[Ipsec-tools-devel] reconnecting after ISAKMP-SA deleted
From: Karl H. <ka...@hi...> - 2008-06-03 15:16:37
Hi,

I have LAN1 <--> GW1 <---> GW2 <--> LAN2. Everything works fine when I start up racoon on both GW1 and GW2. If I restart GW2, then GW1's racoon has the messages:

2008-06-03 15:02:56: INFO: isakmp.c:3089:purge_remote(): purging ISAKMP-SA spi=5eb0062f189a248c:0e5fd9f9dc3deb55.
2008-06-03 15:02:56: DEBUG: pfkey.c:300:pfkey_dump_sadb(): call pfkey_send_dump
2008-06-03 15:02:56: INFO: isakmp.c:3214:purge_remote(): purged ISAKMP-SA spi=5eb0062f189a248c:0e5fd9f9dc3deb55.
2008-06-03 15:02:56: DEBUG: isakmp_inf.c:1410:isakmp_info_recv_d(): purged SAs.
2008-06-03 15:02:57: INFO: isakmp.c:1925:isakmp_ph1delete(): ISAKMP-SA deleted 192.168.10.54[500]-192.168.10.232[500] spi:5eb0062f189a248c:0e5fd9f9dc3deb55

Pinging from LAN1 to LAN2 will *not* restart the tunnel. Pinging from LAN2 to LAN1 will restart the tunnel because GW2 initiates the connection. If I restart both GW1 and GW2, everything works fine. If I do

    racoonctl vpn-connect 192.168.10.232

from GW1 it will also reconnect correctly. Ideally I would like it to reconnect automatically. I have tried ipsec-tools 0.6.6, 0.6.7 and 0.7 with the same results. How do I make reconnection happen automatically? Is there some kind of racoon configuration option I'm missing?

My racoon.conf is:

path pre_shared_key "/etc/racoon/psk.txt";

remote 192.168.10.54 {
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 1;
        }
        nat_traversal on;
        lifetime time 86400 secs;
        peers_identifier address;
        exchange_mode main;
}

sainfo address 192.168.30.0/24 any address 192.168.19.0/24 any {
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        lifetime time 28800 secs;
        compression_algorithm deflate;
}

----------------
# Security policies
spdadd 192.168.19.0/24 192.168.30.0/24 any -P in ipsec
        esp/tunnel/192.168.10.54-192.168.10.232/require;
spdadd 192.168.30.0/24 192.168.19.0/24 any -P out ipsec
        esp/tunnel/192.168.10.232-192.168.10.54/require;

Thanks,
karl
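One way to turn the manual racoonctl step described in the post into an automatic one, as an added example that is neither part of the original message nor ipsec-tools code: a small Python watcher that parses racoon's log for the "ISAKMP-SA deleted" line and derives the vpn-connect command the poster reports as working by hand. It assumes racoon's default log layout exactly as quoted above, that the caller supplies the local gateway address (192.168.10.54 for GW1 is an assumption taken from the vpn-connect command in the post), and that a preceding isakmp_info_recv_d() line means the teardown was triggered by a Delete received from the peer; the function and class names are hypothetical.

```python
"""Watch racoon log output for Phase 1 (ISAKMP-SA) deletions and derive the
racoonctl reconnect that the post reports working by hand.

Added example for this thread, not ipsec-tools code. Assumptions: log lines
use racoon's 'date time: LEVEL: file:line:func(): msg' layout as quoted in
the post, and the caller knows the local gateway address.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample input: the five lines quoted in the post, verbatim.
SAMPLE_LOG = """\
2008-06-03 15:02:56: INFO: isakmp.c:3089:purge_remote(): purging ISAKMP-SA spi=5eb0062f189a248c:0e5fd9f9dc3deb55.
2008-06-03 15:02:56: DEBUG: pfkey.c:300:pfkey_dump_sadb(): call pfkey_send_dump
2008-06-03 15:02:56: INFO: isakmp.c:3214:purge_remote(): purged ISAKMP-SA spi=5eb0062f189a248c:0e5fd9f9dc3deb55.
2008-06-03 15:02:56: DEBUG: isakmp_inf.c:1410:isakmp_info_recv_d(): purged SAs.
2008-06-03 15:02:57: INFO: isakmp.c:1925:isakmp_ph1delete(): ISAKMP-SA deleted 192.168.10.54[500]-192.168.10.232[500] spi:5eb0062f189a248c:0e5fd9f9dc3deb55
"""

# The final line racoon logs when a Phase 1 SA is torn down (isakmp_ph1delete).
PH1_DELETED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): INFO: isakmp\.c:\d+:"
    r"isakmp_ph1delete\(\): ISAKMP-SA deleted "
    r"(?P<a>\d+\.\d+\.\d+\.\d+)\[\d+\]-(?P<b>\d+\.\d+\.\d+\.\d+)\[\d+\] "
    r"spi:(?P<spi>[0-9a-f]+:[0-9a-f]+)\.?$"
)
# Logged when a Delete payload received from the peer caused the purge
# (assumption based on the function name isakmp_info_recv_d).
RECV_DELETE_RE = re.compile(r"isakmp_info_recv_d\(\): purged SAs\.$")


@dataclass(frozen=True)
class Phase1Deletion:
    timestamp: str
    peer: str             # the address of the pair that is not ours
    spi: str              # initiator:responder cookies as racoon prints them
    peer_initiated: bool  # a received Delete preceded this teardown


def parse_ph1_deletions(lines: Iterable[str], local_addr: str) -> List[Phase1Deletion]:
    """Return one record per 'ISAKMP-SA deleted' line that involves local_addr.

    The address pair in racoon's message is treated as unordered: whichever
    side is not local_addr is the peer, so no local/remote ordering in the
    log is relied on. Lines naming an SA that does not involve local_addr
    are ignored.
    """
    seen_recv_delete = False
    found: List[Phase1Deletion] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if RECV_DELETE_RE.search(line):
            seen_recv_delete = True
            continue
        m = PH1_DELETED_RE.match(line)
        if not m:
            continue
        a, b = m.group("a"), m.group("b")
        if local_addr not in (a, b):
            continue
        peer = b if a == local_addr else a
        found.append(Phase1Deletion(m.group("ts"), peer, m.group("spi"), seen_recv_delete))
        seen_recv_delete = False  # consumed by this deletion
    return found


def reconnect_command(peer: str) -> List[str]:
    """The command the post reports as bringing the tunnel back by hand."""
    return ["racoonctl", "vpn-connect", peer]


def plan_reconnects(lines: Iterable[str], local_addr: str) -> List[List[str]]:
    """One racoonctl invocation per peer whose Phase 1 SA was deleted, deduplicated."""
    peers: List[str] = []
    for d in parse_ph1_deletions(lines, local_addr):
        if d.peer not in peers:
            peers.append(d.peer)
    return [reconnect_command(p) for p in peers]


def run_reconnects(lines: Iterable[str], local_addr: str) -> int:
    """Execute the planned commands on this host; returns how many exited 0."""
    ok = 0
    for cmd in plan_reconnects(lines, local_addr):
        if subprocess.run(cmd, check=False).returncode == 0:
            ok += 1
    return ok


if __name__ == "__main__":
    # Dry run over the constructed sample, viewed from GW1 (assumed 192.168.10.54).
    for cmd in plan_reconnects(SAMPLE_LOG.splitlines(), local_addr="192.168.10.54"):
        print(" ".join(cmd))
```

In use, feed the function the live log (for example the output of tail -F on racoon's log file) and call run_reconnects on the host running racoon, where racoonctl can reach the admin socket. The parser keys only on the isakmp_ph1delete line, so the earlier "purging"/"purged" lines do not trigger duplicate reconnects, and a production version should rate-limit so that a peer that keeps deleting the SA does not cause a tight reconnect loop.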