From: Wei <wc...@lu...> - 2007-01-27 17:48:05

Hi All,

I am using Racoon to set up IPSec tunnels with a Netscreen; the tunnels are configured to expire once an hour on the Netscreen. After a few hours the tunnels often fail to re-establish, and I had to manually run "setkey" to flush the old keys. But sometimes even that fails to re-establish the tunnels, and at this point "killall racoon" won't kill it; I have to use -9. The admin of the Netscreen told me the re-negotiation failed because Racoon was trying to use the expired keys.

In my log I see messages like these (IP addresses altered):

Jan 21 01:02:38 fc519521 racoon: INFO: IPsec-SA expired: ESP/Tunnel 69.180.103.238[0]->71.76.95.21[0] spi=163567833(0x9bfd8d9)
Jan 21 01:02:38 fc519521 racoon: ERROR: 63.110.103.238 give up to get IPsec-SA due to time up to wait.
Jan 21 01:02:38 fc519521 racoon: INFO: respond new phase 2 negotiation: 71.76.95.21[500]<=>69.180.103.238[500]
Jan 21 01:02:38 fc519521 racoon: NOTIFY: the packet is retransmitted by 69.180.103.238[500].
Jan 21 01:02:38 fc519521 racoon: WARNING: the packet retransmitted in a short time from 69.180.103.238[500]
Jan 27 08:39:05 fc519521 racoon: ERROR: no policy found: id:15665.
Jan 27 09:41:35 fc519521 racoon: ERROR: 69.180.103.238 give up to get IPsec-SA due to time up to wait.

Is this a known bug? I am using the following version: ipsec-tools-0.6.4-1.1 on kernel 2.6.18-1.2257.fc5

- Wei
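The failure pattern in the post (an "IPsec-SA expired" event followed by a "give up to get IPsec-SA" error from the same peer, with no new SA in between) is something an operator can watch for in syslog before the tunnel is silently down. The following is an added example, not code from the post or from ipsec-tools: a small Python checker that walks racoon log lines in order, tracks expired SAs per endpoint pair, clears them when a replacement SA is logged, and flags rekey failures that follow an unreplaced expiry. The sample log is constructed from the lines quoted above plus one extra "IPsec-SA established" line, whose format is assumed to follow racoon's usual wording; the hostname and addresses are the altered ones the poster used.

```python
import re
from dataclasses import dataclass

# Constructed sample: the lines quoted in the post, plus one assumed
# "IPsec-SA established" line to show a tracked expiry being cleared.
SAMPLE_LOG = """\
Jan 21 01:02:38 fc519521 racoon: INFO: IPsec-SA expired: ESP/Tunnel 69.180.103.238[0]->71.76.95.21[0] spi=163567833(0x9bfd8d9)
Jan 21 01:02:38 fc519521 racoon: ERROR: 63.110.103.238 give up to get IPsec-SA due to time up to wait.
Jan 21 01:02:38 fc519521 racoon: INFO: respond new phase 2 negotiation: 71.76.95.21[500]<=>69.180.103.238[500]
Jan 21 01:02:38 fc519521 racoon: NOTIFY: the packet is retransmitted by 69.180.103.238[500].
Jan 21 01:02:38 fc519521 racoon: WARNING: the packet retransmitted in a short time from 69.180.103.238[500]
Jan 27 08:39:05 fc519521 racoon: ERROR: no policy found: id:15665.
Jan 27 09:41:35 fc519521 racoon: ERROR: 69.180.103.238 give up to get IPsec-SA due to time up to wait.
Jan 27 09:45:00 fc519521 racoon: INFO: IPsec-SA established: ESP/Tunnel 69.180.103.238[0]->71.76.95.21[0] spi=199999999(0xbebc1ff)
"""

# Syslog prefix racoon lines carry: "Mon DD HH:MM:SS host racoon: LEVEL: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+\S+\s+racoon:\s+"
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
# Both the expiry and the establishment message name the SA the same way.
SA_RE = re.compile(
    r"IPsec-SA (?P<event>expired|established): \S+ "
    r"(?P<src>[\d.]+)\[\d+\]->(?P<dst>[\d.]+)\[\d+\] spi=(?P<spi>\d+)"
)
GIVEUP_RE = re.compile(r"^(?P<peer>[\d.]+) give up to get IPsec-SA")
NOPOLICY_RE = re.compile(r"no policy found: id:(?P<pid>\d+)")


@dataclass
class Finding:
    ts: str
    kind: str
    peer: str
    detail: str


def analyze(log_text):
    """Return (findings, still_expired) for racoon log text, processed in order.

    still_expired holds (ts, src, dst, spi) tuples for SAs whose expiry was
    logged but no replacement SA between the same endpoints was seen afterwards.
    """
    expired = []
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a racoon line; ignore
        ts, msg = m.group("ts"), m.group("msg")

        sa = SA_RE.search(msg)
        if sa:
            if sa["event"] == "expired":
                expired.append((ts, sa["src"], sa["dst"], sa["spi"]))
            else:
                # A fresh SA between the same endpoints supersedes stale entries.
                key = (sa["src"], sa["dst"])
                expired = [e for e in expired if (e[1], e[2]) != key]
            continue

        g = GIVEUP_RE.match(msg)
        if g:
            peer = g["peer"]
            stale = [e for e in expired if peer in (e[1], e[2])]
            if stale:
                spis = ", ".join(e[3] for e in stale)
                findings.append(Finding(ts, "rekey_failed_after_expiry", peer,
                                        "expired SPI(s) not yet replaced: " + spis))
            else:
                findings.append(Finding(ts, "rekey_failed", peer,
                                        "no unreplaced expired SA tracked for this peer"))
            continue

        n = NOPOLICY_RE.search(msg)
        if n:
            findings.append(Finding(ts, "no_policy", "-", "policy id " + n["pid"]))
    return findings, expired


if __name__ == "__main__":
    found, stale = analyze(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts}  {f.kind:<26} peer={f.peer:<16} {f.detail}")
    print("SAs still expired and unreplaced:", len(stale))
```

Run against the sample, the checker reports the Jan 21 give-up from 63.110.103.238 as a plain rekey failure (no expiry was tracked for that address), the "no policy found" error, and the Jan 27 give-up from 69.180.103.238 as a rekey failure following the unreplaced expiry of SPI 163567833; the constructed "established" line then clears that entry. The `rekey_failed_after_expiry` kind is the one worth alerting on, since it is exactly the situation the poster had to resolve by hand with setkey.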