Mailing List Archive: vpnc: devel

VPNC 0.5.3 Phase II ReKeying



chartness at camgian

Oct 20, 2009, 7:28 AM

Post #1 of 4
VPNC 0.5.3 Phase II ReKeying

Greetings,

Up front, I am sorry for posting to the -devel group for
this question, but I find no user or admin group to post to...

I downloaded and did a very straight forward:

make
make install

with VPNC 0.5.3

From what I can find on the groups, I seem to be having issues with Phase II
rekeying.

Grep from /var/log/messages:

Oct 20 07:29:01 cymsfw vpnc[2321]: unknown spi 0xaa8f5c79 from peer
Oct 20 07:29:01 cymsfw vpnc[2321]: unknown spi 0xaa8f5c79 from peer

Very Simple Conf File in place:

[root[at]cymsfw vpnc]# cat default.conf
# SJC
IPSec gateway <removed>
IPSec ID <removed>
IPSec obfuscated secret <removed>
# your username goes here:
Xauth username <removed>
Xauth password <removed>
# if you want to test rekeying specify nonzero seconds here:
#Rekeying interval 7200


If I uncomment the 'Rekeying interval 7200' line in the conf file, I get the error:

vpnc: warning: unknown configuration directive in /etc/vpnc/default.conf
at line 9

I have a monitor script in place that reconnects the VPN on failure, but
I have some processes that are sensitive to the reconnect.

Could someone point me to some documentation on how to configure the
Phase II Rekeying to avoid this?

Thanks In Advance!

Clark

_______________________________________________
vpnc-devel mailing list
vpnc-devel[at]unix-ag.uni-kl.de
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/


dcbw at redhat

Oct 21, 2009, 10:01 AM

Post #2 of 4
Re: VPNC 0.5.3 Phase II ReKeying [In reply to]

On Tue, 2009-10-20 at 09:28 -0500, Clark Hartness wrote:
> Could someone point me to some documentation on how to configure the
> Phase II Rekeying to avoid this?

IIRC vpnc only supports the first rekeying interval, but does not
support the second one which is usually 24 hours. I don't know if that
second one is the 'phase II' or not.

'Rekeying interval' isn't needed because I believe vpnc is smart enough
to figure that out automatically these days for the first (ISAKMP?)
rekey. It used to be required in 0.3 or 0.4 right after the rekeying
patch landed, but no longer is. As such, the option is not recognized
in vpnc 0.5.x.

Dan




CHartness at camgian

Oct 21, 2009, 10:19 AM

Post #3 of 4
Re: VPNC 0.5.3 Phase II ReKeying [In reply to]

Thanks Dan

I have kind of figured that out; as I have gone through this more and more, I noticed a TODO to make Phase II rekeying work in the man page and notes.

The server I am connecting to seems to be set on an 8-hour rekeying, and every 8 hours the connection dies with an entry in the syslog like:

Oct 20 07:29:01 cymsfw vpnc[2321]: unknown spi 0xaa8f5c79 from peer

This is a site-to-site connection and I have a script in place that tests if the connection is up and, if not, restarts it, so about every 8 hours it hiccups like this...

Clark
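Clark's observation that the "unknown spi" line shows up once every 8 hours is the kind of thing worth confirming from the log before blaming the gateway's SA lifetime. The following is an added example for this thread, not code from vpnc or from anyone in the discussion: it pulls the vpnc "unknown spi" lines out of syslog text, de-duplicates the doubled entries vpnc writes, measures the gap between consecutive events, and flags gaps that sit within a tolerance of a suspected lifetime. The sample log is constructed: the first two lines are the ones quoted in the thread, the later vpnc lines and SPI values are made up to show an 8-hour pattern, and the cron line is noise. Syslog timestamps carry no year, so the year is an assumption (2009, matching the thread); the 8-hour lifetime and 5-minute tolerance are parameters, not facts taken from the page.

```python
import re
from datetime import datetime

# Constructed sample log (see lead-in): only the first two lines are real.
SAMPLE_LOG = """\
Oct 20 07:29:01 cymsfw vpnc[2321]: unknown spi 0xaa8f5c79 from peer
Oct 20 07:29:01 cymsfw vpnc[2321]: unknown spi 0xaa8f5c79 from peer
Oct 20 07:30:00 cymsfw cron[2400]: (root) CMD (/usr/local/bin/vpn-monitor)
Oct 20 15:29:03 cymsfw vpnc[2321]: unknown spi 0x0c1d2e3f from peer
Oct 20 23:28:58 cymsfw vpnc[2321]: unknown spi 0x4a5b6c7d from peer
Oct 21 07:29:10 cymsfw vpnc[2321]: unknown spi 0x8e9fa0b1 from peer
"""

# Matches the exact message format quoted in the thread; anything else is skipped.
UNKNOWN_SPI = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) vpnc\[(?P<pid>\d+)\]: unknown spi (?P<spi>0x[0-9a-fA-F]+) from peer$"
)


def parse_unknown_spi_events(log_text, year=2009):
    """Return sorted, de-duplicated (timestamp, spi) pairs for vpnc
    'unknown spi' lines. Syslog omits the year, so it is an assumption;
    a backwards jump in time is treated as a Dec->Jan rollover."""
    events = []
    last = None
    year_offset = 0
    for line in log_text.splitlines():
        m = UNKNOWN_SPI.match(line.strip())
        if not m:
            continue
        stamp = " ".join(m.group("ts").split())  # collapse 'Oct  5' to 'Oct 5'
        ts = datetime.strptime(f"{year + year_offset} {stamp}", "%Y %b %d %H:%M:%S")
        if last is not None and ts < last:
            year_offset += 1
            ts = ts.replace(year=ts.year + 1)
        last = ts
        ev = (ts, m.group("spi").lower())
        if ev not in events:  # vpnc logged the same event twice in the thread
            events.append(ev)
    return sorted(events)


def intervals(events):
    """Seconds between consecutive events."""
    return [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]


def within_lifetime(gaps, lifetime_s=8 * 3600, tolerance_s=300):
    """One flag per gap: does it sit within tolerance of the suspected SA lifetime?"""
    return [abs(g - lifetime_s) <= tolerance_s for g in gaps]


def report(log_text, year=2009, lifetime_s=8 * 3600):
    """Summarise how well the failures line up with a fixed lifetime."""
    evs = parse_unknown_spi_events(log_text, year)
    gaps = intervals(evs)
    hits = within_lifetime(gaps, lifetime_s)
    return {
        "events": len(evs),
        "gaps_s": gaps,
        "lifetime_aligned": sum(hits),
        "all_aligned": bool(gaps) and all(hits),
    }


if __name__ == "__main__":
    for ts, spi in parse_unknown_spi_events(SAMPLE_LOG):
        print(ts.isoformat(), spi)
    print(report(SAMPLE_LOG))
```

If every gap lands on the same lifetime, the reconnects are being driven by the gateway's IPsec SA timer rather than by link drops, which is the case to take to whoever administers the far end; a mix of aligned and unaligned gaps points at two different problems. Use the real log's year and the lifetime configured on the gateway, if known, instead of the defaults.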


tilman.schroeder at tu-dortmund

Oct 25, 2009, 5:15 AM

Post #4 of 4
Re: VPNC 0.5.3 Phase II ReKeying [In reply to]

Clark Hartness wrote:
> The server I am connecting to seems to be set on an 8-hour rekeying, and every 8 hours the connection dies with an entry in the syslog like:
>
> Oct 20 07:29:01 cymsfw vpnc[2321]: unknown spi 0xaa8f5c79 from peer
>
> This is a site-to-site connection and I have a script in place that tests if the connection is up and, if not, restarts it, so about every 8 hours it hiccups like this...

Heyho,

Is this the same error that Owen addressed already?

This is what Owen wrote on the 28th of September:
===
I'm trying to connect to a Cisco ASA running v8.2(1) firmware and am
hitting a problem with the SA rekey. The problem is the same with
both 0.5.3 and SVN 446.

Basically what I'm seeing is that when it comes time to rekey it goes
into a loop, rekeying over and over again. Looking at the debug
logs I see that vpnc thinks the rekey is successful, the ASA also
thinks it's successful, but then vpnc receives a late IKE which seems
to contain a SA delete request. process_late_ike() sees this and
calls do_phase2_qm() and then that's where it loops. If I comment out
the call to do_phase2_qm() (line 3099 in SVN) it rekeys fine and I'm
able to hold a reliable connection.

Does this make any sense? Is the ASA telling vpnc to delete the
previous SA, instead of the current one it just established, and vpnc
is taking the wrong action? I know very little about ISAKMP other
than what I've learned from reading the RFC for a few minutes so I
don't know what the proper fix should be. I'd be happy to provide debug logs or
run further tests if it would help.

Thanks,
Owen

===

Bye,
Tilman
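Owen's quoted report describes a client that answers every late Delete with another Quick Mode, and asks whether the gateway is in fact deleting the SA that was just replaced rather than the one in use. The example below is added for this thread and is not vpnc's code (it does not model process_late_ike() or do_phase2_qm() beyond the behaviour Owen describes): a small Python model of a Phase 2 SA pair in which a "naive" handler renegotiates on any Delete, and an "SPI-aware" handler uses the SPI carried in the ISAKMP Delete payload (RFC 2408, section 3.15) to drop a stale SA silently and renegotiate only when the SA in use is deleted. The simulated gateway, which sends a Delete for every SA the client retires, is constructed to match Owen's description and is not a claim about any particular ASA firmware; the SPI values are sequential stand-ins. Both handlers assume the Delete already arrived under the authenticated ISAKMP SA, which is what keeps a spoofed Delete from being a cheap way to force renegotiations.

```python
from itertools import count

# Constructed SPI source for the simulation: sequential values, not real
# IPsec SPIs, so every run is deterministic.
_spi_counter = count(0x1000)


def next_spi():
    return "0x%08x" % next(_spi_counter)


class NaivePhase2:
    """Model of the behaviour Owen describes: any Delete that arrives after a
    rekey triggers another Quick Mode without checking which SA it names.
    Written for this example; not vpnc's code."""

    def __init__(self):
        self.current_spi = None    # SA carrying traffic now
        self.previous_spi = None   # SA just replaced by a rekey, kept until the peer deletes it
        self.quick_modes = 0       # Phase 2 negotiations the client has run

    def install_sa(self, spi):
        self.previous_spi, self.current_spi = self.current_spi, spi

    def rekey(self):
        """Lifetime reached (or forced): run Quick Mode, install a new SA."""
        self.quick_modes += 1
        self.install_sa(next_spi())

    def handle_delete(self, spi):
        # Assumption: the Delete was already authenticated under the ISAKMP SA.
        self.rekey()
        return "renegotiate"


class SpiAwarePhase2(NaivePhase2):
    """Same state, but the SPI in the Delete payload decides the action:
    a Delete for the SA we already replaced is just acknowledged by dropping
    it; only a Delete for the SA in use forces a new Quick Mode."""

    def handle_delete(self, spi):
        if spi == self.previous_spi:
            self.previous_spi = None
            return "drop-stale"
        if spi == self.current_spi:
            self.current_spi = None
            self.rekey()
            return "renegotiate"
        return "ignore-unknown"   # names no SA we hold: log it, take no action


def run_rekey_scenario(client, max_peer_messages=8):
    """Initial SA, one lifetime-driven rekey, then a peer that sends a Delete
    for every SA the client has retired (constructed gateway behaviour
    matching Owen's description). Returns (quick_modes, settled)."""
    client.install_sa(next_spi())
    client.rekey()
    deletes_from_peer = [client.previous_spi]
    sent = 0
    while deletes_from_peer and sent < max_peer_messages:
        sent += 1
        action = client.handle_delete(deletes_from_peer.pop(0))
        if action == "renegotiate" and client.previous_spi is not None:
            deletes_from_peer.append(client.previous_spi)
    return client.quick_modes, not deletes_from_peer


def run_teardown_scenario(client):
    """Peer deletes the SA actually in use (its lifetime expired on the
    gateway side): both models must renegotiate exactly once and end up
    with a live SA. Returns (action, quick_modes, has_current_sa)."""
    client.install_sa(next_spi())
    action = client.handle_delete(client.current_spi)
    return action, client.quick_modes, client.current_spi is not None


if __name__ == "__main__":
    for cls in (NaivePhase2, SpiAwarePhase2):
        print(cls.__name__, "rekey:", run_rekey_scenario(cls()),
              "teardown:", run_teardown_scenario(cls()))
```

The naive model never settles: each Quick Mode retires an SA, the peer deletes it, and the Delete starts the next Quick Mode, which is the loop Owen saw. The SPI-aware model runs one Quick Mode and stops, while still renegotiating when the peer genuinely tears down the live SA, so it does not lose the case that commenting out the do_phase2_qm() call would lose.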
