[ previous ] [ next ] [ threads ]
 
 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] 1.2b1 IPsec SA issues
 Date:  Fri, 1 Oct 2004 00:58:31 -0400
On Thu, 30 Sep 2004 20:56:26 -0700 (PDT), Fred Wright <fw at well dot com> wrote:
> 
> On Thu, 30 Sep 2004, Chris Buechler wrote:
> 
> > Well, new issues with my PIX <-> m0n0wall VPN.  I'm pretty sure this
> > time it's because of the byte limit imposed by the PIX.  If I'm
> > transferring heavily over the connection, it'll drop after a while.
> > No duplicate SA's exist on the m0n0wall side this time.  The log
> > messages on the PIX side are the same as before.
> 
> When it's in the failing state, look at the SAs on both sides.  On
> m0n0wall, you'll need to use "setkey -D", since not all the information of
> interest is shown in the GUI SAD display.  I don't know what the Cisco
> equivalent is.  Look in particular at the SPIs, but also the lifetime
> info.
> 

Ok, I'll beat it up over the weekend and see what I can find out.  I
know all the debug and show commands on the PIX, so I'll be able to
get the appropriate info.


> 
> Does "a few hours" correlate with the lifetime?
> 

Lifetime is 86,400 seconds, or 24 hours, so no.  I've dropped it a
couple times within 6-8 hours, so there doesn't seem to be any
correlation there.


> 
> Making it work right would be best. :-)

Indeed!  I'll be glad to see what I can do.  With the info you
provided, I should be able to successfully troubleshoot this. (maybe
with a little more hand holding in the future)  :)


> 
> I can see how "prefer newer" could cause out-of-order expirations of byte-
> or packet-based lifetimes, although it's still not clear why this should
> cause a loss of connectivity.
> 
> You could check to see if it's an issue with "prefer newer" by switching
> the sysctl back.  You can do it on the fly with
> 
>         sysctl -w net.key.preferred_oldsa=1
> 
> though that will be undone by /etc/inc/vpn.inc on the next change to the
> IPsec config (or reboot).  Meanwhile, the problem with reboots would be
> back, of course.

Thanks, you've provided some good things to try.  I'll see what I can
determine and post back.

-Chris