Subject: 1.6.1 VPN connections
To: None <netbsd-users@netbsd.org, current-users@netbsd.org>
From: John Nemeth <jnemeth@victoria.tc.ca>
List: current-users
Date: 10/09/2003 17:46:11
     I'm seeing problems with VPN connections in 1.6.1 with a variety
of different endpoints (other NetBSD boxes, Linksys boxes, and
SonicWalls).  The problem that I'm seeing is that for some reason
traffic will stop flowing, then a new tunnel will be created.  'setkey
-D' will show two (or more) tunnels to the same endpoint.  At this
point, the only solution is to do '/etc/rc.d/ipsec reload' to clear
everything out.  Then traffic will flow until it happens again.
Sanitised configs are below for the connection to the Sonicwall (note
that it likes 24 hour SA timeouts).  The NetBSD box is "<A>" and the
SonicWall is "<B>".  When things go wrong, the SonicWall will log
entries saying that it is dropping ESP packets coming from the NetBSD
box, but it doesn't say why.  Other than the standard log entries for
the establishment of a new tunnel, there is nothing logged on the
NetBSD side. Does anybody have any idea on what causes this and how to
fix it?  Will upgrading to 1.6.1-STABLE fix it?  This is for a critical
business purpose and if the problem isn't solved VERY soon something
other than NetBSD will have to terminate the tunnel and I don't want to
see that.

------------- ipsec.conf -----------

spdadd -4 192.168.2.0/24 192.168.1.0/24 any -P out ipsec
        esp/tunnel/<A>-<B>/require ;

spdadd -4 192.168.1.0/24 192.168.2.0/24 any -P in ipsec
        esp/tunnel/<B>-<A>/require ;


------------ racoon.conf -----------

path pre_shared_key "/etc/racoon/psk.txt" ;

listen {
    isakmp <A> ;
    strict_address ;
}

remote <B> {
    exchange_mode main ;
    my_identifier address <A> ;
    peers_identifier address <B> ;
    verify_identifier off ;
    lifetime time 24 hour ;
    initial_contact on ;
    passive off ;
    support_mip6 off ;
    generate_policy on ;
    nonce_size 16 ;
    proposal {
        encryption_algorithm 3des ;
        hash_algorithm sha1 ;
        authentication_method pre_shared_key ;
        dh_group modp1024 ;
        lifetime time 24 hour ;
    }
}

sainfo anonymous {
    pfs_group modp1024 ;
    lifetime time 24 hour ;
    encryption_algorithm des, 3des ;
    authentication_algorithm hmac_md5, hmac_sha1 ;
    compression_algorithm deflate ;
}

log notify ;

padding {
    randomize on ;
}
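An added example, not part of the original post, for spotting the symptom described above (two or more SAs to the same endpoint in 'setkey -D') without reading the dump by hand. It assumes the usual 'setkey -D' layout: an unindented "src dst" header line, followed by indented attribute lines whose first one reads "<proto> mode=<mode> spi=... reqid=...". The sample dump and the addresses standing in for <A> and <B> are constructed, not taken from the poster's system; real output indents with tabs, and the parser accepts tabs or spaces.

```shell
#!/bin/sh
# Added example (not from the original post): report duplicate IPsec SAs
# in 'setkey -D' output. Assumed format: a "src dst" header line starting
# in column 1, then indented attribute lines, the first being
# "<proto> mode=<mode> spi=... reqid=...". One such line exists per SA.

# find_duplicate_sas: read 'setkey -D' output on stdin and print one line
# "src dst proto count" for every (src, dst, proto) that has more than one
# SA. Prints nothing when the SAD is healthy, so it is cron-friendly.
find_duplicate_sas() {
    awk '
        # Header line: first character is not whitespace, exactly two fields.
        substr($0, 1, 1) != "\t" && substr($0, 1, 1) != " " && NF == 2 {
            src = $1; dst = $2; next
        }
        # Protocol line of an SA: "<proto> mode=<mode> ...", one per SA.
        $1 ~ /^(esp|ah|ipcomp)$/ && $2 ~ /^mode=/ {
            count[src " " dst " " $1]++
        }
        END {
            for (key in count)
                if (count[key] > 1) print key, count[key]
        }
    ' | sort
}

# Constructed sample dump: two ESP SAs A->B (a stale one and the renegotiated
# one) plus a single ESP SA B->A. 203.0.113.1 stands in for <A> and
# 198.51.100.1 for <B>; keys and SPIs are dummy values.
SAMPLE_SETKEY_D='203.0.113.1 198.51.100.1
        esp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
        E: 3des-cbc  0102030405060708 090a0b0c0d0e0f10 1112131415161718
        A: hmac-sha1  0102030405060708 090a0b0c0d0e0f10 11121314
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Oct  9 12:00:00 2003   current: Oct  9 17:46:11 2003
        diff: 20771(s)  hard: 86400(s)  soft: 69120(s)
203.0.113.1 198.51.100.1
        esp mode=tunnel spi=2271560481(0x87654321) reqid=0(0x00000000)
        E: 3des-cbc  1112131415161718 090a0b0c0d0e0f10 0102030405060708
        A: hmac-sha1  1112131415161718 090a0b0c0d0e0f10 01020304
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Oct  9 17:40:00 2003   current: Oct  9 17:46:11 2003
        diff: 371(s)    hard: 86400(s)  soft: 69120(s)
198.51.100.1 203.0.113.1
        esp mode=tunnel spi=1122867(0x00112233) reqid=0(0x00000000)
        E: 3des-cbc  0a0b0c0d0e0f1011 1213141516171819 1a1b1c1d1e1f2021
        A: hmac-sha1  0a0b0c0d0e0f1011 1213141516171819 1a1b1c1d
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Oct  9 17:40:00 2003   current: Oct  9 17:46:11 2003
        diff: 371(s)    hard: 86400(s)  soft: 69120(s)
'

# On a live NetBSD box:   setkey -D | find_duplicate_sas
# Against the constructed sample (prints "203.0.113.1 198.51.100.1 esp 2"):
printf '%s\n' "$SAMPLE_SETKEY_D" | find_duplicate_sas
```

Run from cron or a monitoring check, a non-empty result is the moment to look at the racoon log on both ends and, as a stopgap, do the '/etc/rc.d/ipsec reload' the post describes; the script only observes the SAD and changes nothing.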