On Mon, 27 Sep 2004 09:03:29 +0200, Vincent Fleuranceau
<vincent at bikost dot com> wrote:
> > The duplicate SA issue is happening to me almost exactly every 2
> > hours today (give or take a few minutes). Always src IP PIX, dst IP
> > m0n0wall public IP, single SA in the other direction. Deleting all
> > the SA's for that connection makes it come back within a couple
> > seconds.
>
> I've found several (similar) entries in your log that make me think that
> both racoon and PIX do not use *exactly* the same settings:
>
> pfs group mismatched: my:2 peer:0
>
> It would be interesting to get the PIX's log, too.
>
I just noticed that. It never did it before 1.2. Interesting. I did
notice one difference between the two on lifetime, and fixed that.
Maybe this version is more picky with mismatched settings? I don't
know; it's been as it is now for more than 5 months, and it just now
breaks?

The PIX log gets flooded with about 40-50 messages like this every
time it goes down:

Sep 27 00:00:01 192.168.x.x local4.warn Sep 26 2004 23:59:53:
%PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for
destaddr=64.112.x.x, prot=esp, spi=0x75728714(1970439956)
Sep 27 00:00:01 192.168.x.x local4.warn Sep 26 2004 23:59:54:
%PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for
destaddr=64.112.x.x, prot=esp, spi=0x75728714(1970439956)
Sep 27 00:00:07 192.168.x.x local4.warn Sep 27 2004 00:00:00:
%PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for
destaddr=64.112.x.x, prot=esp, spi=0x75728714(1970439956)
Sep 27 00:00:07 192.168.x.x local4.warn Sep 27 2004 00:00:00:
%PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for
destaddr=64.112.x.x, prot=esp, spi=0x75728714(1970439956)
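As an added example (not part of the thread, and not m0n0wall or Cisco code), here is a small Python parser for the PIX-4-402101 lines quoted above. It groups the "invalid spi" messages by destination address and SPI and flags a burst, which is the log signature of one peer still sending on an SA the other side has already dropped, i.e. the duplicate-SA symptom the thread is about. The sample lines are constructed in the same shape as the quoted ones; the year (the relay prefix carries none), the burst threshold and the window length are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the relayed-syslog prefix ("Sep 27 00:00:01 host facility.sev")
# followed by the PIX-4-402101 body exactly as it appears in the post.
PIX_402101 = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+ .*?"
    r"%PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for "
    r"destaddr=(?P<dst>[^,]+), prot=(?P<prot>\w+), "
    r"spi=0x(?P<spi_hex>[0-9A-Fa-f]+)\((?P<spi_dec>\d+)\)"
)


def parse_402101(line, year=2004):
    """Return one invalid-SPI event as a dict, or None for any other line.

    The relay prefix has no year, so 'year' is an assumed value (2004 here,
    matching the PIX-side timestamp in the quoted lines).
    """
    m = PIX_402101.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    spi = int(m["spi_hex"], 16)
    # PIX prints the SPI twice (hex and decimal); a mismatch means the
    # line was mangled in transit and should not be counted.
    if spi != int(m["spi_dec"]):
        return None
    return {"ts": ts, "dst": m["dst"], "prot": m["prot"], "spi": spi}


def find_spi_bursts(lines, threshold=10, window=timedelta(seconds=60)):
    """Group invalid-SPI events by (destaddr, spi) and report bursts.

    A burst is 'threshold' or more events for the same stale SPI inside
    'window' (both assumed values). Each reported burst carries the total
    count and first/last timestamps for that SPI.
    """
    events = defaultdict(list)
    for line in lines:
        ev = parse_402101(line)
        if ev:
            events[(ev["dst"], ev["spi"])].append(ev["ts"])
    bursts = []
    for (dst, spi), stamps in events.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted times
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append({"dst": dst, "spi": f"0x{spi:08x}",
                               "count": len(stamps),
                               "first": stamps[0], "last": stamps[-1]})
                break
    return bursts


def _line(relay_ts, pix_ts, spi):
    """Build one constructed log line in the format quoted in the post."""
    return (f"{relay_ts} 192.168.x.x local4.warn {pix_ts}: %PIX-4-402101: decaps: "
            f"rec'd IPSEC packet has invalid spi for destaddr=64.112.x.x, prot=esp, "
            f"spi=0x{spi:x}({spi})")


# Constructed sample: twelve messages for the SPI seen in the post within
# twelve seconds, two for an unrelated (made-up) SPI, and one non-matching line.
SAMPLE_LOG = [
    "Sep 27 00:00:00 192.168.x.x local4.warn unrelated relayed message (constructed)",
] + [
    _line(f"Sep 27 00:00:{s:02d}", f"Sep 26 2004 23:59:{50 + s:02d}", 0x75728714)
    for s in range(1, 10)
] + [
    _line(f"Sep 27 00:00:{s:02d}", f"Sep 27 2004 00:00:{s - 8:02d}", 0x75728714)
    for s in range(10, 13)
] + [
    _line("Sep 27 00:05:00", "Sep 27 2004 00:04:53", 0x1234),   # constructed SPI
    _line("Sep 27 00:30:00", "Sep 27 2004 00:29:53", 0x1234),
]

if __name__ == "__main__":
    for b in find_spi_bursts(SAMPLE_LOG):
        print(f"{b['dst']} spi={b['spi']}: {b['count']} invalid-SPI messages "
              f"between {b['first']} and {b['last']}")
```

Fed the relayed syslog from the m0n0wall side, the burst report gives the stale SPI and the time of each flood, which is enough to line the events up against racoon's "pfs group mismatched" entries and the roughly two-hour period mentioned in the thread.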