#79 ipsec-tunnel becomes inoperative periodically

open
nobody
None
5
2010-12-02
2010-12-02
Yury Bilkovs'ky
No

ipsec-tools v. 0.7.3, FreeBSD 7.1 <---> D-Link DI-804HV.
I have an IPsec tunnel between two offices. All works nicely. But periodically the IPsec tunnel becomes inoperative: even ping from one side to the other does not work. Restarting the D-Link does not help. Only restarting racoon helps.
This is a part of racoon's log at that moment:
...
2010-11-27 10:26:03: INFO: IPsec-SA established: ESP/Tunnel YY.YY.YY.YY[0]->XX.XX.XX.XX[0] spi=231504593(0xdcc7ad1)
2010-11-27 10:26:03: INFO: IPsec-SA established: ESP/Tunnel XX.XX.XX.XX[0]->YY.YY.YY.YY[0] spi=1207959568(0x48000010)
2010-11-27 10:26:04: INFO: ISAKMP-SA deleted XX.XX.XX.XX[500]-YY.YY.YY.YY[500] spi:533aec9f0a036333:c822144f933d5475
2010-11-27 10:51:36: ERROR: unknown Informational exchange received.
2010-11-27 10:51:36: INFO: respond new phase 1 negotiation: XX.XX.XX.XX[500]<=>YY.YY.YY.YY[500]
2010-11-27 10:51:36: INFO: begin Identity Protection mode.
2010-11-27 10:51:36: WARNING: SPI size isn't zero, but IKE proposal.
2010-11-27 10:51:36: INFO: ISAKMP-SA established XX.XX.XX.XX[500]-YY.YY.YY.YY[500] spi:a3b014adc0ca9132:64fde296716df57d
2010-11-27 10:51:36: INFO: respond new phase 2 negotiation: XX.XX.XX.XX[0]<=>YY.YY.YY.YY[0]
2010-11-27 10:51:37: INFO: IPsec-SA established: ESP/Tunnel YY.YY.YY.YY[0]->XX.XX.XX.XX[0] spi=239437563(0xe4586fb)
2010-11-27 10:51:37: INFO: IPsec-SA established: ESP/Tunnel XX.XX.XX.XX[0]->YY.YY.YY.YY[0] spi=1308622864(0x4e000010)
2010-11-27 10:53:07: INFO: purged IPsec-SA proto_id=ESP spi=1308622864.
2010-11-27 10:53:07: INFO: ISAKMP-SA expired XX.XX.XX.XX[500]-YY.YY.YY.YY[500] spi:a3b014adc0ca9132:64fde296716df57d
2010-11-27 10:53:07: INFO: respond new phase 1 negotiation: XX.XX.XX.XX[500]<=>YY.YY.YY.YY[500]
2010-11-27 10:53:07: INFO: begin Identity Protection mode.
2010-11-27 10:53:07: WARNING: SPI size isn't zero, but IKE proposal.
2010-11-27 10:53:07: INFO: ISAKMP-SA established XX.XX.XX.XX[500]-YY.YY.YY.YY[500] spi:5a8d85109ccb8221:131c88f5f1333733
2010-11-27 10:53:07: INFO: respond new phase 2 negotiation: XX.XX.XX.XX[0]<=>YY.YY.YY.YY[0]
2010-11-27 10:53:07: INFO: IPsec-SA established: ESP/Tunnel YY.YY.YY.YY[0]->XX.XX.XX.XX[0] spi=194230684(0xb93b99c)
2010-11-27 10:53:07: INFO: IPsec-SA established: ESP/Tunnel XX.XX.XX.XX[0]->YY.YY.YY.YY[0] spi=1342177296(0x50000010)
2010-11-27 10:53:08: INFO: ISAKMP-SA deleted XX.XX.XX.XX[500]-YY.YY.YY.YY[500] spi:a3b014adc0ca9132:64fde296716df57d
2010-11-27 10:54:38: INFO: purged IPsec-SA proto_id=ESP spi=1342177296.
2010-11-27 10:54:38: INFO: ISAKMP-SA expired XX.XX.XX.XX[500]-YY.YY.YY.YY[500] spi:5a8d85109ccb8221:131c88f5f1333733
2010-11-27 10:54:38: INFO: respond new phase 1 negotiation: XX.XX.XX.XX[500]<=>YY.YY.YY.YY[500]
2010-11-27 10:54:38: INFO: begin Identity Protection mode.
2010-11-27 10:54:38: WARNING: SPI size isn't zero, but IKE proposal.
2010-11-27 10:54:38: INFO: ISAKMP-SA established XX.XX.XX.XX[500]-YY.YY.YY.YY[500] spi:c8f7bae16bbd02a0:ab49cfac3dbecda9
2010-11-27 10:54:38: INFO: respond new phase 2 negotiation: XX.XX.XX.XX[0]<=>YY.YY.YY.YY[0]
2010-11-27 10:54:38: INFO: IPsec-SA established: ESP/Tunnel YY.YY.YY.YY[0]->XX.XX.XX.XX[0] spi=200192469(0xbeeb1d5)
2010-11-27 10:54:38: INFO: IPsec-SA established: ESP/Tunnel XX.XX.XX.XX[0]->YY.YY.YY.YY[0] spi=1375731728(0x52000010)
2010-11-27 10:54:39: INFO: ISAKMP-SA deleted XX.XX.XX.XX[500]-YY.YY.YY.YY[500] spi:5a8d85109ccb8221:131c88f5f1333733
...
("ISAKMP-SA deleted" repeats because the D-Link's "IKE Keep Alive" is enabled (it restarts the tunnel every 90 seconds).)
Both the D-Link and FreeBSD say that the IPsec tunnel is up, but it doesn't work!
Some strange error occurred at 10:51:36, and the tunnel became inoperative.
This situation repeats every several days.
Is it possible to fix this bug?

This is the "racoon.conf" file's content:

path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
path certificate "/usr/local/etc/cert" ;
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}

listen
{
isakmp XX.XX.XX.XX [500];
}

timer
{
# These values can be changed per remote node.
counter 5; # maximum number of attempts to send.
interval 20 sec; # maximum interval between resends.
persend 1; # the number of packets per send.

# timer for waiting to complete each phase.
phase1 30 sec;
phase2 15 sec;
}

remote anonymous
{
exchange_mode main,aggressive;
#exchange_mode aggressive,main;
doi ipsec_doi;
situation identity_only;

#my_identifier address;
my_identifier address XX.XX.XX.XX;
peers_identifier address YY.YY.YY.YY;
#certificate_type x509 "mycert" "mypriv";

nonce_size 16;
lifetime time 3600 sec; # sec,min,hour
initial_contact on;
support_proxy on;
proposal_check obey; # obey, strict or claim

proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key ;
dh_group 1 ;
}
}

sainfo anonymous
{
pfs_group 1;
lifetime time 3600 sec;
encryption_algorithm 3des ;
authentication_algorithm hmac_md5;
compression_algorithm deflate ;
}
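The log excerpt above can be checked mechanically for the three things worth noticing in it: the ERROR line at 10:51:36, phase-1 SAs being re-established far more often than the configured 3600 s lifetime, and ESP SAs that are established but never purged (in the excerpt as posted, only the XX->YY SAs ever get a "purged IPsec-SA" line). The following analyzer is an added example, not part of the report or of ipsec-tools; it runs over a constructed sample made of lines copied from the excerpt, with the same redacted XX/YY addresses, and the churn threshold of 300 s is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: lines taken from the racoon log excerpt in the report above.
SAMPLE_LOG = """\
2010-11-27 10:51:36: ERROR: unknown Informational exchange received.
2010-11-27 10:51:36: INFO: ISAKMP-SA established XX.XX.XX.XX[500]-YY.YY.YY.YY[500] spi:a3b014adc0ca9132:64fde296716df57d
2010-11-27 10:51:37: INFO: IPsec-SA established: ESP/Tunnel YY.YY.YY.YY[0]->XX.XX.XX.XX[0] spi=239437563(0xe4586fb)
2010-11-27 10:51:37: INFO: IPsec-SA established: ESP/Tunnel XX.XX.XX.XX[0]->YY.YY.YY.YY[0] spi=1308622864(0x4e000010)
2010-11-27 10:53:07: INFO: purged IPsec-SA proto_id=ESP spi=1308622864.
2010-11-27 10:53:07: INFO: ISAKMP-SA expired XX.XX.XX.XX[500]-YY.YY.YY.YY[500] spi:a3b014adc0ca9132:64fde296716df57d
2010-11-27 10:53:07: INFO: ISAKMP-SA established XX.XX.XX.XX[500]-YY.YY.YY.YY[500] spi:5a8d85109ccb8221:131c88f5f1333733
2010-11-27 10:53:07: INFO: IPsec-SA established: ESP/Tunnel YY.YY.YY.YY[0]->XX.XX.XX.XX[0] spi=194230684(0xb93b99c)
2010-11-27 10:53:07: INFO: IPsec-SA established: ESP/Tunnel XX.XX.XX.XX[0]->YY.YY.YY.YY[0] spi=1342177296(0x50000010)
2010-11-27 10:54:38: INFO: purged IPsec-SA proto_id=ESP spi=1342177296.
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (\w+): (.*)$")
ESP_EST = re.compile(r"ESP/Tunnel ([\w.]+)\[\d+\]->([\w.]+)\[\d+\] spi=(\d+)")
ESP_PURGE = re.compile(r"purged IPsec-SA proto_id=ESP spi=(\d+)")

def analyse(text, churn_seconds=300):
    """Return ERROR lines, seconds between consecutive phase-1 (ISAKMP-SA)
    establishments, those intervals below churn_seconds, and the ESP SAs
    (spi -> (src, dst)) that were established but never purged."""
    errors, p1_times, live = [], [], {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a racoon log line
        stamp, level, msg = m.groups()
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if level == "ERROR":
            errors.append((stamp, msg))
        elif msg.startswith("ISAKMP-SA established "):
            p1_times.append(ts)
        elif (e := ESP_EST.search(msg)):
            live[int(e.group(3))] = (e.group(1), e.group(2))  # SA now in the SAD
        elif (p := ESP_PURGE.search(msg)):
            live.pop(int(p.group(1)), None)                   # SA removed again
    intervals = [int((b - a).total_seconds()) for a, b in zip(p1_times, p1_times[1:])]
    return {"errors": errors, "p1_intervals": intervals,
            "churn": [i for i in intervals if i < churn_seconds], "stale": live}

if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    print("ERROR lines:", r["errors"], "\nphase-1 intervals (s):", r["p1_intervals"])
    for spi, (src, dst) in r["stale"].items():
        print(f"ESP SA spi={spi} {src}->{dst} established but never purged")
```

On the sample this reports one ERROR, a 91 s gap between phase-1 establishments (against a 3600 s lifetime), and two YY->XX ESP SAs still unpurged; run against a full log it shows whether that one-directional purge pattern holds outside the excerpt.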

Discussion