 From:  Vincent Fleuranceau <vincent at bikost dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] IPSec VPN Problem on Monowall 1.0
 Date:  Tue, 03 Aug 2004 15:05:15 +0200
The problem is back again :-(

I've rebooted the local m0n0wall and tried to ping a machine on the 
remote network to get the tunnel running again.

But the tunnel is down. Once again, I get:

racoon: ERROR: isakmp.c:1786:isakmp_chkph1there(): phase2 negotiation failed due to time up waiting for phase1.

The remote m0n0wall may not properly update its SAD and SPD information.

So, would it be possible to make the remote m0n0wall test the tunnel on 
a regular basis and delete the "poisoned" SAD and SPD entries by itself? 
I know, this is not clean at all, this is just an idea.

Is there something that could tell Racoon: "Hey, you know what? Your SAD 
and SPD must be deleted because they have not been used for xx seconds".

Moreover, I've noticed the racoon.conf file does not include timer 
information, I mean something like:

timer
{
     # These values can be changed per remote node.
     counter 5;        # maximum trying count to send.
     interval 20 sec;    # maximum interval to resend.
     persend 1;        # the number of packets per send.

     # timer for waiting to complete each phase.
     phase1 30 sec;
     phase2 15 sec;
}

Are there default built-in values for this? May the use of well-chosen 
values resolve our current problems?

Comments and ideas are welcome.

-- Vincent

PS : Could someone kidnap Manuel?
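The "test the tunnel on a regular basis and throw away the poisoned state" idea from the post above, written out as a watchdog script. This is an added example, not part of Vincent's message and not m0n0wall or racoon code. It pings a host behind the remote gateway; after a run of consecutive misses it flushes the SAD with `setkey -F` so the kernel must ask racoon for fresh SAs, and sends racoon SIGHUP so it drops any half-finished phase 1. The SPD is deliberately left alone: a policy with no matching SA is what makes the kernel send the ACQUIRE that starts a new negotiation, so flushing it would take the tunnel definition away rather than kick it. The peer address, the racoon pid file path and the FreeBSD `ping -t` timeout flag are assumptions to adjust for the real box; `PING_CMD` and `RESET_CMD` are overridable so the counting logic can be exercised without touching a kernel.

```shell
#!/bin/sh
# IPsec tunnel watchdog for a m0n0wall/FreeBSD box (added example, not
# m0n0wall or racoon code). Probes a host behind the remote gateway; after
# FAIL_LIMIT consecutive misses it flushes the SAD so the kernel has to ask
# racoon for fresh SAs, and HUPs racoon so it drops half-finished phase 1
# state. The SPD is left alone on purpose: a policy with no SA behind it is
# what triggers the ACQUIRE that starts a new negotiation.
# PEER_HOST, the racoon pid file path and the ping flags are assumptions.

PEER_HOST="${PEER_HOST:-192.168.2.1}"            # host on the remote LAN (assumption)
FAIL_LIMIT="${FAIL_LIMIT:-3}"                    # consecutive misses before a reset
INTERVAL="${INTERVAL:-60}"                       # seconds between probes
PING_CMD="${PING_CMD:-ping -c 1 -t 5}"           # FreeBSD ping: -t is a timeout in seconds
RESET_CMD="${RESET_CMD:-reset_ipsec}"            # overridable so the logic can be tested dry
RACOON_PID="${RACOON_PID:-/var/run/racoon.pid}"  # assumption

FAILS=0   # consecutive failed probes so far

# Returns 0 when a single ping across the tunnel is answered.
tunnel_up() {
    $PING_CMD "$PEER_HOST" >/dev/null 2>&1
}

# needs_reset FAILS LIMIT: true once the miss count has reached the limit.
needs_reset() {
    [ "$1" -ge "$2" ]
}

# Drop every SA (stale ones included) and make racoon forget what it was doing.
reset_ipsec() {
    setkey -F                                        # flush the SAD only, never the SPD
    if [ -r "$RACOON_PID" ]; then
        kill -HUP "$(cat "$RACOON_PID")"             # racoon re-reads its config on SIGHUP
    fi
    $PING_CMD "$PEER_HOST" >/dev/null 2>&1 || true   # traffic -> ACQUIRE -> new phase 1
}

# One probe. Returns 0 if the tunnel answered, 1 if not; fires RESET_CMD and
# restarts the count once the miss limit is hit.
probe_once() {
    if tunnel_up; then
        FAILS=0
        return 0
    fi
    FAILS=$((FAILS + 1))
    if needs_reset "$FAILS" "$FAIL_LIMIT"; then
        logger -t ipsec-watchdog "no reply from $PEER_HOST after $FAILS probes, flushing SAD and HUPing racoon" 2>/dev/null || true
        $RESET_CMD
        FAILS=0
    fi
    return 1
}

watchdog_loop() {
    while :; do
        probe_once || true
        sleep "$INTERVAL"
    done
}

# Only loop when run as the watchdog script itself, not when sourced to
# reuse the functions.
case "${0##*/}" in ipsec-watchdog.sh) watchdog_loop ;; esac
```

Save it as ipsec-watchdog.sh and start it from whatever the box uses to launch background jobs; the probe interval should be shorter than the phase 2 lifetime so a dead tunnel is noticed before the next rekey is due. It does not answer the question about racoon's built-in timer defaults, it only papers over the symptom, which is exactly what the post admits the idea amounts to.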