From: Jon Otterholm
To: freebsd-net@freebsd.org
Date: Fri, 11 Dec 2009 12:21:10 +0100
Subject: Racoon site-to-site
List-Id: Networking and TCP/IP with FreeBSD

I have a site-to-site VPN between these two:

1. FreeBSD 7.2-RELEASE-p4, racoon, ipsec-tools-0.7.3
2. Symantec VPN 100 (also known as "Nexland Pro 800")

I have intermittent connection problems between these two and I can't seem to identify what the problem is. I realize the complexity and challenge in getting two different IPsec boxes talking to each other, but I thought I would have a go before I replace the Symantec box.

If I restart racoon or wait approximately 30 min, the connection is re-established.

What would be the obvious way to debug this? Any suggestions on what to tweak are appreciated.
//Jon

Info:
Keying: IKE PSK
Phase 1: encryption DES, authentication MD5, SA lifetime 28800 seconds
Phase 2: encryption DES, authentication MD5, SA lifetime 3600 seconds

racoon.conf:

    path pre_shared_key "/usr/local/etc/racoon/psk.txt";
    log info;

    padding # options are not to be changed
    {
        maximum_length 20;
        randomize off;
        strict_check off;
        exclusive_tail off;
    }

    # retransmission and negotiation timeouts
    timer
    {
        counter 5;
        interval 10 sec;
        persend 1;
        phase1 30 sec;
        phase2 15 sec;
    }

    listen
    {
        isakmp local.ip.address [500];
    }

    # phase 1 (ISAKMP SA) settings for the Symantec peer
    remote re.mote.ip.address [500]
    {
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address local.ip.address;
        peers_identifier address re.mote.ip.address;
        initial_contact on;
        lifetime time 8 hour;
        passive off;
        proposal_check obey;
        generate_policy off;
        proposal
        {
            encryption_algorithm des;
            hash_algorithm md5;
            authentication_method pre_shared_key;
            lifetime time 30 sec;
            dh_group 1;
        }
    }

    # phase 2 (IPsec SA) settings between the two LANs
    sainfo (address 192.168.1.0/24 any address 192.168.100.0/24 any)
    {
        pfs_group 1;
        lifetime time 3600 sec;
        encryption_algorithm des;
        authentication_algorithm hmac_md5,hmac_sha1;
        compression_algorithm deflate;
    }
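One place to start with the debugging the post asks about is to cross-check the lifetimes and algorithms racoon will propose against what the Symantec side says it negotiates. The script below is an added example, not code from the post or from ipsec-tools: it parses a constructed excerpt of the racoon.conf shown above and compares it with the peer's values taken from the Info block, which are an assumption here since the script cannot query the Symantec box. It takes the proposal-level lifetime as the effective phase 1 lifetime, which is how racoon treats a lifetime inside a proposal block.

```python
"""Cross-check a racoon.conf against a peer's stated IKE/IPsec parameters."""
import re

UNITS = {"sec": 1, "min": 60, "hour": 3600}

# Constructed sample: the racoon.conf posted above, trimmed to the blocks this check reads.
SAMPLE_CONF = """
remote re.mote.ip.address [500] {
    exchange_mode aggressive,main;
    lifetime time 8 hour;
    proposal_check obey;
    proposal {
        encryption_algorithm des;   # phase 1 cipher
        hash_algorithm md5;
        authentication_method pre_shared_key;
        lifetime time 30 sec;
        dh_group 1;
    }
}

sainfo (address 192.168.1.0/24 any address 192.168.100.0/24 any) {
    pfs_group 1;
    lifetime time 3600 sec;
    encryption_algorithm des;
    authentication_algorithm hmac_md5,hmac_sha1;
    compression_algorithm deflate;
}
"""

# What the far side reports, copied from the post's Info block. This is an
# assumption for the example; the script has no way to ask the Symantec box.
PEER = {
    "phase1": {"lifetime": 28800, "encryption": "des", "hash": "md5"},
    "phase2": {"lifetime": 3600, "encryption": "des", "auth": "hmac_md5"},
}


def strip_comments(text):
    """Drop racoon '#' comments to end of line."""
    return re.sub(r"#.*", "", text)


def block_body(text, header_re):
    """Return the text between the braces that follow the first match of header_re."""
    m = re.search(header_re, text)
    if not m:
        return None
    start = text.index("{", m.end())
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces after %r" % m.group(0))


def top_level_statements(body):
    """Map keyword -> rest of statement for one block, skipping nested blocks."""
    out, depth, stmt = {}, 0, ""
    for ch in body:
        if ch == "{":
            if depth == 0:
                stmt = ""          # discard the nested block's header word
            depth += 1
        elif ch == "}":
            depth -= 1
        elif depth == 0:
            if ch == ";":
                parts = stmt.split()
                if parts:
                    out[parts[0]] = " ".join(parts[1:])
                stmt = ""
            else:
                stmt += ch
    return out


def lifetime_seconds(statements):
    """Convert 'lifetime time N unit' to seconds, or None if the block has none."""
    val = statements.get("lifetime")
    if not val:
        return None
    _, number, unit = val.split()
    return int(number) * UNITS[unit]


def check_against_peer(conf_text, peer):
    """Return human-readable mismatches; an empty list means the two sides line up."""
    text = strip_comments(conf_text)
    remote_body = block_body(text, r"\bremote\b")
    remote = top_level_statements(remote_body)
    proposal = top_level_statements(block_body(remote_body, r"\bproposal\b"))
    sainfo = top_level_statements(block_body(text, r"\bsainfo\b"))
    findings = []

    # A lifetime inside the proposal block wins over the remote-level default.
    p1 = lifetime_seconds(proposal)
    if p1 is None:
        p1 = lifetime_seconds(remote)
    if p1 != peer["phase1"]["lifetime"]:
        findings.append("phase1 lifetime: racoon %ds, peer %ds" % (p1, peer["phase1"]["lifetime"]))
    if proposal.get("encryption_algorithm") != peer["phase1"]["encryption"]:
        findings.append("phase1 encryption: racoon %s, peer %s" % (proposal.get("encryption_algorithm"), peer["phase1"]["encryption"]))
    if proposal.get("hash_algorithm") != peer["phase1"]["hash"]:
        findings.append("phase1 hash: racoon %s, peer %s" % (proposal.get("hash_algorithm"), peer["phase1"]["hash"]))

    p2 = lifetime_seconds(sainfo)
    if p2 != peer["phase2"]["lifetime"]:
        findings.append("phase2 lifetime: racoon %ds, peer %ds" % (p2, peer["phase2"]["lifetime"]))
    if sainfo.get("encryption_algorithm") != peer["phase2"]["encryption"]:
        findings.append("phase2 encryption: racoon %s, peer %s" % (sainfo.get("encryption_algorithm"), peer["phase2"]["encryption"]))
    if peer["phase2"]["auth"] not in sainfo.get("authentication_algorithm", "").split(","):
        findings.append("phase2 auth: racoon offers %s, peer wants %s" % (sainfo.get("authentication_algorithm"), peer["phase2"]["auth"]))
    return findings


if __name__ == "__main__":
    for line in check_against_peer(SAMPLE_CONF, PEER) or ["no mismatches"]:
        print(line)
```

On the posted configuration the only mismatch it reports is the phase 1 lifetime (30 seconds in the proposal block against the 28800 seconds the Symantec side lists); whether that is what drops the tunnel is not something a static check can say, so the next step is still racoon's own log at a higher log level, plus `setkey -D` to see when the IPsec SAs actually expire and whether they are renegotiated.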