After a period of time the phase 1 goes AWOL and on this particular
connection to a Cisco it does not try to renegotiate. However, the other
phase 1s to two other racoon instances are never bothered. After the SA
expires, sometimes, racoon does not try to renegotiate. If I do a
racoonctl reload-config then racoon will try to renegotiate. Sometimes it
is so bad I have to restart racoon. I can also see in the logs tons of
entries about timeout waiting for phase two because no phase 1 established,
and phase 1 packets were never sent. Anyone have some ideas?
path pre_shared_key "/etc/racoon/psk.txt";
#log debug;

# phase 1 (IKE) settings, one block per peer
remote xxx.xxx.xxx.xxx {
    exchange_mode main,aggressive;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

remote yyy.yyy.yyy.yyy {
    exchange_mode main,aggressive;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

# the Cisco peer
remote zzz.zzz.zzz.zzz {
    nat_traversal off;
    exchange_mode main;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        #lifetime time 60 minutes;
        dh_group 5;
    }
    #lifetime time 30 minutes;
    #lifetime byte 5 MB;
    #lifetime byte 4500 MB;
}

# phase 2 (IPsec SA) settings, shared by all peers
sainfo anonymous {
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
    lifetime time 60 minutes;
    #lifetime byte 4608000 KB;
    #lifetime byte 4500 MB;
}
My SPD database is fairly large, so in the interest of brevity I am going to
summarize here. They all look like this:
spdadd aaa.aaa.aaa.0/24 bbb.bbb.bbb.0/23 any -P out ipsec
    esp/tunnel/xxx.xxx.xxx.xxx-yyy.yyy.yyy.yyy/unique;
spdadd bbb.bbb.bbb.0/23 aaa.aaa.aaa.0/24 any -P in ipsec
    esp/tunnel/yyy.yyy.yyy.yyy-xxx.xxx.xxx.xxx/unique;
I am running this version of racoon, backported from testing I think:
ii  racoon  0.7-2  IPsec IKE keying daemon
-
Brian J. Schrock
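A check that is worth running before chasing the daemon itself is whether every tunnel endpoint referenced by the SPD actually has a `remote` block in racoon.conf, and whether each `out` policy has its mirrored `in` policy. A policy whose peer has no `remote` block gives racoon no phase 1 parameters for that peer (unless a `remote anonymous` block catches it), which shows up as phase 2 timeouts with no phase 1 packets ever sent. The script below is an added example, not part of the original post or of the racoon project: it parses a simplified subset of racoon.conf and of `setkey` `spdadd` statements and reports the two kinds of mismatch. The configuration and SPD text embedded in it are constructed, with RFC 5737 documentation addresses standing in for the real peers.

```python
"""Consistency check between racoon.conf 'remote' blocks and setkey SPD
policies (added example; sample inputs below are constructed)."""
import re
from dataclasses import dataclass

# Constructed racoon.conf fragment: two peers with phase 1 settings.
RACOON_CONF = """
path pre_shared_key "/etc/racoon/psk.txt";
remote 192.0.2.1 {
    exchange_mode main;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
remote 192.0.2.2 {
    exchange_mode main;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 5;
    }
}
"""

# Constructed SPD: one correctly mirrored pair, plus an 'out' policy whose
# peer (198.51.100.5) has no 'remote' block and no matching 'in' policy.
SPD = """
spdadd 10.1.0.0/24 10.2.0.0/23 any -P out ipsec
    esp/tunnel/192.0.2.10-192.0.2.1/unique;
spdadd 10.2.0.0/23 10.1.0.0/24 any -P in ipsec
    esp/tunnel/192.0.2.1-192.0.2.10/unique;
spdadd 10.1.0.0/24 10.3.0.0/24 any -P out ipsec
    esp/tunnel/192.0.2.10-198.51.100.5/unique;
"""


@dataclass(frozen=True)
class Policy:
    src: str        # traffic selector source
    dst: str        # traffic selector destination
    direction: str  # "in" or "out"
    local: str      # tunnel endpoint on our side
    peer: str       # tunnel endpoint on the remote side
    level: str      # e.g. "unique" or "require"


# 'remote <address> {' at the start of a line; 'anonymous' is ignored here.
REMOTE_RE = re.compile(r"^\s*remote\s+(\d[\d.]*)\s*\{", re.M)

# Simplified spdadd grammar: only ESP tunnel-mode policies, one statement
# may span several lines (the '\s+' allow newlines).
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"esp/tunnel/([^-\s]+)-([^/\s]+)/(\w+)\s*;"
)


def parse_remotes(conf: str) -> set[str]:
    """Return the set of peer addresses that have a 'remote' block."""
    return set(REMOTE_RE.findall(conf))


def parse_spd(text: str) -> list[Policy]:
    """Parse spdadd statements; tunnel 'a-b' is local-peer for 'out' and
    peer-local for 'in'."""
    policies = []
    for m in SPDADD_RE.finditer(text):
        src, dst, _proto, direction, t_src, t_dst, level = m.groups()
        local, peer = (t_src, t_dst) if direction == "out" else (t_dst, t_src)
        policies.append(Policy(src, dst, direction, local, peer, level))
    return policies


def mirror(p: Policy) -> Policy:
    """The policy that should exist for the opposite direction."""
    opposite = "in" if p.direction == "out" else "out"
    return Policy(p.dst, p.src, opposite, p.local, p.peer, p.level)


def check(conf: str, spd: str) -> dict[str, list[str]]:
    """Report SPD peers lacking a 'remote' block and unmirrored policies."""
    remotes = parse_remotes(conf)
    policies = parse_spd(spd)
    present = set(policies)
    return {
        "unknown_peer": sorted({p.peer for p in policies if p.peer not in remotes}),
        "unmirrored": [f"{p.direction} {p.src}->{p.dst}"
                       for p in policies if mirror(p) not in present],
    }


if __name__ == "__main__":
    for kind, items in check(RACOON_CONF, SPD).items():
        for item in items:
            print(f"{kind}: {item}")
```

On the constructed input the script reports `198.51.100.5` as a peer with no `remote` block and the `out 10.1.0.0/24->10.3.0.0/24` policy as unmirrored. Against a real system, feed it the output of `setkey -DP` and the live racoon.conf; the parser deliberately handles only ESP tunnel-mode policies, so transport-mode or AH entries are skipped rather than misreported.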