Date: Mon, 30 Jul 2007 20:52:25 -0400
From: "Isaac Kohen" <ik1024@gmail.com>
To: freebsd-net@freebsd.org
Subject: IPSEC connection drops and doesn't recover
Message-ID: <7feb82f40707301752j2ccb235eof197fed852188bd5@mail.gmail.com>
Hello,

I'm running 6.2-REL. My kernel is compiled with IPSEC, IPSEC_ESP, and
IPSEC_DEBUG. I've installed ipsec-tools 0.6.7.

I've had an openbsd ipsec/vpn gateway for several years that recently died
as a result of hardware failure. I moved my configuration from isakmpd to
racoon and can connect successfully to all the linksys vpn "routers" that I
could connect to before. The problem is that after a few hours the
connection drops and doesn't come back up until I do setkey -F and
setkey -FP and restart racoon.

My openbsd/isakmpd setup worked very well, so I'm guessing it's not those
cheap linksys boxes. I thought it was racoon at first, so I installed and
ran isakmpd on freebsd using my isakmpd.conf from the openbsd box that I
knew worked, but the same problem persisted.

Any help would be appreciated. Here's some configuration info:

# sysctl -A|egrep 'ipsec|ah|esp|net.key'
net.inet.ipsec.stats: Format:S,ipsecstat Length:12448 Dump:0xb2950c00000000000000000000000000...
net.inet.ipsec.esp_trans_deflev: 1
net.inet.ipsec.esp_net_deflev: 1
net.inet.ipsec.ah_trans_deflev: 1
net.inet.ipsec.ah_net_deflev: 1
net.inet.ipsec.ah_cleartos: 1
net.inet.ipsec.ah_offsetmask: 0
net.inet.ipsec.dfbit: 0
net.inet.ipsec.ecn: 1
net.inet.ipsec.debug: 1
net.inet.ipsec.esp_randpad: -1
net.key.debug: 1
net.key.spi_trycnt: 1000
net.key.spi_minval: 256
net.key.spi_maxval: 268435455
net.key.larval_lifetime: 30
net.key.blockacq_count: 0
net.key.blockacq_lifetime: 20
net.key.esp_keymin: 256
net.key.esp_auth: 0
net.key.ah_keymin: 128
net.key.preferred_oldsa: 0
net.inet6.ipsec6.stats: Format:S,ipsecstat Length:12448 Dump:0x00000000000000000000000000000000...
net.inet6.ipsec6.esp_trans_deflev: 1
net.inet6.ipsec6.esp_net_deflev: 1
net.inet6.ipsec6.ah_trans_deflev: 1
net.inet6.ipsec6.ah_net_deflev: 1
net.inet6.ipsec6.ecn: 0
net.inet6.ipsec6.debug: 1
net.inet6.ipsec6.esp_randpad: -1

/etc/ipsec.conf:

spdadd 192.168.1.0/24 192.168.5.0/24 any -P out ipsec esp/tunnel/68.167.79.2-69.119.56.96/require;
spdadd 192.168.5.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/69.119.56.96-68.167.79.2/require;

/usr/local/etc/racoon/racoon.conf (using psk):

padding
{
	maximum_length 20;	# maximum padding length.
	randomize off;		# enable randomize length.
	strict_check off;	# enable strict check.
	exclusive_tail off;	# extract last one octet.
}

listen
{
	isakmp 68.167.79.2 [500];
}

timer
{
	counter 10;		# was 5 maximum trying count to send.
	interval 20 sec;	# maximum interval to resend.
	persend 1;		# the number of packets per a send.
	phase1 30 sec;
	phase2 20 sec;
}

remote 69.119.56.96
{
	exchange_mode main;
	#doi ipsec_doi;
	#situation identity_only;
	my_identifier address 68.167.79.2;
	peers_identifier address 69.119.56.96;
	#verify_identifier on;
	nonce_size 16;
	#lifetime time 24 hour;
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}

sainfo address 192.168.1.0/24 any address 192.168.5.0/24 any
{
	pfs_group 2;
	#lifetime time 24 hour;
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

sainfo address 192.168.5.0/24 any address 192.168.1.0/24 any
{
	pfs_group 2;
	#lifetime time 24 hour;
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

Jul 30 20:42:02 cj racoon: DEBUG: suitable inbound SP found: 192.168.5.0/24[0] 192.168.1.0/24[0] proto=any dir=in.
Jul 30 20:42:02 cj racoon: DEBUG: new acquire 192.168.1.0/24[0] 192.168.5.0/24[0] proto=any dir=out
Jul 30 20:42:02 cj racoon: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
Jul 30 20:42:02 cj racoon: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-sha)
Jul 30 20:42:02 cj racoon: DEBUG: configuration found for 69.119.56.96.
Jul 30 20:42:02 cj racoon: DEBUG: ===
Jul 30 20:42:02 cj racoon: DEBUG: new cookie: 1313a61e4a85f592
Jul 30 20:42:02 cj racoon: DEBUG: add payload of len 48, next type 13
Jul 30 20:42:02 cj racoon: DEBUG: add payload of len 16, next type 0
Jul 30 20:42:02 cj racoon: DEBUG: 100 bytes from 68.167.79.2[500] to 69.119.56.96[500]
Jul 30 20:42:02 cj racoon: DEBUG: sockname 68.167.79.2[500]
Jul 30 20:42:02 cj racoon: DEBUG: send packet from 68.167.79.2[500]
Jul 30 20:42:02 cj racoon: DEBUG: send packet to 69.119.56.96[500]
Jul 30 20:42:09 cj racoon: DEBUG: get pfkey ACQUIRE message
Jul 30 20:42:09 cj racoon: DEBUG2: 02060003 2f000000 6a030000 00000000 03000500 ff200000 10020000 44a74fe2 00000000 00000000 03000600 ff200000 10020000 45773860 00000000 00000000 02001200 02000200 88400000 00000000 25000d00 20000000 00070000 00000000 0001c001 00000000 01000000 01000000 00000000 00000000 00000000 00000000 000e0100 00000000 80510100 00000000 005a0000 00000000 80700000 00000000 000b0000 00000000 00010008 00000000 01000000 01000000 00000000 00000000 00000000 00000000 000e0100 00000000 80510100 00000000 005a0000 00000000 80700000 00000000 000c0000 00000000 00010001 00000000 01000000 01000000 00000000 00000000 00000000 00000000 000e0100 00000000 80510100 00000000 005a0000 00000000 80700000 00000000 00fa0000 00000000 00012001 00000000 01000000 01000000 00000000 00000000 00000000 00000000 000e0100 00000000 80510100 00000000 005a0000 00000000 80700000 00000000
Jul 30 20:42:09 cj racoon: DEBUG: ignore the acquire because ph2 found
Jul 30 20:42:14 cj racoon: DEBUG: get pfkey ACQUIRE message
Jul 30 20:42:14 cj racoon: DEBUG2: 02060003 2f000000 6a030000 00000000 03000500 ff200000 10020000 44a74fe2 00000000 00000000 03000600 ff200000 10020000 45773860 00000000 00000000 02001200 02000200 88400000 00000000 25000d00 20000000 00070000 00000000 0001c001 00000000 01000000 01000000 00000000 00000000 00000000 00000000 000e0100 00000000 80510100 00000000 005a0000 00000000 80700000 00000000 000b0000 00000000 00010008 00000000 01000000 01000000 00000000 00000000 00000000 00000000 000e0100 00000000 80510100 00000000 005a0000 00000000 80700000 00000000 000c0000 00000000 00010001 00000000 01000000 01000000 00000000 00000000 00000000 00000000 000e0100 00000000 80510100 00000000 005a0000 00000000 80700000 00000000 00fa0000 00000000 00012001 00000000 01000000 01000000 00000000 00000000 00000000 00000000 000e0100 00000000 80510100 00000000 005a0000 00000000 80700000 00000000
Jul 30 20:42:14 cj racoon: DEBUG: ignore the acquire because ph2 found
Jul 30 20:42:18 cj racoon: DEBUG: get pfkey ACQUIRE message
Jul 30 20:42:18 cj racoon: DEBUG2: 02060003 2f000000 6a030000 00000000 03000500 ff200000 10020000 44a74fe2 00000000 00000000 03000600 ff200000 10020000 45773860 00000000 00000000 02001200 02000200 88400000 00000000 25000d00 20000000 00070000 00000000 0001c001 00000000 01000000 01000000 00000000 00000000 00000000 00000000 000e0100 00000000 80510100 00000000 005a0000 00000000 80700000 00000000 000b0000 00000000 00010008 00000000 01000000 01000000 00000000 00000000 00000000 00000000 000e0100 00000000 80510100 00000000 005a0000 00000000 80700000 00000000 000c0000 00000000 00010001 00000000 01000000 01000000 00000000 00000000 00000000 00000000 000e0100 00000000 80510100 00000000 005a0000 00000000 80700000 00000000 00fa0000 00000000 00012001 00000000 01000000 01000000 00000000 00000000 00000000 00000000 000e0100 00000000 80510100 00000000 005a0000 00000000 80700000 00000000
Jul 30 20:42:18 cj racoon: DEBUG: ignore the acquire because ph2 found
Jul 30 20:42:22 cj racoon: DEBUG: 100 bytes from 68.167.79.2[500] to 69.119.56.96[500]
Jul 30 20:42:22 cj racoon: DEBUG: sockname 68.167.79.2[500]
Jul 30 20:42:22 cj racoon: DEBUG: send packet from 68.167.79.2[500]
Jul 30 20:42:22 cj racoon: DEBUG: send packet to 69.119.56.96[500]
Jul 30 20:42:22 cj racoon: DEBUG: 1 times of 100 bytes message will be sent to 69.119.56.96[500]
Jul 30 20:42:22 cj racoon: DEBUG: 1313a61e 4a85f592 00000000 00000000 01100200 00000000 00000064 0d000034 00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080 80010005 80030001 80020002 80040002 00000014 afcad713 68a1f1c9 6b8696fc 77570100
Jul 30 20:42:22 cj racoon: DEBUG: resend phase1 packet 1313a61e4a85f592:0000000000000000
Jul 30 20:42:24 cj racoon: DEBUG: get pfkey ACQUIRE message
Jul 30 20:42:24 cj racoon: DEBUG2: 02060003 2f000000 6b030000 00000000 03000500 ff200000 10020000 44a74fe2 00000000 00000000 03000600 ff200000 10020000 45773860 00000000 00000000 02001200 02000200 88400000 00000000 25000d00 20000000 00070000 00000000 0001c001 00000000 01000000 01000000 00000000 00000000 00000000 00000000 000e0100 00000000 80510100 00000000 005a0000 00000000 80700000 00000000 000b0000 00000000 00010008 00000000 01000000 01000000 00000000 00000000 00000000 00000000 000e0100 00000000 80510100 00000000 005a0000 00000000 80700000 00000000 000c0000 00000000 00010001 00000000 01000000 01000000 00000000 00000000 00000000 00000000 000e0100 00000000 80510100 00000000 005a0000 00000000 80700000 00000000 00fa0000 00000000 00012001 00000000 01000000 01000000 00000000 00000000 00000000 00000000 000e0100 00000000 80510100 00000000 005a0000 00000000 80700000 00000000
Jul 30 20:42:24 cj racoon: DEBUG: ignore the acquire because ph2 found
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?7feb82f40707301752j2ccb235eof197fed852188bd5>
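An added example, not from the poster and not part of ipsec-tools: a small Python checker that scans racoon debug output for the stuck pattern visible in the log above, namely a phase1 exchange whose first packet is being resent with no ISAKMP-SA ever established, while the kernel keeps issuing pfkey ACQUIREs that racoon drops with "ignore the acquire because ph2 found". Run from cron or a monitor against the tail of the syslog file, it flags the state before someone has to notice the dead tunnel and run setkey -F by hand. The sample log is constructed from the lines in the post with the hex dumps shortened; the "ISAKMP-SA established" and "IPsec-SA established" lines in the healthy sample follow the general shape of racoon's INFO messages but are constructed, and the year 2007 (syslog timestamps carry none) and the min_ignored threshold are assumptions.

```python
import re
from datetime import datetime

# racoon (ipsec-tools) syslog lines look like:
#   "Mon DD HH:MM:SS host racoon: LEVEL: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) racoon: "
    r"(?P<level>[A-Z0-9]+): (?P<msg>.*)$"
)


def parse_ts(text, year=2007):
    """Syslog timestamps carry no year; 2007 matches the post (assumption)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def analyze(lines, min_ignored=3):
    """Walk racoon debug output in order and return counters for the
    current phase1 attempt. 'stalled' is set when a phase1 was started,
    its packet had to be resent, no ISAKMP-SA was established, and at
    least min_ignored kernel ACQUIREs were dropped meanwhile."""
    s = {
        "phase1_cookie": None, "phase1_started": None, "phase1_resends": 0,
        "acquires": 0, "ignored_acquires": 0,
        "isakmp_established": False, "ipsec_established": False,
        "elapsed_seconds": 0.0, "stalled": False,
    }
    last_ts = None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = parse_ts(m.group("ts")), m.group("msg")
        last_ts = ts
        if msg.startswith("new cookie: "):
            # a fresh phase1 attempt resets the per-attempt counters
            s.update(phase1_cookie=msg.split(": ", 1)[1], phase1_started=ts,
                     phase1_resends=0, acquires=0, ignored_acquires=0,
                     isakmp_established=False, ipsec_established=False)
        elif msg.startswith("resend phase1 packet"):
            s["phase1_resends"] += 1
        elif msg == "get pfkey ACQUIRE message":
            s["acquires"] += 1
        elif msg == "ignore the acquire because ph2 found":
            s["ignored_acquires"] += 1
        elif msg.startswith("ISAKMP-SA established"):
            s["isakmp_established"] = True
        elif msg.startswith("IPsec-SA established"):
            s["ipsec_established"] = True
        # DEBUG2 hex dumps and other lines fall through untouched
    if s["phase1_started"] is not None and last_ts is not None:
        s["elapsed_seconds"] = (last_ts - s["phase1_started"]).total_seconds()
    s["stalled"] = (
        s["phase1_started"] is not None
        and not s["isakmp_established"]
        and s["phase1_resends"] >= 1
        and s["ignored_acquires"] >= min_ignored
    )
    return s


# Constructed sample, condensed from the post's log (hex dumps shortened).
STALLED_LOG = """\
Jul 30 20:42:02 cj racoon: DEBUG: new acquire 192.168.1.0/24[0] 192.168.5.0/24[0] proto=any dir=out
Jul 30 20:42:02 cj racoon: DEBUG: new cookie: 1313a61e4a85f592
Jul 30 20:42:02 cj racoon: DEBUG: send packet to 69.119.56.96[500]
Jul 30 20:42:09 cj racoon: DEBUG: get pfkey ACQUIRE message
Jul 30 20:42:09 cj racoon: DEBUG2: 02060003 2f000000 6a030000 00000000
Jul 30 20:42:09 cj racoon: DEBUG: ignore the acquire because ph2 found
Jul 30 20:42:14 cj racoon: DEBUG: get pfkey ACQUIRE message
Jul 30 20:42:14 cj racoon: DEBUG: ignore the acquire because ph2 found
Jul 30 20:42:18 cj racoon: DEBUG: get pfkey ACQUIRE message
Jul 30 20:42:18 cj racoon: DEBUG: ignore the acquire because ph2 found
Jul 30 20:42:22 cj racoon: DEBUG: resend phase1 packet 1313a61e4a85f592:0000000000000000
Jul 30 20:42:24 cj racoon: DEBUG: get pfkey ACQUIRE message
Jul 30 20:42:24 cj racoon: DEBUG: ignore the acquire because ph2 found
"""

# Constructed healthy sample; the INFO lines approximate racoon's wording (assumption).
HEALTHY_LOG = """\
Jul 30 21:00:00 cj racoon: DEBUG: new cookie: 0a1b2c3d4e5f6071
Jul 30 21:00:00 cj racoon: DEBUG: get pfkey ACQUIRE message
Jul 30 21:00:00 cj racoon: DEBUG: ignore the acquire because ph2 found
Jul 30 21:00:01 cj racoon: INFO: ISAKMP-SA established 68.167.79.2[500]-69.119.56.96[500] spi:0a1b2c3d4e5f6071:7160f5e4d3c2b1a0
Jul 30 21:00:02 cj racoon: INFO: IPsec-SA established: ESP/Tunnel 69.119.56.96->68.167.79.2 spi=12345678(0xbc614e)
"""

if __name__ == "__main__":
    for name, text in (("stalled", STALLED_LOG), ("healthy", HEALTHY_LOG)):
        r = analyze(text.splitlines())
        print(f"{name}: stalled={r['stalled']} ignored={r['ignored_acquires']} "
              f"resends={r['phase1_resends']} elapsed={r['elapsed_seconds']:.0f}s")
```

In practice you would feed it the last few hundred lines of the file racoon logs to (with log level debug, as in the post) and act only on stalled=True; the threshold keeps a single dropped ACQUIRE during a normal negotiation, as in the healthy sample, from raising a false alarm.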