Hi all, I clearly have to pay attention to what I put into pf.conf! The tunnel works fine so far.
//maxim

On Oct 16, 2011, at 1:40 PM, Maxim Bourmistrov wrote:

> Both sides are now 5.0-current, so this fix is already there.
>
> However, the tunnel timeout is still there.
> In the logs I see that almost exactly 3h after the tunnel is established, it dies.
> I see the FLOW is still there, but the SAD is empty, when I run "ipsecctl -s all".
>
> According to the manpage, less than 3h is the default time for re-keying.
> I'm not sending that much traffic over the tunnel yet, so
> the traffic amount is not even near the default amount for re-keying.
>
> (Reminder:
> 10.1.1.1 - is the ext IP for the home GW,
> 20.1.1.1 - CARP IP at the office GW,
> 20.1.1.2 - ext IP at the office GW1
> 20.1.1.3 - ext IP at the office GW2)
>
> NOTE: I don't have any other IKE rules right now on any of those GWs.
>
> The following is what I see on the home GW:
>
> Oct 15 23:47:32 fw1 iked[8578]: sa_state: VALID -> ESTABLISHED from 20.1.1.2:59973 to 10.1.1.1:500 policy 'home_to_office'
>
> Oct 16 02:27:57 fw1 iked[8578]: ikev2_msg_send: CREATE_CHILD_SA from 10.1.1.1:500 to 20.1.1.2:59973, 240 bytes
> Oct 16 02:27:58 fw1 iked[8578]: ikev2_recv: CREATE_CHILD_SA from responder 20.1.1.2:55932 to 10.1.1.1:500 policy 'home_to_office', 240 bytes
> Oct 16 02:27:58 fw1 iked[8578]: ikev2_msg_send: INFORMATIONAL from 10.1.1.1:500 to 20.1.1.2:55932, 80 bytes
> Oct 16 02:27:58 fw1 iked[8578]: ikev2_recv: INFORMATIONAL from responder 20.1.1.2:55932 to 10.1.1.1:500 policy 'home_to_office', 80 bytes
> Oct 16 02:30:47 fw1 iked[8578]: ikev2_recv: CREATE_CHILD_SA from responder 20.1.1.2:55595 to 10.1.1.1:500 policy 'home_to_office', 240 bytes
> Oct 16 02:33:50 fw1 iked[8578]: ikev2_msg_send: CREATE_CHILD_SA from 10.1.1.1:500 to 20.1.1.2:59973, 240 bytes
>
> At the office:
>
> Oct 15 23:47:32 fw1 iked[16378]: sa_state: VALID -> ESTABLISHED from 10.1.1.1:500 to 20.1.1.2:500 policy 'mxb_to_office'
>
> Oct 16 02:27:58 fw1 iked[16378]: ikev2_msg_send: CREATE_CHILD_SA from 20.1.1.2:500 to 10.1.1.1:500, 240 bytes
> Oct 16 02:27:58 fw1 iked[16378]: ikev2_recv: INFORMATIONAL from initiator 10.1.1.1:500 to 20.1.1.2:500 policy 'mxb_to_office', 80 bytes
> Oct 16 02:27:58 fw1 iked[16378]: ikev2_pld_delete: deleted 1 spis
> Oct 16 02:27:58 fw1 iked[16378]: ikev2_msg_send: INFORMATIONAL from 20.1.1.2:500 to 10.1.1.1:500, 80 bytes
> Oct 16 02:30:47 fw1 iked[16378]: ikev2_msg_send: CREATE_CHILD_SA from 20.1.1.2:500 to 10.1.1.1:500, 240 bytes
>
> At this time it looks like I lose my tunnel.
> Trying to ping the remote network produces
> Oct 16 13:08:11 fw1 iked[8578]: ikev2_msg_send: CREATE_CHILD_SA from 10.1.1.1:500 to 20.1.1.2:55932, 240 bytes
> But this is only seen on the home GW.
>
> //maxim
>
>
> On Oct 15, 2011, at 1:03 PM, Joosep wrote:
>
>> On Sat, Oct 15, 2011 at 12:13 PM, Maxim Bourmistrov
>> <[email protected]> wrote:
>>
>>> Thanks for your reply, Trevor!
>>>
>>> Yes, indeed, PF was the case here.
>>> Except "pass on enc0 from any to any keep state (if-bound)", I also decided
>>> to pass all ESP traffic.
>>>
>>> The tunnel, however, sometimes times out. Not sure about the reason for this
>>> yet.
>>>
>>> //maxim
>>
>> Hi!
>>
>> There is a patch for 4.8 and 4.9 that probably fixes your timeouts problem.
>> Please read this thread:
>> http://marc.info/?l=openbsd-misc&m=130959664208980&w=2
>> It's not a critical bugfix, so it's not on the errata page, but it is in the
>> cvs.
>>
>> Joosep
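The pf rules the thread converged on (pass on enc0 with interface-bound state, pass ESP), written out as a minimal home-GW pf.conf fragment. This is an added example, not the poster's pf.conf: the external interface name em0 is assumed, the addresses are the ones from the reminder in the quoted message, and the UDP 500/4500 rules for IKE and NAT-T are included because iked needs them as well, which the thread does not spell out.

```pf
# Added example for the home GW; not the poster's pf.conf.
# Assumptions: the external interface is em0 (not stated in the thread) and
# the peer is the office GW1 external address from the thread's reminder.
ext_if = "em0"
office_gw = "20.1.1.2"

# IKEv2 (500/udp) and NAT-T (4500/udp). The office peer shows up on changing
# source ports in the quoted home-side log (59973, 55932, 55595), so only the
# destination port is pinned here.
pass in  on $ext_if proto udp from $office_gw to ($ext_if) port { 500, 4500 }
pass out on $ext_if proto udp from ($ext_if) to $office_gw port { 500, 4500 }

# The encrypted payload itself, both directions.
pass in  on $ext_if proto esp from $office_gw to ($ext_if)
pass out on $ext_if proto esp from ($ext_if) to $office_gw

# Decrypted traffic surfaces on enc0. if-bound ties the state to enc0 so the
# state created there is not also matched by the same flow on $ext_if.
pass on enc0 from any to any keep state (if-bound)
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and after the tunnel comes up compare `ipsecctl -s all` (flows and SAD) with `pfctl -ss` filtered on enc0 to confirm the states are being created on the interface the rule names.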

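The home-side log in the quoted message shows the pattern to look for: the CREATE_CHILD_SA sent at 02:27:57 is answered one second later, but the ones sent at 02:33:50 and 13:08:11 never get a CREATE_CHILD_SA back, and the peer keeps appearing from a different source port (59973, 55932, 55595) while the office side logs port 500 throughout, which is worth ruling out as a state-table rewrite somewhere in the path. The script below is an added example, not code from the thread or from iked: it scans an iked syslog file for rekey requests that got no reply within a window. The field positions it uses match the log format quoted in the thread, the sample log is a constructed copy of the home-GW lines, and the log path in the usage comment is an assumption.

```sh
#!/bin/sh
# Added example: report CREATE_CHILD_SA (rekey) requests that iked sent but
# never received a CREATE_CHILD_SA reply for within a window of seconds.
# Field positions assume the iked log format quoted in the thread.

# Constructed sample: the home-GW iked lines quoted in the thread, in order.
SAMPLE_LOG="Oct 15 23:47:32 fw1 iked[8578]: sa_state: VALID -> ESTABLISHED from 20.1.1.2:59973 to 10.1.1.1:500 policy 'home_to_office'
Oct 16 02:27:57 fw1 iked[8578]: ikev2_msg_send: CREATE_CHILD_SA from 10.1.1.1:500 to 20.1.1.2:59973, 240 bytes
Oct 16 02:27:58 fw1 iked[8578]: ikev2_recv: CREATE_CHILD_SA from responder 20.1.1.2:55932 to 10.1.1.1:500 policy 'home_to_office', 240 bytes
Oct 16 02:27:58 fw1 iked[8578]: ikev2_msg_send: INFORMATIONAL from 10.1.1.1:500 to 20.1.1.2:55932, 80 bytes
Oct 16 02:27:58 fw1 iked[8578]: ikev2_recv: INFORMATIONAL from responder 20.1.1.2:55932 to 10.1.1.1:500 policy 'home_to_office', 80 bytes
Oct 16 02:30:47 fw1 iked[8578]: ikev2_recv: CREATE_CHILD_SA from responder 20.1.1.2:55595 to 10.1.1.1:500 policy 'home_to_office', 240 bytes
Oct 16 02:33:50 fw1 iked[8578]: ikev2_msg_send: CREATE_CHILD_SA from 10.1.1.1:500 to 20.1.1.2:59973, 240 bytes
Oct 16 13:08:11 fw1 iked[8578]: ikev2_msg_send: CREATE_CHILD_SA from 10.1.1.1:500 to 20.1.1.2:55932, 240 bytes"

# unanswered_rekeys LOGFILE WINDOW_SECONDS
# Prints "<timestamp> -> <peer>" for every CREATE_CHILD_SA request to a peer
# that was not followed by a CREATE_CHILD_SA reply from that peer within WINDOW.
unanswered_rekeys() {
  awk -v win="$2" '
    # Seconds from a syslog "Mon DD HH:MM:SS" stamp. month*31 is not a real
    # calendar, but it is monotonic, which is all the subtraction needs
    # (syslog stamps carry no year).
    function stamp(m, d, t,    a) {
      split(t, a, ":")
      return (mon[m] * 31 + d) * 86400 + a[1] * 3600 + a[2] * 60 + a[3]
    }
    # Compare peers by address only: drop a trailing comma and the ":port",
    # because the quoted log shows one peer behind several source ports.
    function addr(v) { sub(/,$/, "", v); sub(/:[0-9]+$/, "", v); return v }
    BEGIN {
      n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", ms, " ")
      for (i = 1; i <= n; i++) mon[ms[i]] = i
      n = 0
    }
    # Outgoing rekey request: "... ikev2_msg_send: CREATE_CHILD_SA from X to Y, N bytes"
    $6 == "ikev2_msg_send:" && $7 == "CREATE_CHILD_SA" {
      n++; sent[n] = stamp($1, $2, $3); to[n] = addr($11); when[n] = $1 " " $2 " " $3
    }
    # Reply: "... ikev2_recv: CREATE_CHILD_SA from responder Y to X policy ..."
    $6 == "ikev2_recv:" && $7 == "CREATE_CHILD_SA" && $9 == "responder" {
      t = stamp($1, $2, $3); p = addr($10)
      # Pair the reply with the oldest still-open request to the same peer.
      for (i = 1; i <= n; i++)
        if (!(i in done) && to[i] == p && t >= sent[i] && t - sent[i] <= win) { done[i] = 1; break }
    }
    END { for (i = 1; i <= n; i++) if (!(i in done)) print when[i] " -> " to[i] }
  ' "$1"
}

# Usage on a live box (assumed path; iked logs via syslog's daemon facility):
#   unanswered_rekeys /var/log/daemon 60
# Demo on the constructed sample:
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$tmp"
unanswered_rekeys "$tmp" 60
rm -f "$tmp"
```

On the sample this prints the two rekeys from the thread that were never answered. Run it against both gateways' logs: a request that is unanswered on one side and never logged as received on the other points at the path between them rather than at iked's lifetime settings.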
