Date:      Wed, 1 Aug 2007 08:04:21 -0400
From:      "Isaac Kohen" <ik1024@gmail.com>
To:        freebsd-net@freebsd.org
Subject:   Re: IPSEC connection drops and doesn't recover
Message-ID:  <7feb82f40708010504y75ab3cc9i4a31b41a765c0af4@mail.gmail.com>
In-Reply-To: <7feb82f40707311129n66c149c0k6f106acd6e7b8d5@mail.gmail.com>
References:  <7feb82f40707301752j2ccb235eof197fed852188bd5@mail.gmail.com> <20070731105332.GA1285@jayce.zen.inc> <7feb82f40707311129n66c149c0k6f106acd6e7b8d5@mail.gmail.com>

I get these in dmesg -- does it mean anything?

IPv4 ESP input: no key association found for spi 94246771
IPv4 ESP input: no key association found for spi 94246771
IPv4 ESP input: no key association found for spi 94246771
IPv4 ESP input: no key association found for spi 94246771
IPv4 ESP input: no key association found for spi 94246771
IPv4 ESP input: no key association found for spi 94246771
IPv4 ESP input: no key association found for spi 94246771
IPv4 ESP input: no key association found for spi 94246771
IPv4 ESP input: no key association found for spi 94246771
IPv4 ESP input: no key association found for spi 94246771

Thanks very much for the input. Still no go, however. I've tried the
sysctl setting, specifying the same lifetime on both ends, and
switching all from main to aggressive mode. Some connections died
after ~5 hours.

I've also tried specifying proposal_check obey.

Any ideas?



On 7/31/07, VANHULLEBUS Yvan <vanhu_bsd@zeninc.net> wrote:
> > On Mon, Jul 30, 2007 at 08:52:25PM -0400, Isaac Kohen wrote:
> > > Hello,
> >
> > Hi.
> >
> >
> > > I'm running 6.2-REL. My kernel is compiled with IPSEC, IPSEC_ESP, and
> > > IPSEC_DEBUG. I've installed ipsec-tools 0.6.7.
> > [.....]
> > > net.key.preferred_oldsa: 0
> >
> > As Bjoern already said, you may resolve your problems by setting
> > net.key.preferred_oldsa=1, but I don't think that's your actual
> > problem (and setting it to 1 is usually a bad idea, except when you
> > have a peer that really requires it, usually an old and/or cheap
> > device).
> >
> >
> > [....]
> > > remote 69.119.56.96 {
> > >   exchange_mode main;
> > >   #doi ipsec_doi;
> > >   #situation identity_only;
> > >   my_identifier address  68.167.79.2;
> > >   peers_identifier address 69.119.56.96;
> > >   #verify_identifier on;
> > >   nonce_size 16;
> > >   #lifetime time 24 hour;
> >
> > Is lifetime really commented out in your config?
> >
> >
> > [.....]
> > > Jul 30 20:42:09 cj racoon: DEBUG: get pfkey ACQUIRE message
> >
> > Ok, you get acquires from your kernel.
> >
> > [....]
> > > Jul 30 20:42:14 cj racoon: DEBUG: ignore the acquire because ph2 found
> >
> > That's because you got *lots* of acquires for the same peer.
> >
> >
> > > Jul 30 20:42:22 cj racoon: DEBUG: 100 bytes from 68.167.79.2[500] to
> > > 69.119.56.96[500]
> > > Jul 30 20:42:22 cj racoon: DEBUG: sockname  68.167.79.2[500]
> > > Jul 30 20:42:22 cj racoon: DEBUG: send packet from 68.167.79.2[500]
> > > Jul 30 20:42:22 cj racoon: DEBUG: send packet to 69.119.56.96[500]
> > > Jul 30 20:42:22 cj racoon: DEBUG: 1 times of 100 bytes message will be sent
> > > to 69.119.56.96[500]
> > > Jul 30 20:42:22 cj racoon: DEBUG:  1313a61e 4a85f592 00000000 00000000
> > > 01100200 00000000 00000064 0d000034 00000001 00000001 00000028 01010001
> > > 00000020 01010000 800b0001 800c7080 80010005 80030001 80020002 80040002
> > > 00000014 afcad713 68a1f1c9 6b8696fc 77570100
> > > Jul 30 20:42:22 cj racoon: DEBUG: resend phase1 packet
> > > 1313a61e4a85f592:0000000000000000
> >
> > Racoon tries to establish a new phase1....
> >
> > Wild guess:
> > Your peer negotiates the first time, and it works.
> > As you don't have lifetime specified, racoon just gets the peer's
> > lifetime.
> >
> > When your phase1 expires, FreeBSD will be the first who wants to
> > negotiate new SAs. When it needs to negotiate an IsakmpSA, the
> > negotiation will fail, probably because the peer wants a lifetime in
> > its proposal.
> >
> > Have a look at your whole debug, find the debug lines from when the
> > first negotiation is done, and see what could make the negotiation
> > work in one direction but not in the other.
> >
> >
> > If you don't find a problem, please send your whole debug (warning,
> > it may be quite big, and will include sensitive information if you
> > log DEBUG2) to ipsec-tools-users@lists.sourceforge.net, as your
> > problem really seems to be a racoon config problem.
> >
> >
> >
> > Yvan.
> >
> > --
> > NETASQ
> > http://www.netasq.com
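An added triage example, not code from this thread or from the FreeBSD or racoon projects: it parses the kernel "no key association found for spi" lines and the racoon DEBUG lines of the kind quoted above, counts dropped inbound ESP packets per SPI (also giving the hex form that appears in a `setkey -D` SAD dump) and flags the pattern of a one-sided SA expiry next to a phase 1 that is being retransmitted. The sample log lines are constructed from the ones in this thread, and the drop threshold is an arbitrary assumption for the example.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the lines quoted in the thread;
# not real captured logs.
DMESG_SAMPLE = """\
IPv4 ESP input: no key association found for spi 94246771
IPv4 ESP input: no key association found for spi 94246771
IPv4 ESP input: no key association found for spi 94246771
IPv4 ESP input: no key association found for spi 12345678
"""

RACOON_SAMPLE = """\
Jul 30 20:42:09 cj racoon: DEBUG: get pfkey ACQUIRE message
Jul 30 20:42:14 cj racoon: DEBUG: ignore the acquire because ph2 found
Jul 30 20:42:22 cj racoon: DEBUG: resend phase1 packet 1313a61e4a85f592:0000000000000000
"""

# The kernel prints the SPI of the unmatched inbound ESP packet in decimal.
NO_SA_RE = re.compile(r"IPv4 ESP input: no key association found for spi (\d+)")

# racoon debug events that matter when triaging a rekey problem.
RACOON_EVENTS = {
    "acquires": re.compile(r"get pfkey ACQUIRE message"),
    "ignored_acquires": re.compile(r"ignore the acquire because ph2 found"),
    "phase1_resends": re.compile(r"resend phase1 packet"),
}


def count_missing_sa_by_spi(dmesg_text):
    """Map SPI -> number of inbound ESP packets dropped for lack of an SA."""
    counts = Counter()
    for line in dmesg_text.splitlines():
        m = NO_SA_RE.search(line)
        if m:
            counts[int(m.group(1))] += 1
    return dict(counts)


def spi_hex(spi):
    """Format a decimal SPI as the 0x-prefixed hex shown by setkey -D."""
    return "0x%08x" % spi


def summarize_racoon(racoon_text):
    """Count the racoon debug events listed in RACOON_EVENTS."""
    summary = {name: 0 for name in RACOON_EVENTS}
    for line in racoon_text.splitlines():
        for name, pattern in RACOON_EVENTS.items():
            if pattern.search(line):
                summary[name] += 1
    return summary


def assess(dmesg_text, racoon_text, drop_threshold=3):
    """Turn the two log views into a short list of findings.

    drop_threshold is an arbitrary cut-off chosen for this example: a few
    drops around a rekey can be normal, a steady stream for one SPI means
    the peer keeps sending on an SA this side does not (or no longer) hold.
    """
    findings = []
    missing = count_missing_sa_by_spi(dmesg_text)
    for spi, n in sorted(missing.items(), key=lambda kv: kv[1], reverse=True):
        if n >= drop_threshold:
            findings.append(
                "%d inbound ESP packets for SPI %s (%d) matched no SA in the "
                "local SADB: the peer is still using an SA this side does not "
                "hold; compare SA lifetimes and rekey timing on both ends"
                % (n, spi_hex(spi), spi)
            )
    racoon = summarize_racoon(racoon_text)
    if racoon["acquires"] and racoon["phase1_resends"]:
        findings.append(
            "racoon received %d ACQUIRE(s) and is retransmitting phase 1 "
            "(%d resend(s)): the new IKE negotiation has not been answered yet"
            % (racoon["acquires"], racoon["phase1_resends"])
        )
    return findings


if __name__ == "__main__":
    for finding in assess(DMESG_SAMPLE, RACOON_SAMPLE):
        print("-", finding)
```

Run it against real `dmesg` output and the racoon log (with `log debug;` enabled in racoon.conf) and match the hex SPI against `setkey -D` on both gateways: if the peer's outbound SA for that SPI is still present while the local inbound one is gone, the two ends disagree about the SA lifetime, which is exactly the mismatch Yvan's reply points at.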


