[Ipsec-tools-users] error with Multiple SAs (and a Cisco router)
From: Eduard G. <edu...@gm...> - 2006-12-10 03:12:30
Hi all,

I have read previous threads on this issue, but it didn't help.

When racoon initiates, the tunnel is successfully established and everything works OK, but when the soft time expires, racoon establishes a new SA, keeping the old one active (during the rest of the hard time). The other end (a Cisco router) uses the new SA, so its packets are successfully received, but the Linux router sends frames with the old SA, and they are ignored at the Cisco router (as I suspect; I don't have admin access to the Cisco router). Cisco sends frames with the new SPI, and at the same time sends:

    4.3.2.1.500 > 1.2.3.4.500: isakmp: phase 2/others ? inf[E]

in response to the frames the Linux router sends with the old SPI. When the hard time expires it works again; i.e. it fails between soft and hard times.

Is there something wrong in my configuration?

racoon.conf
------------------------------
listen {
    isakmp 1.2.3.4 [500];
    isakmp_natt 1.2.3.4 [4500];
}

remote 4.3.2.1 {
    exchange_mode main;
    peers_identifier address;
    my_identifier address;
    nat_traversal on;
    passive off;
    proposal {
        encryption_algorithm des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 1;
        lifetime time 10000 sec;
    }
}

sainfo address 1.2.3.4/32[any] any address 4.3.2.1/32[any] any {
    lifetime time 3600 sec;
    encryption_algorithm des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

ipsec-tools.conf
------------------------------
spdadd 1.2.3.4 4.3.2.1 any -P out ipsec esp/transport//unique;
spdadd 4.3.2.1 1.2.3.4 any -P in ipsec esp/transport//unique;

Another question: should I explicitly set a fwd policy for packets forwarded to the tunnel? (I realized that fwd policies for packets FROM the tunnel are automatically generated.)
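The symptom above (an old SA kept past its soft lifetime next to a fresh one for the same peer) can be checked from the SAD rather than by guessing from tcpdump. The following is an added example, not code from the post or from ipsec-tools: it parses a `setkey -D` style dump and flags src/dst pairs that hold two mature ESP SAs where the older one is already past its soft lifetime. The field layout (`spi=`, `state=`, `diff:`, `hard:`, `soft:`) is assumed from memory of setkey output, and the dump embedded below is constructed, not captured.

```python
# Added example: detect a soft-expired SA lingering beside its replacement.
# Assumes setkey -D prints "src dst" on one line, then tab-indented detail
# lines with spi=..., state=..., and "diff: N(s) hard: N(s) soft: N(s)".
import re

# Constructed sample in the shape of `setkey -D` output (not real data).
SAMPLE_SETKEY_DUMP = """\
1.2.3.4 4.3.2.1
\tesp mode=transport spi=305419896(0x12345678) reqid=1(0x00000001)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tdiff: 3000(s)\thard: 3600(s)\tsoft: 2880(s)
1.2.3.4 4.3.2.1
\tesp mode=transport spi=2271560481(0x87654321) reqid=1(0x00000001)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tdiff: 120(s)\thard: 3600(s)\tsoft: 2880(s)
"""

ENDPOINTS = re.compile(r"^(\S+) (\S+)$")
NUMERIC = re.compile(r"(\w+)[=:] ?(\d+)")  # spi=..., diff: ..., hard: ..., soft: ...

def parse_sas(dump):
    """One dict per SA: src, dst, proto, spi, state and the lifetime counters."""
    sas, cur = [], None
    for line in dump.splitlines():
        m = ENDPOINTS.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2)}
            sas.append(cur)
        elif cur is not None and line.startswith("\t"):
            body = line.strip()
            if body.startswith(("esp ", "ah ")):
                cur["proto"] = body.split()[0]
            if "state=" in body:
                cur["state"] = body.split("state=")[1].split()[0]
            for key, val in NUMERIC.findall(body):
                if key in ("spi", "diff", "hard", "soft"):
                    cur[key] = int(val)
    return sas

def overlapping_sas(sas):
    """(src, dst, old_spi, new_spi) per pair with a soft-expired SA beside a fresh one."""
    groups = {}
    for sa in sas:
        if sa.get("proto") == "esp" and sa.get("state") == "mature":
            groups.setdefault((sa["src"], sa["dst"]), []).append(sa)
    findings = []
    for (src, dst), group in groups.items():
        if len(group) < 2:
            continue
        group.sort(key=lambda s: s["diff"], reverse=True)  # diff = age in seconds, oldest first
        old, new = group[0], group[1]
        if old["diff"] >= old["soft"]:
            findings.append((src, dst, old["spi"], new["spi"]))
    return findings
```

On a live box, feed `subprocess.run(["setkey", "-D"], capture_output=True, text=True).stdout` to `parse_sas` and run it from cron between the soft and hard times to confirm which SPI the kernel is still holding.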