From owner-freebsd-hackers@FreeBSD.ORG Fri Sep 30 15:48:36 2011
Date: Fri, 30 Sep 2011 11:25:00 -0400
From: Zaphod Beeblebrox
To: freebsd-hackers@freebsd.org
Subject: IPSEC rekey vs. Cisco ASA ... broken.
List-Id: Technical Discussions relating to FreeBSD

So... I've been diagnosing this problem with IPSEC on FreeBSD interoperating against both a Cisco ASA and a set of FreeS/WAN clients. The configuration is that dozens of FreeS/WAN clients connect to the FreeBSD IPSEC gateway --- FreeBSD uses Racoon to authenticate and exchange keys with them. This appears to work fine.
The FreeBSD IPSEC stack is then also talking to a remote Cisco ASA with "unique" tunnels for 5 destination hosts. This is working poorly. The issue is: FreeBSD sees the rekey request as failing (so it continues to use the old tunnel) and the ASA "seems" to see it succeeding (it starts using a new tunnel after the rekey). I'm a little bit at wit's end because we've tried to ask the Cisco to not rekey (and just reset everything during a daily downtime), but the Cisco seems to insist on rekeying the tunnels. Has anyone encountered anything like this?
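An added check, not part of the original post or of racoon: a small parser for `setkey -D`-style SAD output that flags ESP SAs past their soft lifetime with no younger SA toward the same peer, which is what "FreeBSD continues to use the old tunnel" would look like on the gateway. The sample output, the addresses and the exact line layout are constructed/assumed here.

```python
import re

# Constructed sample of `setkey -D` output (not captured from the poster's
# gateway). The first SA is past its soft lifetime and has no replacement SA
# for the same src/dst pair: the symptom described above, where the local
# side treats the rekey as failed and keeps the old SA in use.
SAMPLE_SAD = """\
192.0.2.1 198.51.100.1
\tesp mode=tunnel spi=305419896(0x12345678) reqid=1(0x00000001)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tdiff: 3000(s)\thard: 3600(s)\tsoft: 2880(s)
192.0.2.1 198.51.100.2
\tesp mode=tunnel spi=2271560481(0x87654321) reqid=2(0x00000002)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tdiff: 120(s)\thard: 3600(s)\tsoft: 2880(s)
"""

HEADER_RE = re.compile(r"^(\S+) (\S+)$")          # "src dst" line opens each SA
SPI_RE = re.compile(r"^\s+esp .*spi=(\d+)")
STATE_RE = re.compile(r"state=(\w+)")
LIFE_RE = re.compile(r"^\s+diff: (\d+)\(s\)\s+hard: (\d+)\(s\)\s+soft: (\d+)\(s\)")

def parse_sad(text):
    """Return one dict per ESP SA (src, dst, spi, state, age, hard, soft)."""
    sas, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = SPI_RE.match(line)
        if m:
            cur["spi"] = int(m.group(1))
        m = STATE_RE.search(line)
        if m:
            cur["state"] = m.group(1)
        m = LIFE_RE.match(line)
        if m:
            cur["age"], cur["hard"], cur["soft"] = map(int, m.groups())

    return sas

def stale_sas(sas):
    """Mature SAs older than their soft lifetime with no younger SA for the
    same peer pair, i.e. a rekey that should have produced a replacement
    but did not on this side."""
    youngest = {}
    for sa in sas:
        key = (sa["src"], sa["dst"])
        youngest[key] = min(youngest.get(key, sa["age"]), sa["age"])
    return [sa for sa in sas
            if sa.get("state") == "mature" and sa["age"] > sa["soft"]
            and youngest[(sa["src"], sa["dst"])] == sa["age"]]
```

Run against real output with `setkey -D | python3 -c '...'`, comparing the flagged SPIs with what the ASA reports as its active SAs for the same peer.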