We are implementing restrictions on the traffic that should bring up and go through the
tunnels between two locations (for information, the traffic is RADIUS traffic).
We do it by using policy filtering and not the firewall (which is used anyway); it is a strong
requirement as one of the partner's locations is running a Cisco PIX that is configured
with restricted policies that don't match if we set up permissive policies on our side.
The filtering is correctly configured and is working pretty fine except one very annoying
We noticed that after a certain amount of inactivity time, after ISAKMP SA lifetime
expiration, we lose part of the communications between the two RADIUS servers.
What is weird is that it is not always the same traffic that is impacted.
For example, with ServerB at the partner location and ServerA at our location, one time it
will be the connection from ServerB to ServerA on port 1812, another time it will be
from ServerB on port 1645 to ServerA on port 1814, and another time it will be ping...
After running some troubleshooting with tcpdump and racoon's log (level debug2) we found
that policies always match the traffic and the SAs are correctly established, so it doesn't
seem to be a configuration issue.
The most important thing we noticed is that packets are going through the tunnels
correctly; we can see with tcpdump the packets after being decrypted by the kernel, but
packets are not passed to the application layers (don't know at which layer there is
I repeat that it only occurs for one flow; at the same time the other flows are working
just fine and nothing seems wrong in the logs.
If we flush the SAs & SPs and put back the SP, or if we restart racoon, or everything at the
same time, it doesn't solve the issue.
The issue solves itself after a long amount of time... :crazy
To solve the issue we found a "trick" which consists of setting the kernel sysctl flag
"net.ipv4.conf.eth0.disable_policy" to 1 instead of 0 (default).
With net.ipv4.conf.eth0.disable_policy=1, we do not have the issue anymore.
What is embarrassing me is that there is no documentation on this option except the
description in the kernel source:
disable_policy - BOOLEAN
Disable IPSEC policy (SPD) for this interface
+ Default: 0
It seems that it doesn't totally disable the policy, as if we don't specify a policy then the
tunnels don't work....
So I wonder if anyone knows exactly how the sysctl option
"net.ipv4.conf.eth0.disable_policy" interacts with the kernel or ipsec-tools.
And of course if anyone has any idea why we have this issue: is it a kernel bug? An
ipsec-tools bug? Any idea or experience will be welcome.
We are running a Debian Sarge server on the Stable branch:
- Kernel 2.6.8-3-686 (We have the same issue with Kernel 2.6.15-1-686)
- ipsec-tools 0.5.2-1sarge1
If you need more details or if I was not clear enough, do not hesitate to ask.