From: Paul M. <pau...@ce...> - 2009-03-04 02:02:22

There is a generate_policy keyword in the config file syntax. I have never used it, though there is a bug in this area that is being worked on: if the SPD rules are expressed as subnets with ports, then inbound requests do not correctly match the SPDs. Is that what you are doing?

-----Original Message-----
From: Harsha [mailto:ine...@gm...]
Sent: Tuesday, March 03, 2009 5:53 PM
To: Ips...@li...
Subject: Re: [Ipsec-tools-devel] Not all tunnels come up on a gateway after a reboot

Hi all,

I'm new to the IPsec protocol and the codebase, so I request you to kindly bear with my basic questions. If you think I'm not doing my homework somewhere, please do point it out and I will do it. But please do guide me.

To the below problem, I figured out that the cases where tunnels did not come up were when the box was acting as the responder. Further, I see that it is failing in Quick Mode (quick_r1recv()) after Main Mode is successfully completed. The check for gen_policy in get_proposal_r() is what is failing:

    if (iph2->ph1->rmconf->gen_policy) ...

What I'm unable to understand is who sets gen_policy and how. It looks like it is coming from parsing the configs in yyparse(), right? What if I set it to TRUE by default?

Thanks in advance,
Harsha

On Thu, Feb 26, 2009 at 11:57 AM, Harsha <ine...@gm...> wrote:
> Hi all,
>
> I have a gateway hosting about 50-60 IPsec tunnels. When I reboot the
> box, not all the tunnels come up. For the tunnels that don't come
> up, I see that they are stuck in phase 2 with the following log:
>
> 2008-11-23 23:36:38 I29 respond new phase 2 negotiation:
> 10.55.66.10[0]<=>10.60.20.252[0]
> 2008-11-23 23:36:38 E29 no policy found: 10.60.20.252/32[0]
> 10.55.66.10/32[0] proto=any dir=in
> 2008-11-23 23:36:38 E29 failed to get proposal for responder
> 2008-11-23 23:36:38 E29 failed to pre-process packet.
>
> Googling told me that in cases where people had seen this log, it had to
> do with key settings. But in my case I know my settings are fine,
> because before the reboot the tunnels are up fine and if I manually
> restart IPsec on the boxes again, they come up fine.
>
> Can running 50-60 endpoints be causing a problem? I also saw this
> draft (which is kind of old):
> http://tools.ietf.org/html/draft-vidya-ipsec-failover-ps-00
>
> I looked up the version of the code being used and it is badly outdated.
> For example, isakmp_quick.c is version 1.93 and it is dated May 7th
> 2002 here:
> http://orange.kame.net/dev/cvsweb.cgi/kame/kame/kame/racoon/Attic/isakmp_quick.c
>
> Unfortunately, moving to the latest code completely is not an option. I
> can, however, apply a patch that may help solve this specific problem.
> It would be great if anyone knows of any code change that may help this
> condition. Any other pointers and suggestions are greatly welcome.
>
> Many thanks,
> Harsha

_______________________________________________
Ipsec-tools-devel mailing list
Ips...@li...
https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel
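The two ways out of the "no policy found ... dir=in" failure discussed above are either the generate_policy keyword Paul mentions (the responder installs SPD entries from the peer's proposed IDs) or an SPD entry that already matches the selector the responder looks up. The following is an added illustration, not configuration from the thread or from the ipsec-tools project: the peer address, algorithms, PSK path and tunnel-mode ESP between the two gateway addresses from Harsha's log are all assumptions made for the example.

```conf
# /etc/racoon/racoon.conf (responder side, 10.55.66.10)
# Hypothetical example: the remote block, algorithms and PSK path are
# assumptions for illustration, not settings taken from the thread.
path pre_shared_key "/etc/racoon/psk.txt";

remote 10.60.20.252 {
        exchange_mode main;
        # Responder installs SPD entries from the peer's proposed IDs in
        # quick mode. Without this the responder must already hold a
        # matching SPD entry, or quick mode fails with
        # "no policy found ... dir=in".
        generate_policy on;
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# /etc/racoon/setkey.conf, loaded with "setkey -f" before racoon starts.
# Explicit alternative for a single peer: the inbound entry is exactly the
# selector the responder was looking up in the log
# (10.60.20.252/32 -> 10.55.66.10/32, proto any, dir in).
flush;
spdflush;
spdadd 10.55.66.10/32 10.60.20.252/32 any -P out ipsec
        esp/tunnel/10.55.66.10-10.60.20.252/require;
spdadd 10.60.20.252/32 10.55.66.10/32 any -P in ipsec
        esp/tunnel/10.60.20.252-10.55.66.10/require;
```

After a reboot, `setkey -DP` lists the SPD; if the `-P in` entry for the peer is missing at the moment the peer's quick mode arrives, the responder will log exactly the failure in the thread, which is the first thing to check before touching the racoon sources. Two caveats: with generate_policy on, any peer that completes phase 1 gets to dictate the traffic selectors it wants installed, so the remote block and the pre-shared key (or certificate) are what bound the damage an authenticated peer can do; and, per Paul's note, SPD entries expressed as subnets with ports are the case known to mismatch inbound requests, so host-granular entries with `any` ports, as above, are the safer shape until that bug is fixed.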