From: Sonia <xo...@ya...> - 2011-01-14 11:52:56
Hello,

I have a tunnel connection between a Linux box with racoon and a Cisco (I don't have information about the model, but the configuration of the ipsec tunnel). The tunnel is established and is transmitting traffic, but it's going down and up every hour, with the following log messages:

    2011/01/13,16:15:38 (none) daemon.info racoon: INFO: respond new phase 2 negotiation:
    2011/01/13,16:15:38 (none) daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel spi=175154552(0xa70a578)
    2011/01/13,16:15:38 (none) daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel spi=2484070239(0x940fe75f)
    2011/01/13,16:18:06 (none) daemon.info racoon: INFO: purging ISAKMP-SA spi=7e3356158e7cd07b:7ed95e25e32366cd.
    2011/01/13,16:18:06 (none) daemon.info racoon: INFO: purged IPsec-SA spi=2484070239.
    2011/01/13,16:18:06 (none) daemon.info racoon: INFO: purged IPsec-SA spi=731918175.
    2011/01/13,16:18:06 (none) daemon.info racoon: INFO: purged IPsec-SA spi=175154552.
    2011/01/13,16:18:06 (none) daemon.info racoon: INFO: purged IPsec-SA spi=77021700.
    2011/01/13,16:18:06 (none) daemon.info racoon: INFO: purged ISAKMP-SA spi=7e3356158e7cd07b:7ed95e25e32366cd.
    2011/01/13,16:18:07 (none) daemon.info racoon: INFO: ISAKMP-SA deleted spi:7e3356158e7cd07b:7ed95e25e32366cd
    2011/01/13,16:21:38 (none) daemon.info racoon: INFO: IPsec-SA request for queued due to no phase1 found.
    2011/01/13,16:21:38 (none) daemon.info racoon: INFO: initiate new phase 1 negotiation:
    2011/01/13,16:21:38 (none) daemon.info racoon: INFO: begin Identity Protection mode.
    2011/01/13,16:21:38 (none) daemon.info racoon: INFO: received Vendor ID: CISCO-UNITY
    2011/01/13,16:21:38 (none) daemon.info racoon: INFO: received Vendor ID: DPD
    2011/01/13,16:21:38 (none) daemon.info racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    2011/01/13,16:21:38 (none) daemon.info racoon: INFO: ISAKMP-SA established spi:83b9bf4c227bb762:7ed95e2548212076
    2011/01/13,16:21:39 (none) daemon.info racoon: INFO: initiate new phase 2 negotiation: 10.248.5.121[500]<=>10.90.1.105[500]
    2011/01/13,16:21:40 (none) daemon.info racoon: WARNING: ignore RESPONDER-LIFETIME notification.
    2011/01/13,16:21:40 (none) daemon.info racoon: WARNING: attribute has been modified.
    2011/01/13,16:21:40 (none) daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel] spi=132329873(0x7e33191)
    2011/01/13,16:21:40 (none) daemon.info racoon: INFO: IPsec-SA established: ESP/Tunnel spi=1751341543(0x686359e7)

An hour is the lifetime configured in the racoon.conf file for ISAKMP and SA associations, as it is in the Cisco. But it seems that the Cisco is receiving another value, because I've read that the notification is due to a longer lifetime being received.

My racoon.conf file is as follows:

    # cat /var/run/racoon.conf
    path pre_shared_key "/var/run/psk.txt" ;

    remote X.X.X.X {
        exchange_mode main ;
        script "/etc/scripts/isakmp_ph1.sh" phase1_up ;
        script "/etc/scripts/isakmp_ph1.sh" phase1_down ;
        nat_traversal off ;
        dpd_delay 0 ;
        dpd_retry 5 ;
        dpd_maxfail 3 ;
        dpd_invcookie on ;
        passive off ;
        proposal {
            encryption_algorithm des ;
            hash_algorithm md5 ;
            authentication_method pre_shared_key ;
            dh_group modp768 ;
            lifetime time 3600 seconds ;
        }
    }

    sainfo address 192.168.0.0/24 any address 192.168.1.0/24 any {
        lifetime time 3600 seconds ;
        encryption_algorithm des ;
        authentication_algorithm hmac_md5 ;
        compression_algorithm deflate ;
    }

And my question is whether I have to configure the lifetime not only in the proposal but also in the remote configuration, below passive off, for example.

Thank you very much in advance!

Best regards,
Sonia
From: VANHULLEBUS Y. <va...@fr...> - 2011-01-18 15:19:57
On Fri, Jan 14, 2011 at 11:52:47AM +0000, Sonia wrote:
> Hello,

Hi.

> I have a tunnel connection between a Linux Box with racoon and a
> Cisco (I don't have information about the model, but the
> configuration of ipsec tunnel).

[....]

> And my question is if I have to configure the lifetime not only in
> the proposal but also in the remote configuration, below passive
> off, for example.

You have to configure both a phase1 lifetime AND a phase2 lifetime, which will probably be different (usually, phase1 lifetime is much bigger than phase2 lifetime).

Check phase1 lifetime on cisco's configuration, and set the same value.

Yvan.
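As an added illustration of the advice above (this is example configuration, not the thread's own racoon.conf or anything from the ipsec-tools project): a racoon.conf fragment in which the phase 1 lifetime in the remote proposal is set separately from the phase 2 lifetime in sainfo, with the Cisco show commands that reveal the peer's values. The 86400-second phase 1 value assumes the Cisco side is running the IOS default ISAKMP policy lifetime; the peer address, script paths and algorithms are carried over from the posting.

```conf
# Example racoon.conf fragment (added here, not from the thread).
# Phase 1 (ISAKMP-SA) lifetime is set in remote { proposal { ... } };
# phase 2 (IPsec-SA) lifetime is set in sainfo { ... }. The two are
# negotiated independently and do not need to be equal.
#
# Read the peer's values on the Cisco with:
#   show crypto isakmp policy                        -> ISAKMP lifetime
#   show crypto ipsec security-association lifetime  -> IPsec SA lifetime
# 86400 below is an assumption (the IOS default ISAKMP policy lifetime);
# replace it with whatever the Cisco actually reports.

path pre_shared_key "/var/run/psk.txt" ;

remote X.X.X.X {
    exchange_mode main ;
    script "/etc/scripts/isakmp_ph1.sh" phase1_up ;
    script "/etc/scripts/isakmp_ph1.sh" phase1_down ;
    nat_traversal off ;
    passive off ;
    # how racoon treats a peer proposal whose lifetime differs from ours
    # (obey is the default; see racoon.conf(5) for strict/claim/exact)
    proposal_check obey ;
    proposal {
        # algorithms kept as in the original posting
        encryption_algorithm des ;
        hash_algorithm md5 ;
        authentication_method pre_shared_key ;
        dh_group modp768 ;
        # phase 1 lifetime: match the Cisco ISAKMP policy lifetime
        lifetime time 86400 seconds ;
    }
}

sainfo address 192.168.0.0/24 any address 192.168.1.0/24 any {
    # phase 2 lifetime: match the Cisco IPsec SA lifetime
    # (3600 s is also the IOS default for "security-association lifetime")
    lifetime time 3600 seconds ;
    encryption_algorithm des ;
    authentication_algorithm hmac_md5 ;
    compression_algorithm deflate ;
}
```

After reloading racoon, the "ISAKMP-SA established" and "purging ISAKMP-SA" timestamps in the log should be separated by the phase 1 lifetime rather than by the phase 2 one.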