From: Mike Tancsa <mike@sentex.net>
To: Jon Otterholm
Date: Thu, 17 Dec 2009 11:01:00 -0500
Subject: Re: Racoon site-to site
Message-Id: <200912171634.nBHGY69O019300@lava.sentex.ca>
References: <200912111923.nBBJNLk3072715@lava.sentex.ca>
List-Id: Networking and TCP/IP with FreeBSD (freebsd-net@freebsd.org)

At 02:50 AM 12/15/2009, Jon Otterholm wrote:
>On 2009-12-11 20.23, "Mike Tancsa" wrote:
>
>> You might also want to turn on DPD (dead peer
>> detection) in ipsectools if you don't already have
>> it on both sides. Are you really using des for
>> the crypto? Also, when the session is
>> negotiated, take a look at the output of
>>
>> setkey -D
>>
>> and see what was actually negotiated and post it
>> here (just make sure you get rid of the info on the E and A lines).
>>
>> e.g.
>>
>> 1.1.1.2 2.2.2.2
>>         esp mode=tunnel spi=125444787(0x077a22b3) reqid=16416(0x00004020)
>>         E: 3des-cbc 770cdd7b 770cdd7b 770cdd7b 770cdd7b 770cdd7b 770cdd7b
>>         A: hmac-sha1 5cfdbabb 5cfdbabb 5cfdbabb 5cfdbabb 5cfdbabb
>>
>> i.e. mask out the 5cfdbabb and 770cdd7b values
>> before posting as that's your crypto :)
>
>Here is output from setkey -D when we lost connection:
>
>localip remoteip
>        esp mode=tunnel spi=989823717(0x3aff82e5) reqid=0(0x00000000)
>        E: des-cbc x x
>        A: hmac-md5 x x x x
>        seq=0x000009ac replay=4 flags=0x00000000 state=mature
>        created: Dec 15 07:57:41 2009   current: Dec 15 08:26:04 2009
>        diff: 1703(s)   hard: 3600(s)   soft: 2880(s)
>        last: Dec 15 08:26:03 2009      hard: 0(s)      soft: 0(s)
>        current: 400400(bytes)  hard: 0(bytes)  soft: 0(bytes)
>        allocated: 2476 hard: 0 soft: 0
>        sadb_seq=1 pid=23175 refcnt=2
>remoteip remoteip
>        esp mode=tunnel spi=117094840(0x06fab9b8) reqid=0(0x00000000)
>        E: des-cbc x x
>        A: hmac-md5 x x x x
>        seq=0x00000b73 replay=4 flags=0x00000000 state=mature
>        created: Dec 15 07:57:41 2009   current: Dec 15 08:26:04 2009
>        diff: 1703(s)   hard: 3600(s)   soft: 2880(s)
>        last: Dec 15 08:25:37 2009      hard: 0(s)      soft: 0(s)
>        current: 2960978(bytes) hard: 0(bytes)  soft: 0(bytes)
>        allocated: 2931 hard: 0 soft: 0
>        sadb_seq=0 pid=23175 refcnt=1

The state looks good (mature). It would be useful to see what the other side thinks is going on. 3 different things to try when it's down.

racoonctl vpn-disconnect remoteip

... where remoteip is the public IP of the endpoint, and then generate some traffic and see if things are re-established.

setkey -F

to flush the associations on this side... and again, generate some traffic.

Another thing to try is

sysctl -w net.key.preferred_oldsa=0
setkey -F

restart racoon and then see if the hangs still happen. But you should try and get some debugging info from the other side to see what state things are in when the tunnel fails.

In general, I have found setting net.key.preferred_oldsa=0 important when inter-operating with other platforms. Also, check and make sure you have dpd compiled into ipsectools and make sure it is enabled.

        ---Mike

--------------------------------------------------------------------
Mike Tancsa,                                          tel +1 519 651 3400
Sentex Communications,                                mike@sentex.net
Providing Internet since 1994                         www.sentex.net
Cambridge, Ontario Canada                             www.sentex.net/mike
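The reply above reads the `setkey -D` dump by eye: SA `state=mature`, the `diff:` age against the `soft:`/`hard:` lifetimes, and the negotiated algorithms on the `E:` and `A:` lines. The following is an added example, not code from the thread or from IPsec-tools, that parses a dump of that format into one record per SA and reports the same checks a defender would make when a tunnel stalls: is the SA usable, how long until the soft lifetime forces a rekey, are both directions present, and were weak algorithms (the thread's `des-cbc`/`hmac-md5`) negotiated. The `SAMPLE_DUMP` is constructed from the posted output with keys masked and the placeholder names `localip`/`remoteip`; the `WEAK_ALGS` set and all function names are this example's own choices.

```python
"""Parse `setkey -D` (FreeBSD / IPsec-tools SADB dump) and summarise each SA.

Added example; not from the mailing-list thread. The sample below is
constructed from the thread's posted output with keys masked as 'x'.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: two SAs (one per direction) for a single tunnel.
SAMPLE_DUMP = """\
localip remoteip
	esp mode=tunnel spi=989823717(0x3aff82e5) reqid=0(0x00000000)
	E: des-cbc x x
	A: hmac-md5 x x x x
	seq=0x000009ac replay=4 flags=0x00000000 state=mature
	created: Dec 15 07:57:41 2009	current: Dec 15 08:26:04 2009
	diff: 1703(s)	hard: 3600(s)	soft: 2880(s)
	last: Dec 15 08:26:03 2009	hard: 0(s)	soft: 0(s)
	current: 400400(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 2476	hard: 0	soft: 0
	sadb_seq=1 pid=23175 refcnt=2
remoteip localip
	esp mode=tunnel spi=117094840(0x06fab9b8) reqid=0(0x00000000)
	E: des-cbc x x
	A: hmac-md5 x x x x
	seq=0x00000b73 replay=4 flags=0x00000000 state=mature
	created: Dec 15 07:57:41 2009	current: Dec 15 08:26:04 2009
	diff: 1703(s)	hard: 3600(s)	soft: 2880(s)
	last: Dec 15 08:25:37 2009	hard: 0(s)	soft: 0(s)
	current: 2960978(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 2931	hard: 0	soft: 0
	sadb_seq=0 pid=23175 refcnt=1
"""

SA_HEADER = re.compile(r"^(\S+)\s+(\S+)\s*$")      # "src dst" line opens an SA
WEAK_ALGS = {"des-cbc", "hmac-md5", "null"}         # example's own list of algorithms to flag


@dataclass
class SecurityAssociation:
    src: str
    dst: str
    proto: str = ""
    mode: str = ""
    spi: int = 0
    enc_alg: str = ""
    auth_alg: str = ""
    state: str = ""
    replay: int = 0
    age_s: int = 0       # "diff:" on the time-lifetime line
    hard_s: int = 0
    soft_s: int = 0
    cur_bytes: int = 0   # "current:" on the byte-lifetime line


def _num(token: str) -> int:
    """Leading integer of tokens such as '1703(s)', '400400(bytes)', '989823717(0x3aff82e5)'."""
    return int(re.match(r"\d+", token).group())


def parse_setkey_dump(text: str) -> List[SecurityAssociation]:
    """Split a `setkey -D` dump into SA records; unknown lines are ignored."""
    sas: List[SecurityAssociation] = []
    cur = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():                    # unindented line: new SA header
            m = SA_HEADER.match(raw)
            if m:
                cur = SecurityAssociation(src=m.group(1), dst=m.group(2))
                sas.append(cur)
                continue
        if cur is None:
            continue
        line = raw.strip()
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if line.startswith(("esp ", "ah ")):
            cur.proto = line.split()[0]
            cur.mode = fields["mode"]
            cur.spi = _num(fields["spi"])
        elif line.startswith("E: "):
            cur.enc_alg = line.split()[1]
        elif line.startswith("A: "):
            cur.auth_alg = line.split()[1]
        elif line.startswith("seq="):
            cur.state = fields["state"]
            cur.replay = int(fields["replay"])
        elif line.startswith("diff:"):              # diff: AGE(s) hard: H(s) soft: S(s)
            parts = line.split()
            cur.age_s, cur.hard_s, cur.soft_s = _num(parts[1]), _num(parts[3]), _num(parts[5])
        elif line.startswith("current:"):           # byte counters (the time line starts with "created:")
            cur.cur_bytes = _num(line.split()[1])
    return sas


def seconds_until_rekey(sa: SecurityAssociation) -> int:
    """Time left before the soft lifetime should trigger a rekey (0 if already overdue)."""
    return max(sa.soft_s - sa.age_s, 0)


def assess(sa: SecurityAssociation) -> List[str]:
    """Findings for one SA; an empty list means nothing to flag."""
    findings = []
    if sa.state != "mature":
        findings.append(f"state is {sa.state!r}, not mature: SA cannot carry traffic")
    for alg in (sa.enc_alg, sa.auth_alg):
        if alg in WEAK_ALGS:
            findings.append(f"weak algorithm {alg}")
    if sa.soft_s and sa.age_s >= sa.soft_s:
        findings.append("past soft lifetime: rekey should already have started")
    if sa.hard_s and sa.age_s >= sa.hard_s:
        findings.append("past hard lifetime: SA should already have been deleted")
    return findings


def has_both_directions(sas: List[SecurityAssociation]) -> bool:
    """True when every (src, dst) SA has a matching (dst, src) partner."""
    pairs = {(s.src, s.dst) for s in sas}
    return all((d, s) in pairs for (s, d) in pairs)


if __name__ == "__main__":
    sas = parse_setkey_dump(SAMPLE_DUMP)
    print("both directions present:", has_both_directions(sas))
    for sa in sas:
        print(f"{sa.src} -> {sa.dst} {sa.proto}/{sa.mode} spi=0x{sa.spi:08x} "
              f"{sa.enc_alg}/{sa.auth_alg} state={sa.state} rekey in {seconds_until_rekey(sa)}s")
        for finding in assess(sa):
            print("   !", finding)
```

Run against the sample, both SAs come back `mature` with 1177 s left before the soft lifetime, which matches the reply's reading that the local state is fine and the fault has to be located on the peer; the only findings are the `des-cbc` and `hmac-md5` algorithms. Feeding it the real output of `setkey -D` on both endpoints and comparing SPIs per direction is the quickest way to see whether the two sides disagree about which SA is current, the situation `net.key.preferred_oldsa=0` is meant to avoid.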