 From:  Jukka Salmi <j+m0n0wall at 2004 dot salmi dot ch>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSec VPN Problem on Monowall 1.0
 Date:  Mon, 2 Aug 2004 16:52:22 +0200

Vincent Fleuranceau --> m0n0wall (2004-08-02 14:34:17 +0200):
> I have the same problem, but not with mobile clients.
> I have 2 sites connected via an IPsec VPN. Both tunnel ends use exactly 
> the same config (running 1.1b16).
> If I manually reboot the remote IPSec gateway (to simulate a power loss, 
> for example), the tunnel is unable to re-establish itself. I have to 
> reboot *both* machines! If I reboot only one machine, it seems some 
> buggy persistent SA prevents the racoon from going further.

Similar problem here:

- local side (A.A.A.A) runs m0n0wall 1.1b16, remote side (B.B.B.B) is
  m0n0wall 1.0

- IPsec VPN works fine until remote side is rebooted

- after remote side is up again I try to establish the VPN connection
  by sending an ICMP packet from the local side over the tunnel

- local side logs:
  racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate new phase 2
  	negotiation: A.A.A.A[0]<=>B.B.B.B[0]
  racoon: ERROR: isakmp_inf.c:141:isakmp_info_recv(): ignore information
  	because the message has no hash payload.
  last message repeated 2 times
  racoon: ERROR: pfkey.c:804:pfkey_timeover(): B.B.B.B give up to
  	get IPsec-SA due to time up to wait.

- remote side logs:
  racoon: ERROR: isakmp.c:490:isakmp_main(): can't start the quick mode,
  	there is no ISAKMP-SA, aa2ecfdd4c608fa9:6a3051a4cbce1e88:0000c65f

- "Diagnostics -> IPsec" on local side displays:
  Source   Destination  Protocol  SPI       Enc. alg.  Auth. alg.
  B.B.B.B  A.A.A.A      ESP 	  08318690  3des-cbc   hmac-sha1
  B.B.B.B  A.A.A.A      ESP 	  0326d2b0  replay=0   pid=1049

- 'setkey -D' on local side:
  B.B.B.B A.A.A.A 
	esp mode=tunnel spi=137463440(0x08318690) reqid=16564(0x000040b4)
	E: 3des-cbc  a903b945 8589ce49 136a62bf 67fe6d47 401ee686 154e7f41
	A: hmac-sha1  73122de1 29c02b56 d5c8d5e1 81784a4d 47ddcaad
	seq=0x00000000 replay=4 flags=0x00000000 state=mature 
	created: Aug  2 16:00:59 2004	current: Aug  2 16:12:55 2004
	diff: 716(s)	hard: 3600(s)	soft: 2880(s)
	last: Aug  2 16:09:53 2004	hard: 0(s)	soft: 0(s)
	current: 6864(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 66	hard: 0	soft: 0
	sadb_seq=22 pid=1019 refcnt=1
  B.B.B.B A.A.A.A 
	esp mode=tunnel spi=206340026(0x0c4c7fba) reqid=16564(0x000040b4)
	seq=0x00000000 replay=0 flags=0x00000000 state=larval 
	sadb_seq=21 pid=1019 refcnt=1

> I first thought I had misconfigured the lifetime values (see my 
> previous posts), but it seems it works very well 24/24 if no machine has 
> to be rebooted. On the other hand, I can reproduce the error 80% of the 
> time.

So far it's 100% here...

Cheers, Jukka

bashian roulette:
$ ((RANDOM%6)) || rm -rf ~
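As an added check that is not part of this thread (my own script, not m0n0wall's or racoon's), here is a small parser for `setkey -D` output that flags the two leftover-SA shapes shown in the listing above: a larval entry whose phase 2 never completed, and a mature entry that has stopped carrying traffic after the peer went away. The dump below is a constructed sample modelled on the listing, and the 120 s idle limit is an assumed threshold.

```python
import re
from datetime import datetime
# Constructed `setkey -D` dump modelled on the listing in the thread (E:/A:
# key lines left out; the parser would skip them anyway).
SAMPLE_DUMP = """\
B.B.B.B A.A.A.A
\tesp mode=tunnel spi=137463440(0x08318690) reqid=16564(0x000040b4)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcreated: Aug  2 16:00:59 2004\tcurrent: Aug  2 16:12:55 2004
\tdiff: 716(s)\thard: 3600(s)\tsoft: 2880(s)
\tlast: Aug  2 16:09:53 2004\thard: 0(s)\tsoft: 0(s)
\tcurrent: 6864(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
\tsadb_seq=22 pid=1019 refcnt=1
B.B.B.B A.A.A.A
\tesp mode=tunnel spi=206340026(0x0c4c7fba) reqid=16564(0x000040b4)
\tseq=0x00000000 replay=0 flags=0x00000000 state=larval
\tsadb_seq=21 pid=1019 refcnt=1
"""
TIMESTAMP = r"(\w{3}\s+\d+ [\d:]+ \d{4})"   # e.g. "Aug  2 16:12:55 2004"

def parse_setkey_dump(text):
    """One dict per SA: src/dst from the header, key=value fields, 'current'/'last' times."""
    sas = []
    for line in text.splitlines():
        if line and not line[0].isspace():       # unindented "src dst" header starts an SA
            src, dst = line.split()[:2]
            sas.append({"src": src, "dst": dst})
        elif sas:
            sa = sas[-1]
            sa.update(re.findall(r"(\w+)=([^\s(]+)", line))  # mode, spi, reqid, state, ...
            for name in ("current", "last"):     # time fields only, not "current: N(bytes)"
                m = re.search(name + ": " + TIMESTAMP, line)
                if m:
                    sa[name] = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
    return sas

def stale_sas(sas, idle_limit=120):
    """Flag larval SAs (phase 2 never completed) and mature SAs idle > idle_limit s."""
    findings = []
    for sa in sas:
        tag = f"{sa['src']}->{sa['dst']} spi={sa.get('spi')}"
        if sa.get("state") == "larval":
            findings.append((tag, "larval: phase 2 never completed"))
        elif sa.get("state") == "mature" and "last" in sa and "current" in sa:
            idle = int((sa["current"] - sa["last"]).total_seconds())
            if idle > idle_limit:
                findings.append((tag, f"mature but idle for {idle}s"))
    return findings
```

Feed it real `setkey -D` output from the gateway; a larval SA sitting next to a mature one with the same reqid is exactly the stuck renegotiation described above.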