At 11:33 AM 12/11/2009, David DeSimone wrote:
Jon Otterholm <jon.otterh...@ide.resurscentrum.se> wrote:
>
> If I restart racoon or wait approximately 30 min the connection is
> re-established.
Since this is approximately ½ of the phase 2 lifetime, you are probably
running into lifetime negotiation issues, or PFS issues.
> What would be the obvious way to debug this? Any suggestions on what
> to tweak appreciated.
I would turn up the debugging on racoon to get more information around
the time that the tunnel fails.
> sainfo (address 192.168.1.0/24 any address 192.168.100.0/24 any)
> {
> pfs_group 1;
> lifetime time 3600 sec;
> encryption_algorithm des;
> authentication_algorithm hmac_md5,hmac_sha1;
> compression_algorithm deflate;
> }
My hunch is that you have a PFS mismatch, so that the first tunnel
negotiates, but the second SA negotiation fails, then the third
succeeds, etc.
You might also want to turn on DPD (dead peer detection) in ipsec-tools if you don't already have it on both sides. Are you really using des for the crypto? Also, when the session is negotiated, take a look at the output of
setkey -D
and see what was actually negotiated and post it here (just make sure you get rid of the info on the E and A lines), e.g.
1.1.1.2 2.2.2.2
esp mode=tunnel spi=125444787(0x077a22b3) reqid=16416(0x00004020)
E: 3des-cbc 770cdd7b 770cdd7b 770cdd7b 770cdd7b 770cdd7b 770cdd7b
A: hmac-sha1 5cfdbabb 5cfdbabb 5cfdbabb 5cfdbabb 5cfdbabb
i.e. mask out the 5cfdbabb and 770cdd7b values before posting as that's your crypto :)
Also, when things "jam up", try instead
racoonctl vpn-disconnect <remote peer's IP>
and you won't have to restart things.
Also, what does
sysctl net.key.preferred_oldsa
show?
---Mike
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
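The two debugging steps Mike suggests above (masking the E:/A: key words of a `setkey -D` dump before posting it, and checking his PFS-mismatch hunch against both peers' sainfo blocks), as an added POSIX shell example that is not part of the thread or of ipsec-tools. The helper names redact_setkey, sainfo_param and check_pfs, and the sample dump and sainfo text, are constructed for this example; the SPI and key words are copied from his sample, and the remote sainfo is an assumed configuration in which pfs_group was left out.

```shell
#!/bin/sh
# Added example for the debugging steps discussed above; not code from the
# thread or from ipsec-tools.  Helper names (redact_setkey, sainfo_param,
# check_pfs) and the sample texts are constructed for this example.

# Mask the key material on the E:/A: lines of `setkey -D` output.  Fields on
# such a line are: "E:" "<algorithm>" key key key ...; every 8-hex-char field
# after the algorithm is replaced by XXXXXXXX, everything else is printed as-is.
redact_setkey() {
    awk '/^[ \t]*[EA]:[ \t]/ {
             for (i = 3; i <= NF; i++)
                 if (length($i) == 8 && $i ~ /^[0-9a-fA-F]+$/)
                     $i = "XXXXXXXX"
         }
         { print }'
}

# Print the value of directive $2 inside the sainfo text $1, or "unset".
sainfo_param() {
    v=$(printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\(.*\);.*/\1/p" \
        | head -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unset\n'; fi
}

# Compare the local and remote sainfo blocks.  A pfs_group difference (one
# side set, the other not, or different groups) is reported as a mismatch and
# makes the function return 1; a lifetime difference is only reported.
check_pfs() {
    rc=0
    lp=$(sainfo_param "$1" pfs_group); rp=$(sainfo_param "$2" pfs_group)
    if [ "$lp" = "$rp" ]; then
        echo "pfs_group: ok ($lp)"
    else
        echo "pfs_group: MISMATCH local=$lp remote=$rp (likely cause of the phase 2 rekey failing)"
        rc=1
    fi
    ll=$(sainfo_param "$1" lifetime); rl=$(sainfo_param "$2" lifetime)
    if [ "$ll" = "$rl" ]; then
        echo "lifetime:  ok ($ll)"
    else
        echo "lifetime:  differs local=$ll remote=$rl (check which side initiates the rekey)"
    fi
    return $rc
}

# Constructed sample: the four lines Mike shows above, laid out the way
# `setkey -D` prints them (SPI and key words copied from his sample).
SETKEY_SAMPLE='1.1.1.2 2.2.2.2
    esp mode=tunnel spi=125444787(0x077a22b3) reqid=16416(0x00004020)
    E: 3des-cbc 770cdd7b 770cdd7b 770cdd7b 770cdd7b 770cdd7b 770cdd7b
    A: hmac-sha1 5cfdbabb 5cfdbabb 5cfdbabb 5cfdbabb 5cfdbabb'

# Constructed sainfo blocks: the local one as posted in the thread, and an
# assumed remote one whose administrator left out pfs_group (no PFS there).
LOCAL_SAINFO='sainfo (address 192.168.1.0/24 any address 192.168.100.0/24 any)
{
    pfs_group 1;
    lifetime time 3600 sec;
    encryption_algorithm des;
    authentication_algorithm hmac_md5,hmac_sha1;
    compression_algorithm deflate;
}'
REMOTE_SAINFO='sainfo (address 192.168.100.0/24 any address 192.168.1.0/24 any)
{
    lifetime time 1800 sec;
    encryption_algorithm des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}'

echo "== setkey -D output, safe to post =="
printf '%s\n' "$SETKEY_SAMPLE" | redact_setkey
echo
echo "== local vs remote sainfo =="
check_pfs "$LOCAL_SAINFO" "$REMOTE_SAINFO" \
    || echo "result: align pfs_group on both peers, then racoonctl vpn-disconnect and retry"
```

Against a live box the first helper is used as `setkey -D | redact_setkey`, and check_pfs is fed the sainfo blocks copied from both peers' racoon.conf. Whether a pfs_group or lifetime difference is actually fatal depends on the responder's proposal_check setting (see racoon.conf(5)), so read the script's verdict as where to look first, and confirm it with racoon's debug log around the time of the failed rekey.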