From: Zeus V P. <ze...@ib...> - 2011-07-12 14:47:19
Hi,

i'm facing a weird situation ... may somebody advise, please?

after tunnel *up and working* for some time, racoon hangs in several
minutes (especially under the load), but if i launch ping to my peer's
tunnel address in background, then everything works and only rarely
hangs ...

what can be wrong?

> uname -a
FreeBSD 8.2-STABLE amd64

my peer is Cisco PIX

> pkg_info|grep ipsec
ipsec-tools-0.7.3   KAME racoon IKE daemon, ipsec-tools version

> ifconfig gif0
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
        tunnel inet X.X.X.X --> Y.Y.Y.Y
        inet A.A.A.A --> B.B.B.B netmask 0xffffff00
        options=1<ACCEPT_REV_ETHIP_VER>

> cat setkey.conf
flush;
spdflush;

# X.X.X.X   - my external (wan) ip address
# Y.Y.Y.Y   - my ipsec peer external (wan) ip address
# A.A.A.A   - my tunnel peering address
# B.B.B.B   - my ipsec peer, tunnel peering address
# B.B.B.0/24 - my ipsec peer, subnet i need to access

spdadd A.A.A.A A.A.A.A any -P out none;
spdadd A.A.A.A A.A.A.A any -P in none;
spdadd A.A.A.A B.B.B.0/24 any -P out ipsec esp/tunnel/X.X.X.X-Y.Y.Y.Y/require;
spdadd B.B.B.0/24 A.A.A.A any -P in ipsec esp/tunnel/Y.Y.Y.Y-X.X.X.X/require;

> cat racoon.conf
path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

padding {
        maximum_length 20;
        randomize off;
        strict_check off;
        exclusive_tail off;
}

timer {
        counter 10;
        interval 10 sec;
        persend 2;
        phase1 30 sec;
        phase2 15 sec;
}

log debug2;

remote anonymous {
        exchange_mode main,base;
        lifetime time 24 hours ;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
        proposal_check strict;
}

sainfo anonymous {
        pfs_group 2;
        lifetime time 1 hour ;
        encryption_algorithm 3des ;
        authentication_algorithm hmac_md5 ;
        compression_algorithm deflate ;
}

--
Zeus V. Panchenko
JID:ze...@gn...
GMT+2 (EET)
From: VANHULLEBUS Y. <va...@fr...> - 2011-07-12 15:09:11
On Tue, Jul 12, 2011 at 05:47:09PM +0300, Zeus V Panchenko wrote:
> Hi,

Hi.

> i'm facing a weird situation ... may somebody advise, please?
>
> after tunnel *up and working* for some time, racoon hangs in several
> minutes (especially under the load), but if i launch ping to my peer's
> tunnel address in background, then everything works and only rarely
> hangs ...

What do you have *exactly* ?
Racoon crashes ? does not negotiate / accept peers' negotiations anymore ?
Do you still see "something" going out to the network (related to the
IPsec tunnel) ?
Do you have any error messages on racoon's debug ?

> what can be wrong?

If your IPsec tunnel uses NAT-T, move to ipsec-tools 0.8.0 (but I'm
not sure it would work at all with 0.7.x / FreeBSD 8.2 with NAT-T),
and add some NAT-T keepalive to your configuration (which may explain
why it does work most of the time when you have a running ping).

If you're not using NAT-T..... you may still have some NAT/filtering
issues on the way, which may also explain why it does almost work
when you're running a ping in background.

Again, check racoon's debug and what is sent/received on both peers,
which will help us understand what is the real issue.

Yvan.
From: Zeus V P. <ze...@ib...> - 2011-07-15 08:02:58
VANHULLEBUS Yvan (va...@fr...) [11.07.12 18:09] wrote:
> What do you have *exactly* ?
> Racoon crashes ?

no, it doesn't, it remains in processes

> does not negotiate / accept peers' negotiations anymore ?

looks like it quietly hangs ... no i/o and nothing in debug.log until restart:

Jul 15 09:45:31 my-host racoon: DEBUG: ...
... ... ... ... ... ... ... ... ... ... ... ... ...
Jul 15 09:45:31 my-host racoon: DEBUG: sockname X.X.X.X[500]
Jul 15 09:45:31 my-host racoon: DEBUG: send packet from X.X.X.X[500]
Jul 15 09:45:31 my-host racoon: DEBUG: send packet to Y.Y.Y.Y[500]
Jul 15 09:45:31 my-host racoon: DEBUG: 1 times of 60 bytes message will be sent to Y.Y.Y.Y[500]
Jul 15 09:45:31 my-host racoon: DEBUG: 2 times of 60 bytes message will be sent to Y.Y.Y.Y[500]
Jul 15 09:45:31 my-host racoon: DEBUG: ...
... ... ... ... ... ... ... ... ... ... ... ... ...

--== HERE IT WAS racoon restart

Jul 15 10:22:29 my-host racoon: DEBUG2: flushing all ph2 handlers...
Jul 15 10:22:29 my-host racoon: DEBUG2: got a ph2 handler to flush...
Jul 15 10:22:29 my-host racoon: DEBUG2: getph1: start
Jul 15 10:22:29 my-host racoon: DEBUG2: local: X.X.X.X[500]
Jul 15 10:22:29 my-host racoon: DEBUG2: remote: Y.Y.Y.Y[500]
Jul 15 10:22:29 my-host racoon: DEBUG2: p->local: X.X.X.X[500]
Jul 15 10:22:29 my-host racoon: DEBUG2: p->remote: Y.Y.Y.Y[500]
Jul 15 10:22:29 my-host racoon: DEBUG2: matched
Jul 15 10:22:29 my-host racoon: DEBUG: compute IV for phase2
Jul 15 10:22:29 my-host racoon: DEBUG: phase1 last IV:
...

> Do you still see "something" going out to the network (related to the
> IPsec tunnel) ?

nothing coming to me from my peer, while from me i see:

# tcpdump -n -i vlan11 -ettt -s0 host Y.Y.Y.Y
00:00:02.931277 ethertype IPv4 (0x0800), length 134: X.X.X.X > Y.Y.Y.Y: ESP(spi=0x09b48307,seq=0x3c8), length 100
00:00:00.067979 ethertype IPv4 (0x0800), length 134: X.X.X.X > Y.Y.Y.Y: ESP(spi=0x09b48307,seq=0x3c9), length 100
00:00:00.140015 ethertype IPv4 (0x0800), length 134: X.X.X.X > Y.Y.Y.Y: ESP(spi=0x09b48307,seq=0x3ca), length 100
00:00:01.597542 ethertype IPv4 (0x0800), length 134: X.X.X.X > Y.Y.Y.Y: ESP(spi=0x09b48307,seq=0x3cb), length 100
00:00:00.285429 ethertype IPv4 (0x0800), length 166: X.X.X.X > Y.Y.Y.Y: ESP(spi=0x09b48307,seq=0x3cc), length 132
00:00:01.108983 ethertype IPv4 (0x0800), length 134: X.X.X.X > Y.Y.Y.Y: ESP(spi=0x09b48307,seq=0x3cd), length 100
00:00:00.067974 ethertype IPv4 (0x0800), length 134: X.X.X.X > Y.Y.Y.Y: ESP(spi=0x09b48307,seq=0x3ce), length 100
00:00:01.537014 ethertype IPv4 (0x0800), length 134: X.X.X.X > Y.Y.Y.Y: ESP(spi=0x09b48307,seq=0x3cf), length 100
00:00:01.594976 ethertype IPv4 (0x0800), length 134: X.X.X.X > Y.Y.Y.Y: ESP(spi=0x09b48307,seq=0x3d0), length 100
00:00:00.067983 ethertype IPv4 (0x0800), length 134: X.X.X.X > Y.Y.Y.Y: ESP(spi=0x09b48307,seq=0x3d1), length 100

and nothing at all on the interface gif0 since the tunnel breaks

> Do you have any error messages on racoon's debug ?

no keyword "warning" or "error" in debug ...
after the hang occurred, no row from racoon in debug.log at all, as i showed above

in messages log i have this:

Jul 15 09:45:31 my-host racoon: alg_oakley_hmacdef_one(hmac_sha1 size=189): 0.000017
Jul 15 09:45:31 my-host racoon: alg_oakley_hmacdef_one(hmac_sha1 size=169): 0.000017
Jul 15 09:45:31 my-host racoon: alg_oakley_hmacdef_one(hmac_sha1 size=189): 0.000018
Jul 15 09:45:31 my-host racoon: alg_oakley_hmacdef_one(hmac_sha1 size=189): 0.000018
Jul 15 09:45:31 my-host racoon: phase2(quick I msg2): 0.014690
Jul 15 09:45:31 my-host racoon: phase2(quick): 0.046487
Jul 15 10:22:29 my-host racoon: alg_oakley_hmacdef_one(hmac_sha1 size=20): 0.000025
Jul 15 10:22:29 my-host racoon: alg_oakley_encdef_encrypt(aes klen=128 size=48): 0.000029

> If your IPsec tunnel uses NAT-T, move to ipsec-tools 0.8.0 (but I'm

no, i do not use any NAT-T
i've upgraded to 0.8.0 and nothing changed on account of my problem ...

> If you're not using NAT-T..... you may still have some NAT/filtering
> issues on the way, which may also explain why it does almost work
> when you're running a ping in background.

how can i detect that?

> Again, check racoon's debug and what is sent/received on both peers,
> which will help us understand what is the real issue.

what namely do i have to search for in logs, pls?
what i see looks just like a working debug
sorry for the stupid question, i'm new to racoon :(

--
Zeus V. Panchenko
JID:ze...@gn...
GMT+2 (EET)
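One way to answer the "how can i detect that?" above from a capture: a small parser, added here as an example and not part of the thread, that reads lines in the `tcpdump -n -ettt` format shown in the message and reports whether ESP is flowing in both directions between the local address and the peer, which is the check that separates a peer or path that has gone silent from a tunnel that is merely slow. The sample lines are constructed after the thread's capture (the peer's SPI 0x0000beef is a placeholder), and `parse_esp`, `tunnel_health`, `ONE_WAY` and `TWO_WAY` are names assumed for this example.

```python
import re
from collections import Counter

# Constructed sample in the `tcpdump -n -ettt -s0 host Y.Y.Y.Y` format, modelled on the
# thread's capture: X.X.X.X keeps sending ESP (with one seq gap), Y.Y.Y.Y never answers.
ONE_WAY = """\
00:00:02.931277 ethertype IPv4 (0x0800), length 134: X.X.X.X > Y.Y.Y.Y: ESP(spi=0x09b48307,seq=0x3c8), length 100
00:00:00.067979 ethertype IPv4 (0x0800), length 134: X.X.X.X > Y.Y.Y.Y: ESP(spi=0x09b48307,seq=0x3c9), length 100
00:00:01.597542 ethertype IPv4 (0x0800), length 166: X.X.X.X > Y.Y.Y.Y: ESP(spi=0x09b48307,seq=0x3cb), length 132
"""
# Constructed healthy sample: the peer answers on its own inbound SPI (placeholder value).
TWO_WAY = ONE_WAY + """\
00:00:00.003001 ethertype IPv4 (0x0800), length 134: Y.Y.Y.Y > X.X.X.X: ESP(spi=0x0000beef,seq=0x10), length 100
00:00:00.002110 ethertype IPv4 (0x0800), length 134: Y.Y.Y.Y > X.X.X.X: ESP(spi=0x0000beef,seq=0x11), length 100
"""

ESP_RE = re.compile(r"(?P<src>\S+) > (?P<dst>\S+): ESP\(spi=0x(?P<spi>[0-9a-f]+),seq=0x(?P<seq>[0-9a-f]+)\)")

def parse_esp(text):
    """Yield (src, dst, spi, seq) for each ESP line; non-ESP lines (IKE, ICMP) are skipped."""
    for line in text.splitlines():
        m = ESP_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["spi"], 16), int(m["seq"], 16)

def tunnel_health(text, local, peer):
    """Classify the ESP exchange between local and peer: per-direction packet counts, SPIs
    seen, sequence gaps per direction (inbound gaps suggest loss on the path; outbound gaps
    at the sender are capture drops) and a verdict of 'ok', 'one-way' or 'silent'."""
    count, gaps, spis, last_seq = Counter(), Counter(), set(), {}
    for src, dst, spi, seq in parse_esp(text):
        if (src, dst) == (local, peer):
            direction = "out"
        elif (src, dst) == (peer, local):
            direction = "in"
        else:
            continue  # traffic belonging to another peer
        count[direction] += 1
        spis.add(spi)
        prev = last_seq.get((direction, spi))
        if prev is not None and seq != prev + 1:
            gaps[direction] += 1
        last_seq[(direction, spi)] = seq
    if not count:
        verdict = "silent"          # no ESP at all: nothing to negotiate, or SPD does not match
    elif count["in"] == 0:
        verdict = "one-way"         # we transmit, peer is silent: filter/NAT on the path or peer dropped the SA
    else:
        verdict = "ok"
    return {"out": count["out"], "in": count["in"], "spis": spis, "seq_gaps": dict(gaps), "verdict": verdict}
```

Run it against both ends of the tunnel: a capture that is "one-way" on this side but "ok" on the PIX side points at the return path (filtering or NAT) rather than at racoon.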
From: Zeus V P. <ze...@ib...> - 2011-07-19 07:56:47
some details

changing lifetime helped a bit, no hangs now, but the channel looks much slower ...

remote anonymous {
        ...
        lifetime time 6 minutes ;
        ...
}

sainfo anonymous {
        ...
        lifetime time 3 minutes ;
        ...
}

any idea, pls?

--
Zeus V. Panchenko
JID:ze...@gn...
GMT+2 (EET)