.72.10.212[500]<=>24.72.31.206[500]
2002-09-06 15:02:29: INFO: isakmp.c:800:isakmp_ph1begin_i(): begin Identity Protection mode.
2002-09-06 15:03:15: ERROR: isakmp.c:1773:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 24.72.31.206->24.72.10.212
2002-09-06 15:03:15: INFO: isakmp.c:1778:isakmp_chkph1there(): delete phase 2 handler.
2002-09-06 15:03:32: INFO: isakmp.c:1700:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
2002-09-06 15:04:18: ERROR: isakmp.c:1773:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 24.72.31.206->24.72.10.212
2002-09-06 15:04:18: INFO: isakmp.c:1778:isakmp_chkph1there(): delete phase 2 handler.
2002-09-06 15:04:28: INFO: isakmp.c:1700:isakmp_post_acquire(): request for establishing IPsec-SA was queued due to no phase1 found.
2002-09-06 15:04:29: ERROR: isakmp.c:1434:isakmp_ph1resend(): phase1 negotiation failed due to time up. 8e666e187efa8f37:0000000000000000
2002-09-06 15:04:47: ERROR: isakmp.c:463:isakmp_main(): unknown Informational exchange received.
2002-09-06 15:04:54: INFO: isakmp.c:891:isakmp_ph1begin_r(): respond new phase 1 negotiation: 24.72.10.212[500]<=>24.72.31.206[500]
2002-09-06 15:04:54: INFO: isakmp.c:896:isakmp_ph1begin_r(): begin Identity Protection mode.
2002-09-06 15:04:55: INFO: isakmp.c:2409:log_ph1established(): ISAKMP-SA established 24.72.10.212[500]-24.72.31.206[500] spi:421136cfbbd24938:74331a2ad95c002f
2002-09-06 15:04:55: INFO: isakmp.c:1046:isakmp_ph2begin_r(): respond new phase 2 negotiation: 24.72.10.212[0]<=>24.72.31.206[0]
2002-09-06 15:04:56: INFO: isakmp.c:939:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 24.72.10.212[0]<=>24.72.31.206[0]
2002-09-06 15:04:56: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 24.72.31.206->24.72.10.212 spi=253430034(0xf1b0912)
2002-09-06 15:04:56: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA established: ESP/Tunnel 24.72.10.212->24.72.31.206 spi=3078543287(0xb77ed7b7)
2002-09-06 15:04:57: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 24.72.31.206->24.72.10.212 spi=230187753(0xdb862e9)
2002-09-06 15:04:57: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA established: ESP/Tunnel 24.72.10.212->24.72.31.206 spi=3078543288(0xb77ed7b8)
2002-09-06 15:28:57: INFO: pfkey.c:1365:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel 24.72.10.212->24.72.31.206 spi=3078543287(0xb77ed7b7)
2002-09-06 15:28:57: INFO: pfkey.c:1365:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel 24.72.31.206->24.72.10.212 spi=253430034(0xf1b0912)

Thanks for your help,

- Tillman

-- 
"When you are inspired by some great purpose, some extraordinary
project, all your thoughts break their bounds. Dormant forces,
faculties and talents become alive, and you discover yourself to
be a greater person by far than you ever dreamed yourself to be."
	- Patanjali
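The intervals in a racoon log like the one above are easier to reason about when measured than when eyeballed. The following script is an added example, not code from the original e-mail or from racoon: it parses racoon's `date time: LEVEL: file:line:function(): message` format, times each phase-1 attempt, records how long phase 2 waited before giving up, and pairs every `IPsec-SA established` with its `IPsec-SA expired` by SPI to compute the observed SA lifetime. The embedded sample is a constructed subset of the log lines quoted above.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the racoon log lines quoted in the e-mail above.
SAMPLE_LOG = """\
2002-09-06 14:55:40: INFO: isakmp.c:795:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 24.72.10.212[500]<=>24.72.31.206[500]
2002-09-06 14:56:26: ERROR: isakmp.c:1773:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1. ESP 24.72.31.206->24.72.10.212
2002-09-06 14:57:40: ERROR: isakmp.c:1434:isakmp_ph1resend(): phase1 negotiation failed due to time up. b22b8ad0b7593772:0000000000000000
2002-09-06 15:04:54: INFO: isakmp.c:891:isakmp_ph1begin_r(): respond new phase 1 negotiation: 24.72.10.212[500]<=>24.72.31.206[500]
2002-09-06 15:04:55: INFO: isakmp.c:2409:log_ph1established(): ISAKMP-SA established 24.72.10.212[500]-24.72.31.206[500] spi:421136cfbbd24938:74331a2ad95c002f
2002-09-06 15:04:56: INFO: pfkey.c:1107:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 24.72.31.206->24.72.10.212 spi=253430034(0xf1b0912)
2002-09-06 15:04:56: INFO: pfkey.c:1319:pk_recvadd(): IPsec-SA established: ESP/Tunnel 24.72.10.212->24.72.31.206 spi=3078543287(0xb77ed7b7)
2002-09-06 15:28:57: INFO: pfkey.c:1365:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel 24.72.10.212->24.72.31.206 spi=3078543287(0xb77ed7b7)
2002-09-06 15:28:57: INFO: pfkey.c:1365:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel 24.72.31.206->24.72.10.212 spi=253430034(0xf1b0912)
"""

LINE_RE = re.compile(r"^(\S+ \S+): (\w+): [\w.]+:\d+:(\w+)\(\): (.*)$")
SPI_RE = re.compile(r"spi=(\d+)")

def parse(log):
    """Yield (timestamp, level, function, message) for each racoon log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)

def analyze(log):
    """Time each phase-1 attempt, each phase-2 wait timeout, and each SA's lifetime."""
    phase1, ph2_waits, lifetimes, established = [], [], {}, {}
    ph1_start = None
    for ts, level, func, msg in parse(log):
        if func in ("isakmp_ph1begin_i", "isakmp_ph1begin_r"):
            ph1_start = ts                                  # new phase-1 attempt
        elif func == "isakmp_ph1resend" and "time up" in msg and ph1_start:
            phase1.append(("failed", int((ts - ph1_start).total_seconds())))
            ph1_start = None
        elif func == "log_ph1established" and ph1_start:
            phase1.append(("established", int((ts - ph1_start).total_seconds())))
            ph1_start = None
        elif func == "isakmp_chkph1there" and level == "ERROR" and ph1_start:
            ph2_waits.append(int((ts - ph1_start).total_seconds()))  # gave up waiting
        elif func in ("pk_recvupdate", "pk_recvadd"):
            established[int(SPI_RE.search(msg).group(1))] = ts  # SA installed, keyed by SPI
        elif func == "pk_recvexpire":
            spi = int(SPI_RE.search(msg).group(1))
            if spi in established:
                lifetimes[spi] = int((ts - established.pop(spi)).total_seconds())
    return {"phase1": phase1, "phase2_wait_timeouts": ph2_waits, "sa_lifetimes_s": lifetimes}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On this sample it reports the initiated phase 1 timing out after 120 s, phase 2 giving up after 46 s of waiting, and both ESP SAs living 1441 s (about 24 minutes) rather than the 30-minute `lifetime time` / `keylife` configured on either end, which is the kind of gap worth comparing against the peer's rekeying settings.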
