Your message dated Thu, 04 Mar 2010 18:40:55 +0100
with message-id <[email protected]>
and subject line works in a more recent version
has caused the Debian Bug report #279188,
regarding second road warrior connection does not work
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
279188: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=279188
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ipsec-tools
Version: 0.3.3-1


I have a simple road warrior setup on the server side:

    remote anonymous {
            exchange_mode aggressive;
            doi ipsec_doi;
            situation identity_only;
            generate_policy on;
            proposal_check obey;
            passive on;
            my_identifier address;
            lifetime time 4 hour;
            proposal {
                    encryption_algorithm 3des;
                    hash_algorithm sha1;
                    authentication_method pre_shared_key;
                    dh_group modp1024;
            }
    }

    sainfo anonymous {
            lifetime time 4 hour;
            pfs_group modp768;
            encryption_algorithm 3des, des;
            authentication_algorithm hmac_md5, hmac_sha1;
            compression_algorithm deflate;
    }

After I started racoon on the server side, I can ping from
a client to the server. Racoon log:

INFO: respond new phase 1 negotiation: 12.123.139.197[500]<=>212.108.189.8[500]
INFO: begin Aggressive mode.
INFO: ISAKMP-SA established 12.123.139.197[500]-212.108.189.8[500] spi:39217d326aefb540:a05697e8a3c7e14a
INFO: respond new phase 2 negotiation: 12.123.139.197[0]<=>212.108.189.8[0]
INFO: no policy found, try to generate the policy : 10.10.10.10/32[0] 192.168.178.0/24[0] proto=any dir=in
INFO: IPsec-SA established: ESP/Tunnel 212.108.189.8->12.123.139.197 spi=221472022(0xd336516)
INFO: IPsec-SA established: ESP/Tunnel 12.123.139.197->212.108.189.8 spi=214377111(0xcc72297)
ERROR: such policy does not already exist: 10.10.10.10/32[0] 192.168.178.0/24[0] proto=any dir=in
ERROR: such policy does not already exist: 192.168.178.0/24[0] 10.10.10.10/32[0] proto=any dir=out

The ping works and the needed SPDs and SAs are created. So far so good.

But when the SPDs and SAs are expired and I try to ping again, then
it does not work. See the log:

INFO: respond new phase 1 negotiation: 12.123.139.197[500]<=>212.108.189.8[500]
INFO: begin Aggressive mode.
INFO: ISAKMP-SA established 12.123.139.197[500]-212.108.189.8[500] spi:fa08db9fd41f3099:4daabd012db25b06
INFO: respond new phase 2 negotiation: 12.123.139.197[0]<=>212.108.189.8[0]
INFO: IPsec-SA established: ESP/Tunnel 212.108.189.8->12.123.139.197 spi=76286402(0x48c09c2)
INFO: IPsec-SA established: ESP/Tunnel 12.123.139.197->212.108.189.8 spi=59087979(0x3859c6b)

You see that the policies are not generated this time. Not good.



regards
claas


--- End Message ---
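The two log excerpts above differ in exactly one respect: the first phase 2 negotiation carries a "no policy found, try to generate the policy" line before the IPsec-SAs are established, the second does not. The following script is an added example (not part of the bug report, and not racoon or ipsec-tools code): it parses racoon log lines, groups them by phase 2 negotiation and flags negotiations where SAs were established but no policy was generated, which is the symptom the reporter describes. The log text it runs over is the reporter's own output, embedded inline as constructed sample input; the regular expressions are assumptions based on the log format visible in this report, not on racoon's source.

```python
import re

# Constructed sample input: the two racoon log excerpts from the bug report.
FIRST_RUN = """\
INFO: respond new phase 1 negotiation: 12.123.139.197[500]<=>212.108.189.8[500]
INFO: begin Aggressive mode.
INFO: ISAKMP-SA established 12.123.139.197[500]-212.108.189.8[500] spi:39217d326aefb540:a05697e8a3c7e14a
INFO: respond new phase 2 negotiation: 12.123.139.197[0]<=>212.108.189.8[0]
INFO: no policy found, try to generate the policy : 10.10.10.10/32[0] 192.168.178.0/24[0] proto=any dir=in
INFO: IPsec-SA established: ESP/Tunnel 212.108.189.8->12.123.139.197 spi=221472022(0xd336516)
INFO: IPsec-SA established: ESP/Tunnel 12.123.139.197->212.108.189.8 spi=214377111(0xcc72297)
ERROR: such policy does not already exist: 10.10.10.10/32[0] 192.168.178.0/24[0] proto=any dir=in
ERROR: such policy does not already exist: 192.168.178.0/24[0] 10.10.10.10/32[0] proto=any dir=out
"""

SECOND_RUN = """\
INFO: respond new phase 1 negotiation: 12.123.139.197[500]<=>212.108.189.8[500]
INFO: begin Aggressive mode.
INFO: ISAKMP-SA established 12.123.139.197[500]-212.108.189.8[500] spi:fa08db9fd41f3099:4daabd012db25b06
INFO: respond new phase 2 negotiation: 12.123.139.197[0]<=>212.108.189.8[0]
INFO: IPsec-SA established: ESP/Tunnel 212.108.189.8->12.123.139.197 spi=76286402(0x48c09c2)
INFO: IPsec-SA established: ESP/Tunnel 12.123.139.197->212.108.189.8 spi=59087979(0x3859c6b)
"""

# Patterns are assumptions derived from the lines quoted in this report.
PHASE2_RE = re.compile(r"respond new phase 2 negotiation: (\S+)<=>(\S+)")
GENPOL_RE = re.compile(r"no policy found, try to generate the policy : (.+)$")
SA_RE = re.compile(r"IPsec-SA established: (\S+) (\S+)->(\S+) spi=(\d+)\(0x([0-9a-f]+)\)")


def audit_phase2(log_text):
    """Group racoon log lines into phase 2 negotiations.

    Returns a list of dicts, one per negotiation, with the peers, the policies
    racoon reported generating, the IPsec-SAs it established, and a
    'policy_missing' flag set when SAs came up without any generated policy.
    """
    negotiations = []
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PHASE2_RE.search(line)
        if m:
            current = {"peers": (m.group(1), m.group(2)), "policies": [], "sas": []}
            negotiations.append(current)
            continue
        if current is None:
            continue  # phase 1 chatter before any phase 2 negotiation
        m = GENPOL_RE.search(line)
        if m:
            current["policies"].append(m.group(1).strip())
            continue
        m = SA_RE.search(line)
        if m:
            spi_dec, spi_hex = int(m.group(4)), int(m.group(5), 16)
            current["sas"].append({
                "mode": m.group(1),
                "src": m.group(2),
                "dst": m.group(3),
                "spi": spi_dec,
                # racoon prints the SPI twice; a mismatch would mean a mangled log line
                "spi_consistent": spi_dec == spi_hex,
            })
    for n in negotiations:
        n["policy_missing"] = bool(n["sas"]) and not n["policies"]
    return negotiations


def negotiations_without_policy(log_text):
    """Peer pairs whose phase 2 completed without a generated policy: with
    generate_policy on and no static SPD entry, traffic will not be protected."""
    return [n["peers"] for n in audit_phase2(log_text) if n["policy_missing"]]


if __name__ == "__main__":
    for label, text in (("first run", FIRST_RUN), ("second run", SECOND_RUN)):
        for n in audit_phase2(text):
            status = "NO POLICY GENERATED" if n["policy_missing"] else "ok"
            print(f"{label}: {n['peers'][0]} <=> {n['peers'][1]}: "
                  f"{len(n['sas'])} SA(s), {len(n['policies'])} policy line(s): {status}")
```

On a live system the same condition is confirmed with `setkey -D` (SAs present) against `setkey -DP` (no matching SPD entry); the script only reproduces the log-side view that the reporter relied on.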
--- Begin Message ---
I close this bug as the rekeying works fine. I set the key lifetime
to 300 seconds; ping goes on after that time and the racoon log spawns
info about a newly established association.

thanks
-- 
Stefan Bauer -----------------------------------------
PGP: E80A 50D5 2D46 341C A887 F05D 5C81 5858 DCEF 8C34
-------- plzk.de - Linux - because it works ----------


--- End Message ---