Date:      Fri, 30 Sep 2011 11:25:00 -0400
From:      Zaphod Beeblebrox <zbeeble@gmail.com>
To:        freebsd-hackers@freebsd.org
Subject:   IPSEC rekey vs. Cisco ASA ... broken.
Message-ID:  <CACpH0Md0T=rajHTAa1V2cCzGPZENDM68cMwxSJBMb8yktPEQqw@mail.gmail.com>

So... I've been diagnosing this problem with IPSEC on FreeBSD
interoperating against both a Cisco ASA and a set of FreeS/WAN
clients.  The configuration is that dozens of FreeS/WAN clients
connect to the FreeBSD IPSEC gateway --- FreeBSD uses Racoon to
authenticate and exchange keys with them.  This appears to work fine.

The FreeBSD IPSEC stack is then also talking to a remote Cisco ASA
with "unique" tunnels for 5 destination hosts.  This is working
poorly.

The issue is: FreeBSD sees the rekey request as failing (so it
continues to use the old tunnel) and the ASA "seems" to see it
succeeding (it starts using a new tunnel after the rekey).

I'm a little bit at wit's end because we've tried to ask the Cisco to
not rekey (and just reset everything during a daily downtime), but the
Cisco seems to insist on rekeying the tunnels.

Has anyone encountered anything like this?
