 From:  Michael Stecher <Michael dot Stecher at cib dot de>
 To:  "'Christopher M. Iarocci'" <iarocci at eastendsc dot com>
 Cc:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  AW: [m0n0wall] Problems with IPSec Site to Site Tunnel: ignore RESPONDER-LIFETIME notification
 Date:  Wed, 26 Nov 2008 11:22:33 +0100
Hello!

I've checked the lifetime settings again and everything seems to be OK. The peer admin told me that
now the correct lifetime is transmitted and their Cisco will also handle shorter lifetime cycles. So
maybe the problem is not the lifetime?!?

I've made another observation: if the peer side starts the tunnel first, I get the following log
entries:
Nov 26 10:26:48 racoon: NOTIFY: the packet is retransmitted by x.x.x.x[500].
Nov 26 10:26:38 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Nov 26 10:26:38 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Nov 26 10:26:38 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Nov 26 10:26:38 racoon: INFO: begin Identity Protection mode.
Nov 26 10:26:38 racoon: INFO: respond new phase 1 negotiation: x.x.x.x[500]<=>x.x.x.x[500]

It looks like the peer didn't receive a needed packet from our side, right?

Here is the complete log. Successful start at 09:05, problems at 09:54, an attempted reconnect from the
peer at 10:26, and a restart of the tunnel from our side at 10:52.

Nov 26 10:53:01 racoon: ERROR: such policy already exists. anyway replace it: x.x.x.176/29[0]
x.x.x.249/24[0] proto=any dir=out
Nov 26 10:53:01 racoon: ERROR: such policy already exists. anyway replace it: x.x.x.91/32[0]
x.x.x.99/24[0] proto=any dir=out
Nov 26 10:53:01 racoon: ERROR: such policy already exists. anyway replace it: x.x.x.249/24[0]
x.x.x.176/29[0] proto=any dir=in
Nov 26 10:53:01 racoon: ERROR: such policy already exists. anyway replace it: x.x.x.99/24[0]
x.x.x.91/32[0] proto=any dir=in
Nov 26 10:53:01 racoon: INFO: x.x.x.91[500] used for NAT-T
Nov 26 10:53:01 racoon: INFO: x.x.x.91[500] used as isakmp port (fd=12)
Nov 26 10:53:01 racoon: INFO: x.x.x.13[500] used for NAT-T
Nov 26 10:53:01 racoon: INFO: x.x.x.13[500] used as isakmp port (fd=11)
Nov 26 10:53:01 racoon: INFO: x.x.x.1[500] used for NAT-T
Nov 26 10:53:01 racoon: INFO: x.x.x.1[500] used as isakmp port (fd=10)
Nov 26 10:53:01 racoon: INFO: x.x.x.177[500] used for NAT-T
Nov 26 10:53:01 racoon: INFO: x.x.x.177[500] used as isakmp port (fd=9)
Nov 26 10:53:01 racoon: INFO: 127.0.0.1[500] used for NAT-T
Nov 26 10:53:01 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
Nov 26 10:53:01 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Nov 26 10:53:01 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004
(http://www.openssl.org/)
Nov 26 10:53:01 racoon: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
Nov 26 10:53:00 racoon: INFO: racoon shutdown
Nov 26 10:52:59 racoon: INFO: caught signal 15
Nov 26 10:41:08 racoon: ERROR: x.x.x.3 give up to get IPsec-SA due to time up to wait.
Nov 26 10:40:38 racoon: INFO: initiate new phase 2 negotiation: x.x.x.1[500]<=>x.x.x.3[500]
Nov 26 10:27:28 racoon: ERROR: phase1 negotiation failed due to time up.
7c9ba353a31f1d4b:2cd4fca1d18f4037
Nov 26 10:27:28 last message repeated 4 times
Nov 26 10:26:48 racoon: NOTIFY: the packet is retransmitted by x.x.x.3[500].
Nov 26 10:26:38 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Nov 26 10:26:38 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Nov 26 10:26:38 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Nov 26 10:26:38 racoon: INFO: begin Identity Protection mode.
Nov 26 10:26:38 racoon: INFO: respond new phase 1 negotiation: x.x.x.13[500]<=>x.x.x.3[500]
Nov 26 09:54:30 racoon: ERROR: x.x.x.3 give up to get IPsec-SA due to time up to wait.
Nov 26 09:54:00 racoon: INFO: IPsec-SA expired: ESP/Tunnel x.x.x.3[0]->x.x.x.1[0]
spi=4350059(0x42606b)
Nov 26 09:54:00 racoon: INFO: initiate new phase 2 negotiation: x.x.x.1[500]<=>x.x.x.3[500]
Nov 26 09:54:00 racoon: INFO: IPsec-SA expired: ESP/Tunnel x.x.x.1[0]->x.x.x.3[0]
spi=2846965402(0xa9b13e9a)
Nov 26 09:05:59 racoon: INFO: IPsec-SA established: ESP/Tunnel x.x.x.1[500]->x.x.x.3[500]
spi=2846965402(0xa9b13e9a)
Nov 26 09:05:59 racoon: INFO: IPsec-SA established: ESP/Tunnel x.x.x.3[0]->x.x.x.1[0]
spi=4350059(0x42606b)
Nov 26 09:05:59 racoon: WARNING: attribute has been modified.
Nov 26 09:05:59 racoon: WARNING: ignore RESPONDER-LIFETIME notification.
Nov 26 09:05:59 racoon: INFO: initiate new phase 2 negotiation: x.x.x.1[500]<=>x.x.x.3[500]
Nov 26 09:05:58 racoon: INFO: ISAKMP-SA established x.x.x.1[500]-x.x.x.3[500]
spi:4ac5128ca16fa8be:f05900aec4be625c
Nov 26 09:05:58 racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Nov 26 09:05:58 racoon: INFO: received Vendor ID: DPD
Nov 26 09:05:58 racoon: INFO: received Vendor ID: CISCO-UNITY
Nov 26 09:05:57 racoon: INFO: begin Identity Protection mode.
Nov 26 09:05:57 racoon: INFO: initiate new phase 1 negotiation: x.x.x.1[500]<=>x.x.x.3[500]
Nov 26 09:05:57 racoon: INFO: IPsec-SA request for x.x.x.3 queued due to no phase1 found.
Nov 26 09:05:47 racoon: ERROR: such policy already exists. anyway replace it: x.x.x.176/29[0]
x.x.x.249/24[0] proto=any dir=out
Nov 26 09:05:47 racoon: ERROR: such policy already exists. anyway replace it: x.x.x.91/32[0]
x.x.x.99/24[0] proto=any dir=out
Nov 26 09:05:47 racoon: ERROR: such policy already exists. anyway replace it: x.x.x.249/24[0]
x.x.x.176/29[0] proto=any dir=in
Nov 26 09:05:47 racoon: ERROR: such policy already exists. anyway replace it: x.x.x.99/24[0]
x.x.x.91/32[0] proto=any dir=in
Nov 26 09:05:47 racoon: INFO: x.x.x.91[500] used for NAT-T
Nov 26 09:05:47 racoon: INFO: x.x.x.91[500] used as isakmp port (fd=12)
Nov 26 09:05:47 racoon: INFO: x.x.x.13[500] used for NAT-T
Nov 26 09:05:47 racoon: INFO: x.x.x.13[500] used as isakmp port (fd=11)
Nov 26 09:05:47 racoon: INFO: x.x.x.1[500] used for NAT-T
Nov 26 09:05:47 racoon: INFO: x.x.x.1[500] used as isakmp port (fd=10)
Nov 26 09:05:47 racoon: INFO: x.x.x.177[500] used for NAT-T
Nov 26 09:05:47 racoon: INFO: x.x.x.177[500] used as isakmp port (fd=9)
Nov 26 09:05:47 racoon: INFO: 127.0.0.1[500] used for NAT-T
Nov 26 09:05:47 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=8)
Nov 26 09:05:47 racoon: INFO: Reading configuration from "/var/etc/racoon.conf"
Nov 26 09:05:47 racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004
(http://www.openssl.org/)
Nov 26 09:05:47 racoon: INFO: @(#)ipsec-tools 0.7 (http://ipsec-tools.sourceforge.net)
Nov 26 09:05:46 racoon: INFO: racoon shutdown
Nov 26 09:05:45 racoon: INFO: caught signal 15



And here is my racoon.conf:
path pre_shared_key "/var/etc/psk.txt";

path certificate  "/var/etc";

remote x.x.x.3 {
        exchange_mode main;
        my_identifier address "x.x.x.176";


        peers_identifier address x.x.x.3;
        initial_contact on;
        support_proxy on;
        proposal_check obey;
        dpd_delay 0;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 5;
                lifetime time 86400 secs;
        }
        lifetime time 86400 secs;
}

sainfo address x.x.x.176/29 any address x.x.x.249/24 any {
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        lifetime time 3600 secs;
}



The peer is a customer of our company. At the moment I don't have this config.

Many thanks to all!

Kind regards,
Michael



From: Christopher M. Iarocci [mailto:iarocci at eastendsc dot com]
Sent: Wednesday, 26 November 2008 01:00
To: Michael Stecher
Cc: m0n0wall at lists dot m0n0 dot ch
Subject: Re: [m0n0wall] Problems with IPSec Site to Site Tunnel: ignore RESPONDER-LIFETIME
notification

Michael Stecher wrote:
> Hello List!
>
> I've got a problem with our IPSec tunnel. The tunnel works fine for about an hour. After this time we
can't send any packets. Only a restart of the tunnel brings it up again - for about the next hour.
>
> Maybe this is the problem:
>
> At the beginning of the connection we receive this warning:
> racoon: WARNING: attribute has been modified.
> racoon: WARNING: ignore RESPONDER-LIFETIME notification.
>
> I've found some threads about this problem. To solve this problem we should use the same key lifetime
as our peer. The peer has a lifetime (phase 1) of about 86400 secs.
>
> But whatever I set this value to, the peer receives a lifetime of 28800:
> Nov 25 12:11:51.899: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 1 against priority 8 policy
> Nov 25 12:11:51.899: ISAKMP:      life type in seconds
> Nov 25 12:11:51.899: ISAKMP:      life duration (basic) of 28800
> Nov 25 12:11:51.899: ISAKMP:      encryption 3DES-CBC
> Nov 25 12:11:51.899: ISAKMP:      auth pre-share
> Nov 25 12:11:51.899: ISAKMP:      hash SHA
> Nov 25 12:11:51.899: ISAKMP:      default group 5
> Nov 25 12:11:51.899: ISAKMP:(0:0:N/A:0):atts are acceptable. Next payload is 0
>
> Does anybody know this problem? Is there another problem?
>
> The peer is a CISCO router, I don't know which one. On our side it's a m0n0wall 1.3b15.
>
> Many thanks for your help.
>
> Kind regards,
> Michael
>
I have 4 tunnels set up from my m0n0wall (also 1.3b15) to Cisco routers
that are reliable and stay up 24/7.  However, I've had the problem you
are having and it was always a mismatch of the lifetime setting.  Be
110% sure these numbers match or you will be constantly trying to figure
out why they come up then drop.  For reference, I have my lifetime
setting on 3600 seconds.  However, my setting may not be what you
need/want.  I am simply stating that setting to demonstrate that what
you put in that setting does matter.  I know that 28800 is the default
setting on a Cisco and it appears you probably haven't changed that to
match your 86400 you have on the m0n0wall.  Try setting the m0n0wall to
28800.  If you could show us your configs on both sides we may be able
to help further.

Chris

P.S. Those racoon warnings are just that, warnings.  I have the
identical warnings with stable tunnels.
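To make the timeline in these two mails easier to check (Michael's racoon log above, and Chris's point that a lifetime mismatch shows up as a tunnel that comes up and then drops), here is an added example that is not part of the thread and not code from m0n0wall or racoon: a small Python script that parses racoon syslog lines, pairs each IPsec-SA's "established" and "expired" lines by SPI, reports the observed lifetime next to the configured sainfo lifetime, and flags expiries that were never followed by a replacement SA. The sample log is a constructed, chronologically ordered subset of the lines quoted in the thread with the wrapped lines rejoined; the year 2008 and the 80% soft-lifetime ratio are assumptions (the ratio is libipsec's default as I understand it, not something the thread states).

```python
"""Reconstruct the IPsec SA timeline from racoon syslog lines and flag failed rekeys."""
import re
from datetime import datetime

# Assumption: syslog lines carry no year; the mail is dated November 2008.
YEAR = 2008

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) racoon: (?P<level>[A-Z]+): (?P<msg>.*)$"
)
SPI_RE = re.compile(r"spi=(?P<spi>\d+)\(")

# Constructed sample: a subset of the lines quoted in the thread, wrapped lines
# rejoined and put in chronological order (the mail lists them newest-first).
SAMPLE_LOG = """\
Nov 26 09:05:57 racoon: INFO: initiate new phase 1 negotiation: x.x.x.1[500]<=>x.x.x.3[500]
Nov 26 09:05:58 racoon: INFO: ISAKMP-SA established x.x.x.1[500]-x.x.x.3[500] spi:4ac5128ca16fa8be:f05900aec4be625c
Nov 26 09:05:59 racoon: INFO: initiate new phase 2 negotiation: x.x.x.1[500]<=>x.x.x.3[500]
Nov 26 09:05:59 racoon: WARNING: ignore RESPONDER-LIFETIME notification.
Nov 26 09:05:59 racoon: INFO: IPsec-SA established: ESP/Tunnel x.x.x.3[0]->x.x.x.1[0] spi=4350059(0x42606b)
Nov 26 09:05:59 racoon: INFO: IPsec-SA established: ESP/Tunnel x.x.x.1[500]->x.x.x.3[500] spi=2846965402(0xa9b13e9a)
Nov 26 09:54:00 racoon: INFO: IPsec-SA expired: ESP/Tunnel x.x.x.1[0]->x.x.x.3[0] spi=2846965402(0xa9b13e9a)
Nov 26 09:54:00 racoon: INFO: initiate new phase 2 negotiation: x.x.x.1[500]<=>x.x.x.3[500]
Nov 26 09:54:00 racoon: INFO: IPsec-SA expired: ESP/Tunnel x.x.x.3[0]->x.x.x.1[0] spi=4350059(0x42606b)
Nov 26 09:54:30 racoon: ERROR: x.x.x.3 give up to get IPsec-SA due to time up to wait.
Nov 26 10:26:38 racoon: INFO: respond new phase 1 negotiation: x.x.x.13[500]<=>x.x.x.3[500]
Nov 26 10:27:28 racoon: ERROR: phase1 negotiation failed due to time up. 7c9ba353a31f1d4b:2cd4fca1d18f4037
"""


def parse_line(line, year=YEAR):
    """Return (timestamp, level, message) for one racoon syslog line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["level"], m["msg"]


def analyze(log_text, hard_lifetime=3600, soft_ratio=0.8, year=YEAR):
    """Correlate IPsec-SA establish/expire lines per SPI and flag rekeys that failed.

    hard_lifetime: the phase 2 'lifetime time' from sainfo (3600 s in the thread).
    soft_ratio: assumed libipsec default; racoon starts rekeying at 80 % of the hard lifetime.
    """
    events = sorted(e for e in (parse_line(l, year) for l in log_text.splitlines()) if e)
    established, expired = {}, {}
    rekey_failures, phase1_failures, lifetime_warnings = [], [], 0

    for ts, _level, msg in events:
        spi = SPI_RE.search(msg)
        if msg.startswith("IPsec-SA established") and spi:
            established.setdefault(spi["spi"], ts)
        elif msg.startswith("IPsec-SA expired") and spi:
            expired[spi["spi"]] = ts
        elif "give up to get IPsec-SA" in msg:
            rekey_failures.append(ts)
        elif "phase1 negotiation failed" in msg:
            phase1_failures.append(ts)
        elif "ignore RESPONDER-LIFETIME" in msg:
            lifetime_warnings += 1

    # Seconds each SA actually lived, from its own establish line to its own expire line.
    observed = {
        spi: int((expired[spi] - established[spi]).total_seconds())
        for spi in established if spi in expired
    }
    # An expired SA counts as replaced only if some SA was established after it expired.
    unreplaced = [
        spi for spi, t_exp in expired.items()
        if not any(t_est > t_exp for t_est in established.values())
    ]

    soft = hard_lifetime * soft_ratio
    findings = []
    for spi, secs in sorted(observed.items()):
        if abs(secs - soft) <= 5:
            findings.append(f"SPI {spi} expired after {secs}s, at the soft lifetime "
                            f"({soft:.0f}s = {soft_ratio:.0%} of {hard_lifetime}s): racoon "
                            "started a rekey here, the hard limit was not hit")
        elif secs < soft - 5:
            findings.append(f"SPI {spi} expired after {secs}s, well before the configured "
                            f"{hard_lifetime}s: check whether the peer imposes a shorter lifetime")
    for spi in unreplaced:
        findings.append(f"SPI {spi} expired at {expired[spi]:%H:%M:%S} and no replacement SA followed")
    for t in rekey_failures:
        findings.append(f"{t:%H:%M:%S}: phase 2 rekey gave up waiting for the peer")
    for t in phase1_failures:
        findings.append(f"{t:%H:%M:%S}: phase 1 timed out (no ISAKMP-SA with the peer)")
    if lifetime_warnings:
        findings.append(f"{lifetime_warnings} RESPONDER-LIFETIME notification(s) ignored: "
                        "the peer proposed a lifetime racoon did not adopt")

    return {
        "observed_lifetimes": observed,
        "unreplaced_spis": unreplaced,
        "rekey_failures": rekey_failures,
        "phase1_failures": phase1_failures,
        "responder_lifetime_warnings": lifetime_warnings,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in analyze(SAMPLE_LOG)["findings"]:
        print(line)
```

Run against the thread's numbers, the script reports both SPIs expiring 2881 s after establishment, which is the 80% soft limit of the 3600 s sainfo lifetime rather than the 3600 s hard limit, followed 30 s later by a phase 2 rekey that gives up with no replacement SA: the tunnel dies at the first rekey attempt, not at the hard expiry. That is the kind of symptom Chris describes for mismatched lifetimes, and rerunning the script on later logs gives a repeatable check that the negotiated lifetime is the one both sides expect.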