From: Mark B. <mba...@ne...> - 2007-07-17 20:55:24
I have a single host running centos 4 connecting through racoon tunnel to a checkpoint firewall.

Several times a day the SA expires and does not re-key.

ERROR: unknown Informational exchange received.

I have to kill the racoon process and restart it to get the tunnel to re-initialize.

Any ideas what is happening? Here are my configs. If you need more detailed logs let me know, I'm running debug2.

cat /etc/racoon/setkey.conf
#!/sbin/setkey -f
#
flush;
spdflush;

#local host A.A.A.A
#remote firewall B.B.B.B
#remote destination C.C.C.C

spdadd A.A.A.A/32 C.C.C.C/32 any -P out ipsec esp/tunnel/A.A.A.A-B.B.B.B/require;
spdadd C.C.C.C/32 A.A.A.A/32 any -P in ipsec esp/tunnel/B.B.B.B-A.A.A.A/require;

this sets up a tunnel policy between the local host and the remote firewall for the single destination C.C.C.C

rc.local then calls /usr/sbin/racoon

[root@credexhost mon]# cat /etc/racoon/racoon.conf

# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

log debug2;
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

sainfo anonymous
{
    pfs_group 2;
    lifetime time 24 hour ;
    encryption_algorithm 3des ;
    authentication_algorithm hmac_md5 ;
    compression_algorithm deflate ;
}

remote anonymous
{
    exchange_mode main;
    generate_policy on;
    lifetime time 1 hour;   # sec,min,hour
    proposal_check claim;   # obey, strict or claim
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2 ;
    }
}
From: Marcin M. <M.M...@ne...> - 2007-07-18 07:06:20
Mark Bassett (mba...@ne...) wrote:
> I have a single host running centos 4 connecting through racoon tunnel
> to a checkpoint firewall.
>

No solution here, but I've got the same problem since ever. Star topology, about 30 doubled IPSec tunnels that die. I changed central point from Linux box to Cisco, it didn't help. Upgraded kernel, I'm also upgrading racoon and ipsec-tools in hope it will help finally but it doesn't help at all:(

br

--
Marcin Mazurek
http://www.netsync.pl/ - :::: - nic-hdl: MM3380-RIPE
GnuPG 6687 E661 98B0 AEE6 DA8B 7F48 AEE4 776F 5688 DC89
From: VANHULLEBUS Y. <va...@fr...> - 2007-07-18 07:30:36
Hi.

On Tue, Jul 17, 2007 at 12:57:39PM -0700, Mark Bassett wrote:
> I have a single host running centos 4 connecting through racoon tunnel
> to a checkpoint firewall.
>
> Several times a day the SA expires and does not re-key.
>
> ERROR: unknown Informational exchange received.

It means your peer tries to negotiate a phase protecting it with an unknown IsakmpSA.

Most of the time, this is a phase 1 lifetime issue: the IsakmpSA expired on one side but not on the other.

Yvan.
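An added example, not part of the thread: a small Python helper that pulls the phase 1 (`remote`) and phase 2 (`sainfo`) lifetimes out of a racoon.conf like the one Mark posted and reports which end of the tunnel drops its ISAKMP SA first, which is the asymmetry Yvan's diagnosis points at. The peer's phase 1 lifetime (`PEER_PHASE1`) is an assumed placeholder; read the real value from the Checkpoint side.

```python
import re

# racoon.conf lifetime units (sec/min/hour); plural spellings are tolerated.
UNIT_SECONDS = {"sec": 1, "min": 60, "hour": 3600}
LIFETIME_RE = re.compile(r"\blifetime\s+time\s+(\d+)\s+(sec|min|hour)s?\b")
BLOCK_RE = re.compile(r"^\s*(remote|sainfo)\b")

# Constructed copy of the racoon.conf posted in the thread (paths/log dropped).
SAMPLE_CONF = """
sainfo anonymous
{
    pfs_group 2;
    lifetime time 24 hour ;
    encryption_algorithm 3des ;
}
remote anonymous
{
    exchange_mode main;
    lifetime time 1 hour; # sec,min,hour
    proposal_check claim; # obey, strict or claim
    proposal { encryption_algorithm 3des; hash_algorithm md5; dh_group 2 ; }
}
"""


def parse_lifetimes(conf):
    """Return {'remote': secs, 'sainfo': secs}: the phase 1 (remote) and
    phase 2 (sainfo) lifetimes. Brace depth is tracked so that a lifetime in
    a nested proposal { } block is never mistaken for the block-level one."""
    found, block, depth = {}, None, 0
    for line in conf.splitlines():
        line = line.split("#", 1)[0]            # drop trailing comments
        if depth == 0 and BLOCK_RE.match(line):
            block = BLOCK_RE.match(line).group(1)
        if depth == 1 and block:
            m = LIFETIME_RE.search(line)
            if m:
                found[block] = int(m.group(1)) * UNIT_SECONDS[m.group(2)]
        depth += line.count("{") - line.count("}")
    return found


def phase1_expiry_order(local_p1, peer_p1):
    """Which end drops its ISAKMP SA first, and by how many seconds. The end
    that drops first no longer knows the SA the other end keeps using for
    informational exchanges, i.e. the mismatch Yvan describes."""
    if local_p1 == peer_p1:
        return "aligned", 0
    return ("local" if local_p1 < peer_p1 else "peer"), abs(local_p1 - peer_p1)


if __name__ == "__main__":
    lt = parse_lifetimes(SAMPLE_CONF)
    PEER_PHASE1 = 86400   # placeholder: assumed Checkpoint phase 1 lifetime
    print(lt, "expires first:", phase1_expiry_order(lt["remote"], PEER_PHASE1))
```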