At 02:50 AM 12/15/2009, Jon Otterholm wrote:

On 2009-12-11 20.23, "Mike Tancsa" <m...@sentex.net> wrote:
>
>
> You might also want to turn on DPD (dead peer
> detection) in ipsectools if you don't already have
> it on both sides.  Are you really using des for
> the crypto ? Also, when the session is
> negotiated, take a look at the output of
> setkey -D
> and see what was actually negotiated and post it
> here (just make sure you get rid of the info on the E and A lines).
>
> e.g.
> 1.1.1.2 2.2.2.2
>          esp mode=tunnel spi=125444787(0x077a22b3) reqid=16416(0x00004020)
>          E: 3des-cbc  770cdd7b 770cdd7b 770cdd7b 770cdd7b 770cdd7b 770cdd7b
>          A: hmac-sha1  5cfdbabb 5cfdbabb 5cfdbabb 5cfdbabb 5cfdbabb
>
> i.e. mask out the 5cfdbabb and 770cdd7b values
> before posting as that's your crypto :)
>
>

Here is output from setkey -D when we lost connection:

localip remoteip
        esp mode=tunnel spi=989823717(0x3aff82e5) reqid=0(0x00000000)
        E: des-cbc  x x
        A: hmac-md5  x x x x
        seq=0x000009ac replay=4 flags=0x00000000 state=mature
        created: Dec 15 07:57:41 2009   current: Dec 15 08:26:04 2009
        diff: 1703(s)   hard: 3600(s)   soft: 2880(s)
        last: Dec 15 08:26:03 2009      hard: 0(s)      soft: 0(s)
        current: 400400(bytes)  hard: 0(bytes)  soft: 0(bytes)
        allocated: 2476 hard: 0 soft: 0
        sadb_seq=1 pid=23175 refcnt=2
remoteip remoteip
        esp mode=tunnel spi=117094840(0x06fab9b8) reqid=0(0x00000000)
        E: des-cbc  x x
        A: hmac-md5  x x x x
        seq=0x00000b73 replay=4 flags=0x00000000 state=mature
        created: Dec 15 07:57:41 2009   current: Dec 15 08:26:04 2009
        diff: 1703(s)   hard: 3600(s)   soft: 2880(s)
        last: Dec 15 08:25:37 2009      hard: 0(s)      soft: 0(s)
        current: 2960978(bytes) hard: 0(bytes)  soft: 0(bytes)
        allocated: 2931 hard: 0 soft: 0
        sadb_seq=0 pid=23175 refcnt=1


The state looks good (mature). It would be useful to see what the other side thinks is going on. 3 different things to try when it's down.

racoonctl vpn-disconnect remoteip
... where remoteip is the public IP of the endpoint; then generate some traffic and see if things are re-established.

setkey -F

to flush the associations on this side... and again, generate some traffic.


Another thing to try is
sysctl -w net.key.preferred_oldsa=0
setkey -F
restart racoon
and then see if the hangs still happen. But you should try and get some debugging info from the other side to see what state things are in when the tunnel fails. In general, I have found setting net.key.preferred_oldsa=0 important when inter-operating with other platforms. Also, check and make sure you have dpd compiled into ipsectools and make sure it is enabled.

        ---Mike




--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            m...@sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
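As an added example (not from the thread, and not part of ipsec-tools), a small Python helper for the two things Mike asks for above: it masks the key words on the E:/A: lines so a setkey -D dump can be posted, and it parses the state and lifetime fields so an SA that is not mature, is past its soft lifetime, or still uses single DES stands out. The sample dump is constructed after Jon's output with made-up key material; its second SA is deliberately unhealthy to show the checks firing.

```python
import re

# Constructed sample shaped like the setkey -D dump in the thread; the key words on E:/A: are filler.
SAMPLE = """\
10.0.0.1 10.0.0.2
        esp mode=tunnel spi=989823717(0x3aff82e5) reqid=0(0x00000000)
        E: des-cbc  0a0b0c0d 0e0f1011
        A: hmac-md5  11111111 22222222 33333333 44444444
        seq=0x000009ac replay=4 flags=0x00000000 state=mature
        diff: 1703(s)   hard: 3600(s)   soft: 2880(s)
10.0.0.2 10.0.0.1
        esp mode=tunnel spi=117094840(0x06fab9b8) reqid=0(0x00000000)
        E: des-cbc  0a0b0c0d 0e0f1011
        A: hmac-md5  11111111 22222222 33333333 44444444
        seq=0x00000b73 replay=4 flags=0x00000000 state=larval
        diff: 3000(s)   hard: 3600(s)   soft: 2880(s)
"""

def redact(text):
    """Keep the algorithm name on E:/A: lines but replace the key words, as the thread asks."""
    return re.sub(r"(?m)^(\s+[EA]: \S+\s+)\S.*$", r"\g<1><redacted>", text)

def parse_sas(text):
    """Return one dict per SA: src, dst, spi, enc, auth, state and diff/hard/soft seconds."""
    sas = []
    for ln in filter(str.strip, text.splitlines()):   # skip blank lines
        f = ln.split()
        if not ln[0].isspace():                        # unindented "src dst" line opens a new SA
            sas.append({"src": f[0], "dst": f[1]})
        elif f[0].startswith(("esp", "ah")):           # "esp mode=tunnel spi=N(0x..) reqid=..."
            sas[-1]["spi"] = int(re.search(r"spi=(\d+)", ln).group(1))
        elif f[0] in ("E:", "A:"):                     # algorithm name follows the tag
            sas[-1]["enc" if f[0] == "E:" else "auth"] = f[1]
        elif "state=" in ln:                           # seq=... replay=... flags=... state=mature
            sas[-1]["state"] = re.search(r"state=(\w+)", ln).group(1)
        elif f[0] == "diff:":                          # "diff: N(s) hard: N(s) soft: N(s)"
            sas[-1]["diff"], sas[-1]["hard"], sas[-1]["soft"] = (int(x.split("(")[0]) for x in f[1::2])
    return sas

def assess(sa):
    """Flag what a troubleshooter would question about one SA from the parsed fields."""
    issues = []
    if sa.get("state") != "mature":
        issues.append("state=%s (not usable for traffic)" % sa.get("state"))
    if sa.get("enc") == "des-cbc":
        issues.append("single DES encryption; prefer aes-cbc or 3des-cbc")
    if "soft" in sa and sa["diff"] >= sa["soft"]:
        issues.append("age %ds is past soft lifetime %ds, rekey overdue" % (sa["diff"], sa["soft"]))
    return issues
```

Feed it `setkey -D` output captured while the tunnel is down; an empty issue list for both directions, as in Jon's dump, points the investigation at the other endpoint, which is Mike's conclusion above.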
