Yes, the option "Prefer old IPsec SAs" is not checked. Therefore I think the system prefers newer SAs by default.

Jörg

-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED]
Sent: Thursday, 8 September 2005 16:57
To: Joerg Horchler
Cc: [email protected]
Subject: Re: [pfSense Support] purged SA caused by timeout .. but why?

Do you have the prefer newer SA option checked in System -> Advanced?

Scott

On 9/8/05, Joerg Horchler <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I want to configure a more complex scenario to establish an IPSec tunnel
> between the LAN of my company and the LAN of one of our customers. First a
> short description:
>
> We want to use two machines in our LAN to access several services in the LAN
> of our customer. The customer's policy forces us to use a network that we
> don't use (as explained later). So we have to NAT the IPs of our two
> machines. We do this on a firewall. After the firewall the traffic passes our
> VPN gateway which has to protect the traffic with ESP. Here is a short
> graphic.
>
> Internal LAN: 10.x.x.x/24
> DMZ: 192.168.1.x/24
> Enforced NAT Pool: 192.168.2.x/28
> External LAN: x.x.x.x/x
>
> +--------------+
> | box01        |
> | 10.x.x.25/24 |
> +--------------+
>        |
>        +----------------+
>                         |
> +--------------+        |
> | box02        |        |
> | 10.x.x.26/24 |        |
> +--------------+        |
>        |                |
>        +----------------+
>                 |
>                 |eth0:10.x.x.27/24
>         +----------------+
>         |    firewall    |
>         +----------------+
>                 |eth1:192.168.1.250/24
>                 |eth1:1:192.168.2.65/28
>                 |
>                 |
>                 |
>                 |vr0:192.168.1.251/24
>         +----------------+
>         |  VPN gateway   |
>         +----------------+
>                 |vr1:x.x.x.x/x
>                 |
>                 |
>                 |
>                 |x.x.x.x/x
>         +----------------+
>         |    CiscoVPN    |
>         +----------------+
>                 |x.x.x.x/x
>                 |
>                 |
>         +---------------+
>         |               |
>         |               |
> +---------------+       |
> | box01         |       |
> | 217.x.x.26/24 |       |
> +---------------+       |
>                         |
> +---------------+       |
> | box02         |-------+
> | 217.x.x.27/24 |
> +---------------+
>
> I try to access 217.x.x.26 via SSH from 10.x.x.25. The source address
> is NATed on our firewall to 192.168.2.65. On the VPN gateway I
> configured a policy to protect every traffic from 192.168.2.x/28 to
> 217.x.x.26/24 with ESP via the Cisco VPN appliance (remote gateway).
> The connection with this setup times out. The log on our syslog server
> has logged
>
> Sep 1 14:15:21 cvpndmz racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for x.x.x.x queued due to no phase1 found.
> Sep 1 14:15:21 cvpndmz racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
> Sep 1 14:15:21 cvpndmz racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
> Sep 1 14:15:21 cvpndmz racoon: NOTIFY: oakley.c:2084:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
> Sep 1 14:15:21 cvpndmz racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established x.x.x.x[500]-x.x.x.x[500] spi:ea64dfd3aa29dc62:121857c2df384193
> Sep 1 14:15:22 cvpndmz racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate new phase 2 negotiation: x.x.x.x[0]<=>x.x.x.x[0]
> Sep 1 14:15:22 cvpndmz racoon: INFO: isakmp_inf.c:887:purge_isakmp_spi(): purged ISAKMP-SA proto_id=ISAKMP spi=ea64dfd3aa29dc62:121857c2df384193.
> Sep 1 14:15:52 cvpndmz racoon: ERROR: pfkey.c:804:pfkey_timeover(): x.x.x.x give up to get IPsec-SA due to time up to wait.
> Sep 1 14:15:52 cvpndmz racoon: INFO: isakmp.c:1574:isakmp_ph1delete(): ISAKMP-SA deleted x.x.x.x[500]-x.x.x.x[500] spi:ea64dfd3aa29dc62:121857c2df384193
>
> As no error message above the time out is given here I'm a little bit
> confused about what is going on here.
>
> Perhaps someone has an idea.
>
> Cheers
> Jörg
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
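The racoon log quoted in the thread tells the story in a fixed order: phase 1 is established, phase 2 is started one second later, the phase 1 SA is purged in the same second, and 30 seconds later pfkey gives up waiting for the IPsec SA. The following script is an added example, not part of the mailing-list thread or of pfSense/racoon, that parses racoon syslog lines and flags exactly that sequence (a phase 1 SA purged while a phase 2 negotiation is still pending, followed by a phase 2 timeout), plus the PSK-lookup fallback NOTIFY. The message patterns and the sample lines are taken from the post above (peer addresses anonymised as x.x.x.x, as in the post); the event names and the finding wording are this example's own.

```python
import re

# Sample racoon syslog lines, copied from the mailing-list post above
# (peer addresses are x.x.x.x there as well).
SAMPLE_LOG = """\
Sep 1 14:15:21 cvpndmz racoon: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for x.x.x.x queued due to no phase1 found.
Sep 1 14:15:21 cvpndmz racoon: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: x.x.x.x[500]<=>x.x.x.x[500]
Sep 1 14:15:21 cvpndmz racoon: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Aggressive mode.
Sep 1 14:15:21 cvpndmz racoon: NOTIFY: oakley.c:2084:oakley_skeyid(): couldn't find the proper pskey, try to get one by the peer's address.
Sep 1 14:15:21 cvpndmz racoon: INFO: isakmp.c:2459:log_ph1established(): ISAKMP-SA established x.x.x.x[500]-x.x.x.x[500] spi:ea64dfd3aa29dc62:121857c2df384193
Sep 1 14:15:22 cvpndmz racoon: INFO: isakmp.c:952:isakmp_ph2begin_i(): initiate new phase 2 negotiation: x.x.x.x[0]<=>x.x.x.x[0]
Sep 1 14:15:22 cvpndmz racoon: INFO: isakmp_inf.c:887:purge_isakmp_spi(): purged ISAKMP-SA proto_id=ISAKMP spi=ea64dfd3aa29dc62:121857c2df384193.
Sep 1 14:15:52 cvpndmz racoon: ERROR: pfkey.c:804:pfkey_timeover(): x.x.x.x give up to get IPsec-SA due to time up to wait.
Sep 1 14:15:52 cvpndmz racoon: INFO: isakmp.c:1574:isakmp_ph1delete(): ISAKMP-SA deleted x.x.x.x[500]-x.x.x.x[500] spi:ea64dfd3aa29dc62:121857c2df384193
"""

# syslog prefix, host, "racoon:", level, "file.c:line:function():", free text
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) racoon: "
    r"(?P<level>\w+): (?P<src>\S+): (?P<msg>.*)$"
)
# racoon prints the ISAKMP SPI pair as "spi:i_cookie:r_cookie" or "spi=...".
SPI_RE = re.compile(r"spi[:=]([0-9a-f]+:[0-9a-f]+)")


def classify(msg):
    """Map a racoon message to a coarse event kind (names chosen for this example)."""
    if "initiate new phase 1" in msg:
        return "ph1_begin"
    if "ISAKMP-SA established" in msg:
        return "ph1_established"
    if "initiate new phase 2" in msg:
        return "ph2_begin"
    if "IPsec-SA established" in msg:          # phase 2 success (not present in the post)
        return "ph2_established"
    if "purged ISAKMP-SA" in msg:
        return "ph1_purged"
    if "give up to get IPsec-SA" in msg:
        return "ph2_timeout"
    if "ISAKMP-SA deleted" in msg:
        return "ph1_deleted"
    if "couldn't find the proper pskey" in msg:
        return "psk_fallback"
    return "other"


def parse_racoon(text):
    """Turn raw syslog text into an ordered list of event dicts; non-racoon lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        msg = m.group("msg")
        spi = SPI_RE.search(msg)
        events.append({
            "ts": m.group("ts"),
            "level": m.group("level"),
            "kind": classify(msg),
            "spi": spi.group(1) if spi else None,
            "msg": msg,
        })
    return events


def diagnose(events):
    """Walk the events in log order and return a list of human-readable findings."""
    findings = []
    ph2_pending = False   # a phase 2 negotiation has started and not yet completed
    live_ph1 = set()      # SPIs of phase 1 (ISAKMP) SAs currently established
    for ev in events:
        kind, ts, spi = ev["kind"], ev["ts"], ev["spi"]
        if kind == "psk_fallback":
            findings.append(f"{ts}: PSK lookup by peer identity failed; racoon fell back "
                            f"to looking the PSK up by peer address")
        elif kind == "ph1_established":
            live_ph1.add(spi)
        elif kind == "ph2_begin":
            ph2_pending = True
        elif kind == "ph2_established":
            ph2_pending = False
        elif kind == "ph1_purged":
            live_ph1.discard(spi)
            if ph2_pending:
                findings.append(f"{ts}: phase 1 SA {spi} purged while a phase 2 "
                                f"negotiation was still pending")
        elif kind == "ph2_timeout" and ph2_pending:
            ph2_pending = False
            remaining = "no phase 1 SA left" if not live_ph1 else f"phase 1 SA(s) {sorted(live_ph1)} still live"
            findings.append(f"{ts}: phase 2 timed out ({remaining})")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_racoon(SAMPLE_LOG)):
        print(finding)
```

Run against the post's lines it reports three findings in order: the PSK fallback at 14:15:21, the phase 1 SA purged at 14:15:22 while phase 2 was pending, and the phase 2 timeout at 14:15:52 with no phase 1 SA left. The state machine is deliberately minimal (one pending phase 2 at a time, tracked per log stream rather than per peer), which is enough to spot this pattern in a single gateway's log; per-peer tracking would be the next step for a busy gateway.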
