Massimo Lusetti wrote:
> On Mon, 2006-07-03 at 00:51 -0700, Clint Pachl wrote:
>> Are both end points trying to negotiate? Try using the "passive" keyword
>> on one endpoint: "ike passive esp ..."
>
> Yes, both active. Should that cause problems?
>
>> Here is what I have noticed while watching tcpdump: each end point will
>> negotiate with the other end point at some time interval, which seems to
>> be somewhat random. I have started both end points in active mode and
>> because of the randomness and different times each isakmpd was started
>> on each end point, one isakmpd is able to make the negotiation before
>> the other one and everything works fine. However, (and I may be totally
>> wrong here) at some agreed upon time in the future, new keys will be
>> exchanged. This is where you may be running into problems, when both
>> boxes are trying to initiate the exchange, creating an unknown state.
>>
>> I have experienced the same issue. I don't know the details of what
>> exactly is happening, however, it seems to be a synchronization problem.
>> Here's what I have done to get rid of the "unspec transport" and set up
>> the proper flows and SAs:
>>
>> Execute on the "passive" box first, then the other:
>>
>> # ipsecctl -F
>> # echo R > /var/run/isakmpd.fifo
>> # ipsecctl -f /etc/ipsec.conf
>
> I know how to put it up again and I actually use -d just to keep up the
> other tunnels.

Very good, forgot to mention that.

> Anyway you're telling me that every time your tunnel falls you are there
> to cast that command to bring it up again? That's not suitable...

Agreed, that is not suitable and I don't do that. I guess I
misunderstood the point at which your failure was occurring. I believed
it to be initially or some short time after you started each end point.

In my experience, I am using IPSec to secure wireless clients to an AP.
In my first configuration, all clients and the AP were ike negotiators,
"active," and I was experiencing unspec transport. I changed the
ipsec.conf on the AP only to be a passive ike and ran the set of
commands I mentioned earlier and everything worked.

I guess I assumed you changed your ipsec.conf, making one end point
passive, hence the set of commands to put everything in sync. Sorry I
misunderstood.

> What I really want to know (investigate) is what is causing these drops
> since they happen just on one line not in the other and the devices are
> all the same, as is the OpenBSD version.

Is the traffic the same on each line? I have had much success with ssh,
http, ftp, and ICMP traffic through my IPSec tunnel, however, X11 seems
to be unreliable.
-pachl
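An ipsec.conf pair illustrating the one-sided change discussed in the thread: the AP is made the passive responder so only the clients ever initiate phase 1 and rekeying. This is an added example, not the posters' configuration; the addresses and the PSK are placeholders.

```conf
# /etc/ipsec.conf on the access point (the "passive" box).
# Added example with placeholder addresses; replace before use.
ap_addr = "192.0.2.1"
client1 = "192.0.2.10"

# "passive": the AP's isakmpd waits for the peer to start every
# exchange, so the two ends cannot race each other when keys expire.
ike passive esp from $ap_addr to $client1 \
        psk "PLACEHOLDER-PSK"

# /etc/ipsec.conf on a wireless client (initiator).
# "active" is the default mode; it is written out here for contrast.
ap_addr = "192.0.2.1"
me      = "192.0.2.10"

ike active esp from $me to $ap_addr \
        psk "PLACEHOLDER-PSK"
```

After changing the AP's ipsec.conf, the flush / `echo R` / reload sequence from the thread is run on the passive box first and then on each client; `ipsecctl -s all` then shows the resulting flows and SAs so a lingering "unspec" SA is easy to spot.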