On 12/1/06, Jason W. Allen <[EMAIL PROTECTED]> wrote:
Lifetime: 28800 Lifetime: 86400
Now when I try to ping from the left network to the right nothing happens and these are the logs I get.
Dec 1 13:04:19 racoon: INFO: @(#)ipsec-tools 0.6.6
Dec 1 13:04:19 racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
This is just a theory, but it looks like racoon doesn't play well (in some situations) if the Phase 2 lifetime is longer than the Phase 1 lifetime.

I've been dealing with a situation where there are 3 sites, each with links to the other two sites.

A <-> B  OK
B <-> C  OK
A <-> C  Periodic failures

The periodic failures that I saw were that the link would only establish properly when traffic was initiated from site A. If the link dropped, traffic from site C would not bring it back up. At times, recovery was only possible by disabling the tunnel on site A's firewall and then enabling it. This forced a new association and everything would be fine for a while.

I finally had a chance to switch site C to pfSense (from m0n0) and thought that maybe that would solve the problem. It didn't, so I started digging around. Eventually, I found information that pointed to racoon so I started examining that. In the end, it turned out that that particular link was configured with a Phase 1 lifetime of 14400. Phase 2 lifetime was not specified so it used the default of 28800. None of the other links had that specified. After removing the lifetime value and applying changes, the link came right up whereas before I would have had to disable, save, enable, save, and cross my fingers.

YMMV,
M
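A configuration check of the kind M's diagnosis calls for, added here as an example and not code from the thread, racoon or pfSense: it parses the lifetime lines of a constructed racoon.conf fragment and flags any sainfo (Phase 2) lifetime that outlives a remote (Phase 1) lifetime. The 28800 second defaults used for blocks without a lifetime line are assumptions taken from M's post; the sec/min/hour unit keywords are racoon's own.

```python
import re

# Constructed racoon.conf fragment (not from the thread): the remote block
# carries the 14400 s Phase 1 lifetime M describes, while the sainfo block
# keeps a 28800 s (8 hour) Phase 2 lifetime, which is longer.
SAMPLE_CONF = """
remote 198.51.100.1 {
    exchange_mode main;
    lifetime time 14400 sec;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo anonymous {
    lifetime time 8 hour;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
}
"""

UNITS = {"sec": 1, "min": 60, "hour": 3600}  # racoon's lifetime time units

def _blocks(conf, keyword):
    """Yield (name, body) for each top-level `keyword name { ... }` block,
    counting nested braces so a proposal {} inside remote {} stays in the body."""
    for m in re.finditer(r"^\s*%s\s+([^{]+?)\s*\{" % keyword, conf, re.M):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def lifetime_seconds(body, default):
    """Return a block's `lifetime time N unit;` in seconds, or default if absent."""
    m = re.search(r"lifetime\s+time\s+(\d+)\s+(sec|min|hour)\s*;", body)
    return int(m.group(1)) * UNITS[m.group(2)] if m else default

def find_mismatches(conf, p1_default=28800, p2_default=28800):
    """Return (remote, sainfo, p1_secs, p2_secs) for every pair where the
    Phase 2 lifetime exceeds the Phase 1 lifetime. Defaults are assumed."""
    p1 = {n: lifetime_seconds(b, p1_default) for n, b in _blocks(conf, "remote")}
    p2 = {n: lifetime_seconds(b, p2_default) for n, b in _blocks(conf, "sainfo")}
    return [(r, s, a, b) for r, a in p1.items() for s, b in p2.items() if b > a]
```

Removing the explicit Phase 1 lifetime, as M did, makes both sides fall back to the same default and the check reports nothing.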
