Re: [Ipsec-tools-devel] racoon / ipsec problem
From: Elvar <el...@el...> - 2005-11-10 15:26:23
What am I looking for with regards to net.key.prefered_oldsa? One thing I can say is that the x509 certs are not expired so it's definitely not that.

Thanks for your help,
Elvar

VANHULLEBUS Yvan wrote:

>On Tue, Nov 08, 2005 at 05:07:25PM -0600, Elvar wrote:
>
>>Hello,
>>
>>I have 10 locations all interconnected by IPSEC tunnels. All of the
>>boxes are different versions of FreeBSD, racoon, and openssl. The newest
>>addition to this network (#10) can establish tunnels to each of the other
>>locations but after the initial tunnel drops it cannot be
>>re-established. I should mention I'm using x509 certs instead of a
>>pre-shared key. I'm by no means an ipsec guru, but I have not had any
>>problems until now. On this #10 box, I've tried using the older racoon
>>before it was transferred to the ipsec-tools development and also the new
>>ipsec-tools distribution. I'm having a very hard time figuring out why
>>the tunnel works for awhile but then after not too long I can no longer
>>ping across the tunnel or any other type of communication. Can anyone
>>help me figure out what is happening?
>
>Do you have some "black holes" when the first SA expires, or do you
>have renegotiation errors? Or were you just able to negotiate once?
>
>In the first case, check net.key.prefered_oldsa (or
>net.key.preferred_oldsa, regarding your FreeBSD's version) on all your
>boxes...
>
>In the second case, we'll need more details, your configuration, some
>racoon's logs, etc...
>
>In the third case, check your certificate's validity!!
>
>
>Yvan.