Racoon site-to-site
Jon Otterholm
jon.otterholm at ide.resurscentrum.se
Tue Dec 15 07:50:27 UTC 2009
On 2009-12-11 20.23, "Mike Tancsa" <mike at sentex.net> wrote:
> At 11:33 AM 12/11/2009, David DeSimone wrote:
>> Jon Otterholm <jon.otterholm at ide.resurscentrum.se> wrote:
>>>
>>> If I restart racoon or wait approximately 30 min the connection is
>>> re-established.
>>
>> Since this is approximately ½ of the phase 2 lifetime, you are probably
>> running into lifetime negotiation issues, or PFS issues.
>>
>>> What would be the obvious way to debug this? Any suggestions on what
>>> to tweak appreciated.
>>
>> I would turn up the debugging on racoon to get more information around
>> the time that the tunnel fails.
>>
>>> sainfo (address 192.168.1.0/24 any address 192.168.100.0/24 any)
>>> {
>>> pfs_group 1;
>>> lifetime time 3600 sec;
>>> encryption_algorithm des;
>>> authentication_algorithm hmac_md5,hmac_sha1;
>>> compression_algorithm deflate;
>>> }
>>
>> My hunch is that you have a PFS mismatch, so that the first tunnel
>> negotiates, but the second SA negotiation fails, then the third
>> succeeds, etc.
>
>
> You might also want to turn on DPD (dead peer
> detection) in ipsectools if you don't already have
> it on both sides. Are you really using des for
> the crypto ? Also, when the session is
> negotiated, take a look at the output of
> setkey -D
> and see what was actually negotiated and post it
> here (just make sure you get rid of the info on the E and A lines).
>
> e.g.
> 1.1.1.2 2.2.2.2
> esp mode=tunnel spi=125444787(0x077a22b3) reqid=16416(0x00004020)
> E: 3des-cbc 770cdd7b 770cdd7b 770cdd7b 770cdd7b 770cdd7b 770cdd7b
> A: hmac-sha1 5cfdbabb 5cfdbabb 5cfdbabb 5cfdbabb 5cfdbabb
>
> ie. mask out the 5cfdbabb and 770cdd7b values
> before posting as that's your crypto :)
>
>
Here is output from setkey -D when we lost connection:
localip remoteip
esp mode=tunnel spi=989823717(0x3aff82e5) reqid=0(0x00000000)
E: des-cbc x x
A: hmac-md5 x x x x
seq=0x000009ac replay=4 flags=0x00000000 state=mature
created: Dec 15 07:57:41 2009 current: Dec 15 08:26:04 2009
diff: 1703(s) hard: 3600(s) soft: 2880(s)
last: Dec 15 08:26:03 2009 hard: 0(s) soft: 0(s)
current: 400400(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 2476 hard: 0 soft: 0
sadb_seq=1 pid=23175 refcnt=2
remoteip remoteip
esp mode=tunnel spi=117094840(0x06fab9b8) reqid=0(0x00000000)
E: des-cbc x x
A: hmac-md5 x x x x
seq=0x00000b73 replay=4 flags=0x00000000 state=mature
created: Dec 15 07:57:41 2009 current: Dec 15 08:26:04 2009
diff: 1703(s) hard: 3600(s) soft: 2880(s)
last: Dec 15 08:25:37 2009 hard: 0(s) soft: 0(s)
current: 2960978(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 2931 hard: 0 soft: 0
sadb_seq=0 pid=23175 refcnt=1
//Jon
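An added example, not from the thread: a small Python parser for the `setkey -D` output above that pulls each SA's algorithms and time lifetimes and reports where it sits relative to the soft and hard limits, so a snapshot like this one can be checked against the "half the phase 2 lifetime" hypothesis. It assumes the KAME/FreeBSD output format shown in the post; the embedded sample is the post's first SA with key material masked.

```python
import re

WEAK_CIPHERS = {"des-cbc", "null"}  # single DES: 56-bit key, not acceptable today
# Constructed sample: the first SA from the post above, with key material masked.
SAMPLE = """\
localip remoteip
esp mode=tunnel spi=989823717(0x3aff82e5) reqid=0(0x00000000)
E: des-cbc x x
A: hmac-md5 x x x x
seq=0x000009ac replay=4 flags=0x00000000 state=mature
diff: 1703(s) hard: 3600(s) soft: 2880(s)
current: 400400(bytes) hard: 0(bytes) soft: 0(bytes)
"""

def parse_setkey(text):
    """Split `setkey -D` output into one dict per SA (KAME/FreeBSD format)."""
    sas, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = re.fullmatch(r"(\S+)\s+(\S+)", line)
        if m and "=" not in line and not m.group(1).endswith(":"):
            cur = {"src": m.group(1), "dst": m.group(2)}   # "src dst" header line
            sas.append(cur)
        elif cur is None:
            continue
        elif line.startswith(("esp ", "ah ")):
            cur["spi"] = re.search(r"spi=(\d+)", line).group(1)
        elif line.startswith("E:"):
            cur["enc"] = line.split()[1]
        elif line.startswith("A:"):
            cur["auth"] = line.split()[1]
        elif "state=" in line:
            cur["state"] = re.search(r"state=(\w+)", line).group(1)
        elif line.startswith("diff:"):   # age, hard and soft time lifetimes in seconds
            age, hard, soft = (int(n) for n in re.findall(r"(\d+)\(s\)", line))
            cur.update(age=age, hard=hard, soft=soft)
    return sas

def check_sa(sa):
    """Return human-readable findings: weak algorithms and lifetime position."""
    findings = []
    if sa.get("enc") in WEAK_CIPHERS:
        findings.append(f"weak cipher {sa['enc']}")
    age, soft, hard = sa.get("age", 0), sa.get("soft", 0), sa.get("hard", 0)
    if hard:
        findings.append(f"{hard - age}s to hard expiry")
        # Past the soft lifetime a replacement SA should already be negotiating;
        # a mature SA still here with no sibling points at a rekey failure.
        if soft and age >= soft and sa.get("state") == "mature":
            findings.append("past soft lifetime: rekey overdue")
    return findings
```

For the posted snapshot the SA is 1703 s old against a 2880 s soft limit, so that particular loss is not a lifetime expiry; taking the same snapshot right after the next drop, around the 1800 s or 2880 s mark, is what would confirm or rule out the rekey theory.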