Hi,

I found a way to enable verbose logging: use /exec.php to configure syslog.conf to send *.debug to a syslog server. Then kill racoon and restart it with -ddd. Your syslog will grow :-)

Regards
Jörg

-----Original Message-----
From: Joerg Horchler [mailto:joerg dot horchler at coremedia dot com]
Sent: Tuesday, 13 September 2005 09:10
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] verbose logging and rekeying

Hi together,

currently I have two problems:

1.) I configured a VPN tunnel with one of our customers. I can see that an SA is established on the web interface of m0n0wall. But when I try to send data through the tunnel it doesn't work. The only things that I can see in the logs are:

Sep 12 15:57:36 cvpndmz racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for 50.50.50.50 queued due to no phase1 found.
Sep 12 15:57:36 cvpndmz racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 200.200.0.5[500]<=>50.50.50.50[500]
Sep 12 15:57:36 cvpndmz racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
Sep 12 15:57:37 cvpndmz racoon: NOTIFY: oakley.c:2084:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
Sep 12 15:57:37 cvpndmz racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established 200.200.0.5[500]-50.50.50.50[500] spi:6aaaf8e29d434461:21b5c9100fa7f094
Sep 12 15:57:38 cvpndmz racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 200.200.0.5[0]<=>50.50.50.50[0]
Sep 12 15:57:38 cvpndmz racoon: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 50.50.50.50->200.200.0.5 spi=261483793(0xf95ed11)
Sep 12 15:57:38 cvpndmz racoon: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA established: ESP/Tunnel 200.200.0.5->50.50.50.50 spi=363928000(0x15b119c0)
Sep 12 15:58:34 cvpndmz racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 200.200.0.5[0]<=>50.50.50.50[0]
Sep 12 15:58:34 cvpndmz racoon: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 50.50.50.50->200.200.0.5 spi=7344631(0x7011f7)
Sep 12 15:58:34 cvpndmz racoon: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA established: ESP/Tunnel 200.200.0.5->50.50.50.50 spi=1010446005(0x3c3a2eb5)

I'm not able to determine why I can't use the tunnel. It would be nice to have an option in the web GUI to change the log level of racoon. Is this feature planned?

2.) I configured another tunnel successfully in the past. This tunnel is currently working for a few hours. After these hours the tunnel isn't working anymore. I think it is because our peer tries to rekey the tunnel because the data lifetime is reached. (The peer has configured a lifetime of 86400 seconds _OR_ 100000 kilobytes.) I'm missing this feature too. I know that racoon is able to set the lifetime of phase two for seconds AND bytes. But this is not configurable in the GUI. Is this feature planned for the future?

Cheers
Jörg

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
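Once racoon is restarted with -ddd as described in the reply, the syslog output quickly becomes too long to read by hand. The script below is an added example for this thread, not code from the original posts, m0n0wall or racoon. It parses racoon's "LEVEL: file.c:line:function(): message" log layout, counts phase 1 and phase 2 events, extracts the IPsec SA SPIs, and raises the two findings a defender would want from the excerpt in the first message: Aggressive mode in phase 1 and the pre-shared-key lookup falling back to the peer's address. The sample lines are constructed from those quoted in the post (the addresses are the poster's placeholders); the 300-second rekey threshold and the wording of the findings are my assumptions.

```python
"""Summarise racoon (KAME/ipsec-tools) IKE log lines for tunnel troubleshooting.

Added example; not part of the original m0n0wall thread. SAMPLE_LOG is
constructed from the lines quoted in the post.
"""
import re
from datetime import datetime

# Syslog prefix followed by racoon's "LEVEL: file.c:line:function(): message" layout.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+racoon:\s+"
    r"(?P<level>[A-Z]+):\s+(?P<src>[\w.]+):(?P<lineno>\d+):(?P<func>\w+)\(\):\s+(?P<msg>.*)$"
)
# "IPsec-SA established: ESP/Tunnel a.b.c.d->e.f.g.h spi=NNN(0xHEX)"
SA_RE = re.compile(
    r"IPsec-SA established: (?P<proto>\S+) (?P<from>[\d.]+)->(?P<to>[\d.]+) spi=(?P<spi>\d+)"
)

# Assumption: a phase 2 renegotiation sooner than this (seconds) is worth flagging.
SHORT_REKEY_SEC = 300

SAMPLE_LOG = [  # constructed from the thread
    "Sep 12 15:57:36 cvpndmz racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for 50.50.50.50 queued due to no phase1 found.",
    "Sep 12 15:57:36 cvpndmz racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: 200.200.0.5[500]<=>50.50.50.50[500]",
    "Sep 12 15:57:36 cvpndmz racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.",
    "Sep 12 15:57:37 cvpndmz racoon: NOTIFY: oakley.c:2084:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.",
    "Sep 12 15:57:37 cvpndmz racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established 200.200.0.5[500]-50.50.50.50[500] spi:6aaaf8e29d434461:21b5c9100fa7f094",
    "Sep 12 15:57:38 cvpndmz racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 200.200.0.5[0]<=>50.50.50.50[0]",
    "Sep 12 15:57:38 cvpndmz racoon: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 50.50.50.50->200.200.0.5 spi=261483793(0xf95ed11)",
    "Sep 12 15:57:38 cvpndmz racoon: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA established: ESP/Tunnel 200.200.0.5->50.50.50.50 spi=363928000(0x15b119c0)",
    "Sep 12 15:58:34 cvpndmz racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate new phase 2 negotiation: 200.200.0.5[0]<=>50.50.50.50[0]",
    "Sep 12 15:58:34 cvpndmz racoon: INFO: pfkey.c:1197:pk_recvupdate(): IPsec-SA established: ESP/Tunnel 50.50.50.50->200.200.0.5 spi=7344631(0x7011f7)",
    "Sep 12 15:58:34 cvpndmz racoon: INFO: pfkey.c:1420:pk_recvadd(): IPsec-SA established: ESP/Tunnel 200.200.0.5->50.50.50.50 spi=1010446005(0x3c3a2eb5)",
]


def parse_line(line):
    """Return a dict of the line's fields, or None if it is not a racoon line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Syslog timestamps carry no year; only differences are used below.
    rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    return rec


def analyze(lines):
    """Walk the log once and build a small troubleshooting report."""
    report = {
        "phase1_established": 0,
        "phase2_initiated": [],  # timestamps of phase 2 negotiations
        "ipsec_sas": [],         # (direction, decimal SPI) per installed SA
        "findings": [],
    }
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        func, msg = rec["func"], rec["msg"]
        if func == "isakmp_ph1begin_i" and "Aggressive" in msg:
            report["findings"].append(
                "phase 1 uses Aggressive mode; with pre-shared keys the identity "
                "and PSK hash are sent unencrypted, Main mode is the safer choice")
        elif func == "oakley_skeyid" and "pskey" in msg:
            report["findings"].append(
                "PSK not found for the peer identifier; racoon fell back to lookup "
                "by IP address (check identifier type and PSK entry on both ends)")
        elif func == "log_ph1established":
            report["phase1_established"] += 1
        elif func == "isakmp_ph2begin_i":
            report["phase2_initiated"].append(rec["time"])
        elif func in ("pk_recvupdate", "pk_recvadd"):
            sa = SA_RE.search(msg)
            if sa:
                report["ipsec_sas"].append((f"{sa['from']}->{sa['to']}", int(sa["spi"])))

    # Gaps between successive phase 2 negotiations expose unexpected rekeying.
    times = report["phase2_initiated"]
    report["phase2_intervals_sec"] = [
        int((later - earlier).total_seconds()) for earlier, later in zip(times, times[1:])
    ]
    for gap in report["phase2_intervals_sec"]:
        if gap < SHORT_REKEY_SEC:
            report["findings"].append(
                f"phase 2 renegotiated after {gap}s, far below a typical lifetime; "
                "compare phase 2 lifetime and proposal settings with the peer")
    return report


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"phase 1 SAs established: {result['phase1_established']}")
    print(f"phase 2 negotiations:    {len(result['phase2_initiated'])}, gaps {result['phase2_intervals_sec']}s")
    for direction, spi in result["ipsec_sas"]:
        print(f"  ESP SA {direction} spi={spi} (0x{spi:x})")
    for finding in result["findings"]:
        print(f"FINDING: {finding}")
```

Run against the sample, the report shows one ISAKMP SA, four ESP SAs and a second phase 2 negotiation only 56 seconds after the first, which is the kind of detail that is easy to miss in a raw -ddd stream and that points at the lifetime question raised in the second part of the post.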