From: VANHULLEBUS Yvan
To: freebsd-net@freebsd.org
Date: Tue, 31 Jul 2007 12:53:32 +0200
Subject: Re: IPSEC connection drops and doesn't recover
Message-ID: <20070731105332.GA1285@jayce.zen.inc>
In-Reply-To: <7feb82f40707301752j2ccb235eof197fed852188bd5@mail.gmail.com>

On Mon, Jul 30, 2007 at 08:52:25PM -0400, Isaac Kohen wrote:
> Hello,

Hi.

> I'm running 6.2-REL. My kernel is compiled with IPSEC, IPSEC_ESP, and
> IPSEC_DEBUG. I've installed ipsec-tools 0.6.7.

[.....]

> net.key.preferred_oldsa: 0

As Bjoern already said, you may resolve your problems by setting
net.key.preferred_oldsa=1, but I don't think that's your actual problem
(and setting it to 1 is usually a bad idea, except when you have a peer
that really requires it, usually an old and/or cheap device).

[....]

> remote 69.119.56.96 {
>     exchange_mode main;
>     #doi ipsec_doi;
>     #situation identity_only;
>     my_identifier address 68.167.79.2;
>     peers_identifier address 69.119.56.96;
>     #verify_identifier on;
>     nonce_size 16;
>     #lifetime time 24 hour;

Is lifetime really commented out in your config ???

[.....]

> Jul 30 20:42:09 cj racoon: DEBUG: get pfkey ACQUIRE message

Ok, you get acquires from your kernel.

[....]

> Jul 30 20:42:14 cj racoon: DEBUG: ignore the acquire because ph2 found

That's because you got *lots* of acquires for the same peer.

> Jul 30 20:42:22 cj racoon: DEBUG: 100 bytes from 68.167.79.2[500] to
> 69.119.56.96[500]
> Jul 30 20:42:22 cj racoon: DEBUG: sockname 68.167.79.2[500]
> Jul 30 20:42:22 cj racoon: DEBUG: send packet from 68.167.79.2[500]
> Jul 30 20:42:22 cj racoon: DEBUG: send packet to 69.119.56.96[500]
> Jul 30 20:42:22 cj racoon: DEBUG: 1 times of 100 bytes message will be sent
> to 69.119.56.96[500]
> Jul 30 20:42:22 cj racoon: DEBUG: 1313a61e 4a85f592 00000000 00000000
> 01100200 00000000 00000064 0d000034 00000001 00000001 00000028 01010001
> 00000020 01010000 800b0001 800c7080 80010005 80030001 80020002 80040002
> 00000014 afcad713 68a1f1c9 6b8696fc 77570100
> Jul 30 20:42:22 cj racoon: DEBUG: resend phase1 packet
> 1313a61e4a85f592:0000000000000000

Racoon tries to establish a new phase1....

Wild guess: your peer negotiates the first time, and it works. As you
don't have lifetime specified, racoon just gets the peer's lifetime. When
your phase1 expires, FreeBSD will be the first who wants to negotiate new
SAs. When it needs to negotiate an ISAKMP SA, negotiation will fail,
probably because the peer wants a lifetime in its proposal.

Have a look at your whole debug, find the debugs when the first
negotiation is done, and see what could make the negotiation work in one
way but not in the other way.

If you don't find a problem, please send your whole debug (warning, may be
quite big, and will include sensitive information if you log DEBUG2) to
ipsec-tools-users@lists.sourceforge.net, as your problem seems to really be
a racoon config problem.

Yvan.

-- 
NETASQ
http://www.netasq.com
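The comparison Yvan asks for (what the first, working negotiation proposed versus what the retransmitted phase 1 packet proposes) is easier with the hex dump decoded. The following Python decoder is an added example, not part of this message and not racoon's code: it parses the ISAKMP header, the SA payload's proposal and transform attributes, and the Vendor ID payload of the 100-byte packet quoted above, so you can read exactly which lifetime, cipher, hash, authentication method and DH group the proposal carries. It only handles unencrypted payloads (the first main-mode messages) and the payload and attribute values named below, taken from RFC 2408/2409; anything else is reported numerically. Run it on the dump from the successful negotiation as well and diff the two outputs.

```python
import struct

# Hex dump copied from the racoon DEBUG line quoted in the message above
# (main-mode phase 1 message 1, 100 bytes). Spaces come from racoon's log format.
PHASE1_HEX = (
    "1313a61e 4a85f592 00000000 00000000 01100200 00000000 00000064 0d000034 "
    "00000001 00000001 00000028 01010001 00000020 01010000 800b0001 800c7080 "
    "80010005 80030001 80020002 80040002 00000014 afcad713 68a1f1c9 6b8696fc "
    "77570100"
)

# IKEv1 names (RFC 2408 payload types, RFC 2409 attribute values); subset only.
PAYLOAD_TYPES = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
                 7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
EXCHANGE_TYPES = {2: "identity protection (main mode)", 4: "aggressive", 5: "informational"}
ATTR_NAMES = {1: "encryption_algorithm", 2: "hash_algorithm", 3: "authentication_method",
              4: "dh_group", 11: "life_type", 12: "life_duration"}
VALUE_NAMES = {1: {1: "des", 3: "blowfish", 5: "3des", 7: "aes"},       # encryption
               2: {1: "md5", 2: "sha1"},                                # hash
               3: {1: "pre_shared_key", 3: "rsasig"},                   # auth method
               11: {1: "seconds", 2: "kilobytes"}}                      # life type


def parse_attributes(data):
    """Decode ISAKMP data attributes (RFC 2408 3.3): high bit set = TV form with a
    2-byte value, clear = TLV form with a length and a variable-length value."""
    attrs = {}
    off = 0
    while off < len(data):
        af_type, val = struct.unpack_from("!HH", data, off)
        attr_type = af_type & 0x7FFF
        if af_type & 0x8000:
            off += 4
        else:
            val = int.from_bytes(data[off + 4:off + 4 + val], "big")
            off += 4 + (af_type and val.bit_length() + 7) // 8 if False else 4 + struct.unpack_from("!H", data, off + 2)[0]
        name = ATTR_NAMES.get(attr_type, "attr_%d" % attr_type)
        attrs[name] = VALUE_NAMES.get(attr_type, {}).get(val, val)
    return attrs


def parse_sa_payload(body):
    """Decode an SA payload body: DOI, situation, then the proposal/transform chain."""
    doi, situation = struct.unpack_from("!II", body, 0)
    proposals, off = [], 8
    while off < len(body):
        _, _, p_len, p_num, proto, spi_size, n_trans = struct.unpack_from("!BBHBBBB", body, off)
        t_off, transforms = off + 8 + spi_size, []
        for _ in range(n_trans):
            _, _, t_len, t_num, t_id = struct.unpack_from("!BBHBB", body, t_off)
            transforms.append({"number": t_num, "id": t_id,
                               "attributes": parse_attributes(body[t_off + 8:t_off + t_len])})
            t_off += t_len
        proposals.append({"number": p_num, "protocol": proto, "transforms": transforms})
        off += p_len
    return {"doi": doi, "situation": situation, "proposals": proposals}


def parse_isakmp(hexdump):
    """Parse an unencrypted ISAKMP message from racoon's spaced hex dump."""
    pkt = bytes.fromhex(hexdump.replace(" ", ""))
    i_ck, r_ck, next_p, ver, exch, flags, msgid, length = struct.unpack_from("!8s8sBBBBII", pkt, 0)
    if length != len(pkt):
        raise ValueError("header length %d != dump length %d" % (length, len(pkt)))
    if flags & 0x01:
        raise ValueError("encryption flag set: payloads are not decodable from the dump")
    msg = {"initiator_cookie": i_ck.hex(), "responder_cookie": r_ck.hex(),
           "version": "%d.%d" % (ver >> 4, ver & 0xF),
           "exchange": EXCHANGE_TYPES.get(exch, exch), "message_id": msgid, "payloads": []}
    off = 28  # fixed ISAKMP header size
    while next_p != 0:
        p_next, _, p_len = struct.unpack_from("!BBH", pkt, off)
        body = pkt[off + 4:off + p_len]
        entry = {"type": PAYLOAD_TYPES.get(next_p, next_p)}
        if next_p == 1:
            entry.update(parse_sa_payload(body))
        elif next_p == 13:
            entry["vendor_id"] = body.hex()
        else:
            entry["raw"] = body.hex()
        msg["payloads"].append(entry)
        next_p, off = p_next, off + p_len
    return msg


def phase1_lifetime(msg):
    """(life_type, life_duration) from the first transform carrying one, else None."""
    for p in msg["payloads"]:
        for prop in p.get("proposals", []):
            for t in prop["transforms"]:
                a = t["attributes"]
                if "life_duration" in a:
                    return a.get("life_type"), a["life_duration"]
    return None


if __name__ == "__main__":
    import json
    decoded = parse_isakmp(PHASE1_HEX)
    print(json.dumps(decoded, indent=2))
    print("lifetime in phase 1 proposal:", phase1_lifetime(decoded))
```

The decoder stops at the first SA payload's transform list, which is all a phase 1 message 1 contains; if `phase1_lifetime` returns `None` for one side's dump and a value for the other, that difference is the first thing to look at.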