From owner-freebsd-questions Fri Sep 6 13:27:25 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3173037B405 for ; Fri, 6 Sep 2002 13:27:18 -0700 (PDT)
Received: from fep7.cogeco.net (smtp.cogeco.net [216.221.81.25]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5FB7F43E6A for ; Fri, 6 Sep 2002 13:27:17 -0700 (PDT) (envelope-from dlavigne6@cogeco.ca)
Received: from d226-39-211.home.cgocable.net (d226-39-211.home.cgocable.net [24.226.39.211]) by fep7.cogeco.net (Postfix) with ESMTP id C76D36B96; Fri, 6 Sep 2002 16:27:13 -0400 (EDT)
Date: Fri, 6 Sep 2002 16:33:54 -0400 (EDT)
From: Dru
X-X-Sender: dlavigne6@x1-6-00-80-c8-3a-b8-46.kico2.on.cogeco.ca
To: Tillman Hodgson
Cc: Mike Tancsa ,
Subject: Re: IPSEC & routing w/o gif
In-Reply-To: <20020906132649.A15029@seekingfire.com>
Message-ID: <20020906163002.B164-100000@x1-6-00-80-c8-3a-b8-46.kico2.on.cogeco.ca>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Fri, 6 Sep 2002, Tillman Hodgson wrote:

> On Thu, Sep 05, 2002 at 11:28:57PM -0600, Tillman Hodgson wrote:
> > On Fri, Sep 06, 2002 at 01:04:51AM -0400, Mike Tancsa wrote:
> > > Have a look at the racoon.conf options, there might be a setting there I
> > > think. But you might want to post the question and your config to the KAME
> > > list. But I do remember reading about this on the LINUX FreeSwan page, so
> > > it might be some LINUX issue. When the tunnel goes stale like that, what
> > > does setkey -D show ?
> >
> > It looks like this:
> >
> > [root@coyote root]# setkey -D
> > 24.72.10.212 24.72.31.206
> >     esp mode=tunnel spi=1426857889(0x550c1fa1) reqid=0(0x00000000)
> >     E: 3des-cbc 4f4e94e4 4732f5e3 ba9e7caa 67077d31 b2789394 83558afd
> >     A: hmac-md5 7bec6d6e 85cca86b 2aaae570 7e5e2db2
> >     seq=0x00000002 replay=4 flags=0x00000000 state=mature
> >     created: Sep 5 23:11:44 2002    current: Sep 5 23:22:06 2002
> >     diff: 622(s)    hard: 1800(s)   soft: 1440(s)
> >     last: Sep 5 23:22:02 2002       hard: 0(s)      soft: 0(s)
> >     current: 272(bytes)     hard: 0(bytes)  soft: 0(bytes)
> >     allocated: 2    hard: 0 soft: 0
> >     sadb_seq=1 pid=75928 refcnt=2
> > 24.72.31.206 24.72.10.212
> >     esp mode=tunnel spi=240298505(0x0e52aa09) reqid=0(0x00000000)
> >     E: 3des-cbc 70535711 3c3cf319 9f950f62 f3722dd6 58041014 8127e8bf
> >     A: hmac-md5 61caa1b4 4322665c fa29b556 78deaf4d
> >     seq=0x00000000 replay=4 flags=0x00000000 state=mature
> >     created: Sep 5 23:11:44 2002    current: Sep 5 23:22:06 2002
> >     diff: 622(s)    hard: 1800(s)   soft: 1440(s)
> >     last:                           hard: 0(s)      soft: 0(s)
> >     current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
> >     allocated: 0    hard: 0 soft: 0
> >     sadb_seq=0 pid=75928 refcnt=1
> >
> > Oddly, when it's working, I seem to recall that there's *four* entries.
> > I'll have to check that in the morning when I can poke the fellow
> > running the other end to initiate some traffic :-)
>
> And now I've got those four entries to show:
>
> [root@coyote racoon]# setkey -D
> 24.72.10.212 24.72.31.206
>     esp mode=tunnel spi=1397418402(0x534ae9a2) reqid=0(0x00000000)
>     E: 3des-cbc 65a00b32 cd42f461 11de1d80 1f6d9d50 e4cd3cc7 560ac18d
>     A: hmac-md5 dfebdc30 e8b3bea8 b2ff9c51 8c20b32d
>     seq=0x00000000 replay=4 flags=0x00000000 state=mature
>     created: Sep 6 13:20:26 2002    current: Sep 6 13:23:37 2002
>     diff: 191(s)    hard: 1800(s)   soft: 1440(s)
>     last:                           hard: 0(s)      soft: 0(s)
>     current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
>     allocated: 0    hard: 0 soft: 0
>     sadb_seq=3 pid=81547 refcnt=1
> 24.72.10.212 24.72.31.206
>     esp mode=tunnel spi=1397418403(0x534ae9a3) reqid=0(0x00000000)
>     E: 3des-cbc 76f68dcd c222d443 a64fbf64 ca3544cb 012547ca cc4971c2
>     A: hmac-sha1 a5fc8187 fd1ae40c 01005514 a2f9a8c4 135703af
>     seq=0x00000049 replay=4 flags=0x00000000 state=mature
>     created: Sep 6 13:20:25 2002    current: Sep 6 13:23:37 2002
>     diff: 192(s)    hard: 360000(s) soft: 288000(s)
>     last: Sep 6 13:21:39 2002       hard: 0(s)      soft: 0(s)
>     current: 9928(bytes)    hard: 0(bytes)  soft: 0(bytes)
>     allocated: 73   hard: 0 soft: 0
>     sadb_seq=2 pid=81547 refcnt=2
> 24.72.31.206 24.72.10.212
>     esp mode=tunnel spi=252304984(0x0f09de58) reqid=0(0x00000000)
>     E: 3des-cbc 61864f7a 10defe4e 7f1820db f96a4f89 d7351f32 1ee67998
>     A: hmac-md5 21b12231 e4651742 ed236562 14f75830
>     seq=0x00000000 replay=4 flags=0x00000000 state=mature
>     created: Sep 6 13:20:26 2002    current: Sep 6 13:23:37 2002
>     diff: 191(s)    hard: 1800(s)   soft: 1440(s)
>     last:                           hard: 0(s)      soft: 0(s)
>     current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
>     allocated: 0    hard: 0 soft: 0
>     sadb_seq=1 pid=81547 refcnt=1
> 24.72.31.206 24.72.10.212
>     esp mode=tunnel spi=130393606(0x07c5a606) reqid=0(0x00000000)
>     E: 3des-cbc 298ebc7a 58f18325 e8f4fa3c b6cb5512 94cb8dca 436b7ee4
>     A: hmac-sha1 0740f3b6 8296606d 6f9ae9df 56239db5 c5f392fb
>     seq=0x0000000b replay=4 flags=0x00000000 state=mature
>     created: Sep 6 13:20:25 2002    current: Sep 6 13:23:37 2002
>     diff: 192(s)    hard: 360000(s) soft: 288000(s)
>     last: Sep 6 13:21:39 2002       hard: 0(s)      soft: 0(s)
>     current: 924(bytes)     hard: 0(bytes)  soft: 0(bytes)
>     allocated: 11   hard: 0 soft: 0
>     sadb_seq=0 pid=81547 refcnt=1
>
>
> Right around the time that my connection goes stale, I get this:
>
> 2002-09-06 13:05:42: INFO: isakmp.c:1513:isakmp_ph1expire(): ISAKMP-SA expired 24.72.10.212[500]-24.72.31.206[500] spi:cd30d5a5da6a70d0:e8f9170a412ffe57
> 2002-09-06 13:05:43: INFO: isakmp.c:1561:isakmp_ph1delete(): ISAKMP-SA deleted 24.72.10.212[500]-24.72.31.206[500] spi:cd30d5a5da6a70d0:e8f9170a412ffe57
> 2002-09-06 13:05:43: ERROR: isakmp.c:463:isakmp_main(): unknown Informational exchange received.
> 2002-09-06 13:06:33: INFO: isakmp.c:1597:isakmp_ph2expire(): phase2 sa expired 24.72.10.212-24.72.31.206
> 2002-09-06 13:06:34: ERROR: isakmp.c:463:isakmp_main(): unknown Informational exchange received.
> 2002-09-06 13:06:34: INFO: isakmp.c:1628:isakmp_ph2delete(): phase2 sa deleted 24.72.10.212-24.72.31.206

Hi Tillman,

It is odd that there are 4 entries; you should only have 4 when using both
ESP and AH as there should be one per direction per protocol (ESP or AH).
How many SAs are on the FreeSwan box? Are you absolutely sure both
lifetimes are the same on both boxes? I've been known to forget before
that vendors sometimes think in seconds, minutes, or hours with very
little consistency :)

HTH,

Dru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
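As an added example (not part of this thread or of the KAME tools), a Python check over `setkey -D` output for the conditions Dru raises: more than one SA per direction per protocol, SAs that never carry traffic, and hard/soft lifetimes that differ between the two directions of the same negotiation. The sample output is constructed in the KAME layout with key material zeroed; only the endpoint addresses, SPIs, algorithms, lifetimes and byte counts are taken from the quoted output.

```python
import re
from collections import defaultdict

def sa_block(src, dst, spi, auth, hard, soft, nbytes):
    # One SA entry in the layout KAME `setkey -D` prints; constructed sample, keys zeroed.
    return (f"{src} {dst}\n\tesp mode=tunnel spi={spi}({spi:#010x}) reqid=0(0x00000000)\n"
            "\tE: 3des-cbc 00000000 00000000 00000000 00000000 00000000 00000000\n"
            f"\tA: {auth} 00000000 00000000 00000000 00000000\n"
            "\tseq=0x00000000 replay=4 flags=0x00000000 state=mature\n"
            "\tcreated: Sep  6 13:20:26 2002\tcurrent: Sep  6 13:23:37 2002\n"
            f"\tdiff: 191(s)\thard: {hard}(s)\tsoft: {soft}(s)\n\tlast: \thard: 0(s)\tsoft: 0(s)\n"
            f"\tcurrent: {nbytes}(bytes)\thard: 0(bytes)\tsoft: 0(bytes)\n"
            "\tallocated: 0\thard: 0\tsoft: 0\n\tsadb_seq=0 pid=81547 refcnt=1\n")

A, B = "24.72.10.212", "24.72.31.206"   # the two tunnel endpoints from the thread
SAMPLE = (sa_block(A, B, 1397418402, "hmac-md5", 1800, 1440, 0)            # idle pair
          + sa_block(A, B, 1397418403, "hmac-sha1", 360000, 288000, 9928)  # pair carrying traffic
          + sa_block(B, A, 252304984, "hmac-md5", 1800, 1440, 0)
          + sa_block(B, A, 130393606, "hmac-sha1", 360000, 288000, 924))

SA_RE = re.compile(r"^(\S+) (\S+)\n((?:\t.*\n)+)", re.M)   # "src dst" header + indented body

def parse_setkey(text):
    """Parse `setkey -D` output into one dict per SA with the fields the checks use."""
    sas = []
    for src, dst, body in SA_RE.findall(text):
        proto, spi = re.search(r"^\t(\w+) mode=\w+ spi=(\d+)", body, re.M).groups()
        auth = re.search(r"^\tA: (\S+)", body, re.M).group(1)
        hard, soft = re.search(r"^\tdiff:.*?hard: (\d+)\(s\)\s+soft: (\d+)\(s\)", body, re.M).groups()
        nbytes = re.search(r"^\tcurrent: (\d+)\(bytes\)", body, re.M).group(1)
        sas.append(dict(src=src, dst=dst, proto=proto, spi=int(spi), auth=auth,
                        hard=int(hard), soft=int(soft), bytes=int(nbytes)))
    return sas

def check_sas(sas):
    """Flag more than one SA per direction per protocol, idle SAs, and hard/soft
    lifetimes that differ from the reverse-direction SA using the same auth algorithm."""
    findings, by_dir = [], defaultdict(list)
    for sa in sas:
        by_dir[(sa["src"], sa["dst"], sa["proto"])].append(sa)
    for (src, dst, proto), group in by_dir.items():
        if len(group) > 1:
            findings.append(f"{len(group)} {proto} SAs {src}->{dst}: expected one per direction per protocol")
        for sa in group:
            if sa["bytes"] == 0:
                findings.append(f"idle {proto} SA spi={sa['spi']} {src}->{dst}")
            for peer in by_dir.get((dst, src, proto), []):
                if peer["auth"] == sa["auth"] and (peer["hard"], peer["soft"]) != (sa["hard"], sa["soft"]):
                    findings.append(f"lifetime mismatch between spi={sa['spi']} and spi={peer['spi']}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_sas(parse_setkey(SAMPLE))))
```

On the sample this reports two ESP SAs in each direction and flags the hmac-md5 pair as idle, which is the pattern in the quoted output; run it on the real `setkey -D` text of both peers to compare lifetimes side by side.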