Hi guys,

I set up a Monowall again to IPSec with an AVM Fritzbox. The AVM Box keeps changing IP address every night. After the address change the tunnel fails. It has to be turned off and back on at the Monowall end to make it work again.

Actual addresses (DNS names are resolving correctly):
Monowall 77.xxx.xxx.173
AVM Box 79.xxx.xxx.121

The message log of the Monowall:

Oct 29 07:13:26 racoon: INFO: IPsec-SA request for 79.xxx.xxx.153 queued due to no phase1 found.
Oct 29 07:10:22 racoon: INFO: delete phase 2 handler.
Oct 29 07:10:22 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 79.xxx.xxx.153[500]->77.xxx.xxx.173[500]
Oct 29 07:10:00 racoon: ERROR: phase1 negotiation failed due to time up. a503be1a50e0a8cd:0000000000000000
Oct 29 07:09:51 racoon: INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Oct 29 07:09:41 racoon: INFO: delete phase 2 handler.
Oct 29 07:09:41 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 79.xxx.xxx.153[0]->77.xxx.xxx.173[0]
Oct 29 07:09:10 racoon: INFO: begin Aggressive mode.
Oct 29 07:09:10 racoon: INFO: initiate new phase 1 negotiation: 77.xxx.xxx.173[500]<=>79.xxx.xxx.153[500]
Oct 29 07:09:10 racoon: INFO: IPsec-SA request for 79.xxx.xxx.153 queued due to no phase1 found.

The IPsec DNS check interval is actually set to 10 seconds. 79.xxx.xxx.153 was the AVM's address yesterday. It already starts wrong in the first line, SA request for 79.xxx.xxx.153. This is definitely not the address where the request comes from; this is the address at the time when racoon had been restarted the last time. But this is also the address stored under IPSec Diagnostics/SPD. Setting the DPD parameter to different values didn't help.
In my opinion that should have happened here, when Monowall detected that the addresses don't match anymore:

Oct 29 02:36:07 racoon: INFO: ISAKMP-SA deleted 77.xxx.xxx.173[500]-79.xxx.xxx.153[500] spi:6ca97a2eb335f7fb:7895e5cd21564ab5
Oct 29 02:36:07 racoon: ERROR: couldn't find configuration.
Oct 29 02:36:06 racoon: INFO: ISAKMP-SA expired 77.xxx.xxx.173[500]-79.xxx.xxx.153[500] spi:6ca97a2eb335f7fb:7895e5cd21564ab5
Oct 29 02:36:06 racoon: WARNING: remote address mismatched. db=79.xxx.xxx.153[500], act=79.xxx.xxx.121[500]
Oct 29 02:36:06 racoon: ERROR: failed to recv from pfkey (Resource temporarily unavailable)
Oct 29 02:36:06 racoon: WARNING: remote address mismatched. db=79.xxx.xxx.153[500], act=79.xxx.xxx.121[500]
Oct 29 02:36:06 racoon: INFO: purged IPsec-SA proto_id=ESP spi=36494290.
Oct 29 02:36:06 racoon: WARNING: remote address mismatched. db=79.xxx.xxx.153[500], act=79.xxx.xxx.121[500]

It might work with a shorter phase 1/2 interval, but that only covers the real problem. If my suspicion is correct it should work in 3 hours again, after phase 1 expired. (Established 2:34)

Are there any options to modify Racoon so that the SPD gets deleted as soon as the remote address mismatch is detected? This should be done as soon as the IPSec DNS check interval is set.

Best Regards
Heinz
www.thewest.com.au
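A small log check for the stale-peer symptom described in the post above, added here as an example; it is not part of the post, of m0n0wall or of racoon. It scans racoon log lines for the "remote address mismatched" warning and for later SA requests still queued toward the old (db) address, which is the combination that leaves the tunnel down until racoon is restarted. The sample lines are constructed to mirror the messages quoted in the post, with addresses masked the same way.

```python
import re

# Constructed sample, modelled on the racoon messages quoted in the post.
SAMPLE_LOG = """\
Oct 29 02:36:06 racoon: WARNING: remote address mismatched. db=79.xxx.xxx.153[500], act=79.xxx.xxx.121[500]
Oct 29 02:36:06 racoon: INFO: purged IPsec-SA proto_id=ESP spi=36494290.
Oct 29 07:09:10 racoon: INFO: IPsec-SA request for 79.xxx.xxx.153 queued due to no phase1 found.
Oct 29 07:10:00 racoon: ERROR: phase1 negotiation failed due to time up. a503be1a50e0a8cd:0000000000000000
"""

# racoon reports the address it has stored (db=) and the one the packet came from (act=)
MISMATCH_RE = re.compile(
    r"remote address mismatched\. db=(?P<db>[^\[]+)\[\d+\], act=(?P<act>[^\[]+)\[\d+\]"
)
# SA requests still being queued toward a peer address with no phase 1
QUEUED_RE = re.compile(r"IPsec-SA request for (?P<peer>\S+) queued due to no phase1 found")
P1_FAIL_RE = re.compile(r"phase1 negotiation failed due to time up")


def analyse(log_text):
    """Collect evidence that racoon is still using a peer address it already flagged as stale."""
    stale = {}        # stored (db) address -> actual address seen on the wire
    queued = set()    # peer addresses racoon queued SA requests for
    p1_failures = 0
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            stale[m.group("db")] = m.group("act")
            continue
        m = QUEUED_RE.search(line)
        if m:
            queued.add(m.group("peer"))
            continue
        if P1_FAIL_RE.search(line):
            p1_failures += 1
    # A stored address is "stale in use" when racoon flagged it as mismatched
    # and nevertheless keeps queueing SA requests toward it afterwards.
    stale_in_use = sorted(addr for addr in stale if addr in queued)
    return {"stale": stale, "stale_in_use": stale_in_use, "phase1_failures": p1_failures}


def needs_restart(report):
    """True when the tunnel is stuck negotiating toward a stale address (the post's symptom)."""
    return bool(report["stale_in_use"]) and report["phase1_failures"] > 0


if __name__ == "__main__":
    rep = analyse(SAMPLE_LOG)
    for old, new in rep["stale"].items():
        print(f"peer moved: stored {old}, actually {new}")
    print("restart needed:", needs_restart(rep))
```

Running it over a real m0n0wall log would let a monitoring job flag the condition instead of waiting for the phase 1 lifetime to expire.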