From: Pier on
Hi.
I'm having some problems with ipsec.
The connections are running, but when the line goes down the VPN does not come back again.
If I look at the logs, I see these errors:

2010-07-06 13:23:22: ERROR: fatal INVALID-SPI notify messsage, phase1 should be deleted.


If I force a restart of the setkey and racoon services, then the VPNs come back.
This is the conf:

# Phase 1 (IKE) settings for the peer gateway
remote AAA.AAA.AAA.AAA
{
    exchange_mode main;
    verify_cert on;
    my_identifier address;
    lifetime time 96 hour;        # ISAKMP (phase 1) SA lifetime
    dpd_delay 0;                  # 0 disables dead peer detection
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

# Phase 2 (IPsec SA) settings, one block per traffic selector pair
sainfo address 192.168.1.0/24 any address 10.75.0.0/16 any
{
    pfs_group 2;
    lifetime time 8 hour;         # IPsec (phase 2) SA lifetime
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

sainfo address AAA.AAA.AAA.AAA/32 any address 10.75.0.0/16 any
{
    pfs_group 2;
    lifetime time 8 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

sainfo address BBB.BBB.BBB.BBB/32 any address AAA.AAA.AAA.AAA/32 any
{
    pfs_group 2;
    lifetime time 8 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

sainfo address 192.168.1.0/24 any address AAA.AAA.AAA.AAA/32 any
{
    pfs_group 2;
    lifetime time 8 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}


10.75.0.0/16 is the remote network.
192.168.1.0/24 is our net.
AAA.AAA.AAA.AAA is their remote public IP.
BBB.BBB.BBB.BBB is our public IP.

Thanks

--
To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org
Archive: http://lists.debian.org/792006.31695.qm(a)web28616.mail.ukl.yahoo.com
From: Noah Meyerhans on
On Tue, Jul 06, 2010 at 04:47:37AM -0700, Pier wrote:
> I'm having some problems with ipsec.
> The connections are running, but when the line goes down the VPN does not come back again.
> If I look at the logs, I see these errors:
>
> 2010-07-06 13:23:22: ERROR: fatal INVALID-SPI notify messsage, phase1 should be deleted.

Configuring racoon is something of a black art, it seems. I've been
using it for several years and still try to avoid touching it at all
costs.

I suspect in this case that you don't actually need to restart racoon,
but instead just need to delete the SAs. You could do this with the
"delete" or "deleteall" command in setkey, or you could do it by using a
shorter timeout in your racoon config.

> lifetime time 96 hour ;

I use 30 minutes here. So this way, if the connection is severed, the
longest I need to wait for it to come back is 30 minutes.

Conceivably you could do something a little more pro-active, where you
delete your existing SAs when you detect that there's some kind of
connectivity problem with the other end.

If there's a mailing list for racoon, it might be worth asking your
question there. I'd be curious to know if there's a preferred solution
other than the one I've been using.

noah
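The "more pro-active" approach Noah sketches, as an added example (not code from either poster): a small watchdog that probes a host behind the tunnel and, after a run of consecutive failures, feeds `deleteall` lines to `setkey -c` for the ESP and IPComp SAs in both directions, so racoon has to negotiate fresh SAs on the next packet instead of reusing state the far end has already dropped. The gateway and probe addresses, the failure threshold, the interval and the `ipsec-watchdog` syslog tag are all placeholders chosen for this example; it assumes Linux `ping -W` semantics and that the script runs as root when `--watch` is given.

```shell
#!/bin/sh
# Constructed example watchdog for a racoon/setkey tunnel.  Flushes the kernel
# SAs for one peer when that peer stops answering, so racoon renegotiates.
# All addresses below are assumed placeholders; override them via environment.
OUR_PUB="${OUR_PUB:-BBB.BBB.BBB.BBB}"       # our public IP (placeholder)
THEIR_PUB="${THEIR_PUB:-AAA.AAA.AAA.AAA}"   # their public IP (placeholder)
PROBE_HOST="${PROBE_HOST:-10.75.0.1}"       # a host inside the remote net (assumed)
FAIL_LIMIT="${FAIL_LIMIT:-3}"               # consecutive failures before flushing
INTERVAL="${INTERVAL:-20}"                  # seconds between probes

# Emit the setkey script that removes every ESP and IPComp SA between the two
# gateways, in both directions.  Printed rather than run directly so it can be
# reviewed and tested without root or a live kernel SAD.
build_setkey_script() {
    our="$1"; their="$2"
    for proto in esp ipcomp; do
        printf 'deleteall %s %s %s;\n' "$our" "$their" "$proto"
        printf 'deleteall %s %s %s;\n' "$their" "$our" "$proto"
    done
}

# True when the consecutive-failure count has reached the limit.
# Kept as its own function so the policy is testable on its own.
should_flush() {
    [ "$1" -ge "$2" ]
}

# Probe the far side; a single ICMP echo with a 2 second timeout.
probe() {
    ping -c 1 -W 2 "$PROBE_HOST" >/dev/null 2>&1
}

# Apply the flush: hand the generated script to setkey -c (needs root).
flush_tunnel() {
    build_setkey_script "$OUR_PUB" "$THEIR_PUB" | setkey -c
}

# Main loop: count failures, flush once the limit is hit, then start over.
watch_loop() {
    fails=0
    while :; do
        if probe; then
            fails=0
        else
            fails=$((fails + 1))
            if should_flush "$fails" "$FAIL_LIMIT"; then
                logger -t ipsec-watchdog \
                    "peer $THEIR_PUB unreachable ${fails}x, deleting SAs"
                flush_tunnel
                fails=0
            fi
        fi
        sleep "$INTERVAL"
    done
}

# Only start the loop when invoked with --watch, so the file can be sourced.
if [ "${1:-}" = "--watch" ]; then
    watch_loop
fi
```

Run it as `./ipsec-watchdog.sh --watch` from an init script or under a supervisor. Only the kernel SAD entries are removed; the phase 1 (ISAKMP) SA lives inside racoon, and Noah's point is that clearing the kernel SAs is usually enough to make racoon set the tunnel up again without restarting the daemon. Print the script with `build_setkey_script "$OUR_PUB" "$THEIR_PUB"` first to check the addresses and protocols before trusting it with `setkey -c`.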