Ipsec problems
in [Debian]
|
Prev: Restarting network
Next: Sugestões para as suas férias
From: Pier on 6 Jul 2010 08:10 Hi. I'm having some problems with ipsec. The connections are running, but when the line goes down the vpn is not coming back again. If i see the logs, i see these errors: 2010-07-06 13:23:22: ERROR: fatal INVALID-SPI notify messsage, phase1 should be deleted. If i force a restart of the setkey and racoon services, then the vpns are coming back. This is the conf: remote AAA.AAA.AAA.AAA { exchange_mode main; verify_cert on; my_identifier address; lifetime time 96 hour ; dpd_delay 0; proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key; dh_group 2; } } sainfo address 192.168.1.0/24 any address 10.75.0.0/16 any { pfs_group 2; lifetime time 8 hour ; encryption_algorithm 3des ; authentication_algorithm hmac_md5 ; compression_algorithm deflate ; } sainfo address AAA.AAA.AAA.AAA/32 any address 10.75.0.0/16 any { pfs_group 2; lifetime time 8 hour ; encryption_algorithm 3des ; authentication_algorithm hmac_md5 ; compression_algorithm deflate ; } sainfo address BBB.BBB.BBB.BBB/32 any address AAA.AAA.AAA.AAA/32 any { pfs_group 2; lifetime time 8 hour ; encryption_algorithm 3des ; authentication_algorithm hmac_md5 ; compression_algorithm deflate ; } sainfo address 192.168.1.0/24 any address AAA.AAA.AAA.AAA/32 any { pfs_group 2; lifetime time 8 hour ; encryption_algorithm 3des ; authentication_algorithm hmac_md5 ; compression_algorithm deflate ; } 10.75.0.0/16 is the remote network. 192.168.1.0/24 is our net. AAA.AAA.AAA.AAA is their remote public IP. BBB.BBB.BBB.BBB is our public IP Thanks -- To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org Archive: http://lists.debian.org/792006.31695.qm(a)web28616.mail.ukl.yahoo.com
From: Noah Meyerhans on 6 Jul 2010 17:50 On Tue, Jul 06, 2010 at 04:47:37AM -0700, Pier wrote: > I'm having some problems with ipsec. > The connections are running, but when the line goes down the vpn is not coming back again. > If i see the logs, i see these errors: > > 2010-07-06 13:23:22: ERROR: fatal INVALID-SPI notify messsage, phase1 should be deleted. Configuring racoon is something of a black art, it seems. I've been using it for several years and still try to avoid touching it at all costs. I suspect in this case that you don't actually need to restart racoon, but instead just need to delete the SAs. You could do this with the "delete" or "deleteall" command in setkey, or you could do it by using a shorter timeout in your racoon config. > lifetime time 96 hour ; I use 30 minutes here. So this way, if the connection is severed, the longest I need to wait for it to come back in 30 minutes. Conceivably you could so something a little more pro-active, where you delete your existing SAs when you detect that there's some kind of connectivity problem with the other end. If there's a mailing list for racoon, it might be worth asking your question there. I'd be curious to know if there's a preferred solution than the one I've been using. noah
|
Pages: 1 Prev: Restarting network Next: Sugestões para as suas férias |