Hi all,
When racoon initiates, the tunnel is successfully established and everything works OK, but when the soft time expires, racoon establishes a new SA, keeping the old one active (state: dying during the rest of the hard time). The other end (a Cisco router) uses the new SA, so its packets are successfully received, but the Linux router sends frames with the old SA, and they are ignored at the Cisco router (as I suspect; I don't have admin access to the Cisco router).
Cisco sends frames with the new SPI, and at the same time sends:
4.3.2.1.500 > 1.2.3.4.500: isakmp: phase 2/others ? inf[E]
in response to the frames the Linux sends with the old SPI. Afterwards (and before the hard time expires) the router starts sending frames with the new SA and it works again.
Is there something wrong in my configuration? (I use ipsec-tools 0.6.6)
racoon.conf ------------------------------
listen {
    isakmp 1.2.3.4 [500];
    isakmp_natt 1.2.3.4 [4500];
}
remote 4.3.2.1 {
    exchange_mode main;
    peers_identifier address;
    my_identifier address;
    nat_traversal on;
    passive off;
    proposal {
        encryption_algorithm des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 1;
        lifetime time 10000 sec;
    }
}
sainfo address 1.2.3.4/32[any] any address 4.3.2.1/32[any] any {
    lifetime time 3600 sec;
    encryption_algorithm des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
ipsec-tools.conf --------------
spdadd 1.2.3.4 4.3.2.1 any -P out ipsec esp/transport//unique;
spdadd 4.3.2.1 1.2.3.4 any -P in ipsec esp/transport//unique;
Another question: should I explicitly set a fwd policy for packets forwarded to the tunnel? (I realized that fwd policies for packets FROM the tunnel are automatically generated.)