Date: Fri, 11 Dec 2009 20:16:46 +0100 From: "Jon Otterholm" <jon.otterholm@ide.resurscentrum.se> To: "David DeSimone" <fox@verio.net> Cc: freebsd-net@freebsd.org Subject: Re: Racoon site-to site Message-ID: <1267A499-7F66-4138-A12A-94FC37FA616E@ide.resurscentrum.se> In-Reply-To: <20091211163343.GE2296@verio.net> References: <C747E9B6.31D29%jon.otterholm@ide.resurscentrum.se> <20091211163343.GE2296@verio.net>
11 dec 2009 kl. 17.34 skrev "David DeSimone" <fox@verio.net>:
> Jon Otterholm <jon.otterholm@ide.resurscentrum.se> wrote:
>>
>> If I restart racoon or wait approximately 30 min the connection is
>> re-established.
>
> Since this is approximately half of the phase 2 lifetime, you are probably
> running into lifetime negotiation issues, or PFS issues.
>
>> What would be the obvious way to debug this? Any suggestions on what
>> to tweak appreciated.
>
> I would turn up the debugging on racoon to get more information around
> the time that the tunnel fails.
>
>> sainfo (address 192.168.1.0/24 any address 192.168.100.0/24 any)
>> {
>> pfs_group 1;
>> lifetime time 3600 sec;
>> encryption_algorithm des;
>> authentication_algorithm hmac_md5,hmac_sha1;
>> compression_algorithm deflate;
>> }
>
> My hunch is that you have a PFS mismatch, so that the first tunnel
> negotiates, but the second SA negotiation fails, then the third
> succeeds, etc.
>
>
But would it not fail more often, then? I have set up a cronjob to ping
a server on the private networks from the bad side every 2 minutes and
sometimes it works for days without a single failure.
What debug level would be suitable?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1267A499-7F66-4138-A12A-94FC37FA616E>
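The thread above turns on two things: whether the phase 2 parameters (pfs_group, lifetime) really are identical on both gateways, and how to get more detail out of racoon when the tunnel drops. The racoon.conf fragment below is an added example written for this page; it is not the poster's configuration or anything David posted. It keeps the poster's sainfo form and subnets, but the key sizes, DH group and the two-gateway split are assumptions chosen for illustration. It shows the sainfo block as it should appear on each gateway (the only difference being the source/destination order), with pfs_group and lifetime matching on both sides, plus the `log` directive racoon.conf provides for raising the daemon's own log level (notify, debug or debug2) instead of restarting racoon with extra `-d` flags.

```conf
# Added example, not the original poster's racoon.conf.
# Diagnostic logging: "debug" is usually enough to see which phase 2
# proposal was rejected and why; "debug2" also dumps packet contents.
log debug;

# ---- Gateway A (local subnet 192.168.1.0/24) ----
# Both peers must carry the same pfs_group and the same lifetime; a
# mismatch lets the initial phase 2 SA come up but makes rekeying fail.
sainfo (address 192.168.1.0/24 any address 192.168.100.0/24 any)
{
        pfs_group 2;                      # MODP-1024; group 1 (768-bit) is weak
        lifetime time 3600 sec;           # identical on both peers
        encryption_algorithm aes 256;     # single DES (56-bit) should not be used
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# ---- Gateway B (local subnet 192.168.100.0/24) ----
# Mirror image of the block above: same parameters, addresses swapped.
sainfo (address 192.168.100.0/24 any address 192.168.1.0/24 any)
{
        pfs_group 2;
        lifetime time 3600 sec;
        encryption_algorithm aes 256;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

After changing the log level, watch racoon's log around the moment the cron-driven ping starts failing rather than at the initial negotiation: a PFS or lifetime mismatch typically shows up only when the second (rekey) phase 2 negotiation runs, which is why the first tunnel can look healthy. Only one of the two sainfo blocks belongs on a given gateway; they are shown together here to make the required symmetry visible.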
