Date:      Fri, 11 Dec 2009 12:21:10 +0100
From:      Jon Otterholm <jon.otterholm@ide.resurscentrum.se>
To:        <freebsd-net@freebsd.org>
Subject:   Racoon site-to-site
Message-ID:  <C747E9B6.31D29%jon.otterholm@ide.resurscentrum.se>

I have a site-to-site vpn between these two:

1. FreeBSD 7.2-RELEASE-p4, racoon, ipsec-tools-0.7.3

2. Symantec VPN 100, (also known as "Nexland Pro 800")

I have intermittent connection problems between these two and I can't seem
to identify what the problem is. I realize the complexity and challenge in
getting two different ipsec-boxes talking to each other but I thought I
would have a go before I replace the Symantec-box. If I restart racoon or
wait approximately 30 min the connection is re-established.

What would be the obvious way to debug this? Any suggestions on what to
tweak appreciated. 

//Jon

Info:

    Keying: IKE PSK

Phase1:
    encryption: DES
    Authentication: MD5
    SA Lifetime: 28800 seconds

Phase2:
    Encryption: DES
    Authentication: MD5
    SA Lifetime: 3600 seconds

racoon.conf:

path    pre_shared_key  "/usr/local/etc/racoon/psk.txt";
log     info;

padding # options are not to be changed
{
        maximum_length  20;
        randomize       off;
        strict_check    off;
        exclusive_tail  off;
}

timer
{
        counter         5;
        interval        10 sec;
        persend         1;
        phase1          30 sec;
        phase2          15 sec;
}

listen
{
        isakmp          local.ip.address [500];
}

remote  re.mote.ip.address [500]
{
        exchange_mode   aggressive,main;
        doi             ipsec_doi;
        situation       identity_only;
        my_identifier   address local.ip.address;
        peers_identifier        address re.mote.ip.address;
        initial_contact on;
        lifetime        time 8 hour;
        passive         off;
        proposal_check  obey;
        generate_policy off;

        proposal {
                encryption_algorithm    des;
                hash_algorithm          md5;
                authentication_method   pre_shared_key;
                lifetime time           30 sec;
                dh_group                1;
        }
}

sainfo  (address 192.168.1.0/24 any address 192.168.100.0/24 any)
{
        pfs_group       1;
        lifetime        time    3600 sec;
        encryption_algorithm    des;
        authentication_algorithm        hmac_md5,hmac_sha1;
        compression_algorithm   deflate;
}
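
As an added debugging aid (not part of the original post), here is a small Python check that pulls every `lifetime time` statement out of a racoon.conf excerpt, resolves the unit, and compares each value with the SA lifetimes documented for the peer; a phase-1 lifetime proposed to the peer that differs from what it is configured with is one of the first things worth ruling out when a tunnel drops and comes back on its own. The excerpt and the peer values (28800 s / 3600 s) are copied from the post; `parse_lifetimes`, `lifetime_mismatches` and `PEER_LIFETIMES` are names chosen here.

```python
import re

# Constructed excerpt reproducing the lifetime-related statements of the
# racoon.conf posted above (other settings omitted).
RACOON_CONF = """
remote  re.mote.ip.address [500]
{
        lifetime        time 8 hour;
        proposal_check  obey;
        proposal {
                lifetime time           30 sec;   # phase-1 proposal lifetime
                dh_group                1;
        }
}
sainfo  (address 192.168.1.0/24 any address 192.168.100.0/24 any)
{
        lifetime        time    3600 sec;
}
"""

# SA lifetimes the peer (Symantec VPN 100) is configured with, per the post.
PEER_LIFETIMES = {"phase1": 28800, "phase2": 3600}

UNIT_SECONDS = {"sec": 1, "min": 60, "hour": 3600}
# One token per match: group 1 = section header before "{", 2 = "}", 3 = statement.
TOKEN = re.compile(r"([^{};]*)\{|(\})|([^{};]*);")
LIFETIME = re.compile(r"^lifetime\s+time\s+(\d+)\s+(sec|min|hour)$")


def parse_lifetimes(conf):
    """Map each section path (e.g. 'remote/proposal') to its lifetime in seconds."""
    conf = re.sub(r"#[^\n]*", "", conf)                 # drop '#' comments
    path, found = [], {}
    for m in TOKEN.finditer(conf):
        if m.lastindex == 1:                            # "keyword ... {" opens a section
            path.append((m.group(1).split() or ["?"])[0])
        elif m.lastindex == 2:                          # "}" closes it
            path.pop()
        else:                                           # "...;" is a statement
            hit = LIFETIME.match(" ".join(m.group(3).split()))
            if hit:
                found["/".join(path)] = int(hit.group(1)) * UNIT_SECONDS[hit.group(2)]
    return found


def lifetime_mismatches(conf, peer):
    """Return (section, ours, peers) for every lifetime that differs from the peer's."""
    mismatches = []
    for section, seconds in parse_lifetimes(conf).items():
        phase = "phase2" if section.startswith("sainfo") else "phase1"
        if seconds != peer[phase]:
            mismatches.append((section, seconds, peer[phase]))
    return mismatches


if __name__ == "__main__":
    for section, ours, theirs in lifetime_mismatches(RACOON_CONF, PEER_LIFETIMES):
        print(f"{section}: we propose {ours} s, peer is set to {theirs} s")
```

Run against the posted file it reports only the 30-second lifetime inside the phase-1 `proposal` block; the remote-level 8 hour value and the sainfo 3600 s value match the peer.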
