On 05/02/11 18:08, Robert wrote:
> Hi,
> 
> Same here, but between 2 hosts in the same subnet (very basic network
> setup).
> I was also waiting for 4.9 (and time to investigate...)

We see the same behaviour on 4.9, so upgrading will not help.

> 
> On Mon, 2 May 2011 13:30:34 +0000 (UTC)
> Stuart Henderson <s...@spacehopper.org> wrote:
> 
>> I see something similar which I've been trying to track down but not
>> really succeeding. The thing we have in common is multiple subnets,
>> I wonder if this is a factor...
>>
>>
>>  (and this setup has always been post-4.4 
>> On 2011-05-02, Jakob Alvermark <jakob.alverm...@bsdlabs.com> wrote:
>>> Hi,
>>>
>>> I am getting some strange problems with IPSEC tunnels.
>>> There are 5 sites connected using IPSEC tunnels, which used to work
>>> perfectly, but since upgrading to 4.8 (from 4.4), tunnels started
>>> failing, seemingly at random intervals.
>>> To investigate I set up two machines in the lab and they exhibit the
>>> same behavior:
>>> After a seemingly random amount of time, when there is a renegotiation
>>> of an SA due to its lifetime expiring, traffic will stop flowing (I have
>>> a ping running). 'ipsecctl -sa' and 'netstat -rn' show everything as
>>> normal.
>>> When that SA lifetime expires and a new SA is negotiated it comes back
>>> again.
>>>
>>> I recompiled the kernel with 'option ENCDEBUG' and set
>>> net.inet.ip.encdebug=1 and when it fails I get
>>> 'esp_input_cb(): authentication failed for packet in SA xxx.xxx.xxx.97/6e68c6ae'
>>>
>>> The machines are installed with stock OpenBSD 4.8, nothing special about the
>>> configuration.
>>> ipsec.conf is very simple, just one line:
>>>
>>> ike esp from {192.168.1.9/24 172.16.1.0/24} to {192.168.31.0/24 192.168.32.254} local xxx.xxx.xxx.97 peer xxx.xxx.xxx.99
>>>
>>> Public keys copied across, isakmpd started with flags "-K -v"
>>>
>>> Does anyone have any ideas about this?
>>>
>>> Thank you
>>>
>>> Jakob Alvermark
>>> jakob.alverm...@bsdlabs.com
>>> BSDLabs AB
>>> Solna, Sweden
>>> 556759-7652
> 

-- 
Do you consider your e-mail important?

BSDLabs AB
Registered in Solna, Sweden
SE556759765201
http://www.bsdlabs.com
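
Added example, not part of the original thread: a small sh/awk filter that groups the ENCDEBUG message quoted above by SA, to check whether the failures stay confined to one SPI until the next renegotiation. The syslog prefix, host name, addresses and the second SPI in the sample are constructed.

```shell
#!/bin/sh
# Summarise "authentication failed" ENCDEBUG messages per SA (dst/SPI).
# Reads syslog-style lines on stdin and prints one line per SA:
#   <dst>/<spi> <count> <first HH:MM:SS> <last HH:MM:SS>
esp_auth_failures_by_sa() {
    awk '
    /esp_input_cb\(\): authentication failed for packet in SA / {
        sa = $NF    # last field is dst/spi, as in the message on this page
        ts = $3     # assumption: "Mon DD HH:MM:SS host tag: msg" prefix
        if (!(sa in count)) { order[++n] = sa; first[sa] = ts }
        count[sa]++
        last[sa] = ts
    }
    END {
        # Keep first-seen order so the output follows the rekey sequence.
        for (i = 1; i <= n; i++) {
            sa = order[i]
            printf "%s %d %s %s\n", sa, count[sa], first[sa], last[sa]
        }
    }'
}

# Constructed sample input (not real logs): three failures on one SA,
# an unrelated line, then one failure on a later SA.
sample_log() {
    cat <<'EOF'
May  2 13:01:10 gw1 /bsd: esp_input_cb(): authentication failed for packet in SA 192.0.2.97/6e68c6ae
May  2 13:01:11 gw1 /bsd: esp_input_cb(): authentication failed for packet in SA 192.0.2.97/6e68c6ae
May  2 13:05:00 gw1 sshd[1234]: unrelated line
May  2 13:20:42 gw1 /bsd: esp_input_cb(): authentication failed for packet in SA 192.0.2.97/6e68c6ae
May  2 15:02:03 gw1 /bsd: esp_input_cb(): authentication failed for packet in SA 192.0.2.97/1a2b3c4d
EOF
}

sample_log | esp_auth_failures_by_sa
```

On a live system the function would be fed the file that receives kernel messages; the first and last timestamps per SPI can then be compared with the SA lifetimes shown by 'ipsecctl -sa'.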
