From owner-freebsd-questions Fri Sep 6 12:26:44 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1D7E337B400 for ; Fri, 6 Sep 2002 12:26:37 -0700 (PDT)
Received: from mail.seekingfire.com (coyote.seekingfire.com [24.72.10.212]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3150343E4A for ; Fri, 6 Sep 2002 12:26:37 -0700 (PDT) (envelope-from tillman@seekingfire.com)
Received: from blues.seekingfire.prv (blues.seekingfire.prv [192.168.23.211]) by mail.seekingfire.com (Postfix) with ESMTP id 640D05C; Fri, 6 Sep 2002 13:26:36 -0600 (CST)
Received: (from tillman@localhost) by blues.seekingfire.prv (8.11.6/8.11.6) id g86JQov15036; Fri, 6 Sep 2002 13:26:50 -0600
Date: Fri, 6 Sep 2002 13:26:50 -0600
From: Tillman Hodgson
To: Mike Tancsa
Cc: questions@FreeBSD.ORG
Subject: Re: IPSEC & routing w/o gif
Message-ID: <20020906132649.A15029@seekingfire.com>
References: <20020905225049.A13151@seekingfire.com> <5.1.0.14.0.20020906010034.03d89220@192.168.0.12> <20020905232857.C13151@seekingfire.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020905232857.C13151@seekingfire.com>; from tillman@seekingfire.com on Thu, Sep 05, 2002 at 11:28:57PM -0600
X-Urban-Legend: There is lots of hidden information in headers
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Thu, Sep 05, 2002 at 11:28:57PM -0600, Tillman Hodgson wrote:
> On Fri, Sep 06, 2002 at 01:04:51AM -0400, Mike Tancsa wrote:
> > Have a look at the racoon.conf options, there might be a setting there I
> > think. But you might want to post the question and your config to the KAME
> > list. But I do remember reading about this on the LINUX FreeSwan page, so
> > it might be some LINUX issue.
> > When the tunnel goes stale like that, what
> > does setkey -D show ?
>
> It looks like this:
>
> [root@coyote root]# setkey -D
> 24.72.10.212 24.72.31.206
> 	esp mode=tunnel spi=1426857889(0x550c1fa1) reqid=0(0x00000000)
> 	E: 3des-cbc 4f4e94e4 4732f5e3 ba9e7caa 67077d31 b2789394 83558afd
> 	A: hmac-md5 7bec6d6e 85cca86b 2aaae570 7e5e2db2
> 	seq=0x00000002 replay=4 flags=0x00000000 state=mature
> 	created: Sep 5 23:11:44 2002	current: Sep 5 23:22:06 2002
> 	diff: 622(s)	hard: 1800(s)	soft: 1440(s)
> 	last: Sep 5 23:22:02 2002	hard: 0(s)	soft: 0(s)
> 	current: 272(bytes)	hard: 0(bytes)	soft: 0(bytes)
> 	allocated: 2	hard: 0	soft: 0
> 	sadb_seq=1 pid=75928 refcnt=2
> 24.72.31.206 24.72.10.212
> 	esp mode=tunnel spi=240298505(0x0e52aa09) reqid=0(0x00000000)
> 	E: 3des-cbc 70535711 3c3cf319 9f950f62 f3722dd6 58041014 8127e8bf
> 	A: hmac-md5 61caa1b4 4322665c fa29b556 78deaf4d
> 	seq=0x00000000 replay=4 flags=0x00000000 state=mature
> 	created: Sep 5 23:11:44 2002	current: Sep 5 23:22:06 2002
> 	diff: 622(s)	hard: 1800(s)	soft: 1440(s)
> 	last:	hard: 0(s)	soft: 0(s)
> 	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
> 	allocated: 0	hard: 0	soft: 0
> 	sadb_seq=0 pid=75928 refcnt=1
>
> Oddly, when it's working, I seem to recall that there's *four* entries.
> I'll have to check that in the morning when I can poke the fellow
> running the other end to initiate some traffic :-)

And now I've got those four entries to show:

[root@coyote racoon]# setkey -D
24.72.10.212 24.72.31.206
	esp mode=tunnel spi=1397418402(0x534ae9a2) reqid=0(0x00000000)
	E: 3des-cbc 65a00b32 cd42f461 11de1d80 1f6d9d50 e4cd3cc7 560ac18d
	A: hmac-md5 dfebdc30 e8b3bea8 b2ff9c51 8c20b32d
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
	created: Sep 6 13:20:26 2002	current: Sep 6 13:23:37 2002
	diff: 191(s)	hard: 1800(s)	soft: 1440(s)
	last:	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=3 pid=81547 refcnt=1
24.72.10.212 24.72.31.206
	esp mode=tunnel spi=1397418403(0x534ae9a3) reqid=0(0x00000000)
	E: 3des-cbc 76f68dcd c222d443 a64fbf64 ca3544cb 012547ca cc4971c2
	A: hmac-sha1 a5fc8187 fd1ae40c 01005514 a2f9a8c4 135703af
	seq=0x00000049 replay=4 flags=0x00000000 state=mature
	created: Sep 6 13:20:25 2002	current: Sep 6 13:23:37 2002
	diff: 192(s)	hard: 360000(s)	soft: 288000(s)
	last: Sep 6 13:21:39 2002	hard: 0(s)	soft: 0(s)
	current: 9928(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 73	hard: 0	soft: 0
	sadb_seq=2 pid=81547 refcnt=2
24.72.31.206 24.72.10.212
	esp mode=tunnel spi=252304984(0x0f09de58) reqid=0(0x00000000)
	E: 3des-cbc 61864f7a 10defe4e 7f1820db f96a4f89 d7351f32 1ee67998
	A: hmac-md5 21b12231 e4651742 ed236562 14f75830
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
	created: Sep 6 13:20:26 2002	current: Sep 6 13:23:37 2002
	diff: 191(s)	hard: 1800(s)	soft: 1440(s)
	last:	hard: 0(s)	soft: 0(s)
	current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 0	hard: 0	soft: 0
	sadb_seq=1 pid=81547 refcnt=1
24.72.31.206 24.72.10.212
	esp mode=tunnel spi=130393606(0x07c5a606) reqid=0(0x00000000)
	E: 3des-cbc 298ebc7a 58f18325 e8f4fa3c b6cb5512 94cb8dca 436b7ee4
	A: hmac-sha1 0740f3b6 8296606d 6f9ae9df 56239db5 c5f392fb
	seq=0x0000000b replay=4 flags=0x00000000 state=mature
	created: Sep 6 13:20:25 2002	current: Sep 6 13:23:37 2002
	diff: 192(s)	hard: 360000(s)	soft: 288000(s)
	last: Sep 6 13:21:39 2002	hard: 0(s)	soft: 0(s)
	current: 924(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 11	hard: 0	soft: 0
	sadb_seq=0 pid=81547 refcnt=1

Right around the time that my connection goes stale, I get this:

2002-09-06 13:05:42: INFO: isakmp.c:1513:isakmp_ph1expire(): ISAKMP-SA expired 24.72.10.212[500]-24.72.31.206[500] spi:cd30d5a5da6a70d0:e8f9170a412ffe57
2002-09-06 13:05:43: INFO: isakmp.c:1561:isakmp_ph1delete(): ISAKMP-SA deleted 24.72.10.212[500]-24.72.31.206[500] spi:cd30d5a5da6a70d0:e8f9170a412ffe57
2002-09-06 13:05:43: ERROR: isakmp.c:463:isakmp_main(): unknown Informational exchange received.
2002-09-06 13:06:33: INFO: isakmp.c:1597:isakmp_ph2expire(): phase2 sa expired 24.72.10.212-24.72.31.206
2002-09-06 13:06:34: ERROR: isakmp.c:463:isakmp_main(): unknown Informational exchange received.
2002-09-06 13:06:34: INFO: isakmp.c:1628:isakmp_ph2delete(): phase2 sa deleted 24.72.10.212-24.72.31.206

Thanks muchly for your help,

- Tillman

--
Learning isn't a means to an end; it is an end in itself.
	Robert Heinlein

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
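As an added example (not code from the thread or from KAME/racoon), here is a small Python parser for the `setkey -D` dumps shown above that reports the stale-tunnel symptoms visible in them: an SA past its soft lifetime with no rekey, an outbound SA carrying traffic while the inbound one has seen none, and differing hard lifetimes. The sample dump is constructed in the same layout (key lines left out, the inbound SA's age raised to trip the soft-lifetime check).

```python
import re

# Constructed sample in the shape of FreeBSD/KAME `setkey -D` output, one SA
# per direction; the E:/A: key lines are omitted (the parser ignores them).
SAMPLE = """\
24.72.10.212 24.72.31.206
\tesp mode=tunnel spi=1426857889(0x550c1fa1) reqid=0(0x00000000)
\tseq=0x00000002 replay=4 flags=0x00000000 state=mature
\tdiff: 622(s)\thard: 1800(s)\tsoft: 1440(s)
\tcurrent: 272(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
24.72.31.206 24.72.10.212
\tesp mode=tunnel spi=240298505(0x0e52aa09) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tdiff: 1500(s)\thard: 1800(s)\tsoft: 1440(s)
\tcurrent: 0(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
"""
SA_HEAD = re.compile(r"^(\S+) (\S+)$")  # unindented "src dst" line opens an SA
LIFE = re.compile(r"diff: (\d+)\(s\)\s+hard: (\d+)\(s\)\s+soft: (\d+)\(s\)")

def parse_setkey(text):
    """Parse `setkey -D` output into one dict per SA."""
    sas, sa = [], None
    for raw in text.splitlines():
        head = SA_HEAD.match(raw)
        if head:
            sa = {"src": head.group(1), "dst": head.group(2), "bytes": 0}
            sas.append(sa)
        elif sa is None:
            continue
        elif raw.strip().startswith(("esp ", "ah ", "seq=")):
            sa.update(re.findall(r"(\w+)=([^\s(]+)", raw))  # mode, spi, state...
        elif raw.strip().startswith("diff:"):
            sa["age"], sa["hard"], sa["soft"] = map(int, LIFE.match(raw.strip()).groups())
        elif "(bytes)" in raw:  # "current: N(bytes) ..." byte-counter line
            sa["bytes"] = int(re.search(r"current: (\d+)\(bytes\)", raw).group(1))
    return sas

def check_pair(sas, local, peer):
    """Findings for the local<->peer SA pair; an empty list means it looks healthy."""
    out = [s for s in sas if (s["src"], s["dst"]) == (local, peer) and s.get("state") == "mature"]
    inb = [s for s in sas if (s["src"], s["dst"]) == (peer, local) and s.get("state") == "mature"]
    findings = ["no mature outbound SA"] * (not out) + ["no mature inbound SA"] * (not inb)
    for s in out + inb:
        if s["age"] >= s["soft"]:  # soft lifetime hit: racoon should be renegotiating
            findings.append(f"spi {s['spi']} past soft lifetime ({s['age']}s of hard {s['hard']}s)")
    if out and inb and any(s["bytes"] for s in out) and not any(s["bytes"] for s in inb):
        findings.append("outbound SA carries traffic but inbound has seen none: one-way tunnel")
    if len({s["hard"] for s in out + inb}) > 1:
        findings.append("hard lifetimes differ between SAs; compare lifetime settings on both peers")
    return findings
```

Feed it the real output with `parse_setkey(open("dump.txt").read())` and the two tunnel endpoints; the first dump in this thread would trigger the one-way finding, since only the outbound SA has a byte count.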