Date: Fri, 11 Dec 2009 14:23:26 -0500 From: Mike Tancsa <mike@sentex.net> To: jon.otterholm@ide.resurscentrum.se, <freebsd-net@freebsd.org> Subject: Re: Racoon site-to site Message-ID: <200912111923.nBBJNLk3072715@lava.sentex.ca> In-Reply-To: <20091211163343.GE2296@verio.net> References: <C747E9B6.31D29%jon.otterholm@ide.resurscentrum.se> <20091211163343.GE2296@verio.net>
next in thread | previous in thread | raw e-mail | index | archive | help
At 11:33 AM 12/11/2009, David DeSimone wrote:
>Jon Otterholm <jon.otterholm@ide.resurscentrum.se> wrote:
> >
> > If I restart racoon or wait approximately 30 min the connection is
> > re-established.
>
>Since this is approximately =C2=BDof the phase 2 lifetime, you are probably
>running into lifetime negotiation issues, or PFS issues.
>
> > What would be the obvious way to debug this? Any suggestions on what
> > to tweak appreciated.
>
>I would turn up the debugging on racoon to get more information around
>the time that the tunnel fails.
>
> > sainfo (address 192.168.1.0/24 any address 192.168.100.0/24 any)
> > {
> > pfs_group 1;
> > lifetime time 3600 sec;
> > encryption_algorithm des;
> > authentication_algorithm hmac_md5,hmac_sha1;
> > compression_algorithm deflate;
> > }
>
>My hunch is that you have a PFS mismatch, so that the first tunnel
>negotiates, but the second SA negotiation fails, then the third
>succeeds, etc.
You might also want to turn on DPD (dead peer=20
detection) in ipsectools if you dont already have=20
it on both sides. Are you really using des for=20
the crypto ? Also, when the session is=20
negotiated, take a look at the output of
setkey -D
and see what was actually negotiated and post it=20
here (just make sure you get rid of the info on the E and A lines.
e.g.
1.1.1.2 2.2.2.2
esp mode=3Dtunnel spi=3D125444787(0x077a22b3)=
reqid=3D16416(0x00004020)
E: 3des-cbc 770cdd7b 770cdd7b 770cdd7b 770cdd7b 770cdd7b 770cdd7b
A: hmac-sha1 5cfdbabb 5cfdbabb 5cfdbabb 5cfdbabb 5cfdbabb
ie. mask out the 5cfdbabb and 770cdd7b values=20
before posting as thats your crypto :)
Also, when things "jam up", try instead,
racoonctl vpn-disconnect <remote peer's IP>
and you wont have to restart things.
Also, what does
sysctl net.key.preferred_oldsa
show ?
---Mike
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200912111923.nBBJNLk3072715>