Date:      Fri, 11 Dec 2009 10:33:43 -0600
From:      "David DeSimone" <fox@verio.net>
To:        <freebsd-net@freebsd.org>
Subject:   Re: Racoon site-to site
Message-ID:  <20091211163343.GE2296@verio.net>
In-Reply-To: <C747E9B6.31D29%jon.otterholm@ide.resurscentrum.se>
References:  <C747E9B6.31D29%jon.otterholm@ide.resurscentrum.se>

Jon Otterholm <jon.otterholm@ide.resurscentrum.se> wrote:
>
> If I restart racoon or wait approximately 30 min the connection is
> re-established.

Since this is approximately ½ of the phase 2 lifetime, you are probably
running into lifetime negotiation issues, or PFS issues.

> What would be the obvious way to debug this?  Any suggestions on what
> to tweak appreciated.

I would turn up the debugging on racoon to get more information around
the time that the tunnel fails.

> sainfo  (address 192.168.1.0/24 any address 192.168.100.0/24 any)
> {
>     pfs_group       1;
>     lifetime        time    3600 sec;
>     encryption_algorithm    des;
>     authentication_algorithm        hmac_md5,hmac_sha1;
>     compression_algorithm   deflate;
> }

My hunch is that you have a PFS mismatch, so that the first tunnel
negotiates, but the second SA negotiation fails, then the third
succeeds, etc.

-- 
David DeSimone == Network Admin == fox@verio.net
  "I don't like spinach, and I'm glad I don't, because if I
   liked it I'd eat it, and I just hate it." -- Clarence Darrow
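A small consistency check for the phase 2 parameters discussed above, added here as an example and not part of the thread: it parses the quoted sainfo block and a constructed block for the assumed remote peer (which leaves pfs_group out) and reports which parameters the two sides cannot agree on, which is the kind of mismatch that makes every other SA renegotiation fail.

```python
import re

# Constructed sample: LOCAL_CONF is the sainfo block quoted in the thread;
# REMOTE_CONF is an assumed peer configuration that omits pfs_group.
LOCAL_CONF = """
sainfo (address 192.168.1.0/24 any address 192.168.100.0/24 any)
{
    pfs_group       1;
    lifetime        time    3600 sec;
    encryption_algorithm    des;
    authentication_algorithm        hmac_md5,hmac_sha1;
    compression_algorithm   deflate;
}
"""
REMOTE_CONF = """
sainfo (address 192.168.100.0/24 any address 192.168.1.0/24 any)
{
    lifetime        time    3600 sec;
    encryption_algorithm    des;
    authentication_algorithm        hmac_sha1;
}
"""
SAINFO_RE = re.compile(r"sainfo\s*\(([^)]*)\)\s*\{([^}]*)\}", re.S)

def parse_sainfo(conf):
    """Parse the first sainfo block of a racoon.conf into {directive: value}."""
    m = SAINFO_RE.search(conf)
    settings = {}
    for raw in m.group(2).splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if line:
            parts = line.split(None, 1)
            settings[parts[0]] = " ".join(parts[1].split()) if len(parts) > 1 else ""
    return settings

def lifetime_seconds(value):
    _, amount, unit = value.split()  # e.g. "time 3600 sec"
    return int(amount) * {"sec": 1, "min": 60, "hour": 3600}[unit]

def compare_sainfo(local, remote):
    """List phase 2 parameters the two peers cannot agree on."""
    problems = []
    # PFS is all-or-nothing: a group on one side and none on the other fails.
    if local.get("pfs_group") != remote.get("pfs_group"):
        problems.append("pfs_group: %r vs %r" % (local.get("pfs_group"), remote.get("pfs_group")))
    if lifetime_seconds(local["lifetime"]) != lifetime_seconds(remote["lifetime"]):
        problems.append("lifetime: %s vs %s" % (local["lifetime"], remote["lifetime"]))
    for key in ("encryption_algorithm", "authentication_algorithm"):
        if not set(local.get(key, "").split(",")) & set(remote.get(key, "").split(",")):
            problems.append("%s: no common choice" % key)
    return problems
```

Run `compare_sainfo(parse_sainfo(LOCAL_CONF), parse_sainfo(REMOTE_CONF))` to get the list of mismatches; an empty list means both sides propose compatible phase 2 parameters.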

