From: Matthew Schumacher <matt.s@ap...> - 2007-01-11 21:11:32
I am having the strangest problem with my tunnel. The tunnel will go
down (can't ping through it) but I still have an SA because DPD gets
Here is a dumb little script I wrote to test the problem:
while [ 1 ]; do
    date; setkey -D
    ping -c 3 HOSTB
done
If I wait a while then I'll catch the tunnel in a mode where the ping
doesn't go through, but the setkey -D I called right beforehand will
show an SA. At first I thought it was a dead SA, but then I see a DPD
packet get through after this happens:
Thu Jan 11 11:56:12 AKST 2007
esp mode=transport spi=255144619(0x0f3532ab) reqid=16407(0x00004017)
E: 3des-cbc 81464ef3 3554b190 d145df3b 98c26f8c 0681f4b8 8f28f48d
A: hmac-md5 f30ef723 06c5897f b17a5970 d33ccf53
esp mode=transport spi=123357596(0x075a499c) reqid=16406(0x00004016)
E: 3des-cbc c02669ff 3024c2e4 01ed2dd3 39009fbc faaf50d2 40fece32
A: hmac-md5 f52ee103 2fc42096 7226f9a7 5ca5d75a
PING HOSTB (x.x.x.x) 56(84) bytes of data.
Racoon in debug mode shows DPD went through after the tunnel fails:
2007-01-11 11:56:35: DEBUG: sendto Information notify.
2007-01-11 11:56:35: DEBUG: received a valid R-U-THERE, ACK sent
Later, I can ping again using the same exact SA.
So the question is: Why does my tunnel go up and down when the SA is
still active and DPD is working? I'm guessing it's a kernel issue since
racoon seems to be working fine. Also, I log packets I drop with
IPTABLES and can't find any problems with the firewall.
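The post's loop only eyeballs setkey -D output. The following is an added example (not code from the post or from ipsec-tools) that parses two setkey -D snapshots taken around a ping burst and separates the two cases the poster is trying to tell apart: an SA that really went away, versus an SA that is still "mature" but carried no bytes while pings were failing, which points at the kernel SPD/routing or firewall path rather than at IKE or DPD. The setkey -D line layout (src/dst header, seq/state line, current: N(bytes) counters) is assumed from ipsec-tools; the addresses and counters are constructed, the SPIs are the two quoted above.

```python
import re

# Constructed sample snapshots of `setkey -D` (ipsec-tools layout, assumed),
# with the E:/A: key-material lines left out. Addresses are placeholders;
# the SPIs are the two quoted in the post. Between BEFORE and AFTER a
# ping burst was sent, yet the byte counters did not move.
BEFORE = """\
10.0.0.1 10.0.0.2
\tesp mode=transport spi=255144619(0x0f3532ab) reqid=16407(0x00004017)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcurrent: 4200(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
10.0.0.2 10.0.0.1
\tesp mode=transport spi=123357596(0x075a499c) reqid=16406(0x00004016)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
\tcurrent: 3900(bytes)\thard: 0(bytes)\tsoft: 0(bytes)
"""
AFTER = BEFORE  # identical counters: nothing passed through either SA

HDR = re.compile(r"^(\S+) (\S+)$")
SA = re.compile(r"^\s+(esp|ah|ipcomp) mode=(\w+) spi=(\d+)\(0x[0-9a-f]+\) reqid=(\d+)")
STATE = re.compile(r"\bstate=(\w+)")
BYTES = re.compile(r"^\s+current: (\d+)\(bytes\)")

def parse_setkey(text):
    """Return {spi: {src, dst, proto, mode, reqid, state, bytes}} from setkey -D output."""
    sas, pair, cur = {}, None, None
    for line in text.splitlines():
        if m := HDR.match(line):          # "src dst" line opens a new SA block
            pair = (m.group(1), m.group(2)); continue
        if m := SA.match(line):           # protocol/mode/spi/reqid line
            cur = {"src": pair[0], "dst": pair[1], "proto": m.group(1),
                   "mode": m.group(2), "reqid": int(m.group(4)),
                   "state": None, "bytes": 0}
            sas[int(m.group(3))] = cur; continue
        if cur is None: continue
        if m := STATE.search(line): cur["state"] = m.group(1)
        if m := BYTES.match(line): cur["bytes"] = int(m.group(1))
    return sas

def idle_sas(before, after):
    """SPIs present in both snapshots, still 'mature', but with an unchanged
    byte counter. With traffic sent in between, these SAs were never used:
    look at the kernel SPD/routing and the firewall, not at IKE or DPD."""
    return sorted(spi for spi, sa in before.items()
                  if spi in after and after[spi]["state"] == "mature"
                  and after[spi]["bytes"] == sa["bytes"])

def gone_sas(before, after):
    """SPIs present before but missing after: the SA really expired or was replaced."""
    return sorted(set(before) - set(after))
```

Run it over two real snapshots captured on either side of the ping -c 3 in the loop; an empty gone_sas() with a non-empty idle_sas() is the "SA still there but tunnel dead" case the post describes.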