From: Chris Buechler <cbuechler at gmail dot com>
To: m0n0wall dash dev at lists dot m0n0 dot ch
Subject: 1.2b1 IPsec SA issues
Date: Mon, 27 Sep 2004 02:24:39 -0400
As I posted to the list earlier, I'm having IPsec SA issues with
1.2b1.

My post to the list:
> I seem to be having issues with IPsec SAs that cause one of my
> VPNs to go down on 1.2b1.  The remote VPN endpoint is a Cisco PIX firewall.
> I ran into this same problem on 1.0 and 1.1, but only a couple
> times in about 5 months.  It's happened 3 times in the last 9 hours.

The duplicate SA issue is happening to me almost exactly every 2 hours
today (give or take a few minutes).  Always src IP PIX, dst IP
m0n0wall public IP, single SA in the other direction.  Deleting all
the SAs for that connection makes it come back within a couple of
seconds.

It went down at 21:50, was back up at 22:00.  Down again and back up
at 00:02.  Did it again at about 02:06, though I don't have the log
for that period below.  Go by the syslog server's timestamps, not the
ones from m0n0, as its clock is off.  Log file at
http://chrisbuechler.com/m0n0wall/duplicate-sa.txt
(the mailing list wouldn't accept the message with the log, as the
message was more than 30K with it)

12.202.x.x is the m0n0wall box in question, 216.135.x.x is a FreeBSD
w/racoon setup (not m0n0, but similar) and it's rock solid.
64.112.x.x is the PIX firewall that is the other endpoint of the
problematic VPN.

Relevant portion of config.xml:

      <tunnel>
          <interface>wan</interface>
          <local-subnet>
              <network>lan</network>
          </local-subnet>
          <remote-subnet>192.168.x.x/24</remote-subnet>
          <remote-gateway>64.112.x.x</remote-gateway>
          <p1>
              <mode>aggressive</mode>
              <myident>
                  <address>12.202.x.x</address>
              </myident>
              <encryption-algorithm>3des</encryption-algorithm>
              <hash-algorithm>md5</hash-algorithm>
              <dhgroup>2</dhgroup>
              <lifetime>86400</lifetime>
              <pre-shared-key>xxxxx</pre-shared-key>
          </p1>
          <p2>
              <protocol>esp</protocol>
              <encryption-algorithm-option>3des</encryption-algorithm-option>
              <hash-algorithm-option>hmac_md5</hash-algorithm-option>
              <pfsgroup>2</pfsgroup>
              <lifetime>86400</lifetime>
          </p2>
          <descr>PIX</descr>
      </tunnel>

If I can provide any more info, please let me know.

Regards,
-Chris
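One way to spot the one-sided duplicate-SA condition described in this post from a `setkey -D` dump, as an added example that is not from the original post or from m0n0wall: parse the SAD, count mature SAs per (src, dst) pair, and flag pairs holding more than one SA while the reverse direction holds a different number. The dump, the addresses and the `parse_sad`/`find_duplicate_sas` names are constructed for the example; the dump's layout approximates KAME/racoon `setkey -D` output.

```python
"""Flag one-sided duplicate IPsec SAs in a KAME/racoon `setkey -D` dump."""
import re
from collections import Counter

# Constructed dump in the shape of `setkey -D` output (hypothetical
# placeholder addresses, not the endpoints from the post): two inbound
# SAs from the peer to the local host, one outbound SA the other way.
SAD_DUMP = """\
64.112.0.1 12.202.0.1
\tesp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tdiff: 7200(s)\thard: 86400(s)\tsoft: 69120(s)
64.112.0.1 12.202.0.1
\tesp mode=tunnel spi=2271560481(0x87654321) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tdiff: 30(s)\thard: 86400(s)\tsoft: 69120(s)
12.202.0.1 64.112.0.1
\tesp mode=tunnel spi=1193046(0x00123456) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tdiff: 7200(s)\thard: 86400(s)\tsoft: 69120(s)
"""

HEADER = re.compile(r"^(\S+)\s+(\S+)\s*$")   # "src dst" line opens each SA
SPI = re.compile(r"spi=(\d+)")
STATE = re.compile(r"state=(\w+)")

def parse_sad(dump):
    """Return one dict per SA: src, dst, spi (int) and state."""
    sas = []
    for line in dump.splitlines():
        if not line.startswith(("\t", " ")):
            m = HEADER.match(line)
            if m:
                sas.append({"src": m.group(1), "dst": m.group(2),
                            "spi": None, "state": None})
            continue
        if not sas:
            continue   # attribute line before any header: ignore
        if m := SPI.search(line):
            sas[-1]["spi"] = int(m.group(1))
        if m := STATE.search(line):
            sas[-1]["state"] = m.group(1)
    return sas

def find_duplicate_sas(sas):
    """Map (src, dst) -> count for directions holding more than one mature
    SA while the reverse direction holds a different number."""
    counts = Counter((sa["src"], sa["dst"]) for sa in sas if sa["state"] == "mature")
    return {pair: n for pair, n in counts.items()
            if n > 1 and n != counts.get((pair[1], pair[0]), 0)}
```

Run against a real dump, a non-empty result from `find_duplicate_sas` is the moment to capture the racoon log before deleting the SAs, since deleting them clears the evidence along with the symptom.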