As I posted to the list earlier, I'm having IPsec SA issues with
1.2b1.
My post to the list:
> I seem to be having issues with IPsec SAs that cause one of my
> VPNs to go down on 1.2b1. The remote VPN endpoint is a Cisco PIX firewall.
> I ran into this same problem on 1.0 and 1.1, but only a couple of
> times in about 5 months. It's happened 3 times in the last 9 hours.
The duplicate SA issue is happening to me almost exactly every 2 hours
today (give or take a few minutes). It's always src IP PIX, dst IP
m0n0wall public IP, with a single SA in the other direction. Deleting all
the SAs for that connection makes it come back within a couple of
seconds.
It went down at 21:50 and was back up at 22:00. Down again and back up
at 00:02. Did it again at about 02:06, though I don't have the log
for that period below. Go by the syslog server's timestamps, not the
ones from m0n0, as its clock is off. Log file at
http://chrisbuechler.com/m0n0wall/duplicate-sa.txt
(the mailing list wouldn't accept the message with the log, as it was
more than 30K with it).
12.202.x.x is the m0n0wall box in question, 216.135.x.x is a FreeBSD
with racoon setup (not m0n0, but similar), and it's rock solid.
64.112.x.x is the PIX firewall that is the other endpoint of the
problematic VPN.
Relevant portion of config.xml:

<tunnel>
    <interface>wan</interface>
    <local-subnet>
        <network>lan</network>
    </local-subnet>
    <remote-subnet>192.168.x.x/24</remote-subnet>
    <remote-gateway>64.112.x.x</remote-gateway>
    <p1>
        <mode>aggressive</mode>
        <myident>
            <address>12.202.x.x</address>
        </myident>
        <encryption-algorithm>3des</encryption-algorithm>
        <hash-algorithm>md5</hash-algorithm>
        <dhgroup>2</dhgroup>
        <lifetime>86400</lifetime>
        <pre-shared-key>xxxxx</pre-shared-key>
    </p1>
    <p2>
        <protocol>esp</protocol>
        <encryption-algorithm-option>3des</encryption-algorithm-option>
        <hash-algorithm-option>hmac_md5</hash-algorithm-option>
        <pfsgroup>2</pfsgroup>
        <lifetime>86400</lifetime>
    </p2>
    <descr>PIX</descr>
</tunnel>
If I can provide any more info, please let me know.
Regards,
-Chris
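The symptom described above (two mature ESP SAs from the PIX to the m0n0wall WAN address, one in the return direction, cleared by deleting the SAs for that peer) can be checked mechanically from a `setkey -D` dump rather than by eye. The following is an added example and is not code from the original post or from the m0n0wall project. It assumes the KAME/FreeBSD `setkey -D` layout (an `src dst` header line followed by tab-indented attribute lines); the sample dump, SPIs and addresses are constructed to mirror the post, with the 216.135.x.x racoon peer included as the healthy tunnel that must not be touched.

```python
"""Find duplicate one-direction IPsec SAs in `setkey -D` output and build the
scoped `setkey -c` delete script that clears only the affected peer.

Added example, not code from the original post or from m0n0wall.  Assumes the
KAME/FreeBSD `setkey -D` format; the sample below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample in the KAME `setkey -D` layout.  Addresses stand in for
# the x.x placeholders in the post and are not real hosts.  The first two
# records are the duplicate inbound SAs from the PIX; the third is the single
# outbound SA; the last two are the unrelated, healthy racoon peer.
SAMPLE_DUMP = """\
64.112.0.1 12.202.0.1
\tesp mode=tunnel spi=16909060(0x01020304) reqid=0(0x00000000)
\tE: 3des-cbc  0123456789abcdef 0123456789abcdef 0123456789abcdef
\tA: hmac-md5  0123456789abcdef 0123456789abcdef
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Feb 12 19:50:02 2005\tcurrent: Feb 12 21:51:40 2005
64.112.0.1 12.202.0.1
\tesp mode=tunnel spi=84281096(0x05060708) reqid=0(0x00000000)
\tE: 3des-cbc  fedcba9876543210 fedcba9876543210 fedcba9876543210
\tA: hmac-md5  fedcba9876543210 fedcba9876543210
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Feb 12 21:50:11 2005\tcurrent: Feb 12 21:51:40 2005
12.202.0.1 64.112.0.1
\tesp mode=tunnel spi=151653132(0x090a0b0c) reqid=0(0x00000000)
\tE: 3des-cbc  00112233445566778899aabbccddeeff 0011223344556677
\tA: hmac-md5  00112233445566778899aabbccddeeff
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Feb 12 21:50:11 2005\tcurrent: Feb 12 21:51:40 2005
12.202.0.1 216.135.0.1
\tesp mode=tunnel spi=1(0x00000001) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
216.135.0.1 12.202.0.1
\tesp mode=tunnel spi=2(0x00000002) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

SA_HEADER = re.compile(r"^(\S+) (\S+)$")            # "src dst" at column 0
SA_PROTO = re.compile(r"^\t(esp|ah|ipcomp) mode=(\w+) spi=(\d+)\((0x[0-9a-fA-F]+)\)")
SA_STATE = re.compile(r"state=(\w+)")


def parse_setkey_dump(text):
    """Return one dict per SA (src, dst, proto, mode, spi, spi_hex, state)."""
    sas = []
    cur = None
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:                                   # new SA record starts
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
            continue
        if cur is None:
            continue
        m = SA_PROTO.match(line)
        if m:
            cur.update(proto=m.group(1), mode=m.group(2),
                       spi=int(m.group(3)), spi_hex=m.group(4))
            continue
        m = SA_STATE.search(line)
        if m:
            cur["state"] = m.group(1)
    return sas


def find_duplicate_sas(sas, peer=None):
    """Group mature SAs by (src, dst, proto); return groups holding more than
    one.  Larval/dying SAs are skipped because two entries in one direction
    are normal for a moment during rekeying.  `peer` limits the check to
    SAs touching that address."""
    groups = defaultdict(list)
    for sa in sas:
        if sa.get("state") != "mature":
            continue
        if peer and peer not in (sa["src"], sa["dst"]):
            continue
        groups[(sa["src"], sa["dst"], sa["proto"])].append(sa)
    return {key: group for key, group in groups.items() if len(group) > 1}


def delete_commands(sas, peer):
    """`setkey -c` lines that delete every SA for one peer (both directions),
    i.e. the manual fix from the post, without the blanket `setkey -F` that
    would also drop the healthy tunnels."""
    return [f"delete {sa['src']} {sa['dst']} {sa['proto']} {sa['spi_hex']};"
            for sa in sas if peer in (sa["src"], sa["dst"])]


if __name__ == "__main__":
    pix = "64.112.0.1"                          # constructed stand-in for 64.112.x.x
    parsed = parse_setkey_dump(SAMPLE_DUMP)
    for (src, dst, proto), group in find_duplicate_sas(parsed, peer=pix).items():
        spis = ", ".join(sa["spi_hex"] for sa in group)
        print(f"duplicate {proto} SAs {src} -> {dst}: {spis}")
    print("\n".join(delete_commands(parsed, pix)))
```

On a live box the input would come from `setkey -D` and the generated lines would be fed to `setkey -c`; scoping the delete to the one peer matters because, as the post notes, the other racoon tunnel on the same box is healthy and should not be flushed along with the bad one.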