 From:  Robert Rich <rrich at gstisecurity dot com>
 To:  Holger Bauer <Holger dot Bauer at citec dash ag dot de>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSEC Tunnel between static and dynamic IP expires and doesn't come up again
 Date:  Mon, 27 Dec 2004 22:34:13 -0500
I was just about to post a message just like this one.

Same circumstances, same build, same hardware, same behavior and same 
log messages.

Same question. :)

I just temporarily bumped my phase2 lifetime to determine if it is 
related (it appears to be, as the log messages below indicate).

I can get a new tunnel by rebooting the firewall as well, or by deleting 
the old SA and letting it recreate one.

There are no actual indicators of a problem; it's like you say, it's 
just ignoring the fact that the tunnel isn't actually working.  There 
are no error messages generated, and no indication that it's trying to 
fix anything.  I do see active SAs, which I'm assuming it has recreated 
after the default phase2 lifetime has expired.

Is it possible to turn on any debug logging?

I'm running the expanded lifetime now, should find out in the morning if 
it 'fixed' the problem.

Any clues as to where we should look?

Holger Bauer wrote:

>The static IP m0n0 awaits "mobile clients" and uses its static IP as its identifier. For the dynamic m0n0 I added an Identifier with preshared Key and Secret.
>The dynamic m0n0 has a tunnel defined to the static m0n0. Parameters and identifiers are exactly the same on both sides. Lifetime of the keys is identical and the m0n0s are in timesync (nearly) using the same timeserver.
>The tunnel comes up after saving the IPsec settings. After reboot the tunnel comes up also. After a while the tunnel goes down, even if I have placed the hook in autoestablish and am pinging from a client behind the dynamic m0n0 to a server behind the static m0n0. The last messages in the log are the following:
>Dec 27 17:02:03	 racoon: INFO: pfkey.c:1466:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel XXX.XXX.XXX.STATIC->XXX.XXX.XXX.DYNAMIC spi=18385805(0x1188b8d)
>Dec 27 17:02:04	 racoon: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.STATIC->XXX.XXX.XXX.DYNAMIC spi=190768296(0xb5ee4a8)
>Dec 27 17:02:04	 racoon: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA established: ESP/Tunnel XXX.XXX.XXX.DYNAMIC ->XXX.XXX.XXX.STATIC spi=164063250(0x9c76812)
>Dec 27 17:04:01	 racoon: INFO: isakmp.c:1526:isakmp_ph1expire(): ISAKMP-SA expired XXX.XXX.XXX.DYNAMIC [500]-XXX.XXX.XXX.STATIC[500] spi:eb882035d39f06b0:c13f6f7948a2230e
>Dec 27 17:04:02	 racoon: INFO: isakmp.c:1574:isakmp_ph1delete(): ISAKMP-SA deleted XXX.XXX.XXX.DYNAMIC [500]-XXX.XXX.XXX.STATIC[500] spi:eb882035d39f06b0:c13f6f7948a2230e
>After that the tunnel can only be reestablished by saving and applying the IPsec settings on the dynamic m0n0, but the tunnel is kept alive for some minutes and breaks down again. It seems that the dynamic m0n0 doesn't try to reestablish the link, as there is no activity anymore in the logfiles after going down.
>I use WRAPs on both sides with m0n0 1.2b3 images. Anyone had these problems before or can give me a
>Thanks for everything in advance,
>Holger Bauer
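As an added example that is not part of this thread or of m0n0wall, here is a small Python check over racoon log lines in the format quoted above. It records the last event seen for each phase 1 (ISAKMP-SA) and phase 2 (IPsec-SA) association and flags any whose last event is an expiry or delete with nothing re-established afterwards, which is exactly the silence described in the quoted message. The sample lines are constructed from the quoted ones, with RFC 5737 documentation addresses standing in for the masked STATIC/DYNAMIC hosts; the "ISAKMP-SA established" wording accepted by the phase 1 pattern is racoon's normal message and is not shown in the quoted log.

```python
import re

# Constructed sample modelled on the racoon lines quoted in the thread.
# 192.0.2.1 stands in for the static m0n0, 198.51.100.2 for the dynamic one.
SAMPLE_LOG = """\
Dec 27 17:02:03 racoon: INFO: pfkey.c:1466:pk_recvexpire(): IPsec-SA expired: ESP/Tunnel 192.0.2.1->198.51.100.2 spi=18385805(0x1188b8d)
Dec 27 17:02:04 racoon: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 192.0.2.1->198.51.100.2 spi=190768296(0xb5ee4a8)
Dec 27 17:02:04 racoon: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA established: ESP/Tunnel 198.51.100.2 ->192.0.2.1 spi=164063250(0x9c76812)
Dec 27 17:04:01 racoon: INFO: isakmp.c:1526:isakmp_ph1expire(): ISAKMP-SA expired 198.51.100.2 [500]-192.0.2.1[500] spi:eb882035d39f06b0:c13f6f7948a2230e
Dec 27 17:04:02 racoon: INFO: isakmp.c:1574:isakmp_ph1delete(): ISAKMP-SA deleted 198.51.100.2 [500]-192.0.2.1[500] spi:eb882035d39f06b0:c13f6f7948a2230e
"""

# Syslog-style timestamp followed by racoon's prefix.
TS = r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d)\s+racoon: INFO: "
# Phase 2 (pfkey.c:pk_recv*): directional ESP/Tunnel src->dst; tolerate the stray
# space before "->" seen in the quoted log.
PH2 = re.compile(TS + r"\S+:pk_\w+\(\): IPsec-SA (expired|established): ESP/Tunnel "
                 r"(\S+)\s*->\s*(\S+) spi=")
# Phase 1 (isakmp.c:isakmp_ph1*): peer pair with ports; tolerate the space before "[500]".
PH1 = re.compile(TS + r"\S+:isakmp_\w+\(\): ISAKMP-SA (expired|deleted|established)\s+"
                 r"(\S+)\s*\[\d+\]-\s*(\S+)\s*\[\d+\]")


def parse(log_text):
    """Yield (timestamp, phase, state, key) for every recognised racoon line."""
    for line in log_text.splitlines():
        m = PH2.match(line)
        if m:
            ts, state, src, dst = m.groups()
            yield ts, "phase2", state, (src, dst)          # phase 2 SAs are one-way
            continue
        m = PH1.match(line)
        if m:
            ts, state, a, b = m.groups()
            yield ts, "phase1", state, tuple(sorted((a, b)))  # ISAKMP SA is per peer pair


def tunnel_status(log_text):
    """Map (phase, key) to 'up' or 'dead since <ts>' based on the last event seen.

    An SA whose final event is expired/deleted with no later 'established'
    is reported dead: the peer never renegotiated."""
    last = {}
    for ts, phase, state, key in parse(log_text):
        last[(phase, key)] = (ts, state)
    return {k: ("up" if state == "established" else f"dead since {ts}")
            for k, (ts, state) in last.items()}


if __name__ == "__main__":
    for (phase, key), status in sorted(tunnel_status(SAMPLE_LOG).items()):
        print(f"{phase} {key}: {status}")
```

On the sample the two phase 2 SAs come back up (pk_recvupdate/pk_recvadd), but the phase 1 association ends on a delete, so the check reports it dead; pointed at a live log it would show whether the dynamic side ever attempts a new phase 1 after the expiry.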