IPSec questions
Peter Shulkin
pshulkin at demoulasmarketbasket.com
Mon Mar 1 18:15:55 UTC 2010
So I have IPsec working from Red Hat to Red Hat, and from Red Hat to
Windows, but when I set up Red Hat (xx.xx) to HP (yy.yy), I get an SA
connection, but I cannot ping. Also, the log shows me "anonymous sainfo
selected" even though I have the SA defined.

A second question, re: Red Hat to Windows (ww.ww). I'm able to get a
successful connection as long as I ping from the Windows side first, but
then I lose the connection after 10 minutes of inactivity, and can only
re-establish it if I ping from the Windows side. Then I'm good for
another 10 minutes or so. Does anyone know how to stop this timeout?
setkey -DP

128.181.yy.yy[any] 128.181.xx.xx[32] any
	in prio def ipsec
	esp/transport//require
	created: Mar 1 09:09:55 2010  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=41304 seq=25 pid=20119
	refcnt=1
128.181.yy.yy[any] 128.181.xx.xx[any] any
	in prio def ipsec
	esp/transport//require
	ah/transport//require
	created: Mar 1 09:10:06 2010  lastused: Mar 1 09:14:33 2010
	lifetime: 0(s) validtime: 0(s)
	spid=41328 seq=24 pid=20119
	refcnt=2
128.181.xx.xx[any] 128.181.yy.yy[32] any
	out prio def ipsec
	esp/transport//require
	created: Mar 1 09:09:55 2010  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=41297 seq=21 pid=20119
	refcnt=1
128.181.xx.xx[any] 128.181.yy.yy[any] any
	out prio def ipsec
	esp/transport//require
	ah/transport//require
	created: Mar 1 09:10:06 2010  lastused: Mar 1 09:11:35 2010
	lifetime: 0(s) validtime: 0(s)
	spid=41321 seq=20 pid=20119
	refcnt=2
128.181.yy.yy[any] 128.181.xx.xx[32] any
	fwd prio def ipsec
	esp/transport//require
	created: Mar 1 09:09:55 2010  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=41314 seq=17 pid=20119
	refcnt=1
128.181.yy.yy[any] 128.181.xx.xx[any] any
	fwd prio def ipsec
	esp/transport//require
	ah/transport//require
	created: Mar 1 09:10:06 2010  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=41338 seq=16 pid=20119
	refcnt=1
(per-socket policy)
	in none
	created: Mar 1 09:10:07 2010  lastused: Mar 1 09:11:14 2010
	lifetime: 0(s) validtime: 0(s)
	spid=41363 seq=9 pid=20119
	refcnt=1
(per-socket policy)
	out none
	created: Mar 1 09:10:07 2010  lastused: Mar 1 09:11:55 2010
	lifetime: 0(s) validtime: 0(s)
	spid=41372 seq=1 pid=20119
	refcnt=1
From the debug log:

2010-03-01 09:11:35: DEBUG: suitable inbound SP found: 128.181.yy.yy/32[0] 128.181.xx.xx/32[0] proto=any dir=in.
2010-03-01 09:11:35: DEBUG: new acquire 128.181.xx.xx/32[0] 128.181.yy.yy/32[0] proto=any dir=out
2010-03-01 09:11:35: DEBUG: anonymous sainfo selected.
2010-03-01 09:11:55: DEBUG: resend phase2 packet 3a93dfd2a4ab4ba2:bbf5e70baaff7c07:0000a9d9
2010-03-01 09:12:05: DEBUG: get pfkey EXPIRE message
2010-03-01 09:12:05: INFO: IPsec-SA expired: AH/Transport 128.181.yy.yy[0]->128.181.xx.xx[0] spi=249936532(0xee5ba94)
2010-03-01 09:12:05: WARNING: the expire message is received but the handler has not been established.
2010-03-01 09:12:05: ERROR: 128.181.yy.yy give up to get IPsec-SA due to time up to wait.
2010-03-01 09:12:05: DEBUG: an undead schedule has been deleted.
2010-03-01 09:12:05: DEBUG: get pfkey EXPIRE message
2010-03-01 09:12:05: INFO: IPsec-SA expired: ESP/Transport 128.181.yy.yy[0]->128.181.xx.xx[0] spi=15343223(0xea1e77)
2010-03-01 09:12:05: DEBUG: no such a SA found: ESP/Transport 128.181.yy.yy[0]->128.181.xx.xx[0] spi=15343223(0xea1e77)
On the Windows side:

2010-03-01 12:22:08: DEBUG: pfkey UPDATE succeeded: ESP/Transport 128.181.ww.ww[0]->128.181.xx.xx[0] spi=101578039(0x60df537)
2010-03-01 12:22:08: INFO: IPsec-SA established: ESP/Transport 128.181.ww.ww[0]->128.181.xx.xx[0] spi=101578039(0x60df537)
Connection good.
After about 10 minutes or more:
2010-03-01 12:38:06: DEBUG: Cannot record event: event queue overflowed
2010-03-01 12:38:06: DEBUG: call pfkey_send_dump
2010-03-01 12:38:06: DEBUG: purged SAs.
ping 128.181.ww.ww
PING 128.181.ww.ww (128.181.ww.ww) 56(84) bytes of data.
--- 128.181.ww.ww ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 2999ms
But from the Windows server:
C:\WINDOWS>ping 128.181.xx.xx
Pinging 128.181.xx.xx with 32 bytes of data:
Negotiating IP Security.
Reply from 128.181.xx.xx: bytes=32 time=1ms TTL=64
Reply from 128.181.xx.xx: bytes=32 time<1ms TTL=64
Reply from 128.181.xx.xx: bytes=32 time<1ms TTL=64
Ping statistics for 128.181.xx.xx:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
Thanks,
Peter Shulkin
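Editor's note on reading the dump above, with an added example that is not part of the post: in `setkey -DP` output the bracketed value after an address is a port selector, while a prefix length prints as part of the address (`addr/32`). The entries showing `128.181.xx.xx[32]` and `128.181.yy.yy[32]` therefore match port 32 only, and they sit beside `[any]` policies for the same hosts that require both ESP and AH. The script below parses the dump format shown in the message (a constructed subset of it is embedded as sample input) and reports three things a reviewer would check before touching racoon: port selectors that look like mistyped prefix lengths, policies that require an AH+ESP bundle (the peer must propose the same bundle or phase 2 cannot complete), and several policies for one source/destination/direction. The `SUSPECT_PORTS` heuristic and the finding codes are this example's own choices, not anything from setkey or racoon.

```python
# Added example, not code from the post: parse a `setkey -DP` SPD dump
# and flag selector mistakes a reviewer would look for.
import re
from collections import defaultdict

# Constructed sample: a subset of the dump quoted in the post, with the
# tab indentation that setkey prints for continuation lines restored.
SAMPLE_DUMP = """\
128.181.yy.yy[any] 128.181.xx.xx[32] any
\tin prio def ipsec
\tesp/transport//require
\tcreated: Mar 1 09:09:55 2010 lastused:
\tlifetime: 0(s) validtime: 0(s)
\tspid=41304 seq=25 pid=20119
\trefcnt=1
128.181.yy.yy[any] 128.181.xx.xx[any] any
\tin prio def ipsec
\tesp/transport//require
\tah/transport//require
\tcreated: Mar 1 09:10:06 2010 lastused: Mar 1 09:14:33 2010
\tlifetime: 0(s) validtime: 0(s)
\tspid=41328 seq=24 pid=20119
\trefcnt=2
128.181.xx.xx[any] 128.181.yy.yy[32] any
\tout prio def ipsec
\tesp/transport//require
\tcreated: Mar 1 09:09:55 2010 lastused:
\tlifetime: 0(s) validtime: 0(s)
\tspid=41297 seq=21 pid=20119
\trefcnt=1
(per-socket policy)
\tin none
\tcreated: Mar 1 09:10:07 2010 lastused: Mar 1 09:11:14 2010
\tlifetime: 0(s) validtime: 0(s)
\tspid=41363 seq=9 pid=20119
\trefcnt=1
"""

# Selector line: "src[port] dst[port] upper-proto". A prefix length is part
# of the address ("10.0.0.0/24[any]"); the bracketed value is always a port.
HEADER = re.compile(r"^(?P<src>\S+)\[(?P<sport>[^\]]+)\]\s+"
                    r"(?P<dst>\S+)\[(?P<dport>[^\]]+)\]\s+(?P<proto>\S+)$")
# Protocol line: "esp/transport//require" or "esp/tunnel/a-b/require".
SA_LINE = re.compile(r"^(ah|esp|ipcomp)/(\w+)/([^/]*)/(\w+)$")
# Port numbers far more likely to be a mistyped prefix length (heuristic).
SUSPECT_PORTS = {"24", "32", "64", "128"}


def parse_spd(text):
    """Return one dict per SPD entry (including per-socket entries)."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m or line == "(per-socket policy)":
            cur = {"src": None, "dst": None, "sport": None, "dport": None,
                   "proto": None, "dir": None, "action": None, "sas": [],
                   "spid": None, "per_socket": m is None}
            if m:
                cur.update(m.groupdict())
            policies.append(cur)
            continue
        if cur is None:
            continue
        words = line.split()
        if words[0] in ("in", "out", "fwd"):
            cur["dir"], cur["action"] = words[0], words[-1]  # ipsec/none/discard
        elif SA_LINE.match(line):
            proto, mode, _endpoints, level = line.split("/")
            cur["sas"].append((proto, mode, level))
        elif words[0].startswith("spid="):
            cur["spid"] = int(words[0].split("=", 1)[1])
    return policies


def audit(policies):
    """Return (code, key, message) findings for the parsed policies."""
    findings, by_flow = [], defaultdict(list)
    for p in policies:
        if p["per_socket"]:
            continue  # socket-attached policy (e.g. racoon's own), not ours to tune
        for side in ("sport", "dport"):
            if p[side] in SUSPECT_PORTS:
                findings.append(("port-looks-like-prefix", p["spid"],
                                 f"spid {p['spid']}: {side} [{p[side]}] selects port "
                                 f"{p[side]} only; a prefix would print as addr/{p[side]}"))
        if {"ah", "esp"} <= {proto for proto, _, _ in p["sas"]}:
            findings.append(("ah+esp-bundle", p["spid"],
                             f"spid {p['spid']}: requires both ESP and AH; the peer "
                             "must accept the same bundle or phase 2 will not complete"))
        by_flow[(p["src"], p["dst"], p["dir"])].append(p["spid"])
    for key, spids in by_flow.items():
        if len(spids) > 1:
            findings.append(("overlap", key,
                             f"{key[2]} {key[0]} -> {key[1]}: {len(spids)} policies "
                             f"(spid {', '.join(map(str, spids))}); check which one matches"))
    return findings
```

Run it with `for _, _, msg in audit(parse_spd(SAMPLE_DUMP)): print(msg)`, or feed it the output of `setkey -DP` on the Red Hat host instead of the sample. On the sample it reports the port-32 selectors on spid 41304 and 41297, the AH+ESP bundle on spid 41328, and two overlapping inbound policies for yy.yy -> xx.xx; per-socket entries are skipped because they belong to whichever process opened the socket.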
More information about the redhat-list mailing list