Date:      Tue, 15 Dec 2009 08:50:24 +0100
From:      Jon Otterholm <jon.otterholm@ide.resurscentrum.se>
To:        Mike Tancsa <mike@sentex.net>, <freebsd-net@freebsd.org>
Subject:   Re: Racoon site-to site
Message-ID:  <C74CFE50.31FA9%jon.otterholm@ide.resurscentrum.se>
In-Reply-To: <200912111923.nBBJNLk3072715@lava.sentex.ca>


On 2009-12-11 20.23, "Mike Tancsa" <mike@sentex.net> wrote:

> At 11:33 AM 12/11/2009, David DeSimone wrote:
>> Jon Otterholm <jon.otterholm@ide.resurscentrum.se> wrote:
>>>
>>> If I restart racoon or wait approximately 30 min the connection is
>>> re-established.
>>
>> Since this is approximately ½ of the phase 2 lifetime, you are probably
>> running into lifetime negotiation issues, or PFS issues.
>>
>>> What would be the obvious way to debug this?  Any suggestions on what
>>> to tweak appreciated.
>>
>> I would turn up the debugging on racoon to get more information around
>> the time that the tunnel fails.
>>
>>> sainfo  (address 192.168.1.0/24 any address 192.168.100.0/24 any)
>>> {
>>>     pfs_group       1;
>>>     lifetime        time    3600 sec;
>>>     encryption_algorithm    des;
>>>     authentication_algorithm        hmac_md5,hmac_sha1;
>>>     compression_algorithm   deflate;
>>> }
>>
>> My hunch is that you have a PFS mismatch, so that the first tunnel
>> negotiates, but the second SA negotiation fails, then the third
>> succeeds, etc.
>
>
> You might also want to turn on DPD (dead peer
> detection) in ipsectools if you don't already have
> it on both sides.  Are you really using des for
> the crypto? Also, when the session is
> negotiated, take a look at the output of
> setkey -D
> and see what was actually negotiated and post it
> here (just make sure you get rid of the info on the E and A lines).
>
> e.g.
> 1.1.1.2 2.2.2.2
>          esp mode=tunnel spi=125444787(0x077a22b3) reqid=16416(0x00004020)
>          E: 3des-cbc  770cdd7b 770cdd7b 770cdd7b 770cdd7b 770cdd7b 770cdd7b
>          A: hmac-sha1  5cfdbabb 5cfdbabb 5cfdbabb 5cfdbabb 5cfdbabb
>
> ie. mask out the 5cfdbabb and 770cdd7b values
> before posting as that's your crypto :)
>
>

Here is output from setkey -D when we lost connection:

localip remoteip
        esp mode=tunnel spi=989823717(0x3aff82e5) reqid=0(0x00000000)
        E: des-cbc  x x
        A: hmac-md5  x x x x
        seq=0x000009ac replay=4 flags=0x00000000 state=mature
        created: Dec 15 07:57:41 2009   current: Dec 15 08:26:04 2009
        diff: 1703(s)   hard: 3600(s)   soft: 2880(s)
        last: Dec 15 08:26:03 2009      hard: 0(s)      soft: 0(s)
        current: 400400(bytes)  hard: 0(bytes)  soft: 0(bytes)
        allocated: 2476 hard: 0 soft: 0
        sadb_seq=1 pid=23175 refcnt=2
remoteip remoteip
        esp mode=tunnel spi=117094840(0x06fab9b8) reqid=0(0x00000000)
        E: des-cbc  x x
        A: hmac-md5  x x x x
        seq=0x00000b73 replay=4 flags=0x00000000 state=mature
        created: Dec 15 07:57:41 2009   current: Dec 15 08:26:04 2009
        diff: 1703(s)   hard: 3600(s)   soft: 2880(s)
        last: Dec 15 08:25:37 2009      hard: 0(s)      soft: 0(s)
        current: 2960978(bytes) hard: 0(bytes)  soft: 0(bytes)
        allocated: 2931 hard: 0 soft: 0
        sadb_seq=0 pid=23175 refcnt=1

//Jon
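As an added example (not part of this thread and not ipsec-tools code), the following Python script parses a masked `setkey -D` dump like the one Jon posted and answers the questions raised in the thread: which algorithms were actually negotiated, how far each SA is from its soft and hard lifetime, and whether both directions carry the same lifetimes (one symptom of a lifetime negotiation problem). The sample dump is constructed from the posted output, with key material replaced by `x`, placeholder addresses, and the second entry written as the reverse direction; the `SA` record, the `WEAK_ENC`/`WEAK_AUTH` policy sets and all function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the masked dump posted above: keys are "x",
# addresses are placeholders, the second entry is the reverse direction.
SAMPLE_SAD = """\
localip remoteip
        esp mode=tunnel spi=989823717(0x3aff82e5) reqid=0(0x00000000)
        E: des-cbc  x x
        A: hmac-md5  x x x x
        seq=0x000009ac replay=4 flags=0x00000000 state=mature
        created: Dec 15 07:57:41 2009   current: Dec 15 08:26:04 2009
        diff: 1703(s)   hard: 3600(s)   soft: 2880(s)
remoteip localip
        esp mode=tunnel spi=117094840(0x06fab9b8) reqid=0(0x00000000)
        E: des-cbc  x x
        A: hmac-md5  x x x x
        seq=0x00000b73 replay=4 flags=0x00000000 state=mature
        created: Dec 15 07:57:41 2009   current: Dec 15 08:26:04 2009
        diff: 1703(s)   hard: 3600(s)   soft: 2880(s)
"""

# Algorithms worth flagging in a dump (hypothetical review policy, not ipsec-tools').
WEAK_ENC = {"des-cbc", "null"}
WEAK_AUTH = {"hmac-md5", "null"}

@dataclass
class SA:
    src: str
    dst: str
    spi: int = 0
    enc: str = ""
    auth: str = ""
    state: str = ""
    age: int = 0    # "diff": seconds since the SA was installed
    hard: int = 0   # hard lifetime (s): the SA is removed when age reaches it
    soft: int = 0   # soft lifetime (s): rekeying should start here

def parse_setkey_dump(text):
    """Parse `setkey -D` text into SA records; unrecognised lines are skipped."""
    sas, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():     # unindented "src dst" line opens a new SA
            src, dst = line.split()[:2]
            cur = SA(src=src, dst=dst)
            sas.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        m = re.match(r"\w+ mode=\w+ spi=(\d+)", s)
        if m:
            cur.spi = int(m.group(1))
        elif s.startswith("E: "):
            cur.enc = s.split()[1]
        elif s.startswith("A: "):
            cur.auth = s.split()[1]
        elif s.startswith("seq="):
            m = re.search(r"state=(\w+)", s)
            cur.state = m.group(1) if m else ""
        elif s.startswith("diff: "):
            m = re.match(r"diff: (\d+)\(s\)\s+hard: (\d+)\(s\)\s+soft: (\d+)\(s\)", s)
            cur.age, cur.hard, cur.soft = (int(x) for x in m.groups())
    return sas

def seconds_to_soft(sa):
    """Seconds until racoon should begin rekeying this SA (0 if already due)."""
    return max(sa.soft - sa.age, 0)

def assess(sa):
    """Findings a reviewer would want to see for one SA."""
    findings = []
    if sa.enc in WEAK_ENC:
        findings.append(f"weak encryption {sa.enc}")
    if sa.auth in WEAK_AUTH:
        findings.append(f"weak authentication {sa.auth}")
    if sa.state != "mature":
        findings.append(f"state is {sa.state!r}, not mature")
    if sa.hard and sa.age >= sa.hard:
        findings.append("past hard lifetime: SA should already be gone")
    elif sa.soft and sa.age >= sa.soft:
        findings.append("past soft lifetime: a rekey should be in progress")
    return findings

def lifetimes_agree(sas):
    """True when all SAs share one hard/soft lifetime pair; differing values
    between directions are a symptom of a lifetime negotiation mismatch."""
    return len({(sa.hard, sa.soft) for sa in sas}) <= 1

if __name__ == "__main__":
    sas = parse_setkey_dump(SAMPLE_SAD)
    for sa in sas:
        print(f"{sa.src}->{sa.dst} spi={sa.spi:#010x} {sa.enc}/{sa.auth} "
              f"age={sa.age}s, soft in {seconds_to_soft(sa)}s, hard {sa.hard}s", assess(sa))
    print("lifetimes agree:", lifetimes_agree(sas))
```

Run against the posted dump this shows both SAs at age 1703 s with 1177 s still to go before the 2880 s soft lifetime, i.e. the tunnel dropped well before racoon was due to rekey, which points away from a simple expiry and towards the PFS or negotiation mismatch suggested earlier in the thread; it also flags `des-cbc`/`hmac-md5` as the negotiated algorithms, matching Mike's question about DES.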




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?C74CFE50.31FA9%jon.otterholm>