From: Mike Tancsa
Organization: Sentex Communications
Date: Mon, 05 Sep 2011 21:52:42 -0400
To: Mikhail Goriachev
Cc: freebsd-questions@freebsd.org
Subject: Re: IPsec phase 1 and 2 negotiation in an infinite loop.

On 9/5/2011 8:06 PM, Mikhail Goriachev wrote:
> Hi,
>
> Can anyone please comment/shed some light/give hints on the following?:
>
> I've got a VPN cranking between 8.2-RELEASE-p2 (my end) and an unknown
> appliance (the other party doesn't want to disclose specs). Everything
> works just fine and I had a stable and fully established connection for 4
> months without a problem. However, today the tunnel went down.
>
> I'm using FreeBSD's IPsec and ipsec-tools-0.8.0_2 (racoon). Everything's
> up to date. The thing is, according to tcpdump, it seems that both
> machines are trying to get beyond phases 1 and 2 in an infinite loop:
>
>
> 00:00:04.024146 00:11:22:33:44:55 > 55:44:33:22:11:00, ethertype IPv4
> (0x0800), length 378: 1.2.3.4.5.500 > 5.4.3.2.1.500: isakmp: phase 1
> I ident
> 00:00:01.800582 55:44:33:22:11:00 > 00:11:22:33:44:55, ethertype IPv4
> (0x0800), length 126: 5.4.3.2.1.500 > 1.2.3.4.5.500: isakmp: phase 1
> R ident
>
> Configuration files and logs are available on request.

Post a dozen lines of

tcpdump -s0 -vvvv -ni port 500

as well as the racoon logs and config, as well as

setkey -DP

---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
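The looping phase 1 exchange in the quoted report, as an added example that is not part of the original thread: a small Python script of mine that parses tcpdump's one-line isakmp summaries and flags a peer pair that keeps exchanging phase 1 messages without ever starting quick mode. The capture lines in it are constructed, modelled on the ones quoted above; the six-message threshold assumes IKEv1 main mode.

```python
import re
from collections import Counter

# tcpdump's one-line IKEv1 summary, with or without "-e" link-layer detail, e.g.
# "... 192.0.2.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident".
ISAKMP_RE = re.compile(
    r"(?P<src>\d+(?:\.\d+)+)\.500 > (?P<dst>\d+(?:\.\d+)+)\.500: isakmp: "
    r"phase (?P<phase>1|2/others) (?P<dir>[IR]) (?P<exch>\S+)"
)

def find_ike_loops(lines, max_phase1_msgs=6):
    """Flag peer pairs that keep exchanging phase 1 messages but never start quick mode.
    Main mode completes in 6 messages (aggressive mode in 3), after which the initiator
    sends "phase 2/others I oakley-quick"; more phase 1 traffic than that between the
    same two peers, with no quick-mode message at all, means phase 1 keeps restarting."""
    phase1, quick, inf = Counter(), Counter(), Counter()   # keyed by unordered peer pair
    for line in lines:
        m = ISAKMP_RE.search(line)
        if not m:                       # not an ISAKMP summary line (or not IKEv1)
            continue
        pair = tuple(sorted((m["src"], m["dst"])))
        if m["phase"] == "1":
            phase1[pair] += 1
        elif m["exch"].startswith("oakley-quick"):   # may carry "[E]" when encrypted
            quick[pair] += 1
        elif m["exch"].startswith("inf"):            # informational: notify or delete
            inf[pair] += 1
    return [
        {"peers": pair, "phase1_msgs": n, "informational_msgs": inf[pair]}
        for pair, n in sorted(phase1.items())
        if n > max_phase1_msgs and quick[pair] == 0
    ]

# Constructed sample capture (not from the thread): one pair re-running main mode and
# getting an informational reply each time, and one pair that completes normally.
SAMPLE = """\
00:00:00.000000 IP 192.0.2.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
00:00:00.020000 IP 198.51.100.20.500 > 192.0.2.10.500: isakmp: phase 1 R ident
00:00:00.040000 IP 192.0.2.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
00:00:00.060000 IP 198.51.100.20.500 > 192.0.2.10.500: isakmp: phase 1 R ident
00:00:00.080000 IP 198.51.100.20.500 > 192.0.2.10.500: isakmp: phase 2/others R inf
00:00:10.000000 IP 192.0.2.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
00:00:10.020000 IP 198.51.100.20.500 > 192.0.2.10.500: isakmp: phase 1 R ident
00:00:10.040000 IP 192.0.2.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
00:00:10.060000 IP 198.51.100.20.500 > 192.0.2.10.500: isakmp: phase 1 R ident
00:00:10.080000 IP 198.51.100.20.500 > 192.0.2.10.500: isakmp: phase 2/others R inf
00:00:20.000000 IP 203.0.113.5.500 > 203.0.113.9.500: isakmp: phase 1 I ident
00:00:20.020000 IP 203.0.113.9.500 > 203.0.113.5.500: isakmp: phase 1 R ident
00:00:20.040000 IP 203.0.113.5.500 > 203.0.113.9.500: isakmp: phase 2/others I oakley-quick[E]
""".splitlines()
```

Run it over the output of the tcpdump command suggested in the reply; a flagged pair with a non-zero informational count usually means the responder is rejecting the proposal or identity, which racoon's log will name.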