isakmpd does not initiate connections but waits for others
- To: tech_(_at_)_openbsd_(_dot_)_org
- Subject: isakmpd does not initiate connections but waits for others
- From: TERPLAK Alexandre <alex_(_at_)_vbone_(_dot_)_net>
- Date: Sun, 02 Mar 2003 19:00:30 +0100
Hi,
I have a working IPsec setup with 3 tunnels; the remote firewalls are Linux
and Cisco. Once established, the tunnels work fine. There's just one
problem, a very annoying one: when I reboot my OpenBSD 3.2 firewall the
tunnels take ages to reestablish (several hours sometimes).
If I run tcpdump I can see that isakmpd does not send any packet until
one is received from another gateway, even after one hour.
How can I force isakmpd to initiate the tunnel negotiation? On other
IPsec implementations this seems to be done each time a packet wants to
reach the remote network, i.e. a ping does start the IPsec negotiation
if the tunnel was down.
The log keeps saying this:
Exch 40 exchange_establish: IPsec-Conn-XXX_LAN-CCC exchange already
exists as 0x11b100
Does it mean that isakmpd thinks the exchange is already started? But I
should see udp/500 packets.
This is the isakmpd.conf I'm using, in case it helps:
[General]
Check-interval= 5
Exchange-max-time= 30
[Phase 1]
1.1.1.1= ISAKMP-peer-node-AAA
2.2.2.2= ISAKMP-peer-node-BBB
3.3.3.3= ISAKMP-peer-node-CCC
[Phase 2]
Connections= IPsec-Conn-XXX_LAN-AAA,IPsec-Conn-XXX_LAN-BBB,IPsec-Conn-XXX_LAN-CCC
# ISAKMP Phase 1 peer sections
##############################
[ISAKMP-peer-node-AAA]
Phase= 1
Transport= udp
Address= 1.1.1.1
Configuration= Default-main-mode
Authentication= xxx
[ISAKMP-peer-node-BBB]
Phase= 1
Transport= udp
Address= 2.2.2.2
Configuration= Default-main-mode
Authentication= xxx
[ISAKMP-peer-node-CCC]
Phase= 1
Transport= udp
Address= 3.3.3.3
Configuration= Default-main-mode
Authentication= xxx
# IPsec Phase 2 sections
########################
[IPsec-Conn-XXX_LAN-AAA]
Phase= 2
ISAKMP-peer= ISAKMP-peer-node-AAA
Configuration= Default-quick-mode
Local-ID= MyNet-XXX_LAN
Remote-ID= OtherNet-AAA
[IPsec-Conn-XXX_LAN-BBB]
Phase= 2
ISAKMP-peer= ISAKMP-peer-node-BBB
Configuration= Default-quick-mode
Local-ID= MyNet-XXX_LAN
Remote-ID= OtherNet-BBB
[IPsec-Conn-XXX_LAN-CCC]
Phase= 2
ISAKMP-peer= ISAKMP-peer-node-CCC
Configuration= Default-quick-mode
Local-ID= MyNet-XXX_LAN
Remote-ID= OtherNet-CCC
# Client ID sections
####################
[MyNet-XXX_LAN]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.1.0
Netmask= 255.255.255.0
[OtherNet-AAA]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.17.0
Netmask= 255.255.255.0
[OtherNet-BBB]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.7.0
Netmask= 255.255.255.0
[OtherNet-CCC]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.222.0
Netmask= 255.255.255.0
# Main mode descriptions
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA
# Quick mode description
########################
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE,QM-ESP-3DES-SHA-PFS-SUITE,QM-ESP-3DES-MD5-SUITE,QM-ESP-3DES-MD5-PFS-SUITE
Regards,
Alexandre
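Added illustration, not from the post or from isakmpd itself: the isakmpd.conf above wires each name in [Phase 2] Connections= through a Phase 2 section, an ISAKMP-peer section and the [Phase 1] address map, and a misspelled name anywhere in that chain leaves the connection without a complete definition. This Python checker parses a constructed, shortened copy of the post's layout and reports each broken link; the sample config, the function names and the message strings are all assumptions made here.

```python
# Constructed sample in the post's isakmpd.conf layout (shortened); the BBB connection has no section on purpose.
SAMPLE_CONF = """\
[Phase 1]
1.1.1.1= ISAKMP-peer-node-AAA
[Phase 2]
Connections= IPsec-Conn-XXX_LAN-AAA,IPsec-Conn-XXX_LAN-BBB
[ISAKMP-peer-node-AAA]
Phase= 1
Address= 1.1.1.1
[IPsec-Conn-XXX_LAN-AAA]
Phase= 2
ISAKMP-peer= ISAKMP-peer-node-AAA
Local-ID= MyNet-XXX_LAN
Remote-ID= OtherNet-AAA
[MyNet-XXX_LAN]
ID-type= IPV4_ADDR_SUBNET
[OtherNet-AAA]
ID-type= IPV4_ADDR_SUBNET
"""

def parse_conf(text):
    """Map each [section] to its 'Tag= value' pairs; '#' starts a comment."""
    sections, cur = {}, None
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(line[1:-1], {})
        elif "=" in line and cur is not None:
            tag, val = line.split("=", 1)
            cur[tag.strip()] = val.strip()
    return sections

def check_connections(sections):
    """List every broken link behind a [Phase 2] Connections= entry."""
    problems, phase1 = [], sections.get("Phase 1", {})
    names = sections.get("Phase 2", {}).get("Connections", "")
    for name in filter(None, (n.strip() for n in names.split(","))):
        conn = sections.get(name)
        if conn is None:
            problems.append(f"{name}: section missing")
            continue
        peer_name = conn.get("ISAKMP-peer", "")
        peer = sections.get(peer_name)
        if peer is None:
            problems.append(f"{name}: ISAKMP-peer section missing")
        elif phase1.get(peer.get("Address", "")) != peer_name:
            problems.append(f"{name}: peer address not mapped in [Phase 1]")
        for tag in ("Local-ID", "Remote-ID"):
            if conn.get(tag, "") not in sections:
                problems.append(f"{name}: {tag} section missing")
    return problems
```

Running `check_connections(parse_conf(open("/etc/isakmpd/isakmpd.conf").read()))` on a real file lists the dangling references, if any, before isakmpd is restarted.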