Date:      Sat, 8 Jan 2005 02:53:41 +1100
From:      "Chris Martin" <outsidefactor@iinet.net.au>
To:        <questions@freebsd.org>
Subject:   gif interface with IPSec spontaneously stopping working
Message-ID:  <20050107155355.D77EB43D2F@mx1.FreeBSD.org>

I have two machines on a community wireless network with static IP addresses.
These machines are used to form a VPN over the CWN, providing a secure
routed path between two private networks. To secure the link I am using gif
interfaces at each end to form the tunnel, and then we are using IPsec with
a pre-shared key.

This link seems very stable for a couple of days, but then it will just stop
without any warning or errors. When I do a tcpdump at the physical
interface (not the virtual gif interface) I see the ISAKMP messages being
exchanged between the racoon daemons on each box:

02:20:20.948965 10.192.8.1.isakmp > 10.192.9.33.isakmp: isakmp: phase 1 I
agg: [|sa]
02:20:20.966082 10.192.9.33.isakmp > 10.192.8.1.isakmp: isakmp: phase 1 R
agg: [|sa]
02:20:21.036640 10.192.8.1.isakmp > 10.192.9.33.isakmp: isakmp: phase 1 I
agg:
    (hash: len=20)
02:20:21.065342 10.192.8.1.isakmp > 10.192.9.33.isakmp: isakmp: phase
2/others I oakley-quick[E]: [encrypted hash]
02:20:21.069884 10.192.9.33.isakmp > 10.192.8.1.isakmp: isakmp: phase
2/others R oakley-quick[E]: [encrypted hash]
02:20:21.077303 10.192.8.1.isakmp > 10.192.9.33.isakmp: isakmp: phase
2/others I oakley-quick[E]: [encrypted hash]

But then the data doesn't start to flow. If I go and destroy the gif
interface and then re-create it with the same settings it comes back
straight away, and I see the exact same pattern of isakmp packets.

Can anyone suggest what could be wrong? The machines are running 5.2.1 p9
and p11 (I am building the world and kernel for 5.3 on each box now), but
assuming an upgrade to 5.3 doesn't resolve the issue, where can I start with
the investigation to find why the interface is dropping out? Is there a way
to get error logging or diagnostics out of gif interfaces? Does it sound
more like an interface or IPsec issue?

I hope someone can help!

Thanks,

Chris Martin
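A small triage script, added here as an example and not part of the original thread or of FreeBSD/racoon: it takes tcpdump output like the capture above (first re-joining records that a mail client wrapped onto continuation lines), checks whether the aggressive-mode (phase 1) and quick-mode (phase 2) exchanges ran to completion as I/R/I message triples, and then checks whether any ESP packets followed within a short window. The ESP lines and SPI values in the second sample are constructed; the verdict strings, the five-second window, and the hint to look at the kernel SAD/SPD (setkey -D / setkey -DP) and the gif interface when IKE completes but no ESP follows are this example's own diagnostic heuristic, not anything the post establishes.

```python
"""Triage tcpdump ISAKMP/ESP output: did IKE finish, and did ESP follow?"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input (constructed from the six ISAKMP lines quoted in the post), still
# wrapped the way the mail client wrapped them, with no ESP afterwards.
SAMPLE_NO_ESP = """\
02:20:20.948965 10.192.8.1.isakmp > 10.192.9.33.isakmp: isakmp: phase 1 I
agg: [|sa]
02:20:20.966082 10.192.9.33.isakmp > 10.192.8.1.isakmp: isakmp: phase 1 R
agg: [|sa]
02:20:21.036640 10.192.8.1.isakmp > 10.192.9.33.isakmp: isakmp: phase 1 I
agg:
    (hash: len=20)
02:20:21.065342 10.192.8.1.isakmp > 10.192.9.33.isakmp: isakmp: phase
2/others I oakley-quick[E]: [encrypted hash]
02:20:21.069884 10.192.9.33.isakmp > 10.192.8.1.isakmp: isakmp: phase
2/others R oakley-quick[E]: [encrypted hash]
02:20:21.077303 10.192.8.1.isakmp > 10.192.9.33.isakmp: isakmp: phase
2/others I oakley-quick[E]: [encrypted hash]
"""

# Same negotiation followed by constructed ESP packets (SPI values are made up).
SAMPLE_WITH_ESP = SAMPLE_NO_ESP + """\
02:20:21.201000 10.192.8.1 > 10.192.9.33: ESP(spi=0x0a1b2c3d,seq=0x1)
02:20:21.240000 10.192.9.33 > 10.192.8.1: ESP(spi=0x04d3e5f6,seq=0x1)
"""

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
ISAKMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<src>[\d.]+)\.isakmp > (?P<dst>[\d.]+)\.isakmp:"
    r" isakmp: phase (?P<phase>1|2/others) (?P<role>[IR]) (?P<mode>\S+)"
)
ESP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ESP\(spi=0x[0-9a-f]+,seq=0x[0-9a-f]+\)"
)


@dataclass
class Packet:
    t: float       # seconds since midnight
    src: str
    dst: str
    kind: str      # "ike1", "ike2" or "esp"
    role: str      # "I", "R", or "" for ESP


def unwrap(text: str) -> List[str]:
    """Re-join records that a mail client wrapped onto continuation lines.
    A line that does not start with a tcpdump timestamp belongs to the previous record."""
    records: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def to_seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse(text: str) -> List[Packet]:
    """Turn unwrapped tcpdump records into Packet objects; unknown lines are ignored."""
    out: List[Packet] = []
    for rec in unwrap(text):
        m = ISAKMP_RE.match(rec)
        if m:
            kind = "ike1" if m["phase"] == "1" else "ike2"
            out.append(Packet(to_seconds(m["ts"]), m["src"], m["dst"], kind, m["role"]))
            continue
        m = ESP_RE.match(rec)
        if m:
            out.append(Packet(to_seconds(m["ts"]), m["src"], m["dst"], "esp", ""))
    return out


def triage(text: str, window: float = 5.0) -> Dict[str, object]:
    """Summarise one negotiation and say which layer to look at next (heuristic)."""
    pkts = parse(text)
    ike1 = [p for p in pkts if p.kind == "ike1"]
    ike2 = [p for p in pkts if p.kind == "ike2"]
    # Aggressive mode (phase 1) and quick mode (phase 2) are each three messages: I, R, I.
    p1_done = [p.role for p in ike1][:3] == ["I", "R", "I"]
    p2_done = [p.role for p in ike2][:3] == ["I", "R", "I"]
    last_ike = max((p.t for p in ike1 + ike2), default=None)
    esp_after = [p for p in pkts if p.kind == "esp" and last_ike is not None
                 and 0 <= p.t - last_ike <= window]
    if not (p1_done and p2_done):
        verdict = "ike_incomplete"    # negotiation itself failed: read racoon's log
    elif not esp_after:
        verdict = "no_esp_after_ike"  # IKE fine, kernel side suspect: setkey -D / -DP, gif state
    else:
        verdict = "esp_flowing"
    return {"phase1": len(ike1), "phase2": len(ike2),
            "esp_after_ike": len(esp_after), "verdict": verdict}


if __name__ == "__main__":
    for name, sample in (("no ESP", SAMPLE_NO_ESP), ("with ESP", SAMPLE_WITH_ESP)):
        print(name, triage(sample))
```

Run against the capture in the post, the script reports both phases complete and no ESP afterwards, which points the investigation at the kernel security associations and the gif interface rather than at racoon; feeding it live output from `tcpdump -n -i <physical interface> udp port 500 or esp` gives the same split without reading the packets by hand.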