From: Ari Suutari <ari.suutari@sy...> - 2005-04-27 05:40:50
I have about 20 ipsec tunnels between a central FreeBSD machine and remote
FreeBSD boxes, which have been running kame racoon on both ends.
Recently, I updated my central FreeBSD ipsec machine
from racoon-20040818a to ipsec-tools 0.5.1. Things seemed to work ok, but
soon we noticed that some tunnels didn't work. I tried restarting racoon at
remote end, but it didn't help. Restarting the racoon (or flushing SAs with setkey -F) on
central box cleared the situation.
Further examination revealed that for some reason, there were duplicate
SAs negotiated between racoons. When looking at the remote end
there were two similar SAs in both directions, when normally there
is only one SA per direction. The duplicate SAs had the same creation time.
The racoon log also shows that extraneous SAs were negotiated.
Is this a known problem with a fix? I had to go back to the old kame racoon
version to get things running normally, but I can at least temporarily
switch to ipsec-tools if more information is needed.
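The symptom above (two mature SAs per direction, created at the same moment, where a healthy tunnel has one) can be spotted mechanically from `setkey -D` rather than by eye. The script below is an added example, not code from the ipsec-tools project or from the original poster: it parses the SAD dump format printed by `setkey -D`, groups SAs by (src, dst, protocol, mode), and flags groups containing two or more SAs created within a short window. The window heuristic is an assumption of this example: during a normal rekey an old SA (often in state `dying`) coexists with the new one for a while, but its creation time is hours older, so only near-simultaneous creations are reported. The sample dump is constructed inline with dummy key material.

```python
"""Flag duplicate IPsec SAs in `setkey -D` output (added example, not ipsec-tools code)."""
import re
import sys
from collections import defaultdict
from datetime import datetime

# Line shapes from the KAME / ipsec-tools `setkey -D` SAD dump.
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s*$")                       # "src dst" (unindented)
PROTO_RE = re.compile(r"^\s*(esp|ah|ipcomp)\s+mode=(\w+)\s+spi=(\d+)\(")
STATE_RE = re.compile(r"state=(\w+)")
CREATED_RE = re.compile(r"created:\s+(\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+\d{4})")


def parse_sas(dump):
    """Return one dict per SA (src, dst, proto, mode, spi, state, created)."""
    sas, cur = [], None
    for line in dump.splitlines():
        if line and not line[0].isspace():          # unindented line: new SA header
            m = HEADER_RE.match(line)
            if m:
                cur = {"src": m.group(1), "dst": m.group(2)}
                sas.append(cur)
            continue
        if cur is None:
            continue
        m = PROTO_RE.match(line)
        if m:
            cur["proto"], cur["mode"], cur["spi"] = m.group(1), m.group(2), int(m.group(3))
        m = STATE_RE.search(line)
        if m:
            cur["state"] = m.group(1)
        m = CREATED_RE.search(line)
        if m:
            cur["created"] = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
    return sas


def find_duplicates(sas, window_s=2):
    """Map (src, dst, proto, mode) -> SPIs of SAs created within window_s of each other.

    Heuristic (assumption of this example): an extra SA that is much older is a
    normal rekey still draining; several created at the same moment are the
    extraneous negotiations described in the thread.
    """
    groups = defaultdict(list)
    for sa in sas:
        if "created" in sa and "proto" in sa:
            groups[(sa["src"], sa["dst"], sa["proto"], sa["mode"])].append(sa)
    dups = {}
    for key, members in groups.items():
        members.sort(key=lambda s: s["created"])
        clustered = []
        for a, b in zip(members, members[1:]):
            if (b["created"] - a["created"]).total_seconds() <= window_s:
                for s in (a, b):
                    if s not in clustered:
                        clustered.append(s)
        if clustered:
            dups[key] = [s["spi"] for s in clustered]
    return dups


def _sa_block(src, dst, spi, created, state="mature"):
    # Constructed text in the layout printed by `setkey -D`; key material is dummy.
    return (
        f"{src} {dst}\n"
        f"\tesp mode=tunnel spi={spi}(0x{spi:08x}) reqid=0(0x00000000)\n"
        f"\tE: 3des-cbc  00000000 00000000 00000000 00000000 00000000 00000000\n"
        f"\tA: hmac-sha1  00000000 00000000 00000000 00000000 00000000\n"
        f"\tseq=0x00000000 replay=4 flags=0x00000000 state={state}\n"
        f"\tcreated: {created}\tcurrent: Apr 27 06:00:00 2005\n"
        f"\tdiff: 20(s)\thard: 28800(s)\tsoft: 23040(s)\n"
    )


# Constructed sample: one healthy tunnel (plus a normal leftover from rekeying)
# and one broken tunnel with two SAs per direction created at the same time.
SAMPLE_SETKEY_D = "".join([
    _sa_block("10.0.0.1", "10.0.0.3", 0x1001, "Apr 27 05:40:50 2005"),
    _sa_block("10.0.0.3", "10.0.0.1", 0x1002, "Apr 27 05:40:50 2005"),
    _sa_block("10.0.0.3", "10.0.0.1", 0x0999, "Apr 26 22:40:50 2005", state="dying"),
    _sa_block("10.0.0.1", "10.0.0.2", 0x2001, "Apr 27 05:40:50 2005"),
    _sa_block("10.0.0.1", "10.0.0.2", 0x2002, "Apr 27 05:40:50 2005"),
    _sa_block("10.0.0.2", "10.0.0.1", 0x2003, "Apr 27 05:40:51 2005"),
    _sa_block("10.0.0.2", "10.0.0.1", 0x2004, "Apr 27 05:40:50 2005"),
])


if __name__ == "__main__":
    # Usage: setkey -D | python3 this_script.py   (falls back to the sample on a tty)
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SETKEY_D
    for (src, dst, proto, mode), spis in find_duplicates(parse_sas(dump)).items():
        print(f"{src} -> {dst} {proto}/{mode}: {len(spis)} SAs created together, "
              f"SPIs {[hex(s) for s in spis]}")
```

Run against the sample, only the 10.0.0.1/10.0.0.2 pair is reported in both directions; the old `dying` SA on the healthy tunnel is left alone. On a live box, pipe `setkey -D` into the script on the central machine before reaching for `setkey -F`, so the offending SPIs and creation times are recorded for the bug report.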
Ari Suutari <ari.suutari@...> wrote:
> Is this a known problem with a fix?
Could this be multiple SAs for hosts behind a NAT?
Otherwise, could you give a try to HEAD, to check if the problem still
From: Ari Suutari <ari.suutari@sy...> - 2005-04-27 07:30:33
> Could this be multiple SA for hosts behind a NAT?
No, there is no NAT involved in this setup.
> Otherwise, could you give a try to HEAD, to check if the problem still
I can try it. I'm away for the rest of the week and for next week so
it won't happen immediately. I'll test the HEAD version and
report back how it works.