owen at barkie
Sep 18, 2009, 8:45 AM
Post #1 of 1
I'm trying to connect to a Cisco ASA running v8.2(1) firmware and am
vpnc with Cisco ASA v8.2(1) rekey problems
hitting a problem with the SA rekey. The problem is the same with
both 0.5.3 and SVN 446.
Basically what I'm seeing is that when it comes time to rekey it goes
into a loop, rekeying over and over again. Looking at the debug
logs I see that vpnc thinks the rekey is successful, the ASA also
thinks it's successful, but then vpnc receives a late IKE which seems
to contain a SA delete request. process_late_ike() sees this and
calls do_phase2_qm() and then that's where it loops. If I comment out
the call to do_phase2_qm() (line 3099 in SVN) it rekeys fine and I'm
able to hold a reliable connection.
Does this make any sense? Is the ASA telling vpnc to delete the
previous SA, instead of the current one it just established, and vpnc
is taking the wrong action? I know very little about ISAKMP other
than what I've learned from reading the RFC for a few minutes so I
don't the proper fix should be. I'd be happy to provide debug logs or
run further tests if it would help.
vpnc-devel mailing list
vpnc-devel [at] unix-ag