I can't seem to figure out why my sessions time out when I bring my
site-to-site VPN up. I'm using "isakmpd -K -T" on both sides, then run
ipsecctl -f /etc/ipsec.conf to bring the VPN up. My tunnel comes up fine and
traffic passes on the enc0 interface and everything is great. When I look at
ipsecctl -sa I have a total of 6 lines under FLOWS and a corresponding 6
esp tunnel entries under SAD. However, after a few minutes I notice a total
of 8 lines under FLOWS and more SAD entries. I don't know if this is normal
behavior, but when this happens I get reports of intermittent timeouts to
the other end, which causes me to kill isakmpd. Has anyone seen this behavior
before who can tell me if I'm doing something wrong and/or how to resolve
it?

Here's my configuration in ipsec.conf, mirrored on both sides of the tunnel.

ike esp from a.a.a.0/24 to b.b.b.0/21 local x.x.x.142 peer y.y.y.218
ike esp from x.x.x.142 to b.b.b.0/21 local x.x.x.142 peer y.y.y.218
ike esp from x.x.x.142 to y.y.y.218


# ipsecctl -sa
FLOWS:
flow esp in from x.x.x.142 to b.b.b.0/21 peer x.x.x.142 srcid y.y.y.218/32 dstid x.x.x.142/32 type use
flow esp out from b.b.b.0/21 to x.x.x.142 peer x.x.x.142 srcid y.y.y.218/32 dstid x.x.x.142/32 type require
flow esp in from x.x.x.142 to y.y.y.218 peer x.x.x.142 srcid y.y.y.218/32 dstid x.x.x.142/32 type use
flow esp out from y.y.y.218 to x.x.x.142 peer x.x.x.142 srcid y.y.y.218/32 dstid x.x.x.142/32 type require
flow esp in from a.a.a.0/24 to b.b.b.0/21 peer x.x.x.142 srcid y.y.y.218/32 dstid x.x.x.142/32 type use
flow esp out from b.b.b.0/21 to a.a.a.0/24 peer x.x.x.142 srcid y.y.y.218/32 dstid x.x.x.142/32 type require
flow esp in from a.a.a.0/24 to y.y.y.218 peer x.x.x.142 srcid y.y.y.218/32 dstid x.x.x.142/32 type use
flow esp out from y.y.y.218 to a.a.a.0/24 peer x.x.x.142 srcid y.y.y.218/32 dstid x.x.x.142/32 type require

SAD:
esp tunnel from x.x.x.142 to y.y.y.218 spi 0xe32eba36 auth hmac-sha2-256 enc aes \
        authkey 0xb789a922d531e5f242d159d5ac369bb2563194567864553521084152822f5a37 \
        enckey 0x96bc9cddaccbc0a122aa9f5a543527b0
esp tunnel from y.y.y.218 to x.x.x.142 spi 0xf06fdc84 auth hmac-sha2-256 enc aes \
        authkey 0x4b74f370a34ac280d421134207b95e44bf67ee162446b5ab7402f9ff9896dac7 \
        enckey 0x5c475ffebae505bd25752125a3c434e9
esp tunnel from y.y.y.218 to x.x.x.142 spi 0x4b963365 auth hmac-sha2-256 enc aes \
        authkey 0x6451a9d20d7ed9dc7227561cacbbc41a673e1a0b362aa70edc7627c034cc58ef \
        enckey 0xb6c1516172d2144b055e086651d5c97f
esp tunnel from x.x.x.142 to y.y.y.218 spi 0x744f4841 auth hmac-sha2-256 enc aes \
        authkey 0x41c7e717df5cd8726ca3c5552f5ae329b81a54256bc086988e4a5a34b7a1421b \
        enckey 0x6894738f4bca1fd14f414d3d46e26602
esp tunnel from x.x.x.142 to y.y.y.218 spi 0xed0ca41b auth hmac-sha2-256 enc aes \
        authkey 0x7bdb7484c4997263be78ac28a5db12e46d63b9e98790e22b33fac07f1668f9c7 \
        enckey 0xdc2799e41119c4bf1afa01026154fce4
esp tunnel from x.x.x.142 to y.y.y.218 spi 0x6602d819 auth hmac-sha2-256 enc aes \
        authkey 0xc0b281eac4b7cd0cfc3c729117c856cf8009d23415a8db84eec28e9c4a008374 \
        enckey 0x9c0adf1d52992a1752cd8a179fe1004e
esp tunnel from y.y.y.218 to x.x.x.142 spi 0x0d4f777a auth hmac-sha2-256 enc aes \
        authkey 0x9e94a0462f835baf85b9070474de056a09b366e3407b4d615293975743916cc7 \
        enckey 0x604e844bc3d74ed3f3643d876a78b101
esp tunnel from y.y.y.218 to x.x.x.142 spi 0x5f1f12c6 auth hmac-sha2-256 enc aes \
        authkey 0x535a73496f535e3a813ab66b41944eade737b4b7cd83e65f66597d22cda0d692 \
        enckey 0x2a5e518b6048c8aafaba4fbebb99ee7b

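The post counts FLOWS and SAD lines by hand and notes that the totals grew from 6 to 8 without saying which entries appeared. The script below is an added example, not code from the post or from OpenBSD: it parses the FLOWS and SAD sections that ipsecctl -sa prints, counts SAs per direction against the number of flow pairs (isakmpd negotiates one SA in each direction per ike rule, so a surplus means rekeyed and old SAs coexist), and diffs two snapshots so the new flow pair and new SPIs are listed explicitly. The "after" snapshot is built from the post's output; the "before" snapshot is an assumption (the 6-flow state the post describes, with the a.a.a.0/24 to y.y.y.218 pair absent); the authkey/enckey values are replaced with placeholders, and the parser never stores them, because the values in the post are live SA key material.

```python
"""Added example (not from the original post): parse `ipsecctl -sa` output
and diff two snapshots.  Sample snapshots are constructed; keys are redacted."""
import re

# Flow lines: "flow esp in from A to B peer P srcid S dstid D type T"
FLOW_RE = re.compile(
    r"^flow (?P<proto>\w+) (?P<dir>in|out) from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: peer (?P<peer>\S+))?(?: srcid (?P<srcid>\S+))?"
    r"(?: dstid (?P<dstid>\S+))?(?: type (?P<type>\w+))?")
# SAD lines: "esp tunnel from A to B spi 0x... auth X enc Y ..." (keys are ignored)
SA_RE = re.compile(
    r"^(?P<proto>\w+) (?P<mode>tunnel|transport) from (?P<src>\S+) to (?P<dst>\S+)"
    r" spi (?P<spi>0x[0-9a-fA-F]+)(?: auth (?P<auth>\S+))?(?: enc (?P<enc>\S+))?")


def _join_continuations(text):
    """Merge lines ending in a backslash, the way ipsecctl prints SAD entries."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        lines.append((buf + line).strip())
        buf = ""
    if buf:
        lines.append(buf.strip())
    return lines


def parse_ipsecctl_sa(text):
    """Return {'flows': [...], 'sad': [...]} from ipsecctl -sa output."""
    flows, sas = [], []
    for line in _join_continuations(text):
        m = FLOW_RE.match(line)
        if m:
            flows.append(m.groupdict())
            continue
        m = SA_RE.match(line)
        if m:
            sas.append(m.groupdict())
    return {"flows": flows, "sad": sas}


def flow_key(f):
    return (f["dir"], f["src"], f["dst"], f.get("peer") or "")


def sa_key(s):
    return (s["src"], s["dst"], s["spi"].lower())


def summarize(parsed):
    """Counts, SAs per (src, dst) direction, and any surplus of SAs over flow
    pairs in a direction (old and rekeyed SAs alive at the same time)."""
    pairs = sum(1 for f in parsed["flows"] if f["dir"] == "in")
    per_dir = {}
    for s in parsed["sad"]:
        d = (s["src"], s["dst"])
        per_dir[d] = per_dir.get(d, 0) + 1
    return {"flows": len(parsed["flows"]), "flow_pairs": pairs,
            "sas": len(parsed["sad"]), "sas_per_dir": per_dir,
            "surplus": {d: n - pairs for d, n in per_dir.items() if n > pairs}}


def diff_snapshots(before, after):
    """Flows and SAs present in one snapshot but not the other."""
    bf = {flow_key(f) for f in before["flows"]}
    af = {flow_key(f) for f in after["flows"]}
    bs = {sa_key(s) for s in before["sad"]}
    as_ = {sa_key(s) for s in after["sad"]}
    return {"added_flows": sorted(af - bf), "removed_flows": sorted(bf - af),
            "added_sas": sorted(as_ - bs), "removed_sas": sorted(bs - as_)}


# Constructed sample data mirroring the post's addresses and output format.
X, Y, A, B = "x.x.x.142", "y.y.y.218", "a.a.a.0/24", "b.b.b.0/21"


def _snapshot(flow_pairs, spis):
    """Build ipsecctl -sa style text; keys replaced by placeholders."""
    out = ["FLOWS:"]
    for local, remote in flow_pairs:
        out.append(f"flow esp in from {local} to {remote} peer {X} srcid {Y}/32 dstid {X}/32 type use")
        out.append(f"flow esp out from {remote} to {local} peer {X} srcid {Y}/32 dstid {X}/32 type require")
    out.append("SAD:")
    for src, dst, spi in spis:
        out.append(f"esp tunnel from {src} to {dst} spi {spi} auth hmac-sha2-256 enc aes \\")
        out.append("        authkey 0xREDACTED enckey 0xREDACTED")
    return "\n".join(out) + "\n"


# Assumed "before" state: the three ike rules' flow pairs, one SA per direction each.
BEFORE = _snapshot(
    [(X, B), (X, Y), (A, B)],
    [(X, Y, "0xe32eba36"), (Y, X, "0xf06fdc84"), (Y, X, "0x4b963365"),
     (X, Y, "0x744f4841"), (X, Y, "0xed0ca41b"), (Y, X, "0x0d4f777a")])
# "After" state as shown in the post: a fourth flow pair and two more SPIs.
AFTER = _snapshot(
    [(X, B), (X, Y), (A, B), (A, Y)],
    [(X, Y, "0xe32eba36"), (Y, X, "0xf06fdc84"), (Y, X, "0x4b963365"),
     (X, Y, "0x744f4841"), (X, Y, "0xed0ca41b"), (X, Y, "0x6602d819"),
     (Y, X, "0x0d4f777a"), (Y, X, "0x5f1f12c6")])

if __name__ == "__main__":
    before, after = parse_ipsecctl_sa(BEFORE), parse_ipsecctl_sa(AFTER)
    print(summarize(before))
    print(summarize(after))
    print(diff_snapshots(before, after))
```

On a live gateway, feed it `ipsecctl -sa` output captured right after the tunnel comes up and again once the timeouts start, and compare the two; on the constructed data the diff isolates the a.a.a.0/24 to y.y.y.218 flow pair, which none of the three ike lines in the posted ipsec.conf requests, and one new SPI per direction with no surplus of SAs over flow pairs in either snapshot.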