Hello,

I have an ipsec tunnel going from my debian gateway to a sonicwall firewall with a static IP address.

The tunnel gets established without problems initially, but after some time I'm unable to send packets through the tunnel. Even though the tunnel is established, pings don't go through.

racoonctl shows me the following, which seems to indicate that there are duplicate SAs being created.

Code:

root@ubuntu:~$ sudo racoonctl ss isakmp
Destination            Cookies                           Created
67.221.256.46.500      7bbb54cb9d35712c:ba13bf18daf0befb 2009-10-22 18:36:59
97.34.18.242.500       5a8822053b69c999:76c982679e4c454b 2009-10-22 18:36:04
67.221.256.46.500      05615456125e9a98:9441d995120f33b5 2009-10-22 18:06:04
67.221.256.46.500      dfaa5e414c6a84a6:710aad570ff3e4bb 2009-10-22 18:06:11
97.34.18.242.500       5bbbaefd910f79c3:80babab33396ad8f 2009-10-22 18:05:59

There are duplicate ISAKMP entries and corresponding duplicate ESP and IPsec entries.

Also, a racoon/setkey restart clears the entries and starts new SA negotiations. The logs show that the SA has been established but no packets go through.

My racoon.conf and ipsec-tools.conf:

racoon.conf :

remote 67.221.256.46 {
       exchange_mode main;
       nat_traversal off;
       initial_contact on;
       my_identifier fqdn "network1.test";
       proposal {
               encryption_algorithm 3des;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group 2;
       }
}

sainfo subnet 192.168.56.0/24[any] any subnet 192.168.25.0/24[any] any {
       encryption_algorithm 3des;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
}

ipsec-tools.conf :

flush;
spdflush;

spdadd 192.168.56.0/24 192.168.25.0/24 any -P out ipsec
               esp/tunnel/192.168.56.254-67.221.256.46/require;
spdadd 192.168.25.0/24 192.168.56.0/24 any -P in ipsec
               esp/tunnel/67.221.256.46-192.168.56.254/require;


I've read that using "initial_contact on" in the tunnel could help. However, using that parameter in racoon.conf and restarting hasn't solved the problem and the man page says it's on by default anyway.

Maybe some Sonicwall-Racoon interoperability issue?

Thanks and Happy New Year!

-- Raghu
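As an added example (not part of the post above), a small POSIX shell helper that parses the `racoonctl ss isakmp` listing shown in the post and reports which peers have more than one phase-1 SA, plus the cookies of every SA older than the newest one for that peer. It assumes only the column layout visible in the post (destination, cookies, created date, created time after a single header line); the sample input is the post's own output, embedded verbatim.

```shell
#!/bin/sh
# Sample `racoonctl ss isakmp` output, copied from the post (the .256. octet is kept as posted).
SAMPLE='Destination            Cookies                           Created
67.221.256.46.500      7bbb54cb9d35712c:ba13bf18daf0befb 2009-10-22 18:36:59
97.34.18.242.500       5a8822053b69c999:76c982679e4c454b 2009-10-22 18:36:04
67.221.256.46.500      05615456125e9a98:9441d995120f33b5 2009-10-22 18:06:04
67.221.256.46.500      dfaa5e414c6a84a6:710aad570ff3e4bb 2009-10-22 18:06:11
97.34.18.242.500       5bbbaefd910f79c3:80babab33396ad8f 2009-10-22 18:05:59'

# Read the listing on stdin; print "destination count" for each peer
# that holds more than one ISAKMP SA (the duplicate condition seen in the post).
dup_isakmp_peers() {
    awk 'NR > 1 && NF >= 4 { n[$1]++ }
         END { for (d in n) if (n[d] > 1) print d, n[d] }' | sort
}

# Read the listing on stdin; for the peer given as $1, print the cookies of
# every SA except the most recently created one (ISO timestamps sort lexically).
stale_cookies() {
    awk -v p="$1" 'NR > 1 && NF >= 4 && $1 == p { print $3 " " $4 " " $2 }' \
        | sort | sed '$d' | awk '{ print $3 }'
}

# Stand-alone demo on the embedded sample. On a live gateway you would feed the
# helpers with:  racoonctl ss isakmp | dup_isakmp_peers
printf '%s\n' "$SAMPLE" | dup_isakmp_peers | while read -r peer count; do
    echo "$peer has $count ISAKMP SAs; older cookies:"
    printf '%s\n' "$SAMPLE" | stale_cookies "$peer"
done
```

The older cookies are the ones to look at in racoon's log around their Created time, since a rekey that left the previous phase-1 SA in place is what the post's listing suggests.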