From: "David DeSimone"
Date: Fri, 11 Dec 2009 10:33:43 -0600
To: freebsd-net@freebsd.org (Networking and TCP/IP with FreeBSD)
Subject: Re: Racoon site-to-site

Jon Otterholm wrote:
> If I restart racoon or wait approximately 30 min the connection is
> re-established.

Since this is approximately ½ of the phase 2 lifetime, you are probably
running into lifetime negotiation issues, or PFS issues.

> What would be the obvious way to debug this? Any suggestions on what
> to tweak appreciated.

I would turn up the debugging on racoon to get more information around
the time that the tunnel fails.

> sainfo (address 192.168.1.0/24 any address 192.168.100.0/24 any)
> {
>     pfs_group 1;
>     lifetime time 3600 sec;
>     encryption_algorithm des;
>     authentication_algorithm hmac_md5,hmac_sha1;
>     compression_algorithm deflate;
> }

My hunch is that you have a PFS mismatch, so that the first tunnel
negotiates, but the second SA negotiation fails, then the third succeeds,
etc.

-- 
David DeSimone == Network Admin == fox@verio.net

"I don't like spinach, and I'm glad I don't, because if I liked it I'd
eat it, and I just hate it." -- Clarence Darrow
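One way to check the PFS hunch above against both ends before turning up racoon's debugging, as an added example that is not part of the thread: it parses the sainfo block from each peer's racoon.conf (both fragments are constructed here, with the remote side lacking pfs_group and stating its lifetime in minutes) and lists the phase 2 parameters on which the peers disagree.

```python
import re

# Constructed racoon.conf fragments for both peers (not the poster's real configs);
# the remote side has no pfs_group and gives its lifetime in minutes.
LOCAL = """
sainfo (address 192.168.1.0/24 any address 192.168.100.0/24 any)
{
    pfs_group 1;
    lifetime time 3600 sec;
    encryption_algorithm des;
    authentication_algorithm hmac_md5,hmac_sha1;
}
"""
REMOTE = """
sainfo (address 192.168.100.0/24 any address 192.168.1.0/24 any)
{
    lifetime time 60 min;
    encryption_algorithm des;
    authentication_algorithm hmac_sha1;
}
"""

SAINFO_RE = re.compile(r"sainfo\s*\((.*?)\)\s*\{(.*?)\}", re.S)

def parse_sainfo(text):
    """Return {directive: value} for the first sainfo block of a racoon.conf fragment."""
    body = SAINFO_RE.search(text).group(2)
    # each statement is 'directive value ...;' so split on ';' then on whitespace
    return {s.split()[0]: " ".join(s.split()[1:]) for s in body.split(";") if s.split()}

def lifetime_seconds(directives):
    """Normalise 'lifetime time N unit' to seconds (racoon accepts sec, min, hour)."""
    _, n, unit = directives["lifetime"].split()
    return int(n) * {"sec": 1, "min": 60, "hour": 3600}[unit]

def compare_phase2(local_conf, remote_conf):
    """List the phase 2 parameters the two peers disagree on; a pfs_group set on
    only one side is the mismatch the reply above suspects."""
    a, b = parse_sainfo(local_conf), parse_sainfo(remote_conf)
    findings = []
    for key in ("pfs_group", "encryption_algorithm", "compression_algorithm"):
        if a.get(key) != b.get(key):
            findings.append(f"{key}: local={a.get(key)!r} remote={b.get(key)!r}")
    if lifetime_seconds(a) != lifetime_seconds(b):
        findings.append(f"lifetime: local={lifetime_seconds(a)}s remote={lifetime_seconds(b)}s")
    # authentication_algorithm may list several; the peers need one in common
    auth_a, auth_b = (set(x.get("authentication_algorithm", "").split(",")) for x in (a, b))
    if not auth_a & auth_b:
        findings.append("authentication_algorithm: no algorithm in common")
    return findings
```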