ipsec-tools-current, -4 and Cisco VPN

To: netbsd-users%NetBSD.org@localhost
Subject: ipsec-tools-current, -4 and Cisco VPN
From: Jason Lingohr <jason%lucid.net.au@localhost>
Date: Fri, 06 Jun 2008 14:41:00 +1000


Is anyone here using -4 and ipsec-tools-current?

I'm having a few problems with it -- notably, SPI's don't get deletedwhen a VPN is torn down, and re-keying doesn't seem to work anymore.

I'm using a Cisco VPN client with it. Issue number one: when I do anormal disconnection, the SPIs don't get deleted. Issue number two iswhen it's time to rekey.


When key expiry happens, I see this in the Cisco client logs:

821    13:50:26.474  06/06/08  Sev=Info/4    IPSEC/0x63700019

Activate outbound key with SPI=0x687d9e02 for inbound key withSPI=0x713631b3


822    14:10:09.646  06/06/08  Sev=Info/6    IPSEC/0x6370002D
Fragmenting send packet.

823    14:28:43.242  06/06/08  Sev=Info/4    IPSEC/0x6370000E
Key with outbound SPI=0x687d9e02 is about to expire, requesting a new one

824    14:28:43.242  06/06/08  Sev=Info/4    IPSEC/0x6370000B
Key requested

825    14:30:44.452  06/06/08  Sev=Warning/2    CVPND/0xA3400018
Output size mismatch. Actual: 4, Expected: 225. (DRVIFACE:1868)

826    14:30:44.452  06/06/08  Sev=Info/4    IPSEC/0x63700013
Delete internal key with SPI=0x713631b3

827    14:30:44.452  06/06/08  Sev=Info/4    IPSEC/0x6370000C
Key deleted by SPI 0x713631b3

828    14:30:44.452  06/06/08  Sev=Info/4    IPSEC/0x63700013
Delete internal key with SPI=0x687d9e02

829    14:30:44.452  06/06/08  Sev=Info/4    IPSEC/0x6370000C
Key deleted by SPI 0x687d9e02

830    14:30:44.950  06/06/08  Sev=Warning/2    CVPND/0xA3400018
Output size mismatch. Actual: 4, Expected: 225. (DRVIFACE:1868)

831    14:30:44.950  06/06/08  Sev=Info/4    CM/0x63100013

Phase 1 SA deleted cause by DEL_REASON_PEER_NOT_RESPONDING. 0 CryptoActive IKE SA, 0 User Authenticated IKE SA in the system


I see this in /var/log/messages:

Jun 6 14:29:00 bastion racoon: ERROR: can't start the quick mode, thereis no ISAKMP-SA, f09a4ae0efc3313a:29e131a170b2e6a6:000096ba

Jun  6 14:29:17 bastion last message repeated 3 times

Jun 6 14:29:22 bastion racoon: ERROR: unknown Informational exchangereceived.

Jun  6 14:29:55 bastion last message repeated 7 times
Jun  6 14:31:01 bastion last message repeated 13 times

And then the VPN client just disconnects.

Any ideas?

Follow-Ups:
- Re: ipsec-tools-current, -4 and Cisco VPN
  - From: Petar Bogdanovic

Prev by Date: GRE and WCCP
Next by Date: raidctl query
Previous by Thread: GRE and WCCP
Next by Thread: Re: ipsec-tools-current, -4 and Cisco VPN
Indexes:

Home | Main Index | Thread Index | Old Index