From: Harsha <ine...@gm...> - 2009-03-04 01:52:56
Hi all,

I'm new to the IPSec protocol and the codebase, so I request you to kindly bear with my basic questions. If you think I'm not doing my homework somewhere, please do point out and I will do it. But please do guide me.

To the below problem I figured that the cases where tunnels did not come up was when the box was acting as the responder. Further I see that it is failing in Quick Mode ( quick_r1recv() ) after Main Mode is successfully completed. The check for gen_policy in get_proposal_r() is what is failing: if (iph2->ph1->rmconf->gen_policy)...

What I'm unable to understand is who sets gen_policy() and how. It looks like it is coming from parsing the configs in yyparse(), right? What if I set it to TRUE by default?

Thanks in advance,
Harsha

On Thu, Feb 26, 2009 at 11:57 AM, Harsha <ine...@gm...> wrote:
> Hi all,
>
> I have a gateway hosting about 50-60 IPSec tunnels. When I reboot the
> box, all the tunnels don't come up. For the tunnels that don't come
> up, I see that they are stuck in phase 2 with the following log-
>
> 2008-11-23 23:36:38 I29 respond new phase 2 negotiation: 10.55.66.10[0]<=>10.60.20.252[0]
> 2008-11-23 23:36:38 E29 no policy found: 10.60.20.252/32[0] 10.55.66.10/32[0] proto=any dir=in
> 2008-11-23 23:36:38 E29 failed to get proposal for responder
> 2008-11-23 23:36:38 E29 failed to pre-process packet.
>
> Googling told me that in cases where people had seen this log, it had to
> do with key settings. But in my case I know my settings are fine
> because before the reboot the tunnels are up fine and if I manually
> restart IPSec on the boxes again, they come up fine.
>
> Can running 50-60 endpoints be causing a problem? I also saw this
> draft (which is kinda old)-
> http://tools.ietf.org/html/draft-vidya-ipsec-failover-ps-00
>
> I looked up the version of code being used and it is badly outdated.
> For example isakmp_quick.c is version 1.93 and it is dated May 7th
> 2002 here-
> http://orange.kame.net/dev/cvsweb.cgi/kame/kame/kame/racoon/Attic/isakmp_quick.c
>
> Unfortunately moving to the latest code completely is not an option. I
> can however apply a patch that may help solve this specific problem.
> It will be great if anyone knows of any code change that may help this
> condition. Any other pointers and suggestions are greatly welcome.
>
> Many thanks,
> Harsha
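As an added illustration (not part of Harsha's message or of the racoon code), a small Python parser that runs over log lines in the format quoted above and reports, per remote peer, every phase 2 negotiation that this box rejected as responder because no SPD policy matched, together with the policy that was missing; the sample lines are constructed from the quoted format so the result can be compared against the kernel SPD after a reboot.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the log lines quoted in the thread
# (the "no policy found" entry is one log line; the mail client wrapped it).
SAMPLE_LOG = """\
2008-11-23 23:36:38 I29 respond new phase 2 negotiation: 10.55.66.10[0]<=>10.60.20.252[0]
2008-11-23 23:36:38 E29 no policy found: 10.60.20.252/32[0] 10.55.66.10/32[0] proto=any dir=in
2008-11-23 23:36:38 E29 failed to get proposal for responder
2008-11-23 23:36:38 E29 failed to pre-process packet.
2008-11-23 23:36:40 I29 respond new phase 2 negotiation: 10.55.66.10[0]<=>10.60.20.253[0]
2008-11-23 23:36:41 I29 respond new phase 2 negotiation: 10.55.66.10[0]<=>10.60.20.252[0]
2008-11-23 23:36:41 E29 no policy found: 10.60.20.252/32[0] 10.55.66.10/32[0] proto=any dir=in
2008-11-23 23:36:41 E29 failed to get proposal for responder
"""

# "respond new phase 2 negotiation: <local>[port]<=><remote>[port]"
PH2_RESPOND = re.compile(r"respond new phase 2 negotiation: ([^\s\[]+)\[\d+\]<=>([^\s\[]+)\[\d+\]")
# "no policy found: <src>/<plen>[port] <dst>/<plen>[port] proto=<p> dir=<d>"
NO_POLICY = re.compile(r"no policy found: (\S+?)/\d+\[\d+\] (\S+?)/\d+\[\d+\] proto=(\S+) dir=(\S+)")
PROPOSAL_FAIL = "failed to get proposal for responder"


def stuck_responder_peers(log_text):
    """Return {remote_peer: [(timestamp, missing_policy), ...]} for each
    phase 2 exchange where this box was the responder and racoon gave up
    because no SPD entry matched the peer's proposal."""
    current = None          # remote address of the phase 2 exchange in progress
    pending = None          # (timestamp, policy) from the last "no policy found"
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ts = line[:19]      # "YYYY-MM-DD HH:MM:SS" prefix of every log line
        m = PH2_RESPOND.search(line)
        if m:
            current, pending = m.group(2), None   # a new exchange starts
            continue
        m = NO_POLICY.search(line)
        if m and current:
            pending = (ts, f"{m.group(1)}->{m.group(2)} proto={m.group(3)} dir={m.group(4)}")
            continue
        if PROPOSAL_FAIL in line and current and pending:
            failures[current].append(pending)  # rejection confirmed for this peer
            pending = None
    return dict(failures)


def missing_policies(failures):
    """Distinct SPD entries that were absent, to verify with 'setkey -DP'."""
    return sorted({policy for events in failures.values() for _, policy in events})
```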