I have an ipsec tunnel going from my debian gateway to a sonicwall firewall with a static IP address.

Tunnel gets established without problems initially, but after some time I'm unable to send packets to the tunnel. Even though the tunnel is established, pings don't go through.

racoonctl shows me the following; it seems to indicate that there are duplicate SAs created.


root@ubuntu:~$ sudo racoonctl ss isakmp
Destination            Cookies                           Created
                       7bbb54cb9d35712c:ba13bf18daf0befb 2009-10-22 18:36:59
                       5a8822053b69c999:76c982679e4c454b 2009-10-22 18:36:04
                       05615456125e9a98:9441d995120f33b5 2009-10-22 18:06:04
                       dfaa5e414c6a84a6:710aad570ff3e4bb 2009-10-22 18:06:11
                       5bbbaefd910f79c3:80babab33396ad8f 2009-10-22 18:05:59

There are duplicate ISAKMP entries and corresponding duplicate ESP and IPsec entries.

Also, a racoon/setkey restart clears the entries and starts new SA negotiations. The logs show that the SA has been established but no packets go through.

My racoon.conf and ipsec-tools.conf

racoon.conf :

remote {
       exchange_mode main;
       nat_traversal off;
       initial_contact on;
       my_identifier fqdn "network1.test";
       proposal {
               encryption_algorithm 3des;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group 2;
       }
}

sainfo subnet[any] any subnet[any] any {
       encryption_algorithm 3des;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
}

ipsec-tools.conf :


spdadd any -P out ipsec
spdadd any -P in ipsec

I've read that using "initial_contact on" in the tunnel could help. However, using that parameter in racoon.conf and restarting hasn't solved the problem and the man page says it's on by default anyway.

Maybe some Sonicwall-Racoon interoperability issue?

Thanks and Happy new year!

-- Raghu
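The symptom above (several ISAKMP SAs to the same peer, created minutes apart, while traffic stops flowing) is easier to diagnose when the `racoonctl ss isakmp` listing is grouped by peer and sorted by age. The following script is an added example, not code from the post or from ipsec-tools: it parses that listing, groups SAs by destination, and reports every SA older than the newest one for that peer as a candidate stale entry. The peer address `203.0.113.10.500` in the embedded sample is a constructed placeholder (the original output had the destination column redacted); the cookies and timestamps are the ones from the post.

```python
"""Group `racoonctl ss isakmp` output by peer and flag older duplicate SAs.

Added example for diagnosing duplicate ISAKMP SAs; not part of ipsec-tools.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: same layout as `racoonctl ss isakmp`, with a placeholder
# peer address (203.0.113.10, UDP 500) filled in where the post had it blanked.
SAMPLE_OUTPUT = """\
Destination            Cookies                           Created
203.0.113.10.500       7bbb54cb9d35712c:ba13bf18daf0befb 2009-10-22 18:36:59
203.0.113.10.500       5a8822053b69c999:76c982679e4c454b 2009-10-22 18:36:04
203.0.113.10.500       05615456125e9a98:9441d995120f33b5 2009-10-22 18:06:04
203.0.113.10.500       dfaa5e414c6a84a6:710aad570ff3e4bb 2009-10-22 18:06:11
203.0.113.10.500       5bbbaefd910f79c3:80babab33396ad8f 2009-10-22 18:05:59
"""

# One SA per line: destination, initiator:responder cookies (16 hex chars each),
# creation timestamp. The header line does not match and is skipped.
SA_LINE = re.compile(
    r"^(?P<dest>\S+)\s+"
    r"(?P<cookies>[0-9a-f]{16}:[0-9a-f]{16})\s+"
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*$"
)


def parse_isakmp_sas(text):
    """Return a list of dicts (dest, cookies, created) for each SA line."""
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if not m:
            continue  # header or unrelated output
        sas.append({
            "dest": m.group("dest"),
            "cookies": m.group("cookies"),
            "created": datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M:%S"),
        })
    return sas


def find_duplicates(sas):
    """Map each destination that has more than one ISAKMP SA to its SAs, oldest first."""
    by_dest = defaultdict(list)
    for sa in sas:
        by_dest[sa["dest"]].append(sa)
    return {
        dest: sorted(entries, key=lambda s: s["created"])
        for dest, entries in by_dest.items()
        if len(entries) > 1
    }


def stale_candidates(sas):
    """For each peer with duplicates, every SA except the newest one.

    Returns a dict: dest -> list of (cookies, age_seconds_relative_to_newest).
    """
    result = {}
    for dest, entries in find_duplicates(sas).items():
        newest = entries[-1]["created"]
        result[dest] = [
            (sa["cookies"], int((newest - sa["created"]).total_seconds()))
            for sa in entries[:-1]
        ]
    return result


def report(text):
    """Human-readable summary; returns the number of peers with duplicate SAs."""
    sas = parse_isakmp_sas(text)
    stale = stale_candidates(sas)
    for dest, old in stale.items():
        print(f"{dest}: {len(old) + 1} ISAKMP SAs, {len(old)} older than the newest:")
        for cookies, age in old:
            print(f"  {cookies}  ({age} s older)")
    return len(stale)


if __name__ == "__main__":
    # To inspect a live gateway, feed the real listing instead of the sample:
    #   sudo racoonctl ss isakmp | python3 this_script.py
    report(SAMPLE_OUTPUT)
```

On a live gateway, pipe `sudo racoonctl ss isakmp` into `parse_isakmp_sas` instead of the sample. A peer that keeps accumulating older phase 1 SAs while traffic stops is exactly the pattern to watch for in this thread; comparing the cookies of the stale entries with the SPIs shown by `setkey -D` tells you which phase 2 SAs are hanging off each one.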