 
 From:  "Joerg Horchler" <joerg dot horchler at coremedia dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  verbose logging and rekeying
 Date:  Tue, 13 Sep 2005 09:09:40 +0200
Hi all,

currently I have two problems: 

1.)
I configured a VPN tunnel with one of our customers. I can see that an SA is established on the web
interface of m0n0wall. But when I try to send data through the tunnel it doesn't work. The only
thing I can see in the logs is

Sep 12 15:57:36 cvpndmz racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for 50.50.50.50 queued due to no phase1 found.
Sep 12 15:57:36 cvpndmz racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 200.200.0.5[500]<=>50.50.50.50[500]
Sep 12 15:57:36 cvpndmz racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
Sep 12 15:57:37 cvpndmz racoon: NOTIFY: oakley.c:2084:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
Sep 12 15:57:37 cvpndmz racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established 200.200.0.5[500]-50.50.50.50[500] spi:6aaaf8e29d434461:21b5c9100fa7f094
Sep 12 15:57:38 cvpndmz racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 200.200.0.5[0]<=>50.50.50.50[0]
Sep 12 15:57:38 cvpndmz racoon: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 50.50.50.50->200.200.0.5 spi=261483793(0xf95ed11)
Sep 12 15:57:38 cvpndmz racoon: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA established: ESP/Tunnel 200.200.0.5->50.50.50.50 spi=363928000(0x15b119c0)
Sep 12 15:58:34 cvpndmz racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 200.200.0.5[0]<=>50.50.50.50[0]
Sep 12 15:58:34 cvpndmz racoon: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 50.50.50.50->200.200.0.5 spi=7344631(0x7011f7)
Sep 12 15:58:34 cvpndmz racoon: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA established: ESP/Tunnel 200.200.0.5->50.50.50.50 spi=1010446005(0x3c3a2eb5)

I'm not able to determine why I can't use the tunnel. It would be nice to have an option in the
web GUI to change the log level of racoon. Is this feature planned?

2.)
I configured another tunnel successfully in the past. This tunnel currently works for a few
hours; after that, the tunnel isn't working anymore. I think it is because our peer tries to
rekey the tunnel because the data lifetime is reached. (The peer has configured a lifetime of 86400
seconds _OR_ 100000 kilobytes.) I'm missing this feature too. I know that racoon is able to set the
lifetime of phase two in seconds AND bytes, but this is not configurable in the GUI. Is this
feature planned for the future?

Cheers
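A small log check over the racoon lines quoted in the post (added here as an example; it is not part of the original message or of m0n0wall). It pulls out NOTIFY/WARNING/ERROR lines and flags phase-2 SAs that are replaced sooner than an assumed 300-second threshold, which is exactly what the quoted log shows: both ESP SAs were renegotiated 56 seconds after first coming up, far short of any configured lifetime.

```python
import re

# Constructed sample: the racoon lines from the post, one log entry per line.
SAMPLE_LOG = """\
Sep 12 15:57:36 cvpndmz racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for 50.50.50.50 queued due to no phase1 found.
Sep 12 15:57:37 cvpndmz racoon: NOTIFY: oakley.c:2084:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
Sep 12 15:57:38 cvpndmz racoon: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 50.50.50.50->200.200.0.5 spi=261483793(0xf95ed11)
Sep 12 15:57:38 cvpndmz racoon: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA established: ESP/Tunnel 200.200.0.5->50.50.50.50 spi=363928000(0x15b119c0)
Sep 12 15:58:34 cvpndmz racoon: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 50.50.50.50->200.200.0.5 spi=7344631(0x7011f7)
Sep 12 15:58:34 cvpndmz racoon: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA established: ESP/Tunnel 200.200.0.5->50.50.50.50 spi=1010446005(0x3c3a2eb5)
"""

# syslog prefix: month, day, HH:MM:SS, host, "racoon:", level, message
LINE_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d):(\d\d):(\d\d) \S+ racoon: (\w+): (.*)$")
# pfkey "IPsec-SA established" message: proto/mode, src, dst, decimal SPI
SA_RE = re.compile(r"IPsec-SA established: (\S+) (\S+)->(\S+) spi=(\d+)")


def parse(log):
    """Yield (seconds since midnight, level, message) for each racoon line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mi, s = int(m[3]), int(m[4]), int(m[5])
        yield h * 3600 + mi * 60 + s, m[6], m[7]


def analyze(log, min_interval=300):
    """Return findings: non-INFO lines, and phase-2 SAs replaced sooner than
    min_interval seconds (assumed threshold; real lifetimes are hours)."""
    findings = []
    last_seen = {}  # (src, dst) -> (time, spi) of the most recent SA
    for t, level, msg in parse(log):
        if level in ("NOTIFY", "WARNING", "ERROR"):
            findings.append(f"{level}: {msg}")
        m = SA_RE.search(msg)
        if m:
            key = (m[2], m[3])
            if key in last_seen and t - last_seen[key][0] < min_interval:
                age = t - last_seen[key][0]
                findings.append(f"phase-2 SA {m[2]}->{m[3]} replaced after {age}s "
                                f"(spi {last_seen[key][1]} -> {m[4]})")
            last_seen[key] = (t, m[4])
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```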