Date:      Mon, 05 Sep 2011 21:52:42 -0400
From:      Mike Tancsa <mike@sentex.net>
To:        Mikhail Goriachev <mikhailg@webanoide.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: IPsec phase 1 and 2 negotiation in an infinite loop.
Message-ID:  <4E657CEA.7080300@sentex.net>
In-Reply-To: <8d457de47ed92550a511265436c183f9.squirrel@www.vap.navalradio.net>
References:  <8d457de47ed92550a511265436c183f9.squirrel@www.vap.navalradio.net>

On 9/5/2011 8:06 PM, Mikhail Goriachev wrote:
> Hi,
> 
> Can anyone please comment/shed some light/give hints on the following?:
> 
> I've got a VPN cranking between 8.2-RELEASE-p2 (my end) and an unknown
> appliance (the other party doesn't want to disclose specs). Everything
> works just fine and I had a stable and fully established connection for 4
> months without a problem. However, today the tunnel went down.
> 
> I'm using FreeBSD's IPsec and ipsec-tools-0.8.0_2 (racoon). Everything's
> up to date. The thing is, according to tcpdump, it seems that both
> machines are trying to get beyond phases 1 and 2 in an infinite loop:
> 
> 
> 00:00:04.024146 00:11:22:33:44:55 > 55:44:33:22:11:00, ethertype IPv4
> (0x0800), length 378: 1.2.3.4.5.500 > 5.4.3.2.1.500: isakmp: phase 1
> I ident
> 00:00:01.800582 55:44:33:22:11:00 > 00:11:22:33:44:55, ethertype IPv4
> (0x0800), length 126: 5.4.3.2.1.500 > 1.2.3.4.5.500: isakmp: phase 1
> R ident
> 
> Configuration files and logs are available on request.

Post a dozen lines of

tcpdump -s0 -vvvv -ni <external int>  port 500

as well as the racoon logs and config, as well as setkey -DP

	---Mike


-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/


