At 02:50 AM 12/15/2009, Jon Otterholm wrote:
On 2009-12-11 20.23, "Mike Tancsa" <m...@sentex.net> wrote:
>
>
> You might also want to turn on DPD (dead peer
> detection) in ipsectools if you dont already have
> it on both sides. Are you really using des for
> the crypto ? Also, when the session is
> negotiated, take a look at the output of
> setkey -D
> and see what was actually negotiated and post it
> here (just make sure you get rid of the info on the E and A lines.
>
> e.g.
> 1.1.1.2 2.2.2.2
> esp mode=tunnel spi=125444787(0x077a22b3) reqid=16416(0x00004020)
> E: 3des-cbc 770cdd7b 770cdd7b 770cdd7b 770cdd7b 770cdd7b 770cdd7b
> A: hmac-sha1 5cfdbabb 5cfdbabb 5cfdbabb 5cfdbabb 5cfdbabb
>
> ie. mask out the 5cfdbabb and 770cdd7b values
> before posting as thats your crypto :)
>
>
Here is output from setkey -D when we lost connection:
localip remoteip
esp mode=tunnel spi=989823717(0x3aff82e5) reqid=0(0x00000000)
E: des-cbc x x
A: hmac-md5 x x x x
seq=0x000009ac replay=4 flags=0x00000000 state=mature
created: Dec 15 07:57:41 2009 current: Dec 15 08:26:04 2009
diff: 1703(s) hard: 3600(s) soft: 2880(s)
last: Dec 15 08:26:03 2009 hard: 0(s) soft: 0(s)
current: 400400(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 2476 hard: 0 soft: 0
sadb_seq=1 pid=23175 refcnt=2
remoteip remoteip
esp mode=tunnel spi=117094840(0x06fab9b8) reqid=0(0x00000000)
E: des-cbc x x
A: hmac-md5 x x x x
seq=0x00000b73 replay=4 flags=0x00000000 state=mature
created: Dec 15 07:57:41 2009 current: Dec 15 08:26:04 2009
diff: 1703(s) hard: 3600(s) soft: 2880(s)
last: Dec 15 08:25:37 2009 hard: 0(s) soft: 0(s)
current: 2960978(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 2931 hard: 0 soft: 0
sadb_seq=0 pid=23175 refcnt=1
The state looks good (mature). It would be useful to see what the
other side thinks is going on. 3 different things to try when its down.
racoonctl vpn-disconnect remoteip
... where remoteip is the public IP of the endpoint and then generate
some traffic and see if things are re-established.
setkey -F
to flush the associations on this side... and again, generate some traffic.
Another thing to try is
sysctl -w net.key.preferred_oldsa=0
setkey -F
restart racoon
and then see if the hangs still happen. But you should try and get
some debugging info from the other side to see what state things are
in when the tunnel fails. In general, I have found setting
net.key.preferred_oldsa=0 important when inter-operating with other
platforms. Also, check and make sure you have dpd compiled into
ipsectools and make sure enabled.
---Mike
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
