After setting Phase 1 to 86400 and Phase 2 to 43200 I am still having issues. After about 40 minutes the dataflow between sites ceases (doing pings, for example) and there is absolutely nothing in either firewall log to say why. I have tried recreating the IPSEC connections and also refreshing the SAD database by removing the SADs and letting them recreate themselves - which they do within a matter of moments. After they're recreated the ping still doesn't work. During the time that the link works I can ping the other firewall's LAN IP by pinging it from the monowall ping command and setting the ping to go via the LAN (not WAN).

Here is what a typical log looks like from the Aussie Firewall:

    Dec 21 16:58:34 racoon: DEBUG: get pfkey UPDATE message
    Dec 21 16:58:34 racoon: DEBUG: pfkey UPDATE succeeded: ESP/Tunnel 58.x.x.x. [0]->203.x.x.x[0] spi=251282282(0xefa436a)
    Dec 21 16:58:34 racoon: INFO: IPsec-SA established: ESP/Tunnel 58.x.x.x[0]->203.x.x.x[0] spi=251282282(0xefa436a)
    Dec 21 16:58:34 racoon: DEBUG: ===
    Dec 21 16:58:34 racoon: DEBUG: get pfkey ADD message
    Dec 21 16:58:34 racoon: INFO: IPsec-SA established: ESP/Tunnel 203.x.x.x[0]->58.x.x.x[0] spi=181969559(0xad8a297)
    Dec 21 16:58:34 racoon: DEBUG: ===
    Dec 21 17:44:09 racoon: DEBUG: msg 1 not interesting
    Dec 21 18:54:12 racoon: DEBUG: msg 1 not interesting
    Dec 21 20:00:59 racoon: DEBUG: msg 1 not interesting
    Dec 21 20:24:56 racoon: DEBUG: msg 1 not interesting
    Dec 21 20:42:26 racoon: DEBUG: msg 1 not interesting

I would estimate that it is around the 20:00 time mark that the VPN stopped flowing traffic. I thought that perhaps one of the ADSL links might be playing up, but my connection history is pretty rock solid.

Any further ideas?

Thanks again!
-----Original Message-----
From: Bjoern Euler [mailto:lists at edain dot de]
Sent: Wednesday, 20 December 2006 9:04 PM
To: m0n0wall at lists dot m0n0 dot ch
Cc: jai at innaloo dot net
Subject: Re: [m0n0wall] Random lack of Dataflow over IPSEC VPN

On 20.12.2006 12:29 Jai Ketteridge wrote:
> According to http://doc.m0n0.ch/handbook/ipsec-tunnels.html it says that it
> recommends using 28880 for phase 1?
>
> Phase 1:
> Lifetime: This field is far more important than it appears. This lifetime,
> as opposed to the one in phase 2, is how long your end will wait for phase 1
> to be completed. I suggest using 28800 in this field.

I think that information is wrong. The lifetime for phase 1 specifies the time Security Associations will last. It is not a timeout!

When the specified phase 1 lifetime is over, the IKE daemon starts a new key exchange based on the certificate or pre-shared key. The transmitted keys are used to encrypt a second key exchange for the encryption of the data (ESP, phase 2). The SA information is then used to generate new keys for the ESP data flow based on the phase 2 lifetime. See <http://www.freebsd.org/cgi/man.cgi?query=setkey&sektion=8> for some basic information.

If the phase 2 lifetime is higher than phase 1, the channels for key exchange can get somehow out of sync and the tunnel starts failing after some time.

Note: the phase 1 exchange (in main mode) takes the most CPU time when a tunnel is established because it is based on the Diffie-Hellman algorithm.

Regards
-Bjoern

---------------------------------------------------------------------
To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
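As an added example (not part of this thread or of m0n0wall/racoon), here is a small Python script that parses racoon "IPsec-SA established" lines like the ones Jai posted and, given the configured phase 1 and phase 2 lifetimes, reports when each ESP SA is due for rekey, whether a replacement SA was ever logged for that direction, and when racoon last logged anything, which makes the symptom visible: the SAs are valid until the next morning, yet the daemon goes quiet hours earlier. The sample log and the year 2006 are constructed assumptions based on the quoted lines.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the racoon lines quoted in the thread
# (peer addresses are placeholders, as in the original post).
SAMPLE_LOG = """\
Dec 21 16:58:34 racoon: INFO: IPsec-SA established: ESP/Tunnel 58.x.x.x[0]->203.x.x.x[0] spi=251282282(0xefa436a)
Dec 21 16:58:34 racoon: INFO: IPsec-SA established: ESP/Tunnel 203.x.x.x[0]->58.x.x.x[0] spi=181969559(0xad8a297)
Dec 21 20:42:26 racoon: DEBUG: msg 1 not interesting
"""
YEAR = 2006  # syslog stamps carry no year; assumed from the thread's date
STAMP = r"^(?P<stamp>\w{3} +\d+ \d\d:\d\d:\d\d) racoon: "
LINE_RE = re.compile(STAMP)
SA_RE = re.compile(STAMP + r"INFO: IPsec-SA established: ESP/Tunnel "
                   r"(?P<src>[^\[]+)\[\d+\]->(?P<dst>[^\[]+)\[\d+\] spi=(?P<spi>\d+)\(")

def parse_stamp(stamp):
    return datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")

def lifetime_report(log_text, phase1_lifetime, phase2_lifetime):
    """Return (warnings, sa_records): one record per ESP SA with when it was
    established, when the phase 2 lifetime says it is due for rekey, when a
    replacement SA for the same direction was logged (None if never), and the
    last racoon line of any kind, to show how long before the due time racoon
    went quiet."""
    warnings = []
    # The point made in the thread: phase 2 lifetime must not exceed phase 1.
    if phase2_lifetime > phase1_lifetime:
        warnings.append(f"phase 2 lifetime {phase2_lifetime} exceeds phase 1 lifetime {phase1_lifetime}")
    records, last_seen = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = parse_stamp(m.group("stamp"))
        last_seen = ts if last_seen is None or ts > last_seen else last_seen
        sa = SA_RE.match(line)
        if sa:
            records.append({"src": sa["src"], "dst": sa["dst"], "spi": int(sa["spi"]),
                            "established": ts,
                            "rekey_due": ts + timedelta(seconds=phase2_lifetime)})
    for rec in records:  # a later SA in the same direction means racoon rekeyed this one
        later = [r["established"] for r in records if r["src"] == rec["src"]
                 and r["dst"] == rec["dst"] and r["established"] > rec["established"]]
        rec["rekeyed_at"] = min(later) if later else None
        rec["last_log_line"] = last_seen
    return warnings, records
```

Running `lifetime_report(SAMPLE_LOG, 86400, 43200)` shows both SAs due for rekey at 04:58:34 the next day with no replacement logged, while the last racoon line is at 20:42:26; swapping the lifetimes to put phase 2 above phase 1 produces the configuration warning Bjoern describes.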