 From:  John Auld <jxa at minervaplc dot com>
 To:  "'m0n0wall at lists dot m0n0 dot ch'" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  IPSec VPN Problem on Monowall 1.0
 Date:  Mon, 2 Aug 2004 12:30:27 +0100
With the generic-cdrom version of M0n0wall, I am having trouble with mobile
IPSec VPN clients being unable to connect using the SafeNet SoftremoteLT
version 8 client.

The symptoms are that the client can connect initially but after they
disconnect, they are unable to reconnect until the m0n0wall server is
rebooted. This problem was only noticed after testing m0n0wall with a single
VPN client. All seemed OK until the VPN was deployed to five users.

When the problem happens, the IPSec status page shows many SADs for the
IP address of the client (many = more than one pair - I have seen six
SADs). Once this was noticed, I found that I can fix the problem by
deleting all of the SADs and SPDs for the client's IP address, which is
better than rebooting the server, because it does not disconnect the other
VPN users.

It seems that racoon does not tidy up the SADs/SPDs properly. The problem
report on http://www.mail-archive.com/freebsd dash net at freebsd dot org/msg10324.html
describes a situation where a bug in racoon causes IPSec clients to die
after the timeout of the initial connection. I don't think that this is the
same as the problem I get, because a 5 min timeout on all timeout settings
for IPSec does not cause the same issue, even when the client has been
connected for many hours. However, the problem is similar, in that it
involves a problem with the cleaning up of SADs and SPDs.

It seems that the IPSec features of m0n0wall are not usable until this
issue is fixed.

John Auld 
Systems Administrator
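The workaround in the post, deleting the SADs and SPDs for one client's address, can also be scripted against setkey(8) on a FreeBSD-based gateway. The script below is an added example, not from the post or from m0n0wall: it parses a constructed `setkey -D` dump, flags peers holding more than one SA pair (the symptom reported above), and emits the matching setkey delete lines; the gateway address, peer addresses and SPIs are all constructed.

```python
import re
from collections import Counter

# Constructed sample in the layout of `setkey -D` on FreeBSD (KAME), not real
# output from the poster's gateway.  203.0.113.1 stands in for the m0n0wall
# WAN address; peer 10.20.30.40 holds two leaked SA pairs, 10.20.30.41 one.
SAMPLE_SAD = """\
10.20.30.40 203.0.113.1
\tesp mode=tunnel spi=16909060(0x01020304) reqid=0(0x00000000)
203.0.113.1 10.20.30.40
\tesp mode=tunnel spi=84281096(0x05060708) reqid=0(0x00000000)
10.20.30.40 203.0.113.1
\tesp mode=tunnel spi=151653132(0x090a0b0c) reqid=0(0x00000000)
203.0.113.1 10.20.30.40
\tesp mode=tunnel spi=219025168(0x0d0e0f10) reqid=0(0x00000000)
10.20.30.41 203.0.113.1
\tesp mode=tunnel spi=286397204(0x11121314) reqid=0(0x00000000)
203.0.113.1 10.20.30.41
\tesp mode=tunnel spi=353769240(0x15161718) reqid=0(0x00000000)
"""

SA_HEADER = re.compile(r"^(\S+) (\S+)$")
SA_SPI = re.compile(r"^\s+(esp|ah) mode=\S+ spi=\d+\((0x[0-9a-f]+)\)")

def parse_sad(text):
    """Return (src, dst, proto, spi) tuples from `setkey -D` output."""
    sas, ends = [], None
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:
            ends = m.groups()  # each SA starts with its src/dst address line
            continue
        m = SA_SPI.match(line)
        if m and ends:
            sas.append((ends[0], ends[1], m.group(1), m.group(2)))
    return sas

def peer_of(sa, gateway):
    """Remote end of an SA, given the gateway's own address."""
    return sa[1] if sa[0] == gateway else sa[0]

def leaked_peers(sas, gateway):
    """One SA pair (in + out) per live client; more means stale SAs remain."""
    counts = Counter(peer_of(sa, gateway) for sa in sas)
    return sorted(peer for peer, n in counts.items() if n > 2)

def delete_commands(sas, gateway, peer):
    """setkey(8) lines removing every SA of one peer, to feed `setkey -c`."""
    return ["delete %s %s %s %s;" % sa
            for sa in sas if peer_of(sa, gateway) == peer]
```

The SPD entries for the same client are removed separately with setkey's `spddelete`, which this script does not generate.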