IPSec questions

Peter Shulkin pshulkin at demoulasmarketbasket.com
Mon Mar 1 18:15:55 UTC 2010


So I have IPSec working from redhat to redhat, and from redhat to
windows, but when I set up redhat (xx.xx) to hp (yy.yy), I get an SA
connection, but I cannot ping.  Also, the log shows me "anonymous sainfo
selected" even though I have the SA defined.

A second question, re: redhat to windows (ww.ww).  I'm able to get a
successful connection as long as I ping from the windows side first, but
then I lose the connection after 10 minutes of inactivity, and can only
re-establish it if I ping from the windows side.  Then I'm good for
another 10 minutes or so.  Does anyone know how to stop this timeout?

setkey -DP

128.181.yy.yy[any] 128.181.xx.xx[32] any
        in prio def ipsec
        esp/transport//require
        created: Mar  1 09:09:55 2010  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=41304 seq=25 pid=20119
        refcnt=1
128.181.yy.yy[any] 128.181.xx.xx[any] any
        in prio def ipsec
        esp/transport//require
        ah/transport//require
        created: Mar  1 09:10:06 2010  lastused: Mar  1 09:14:33 2010
        lifetime: 0(s) validtime: 0(s)
        spid=41328 seq=24 pid=20119
        refcnt=2
128.181.xx.xx[any] 128.181.yy.yy[32] any
        out prio def ipsec
        esp/transport//require
        created: Mar  1 09:09:55 2010  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=41297 seq=21 pid=20119
        refcnt=1
128.181.xx.xx[any] 128.181.yy.yy[any] any
        out prio def ipsec
        esp/transport//require
        ah/transport//require
        created: Mar  1 09:10:06 2010  lastused: Mar  1 09:11:35 2010
        lifetime: 0(s) validtime: 0(s)
        spid=41321 seq=20 pid=20119
        refcnt=2
128.181.yy.yy[any] 128.181.xx.xx[32] any
        fwd prio def ipsec
        esp/transport//require
        created: Mar  1 09:09:55 2010  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=41314 seq=17 pid=20119
        refcnt=1
128.181.yy.yy[any] 128.181.xx.xx[any] any
        fwd prio def ipsec
        esp/transport//require
        ah/transport//require
        created: Mar  1 09:10:06 2010  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=41338 seq=16 pid=20119
        refcnt=1
(per-socket policy)
        in none
        created: Mar  1 09:10:07 2010  lastused: Mar  1 09:11:14 2010
        lifetime: 0(s) validtime: 0(s)
        spid=41363 seq=9 pid=20119
        refcnt=1
(per-socket policy)
        out none
        created: Mar  1 09:10:07 2010  lastused: Mar  1 09:11:55 2010
        lifetime: 0(s) validtime: 0(s)
        spid=41372 seq=1 pid=20119
        refcnt=1

From the debug log:

2010-03-01 09:11:35: DEBUG: suitable inbound SP found: 128.181.yy.yy/32[0] 128.181.xx.xx/32[0] proto=any dir=in.
2010-03-01 09:11:35: DEBUG: new acquire 128.181.xx.xx/32[0] 128.181.yy.yy/32[0] proto=any dir=out
2010-03-01 09:11:35: DEBUG: anonymous sainfo selected.

2010-03-01 09:11:55: DEBUG: resend phase2 packet 3a93dfd2a4ab4ba2:bbf5e70baaff7c07:0000a9d9
2010-03-01 09:12:05: DEBUG: get pfkey EXPIRE message
2010-03-01 09:12:05: INFO: IPsec-SA expired: AH/Transport 128.181.yy.yy[0]->128.181.xx.xx[0] spi=249936532(0xee5ba94)
2010-03-01 09:12:05: WARNING: the expire message is received but the handler has not been established.
2010-03-01 09:12:05: ERROR: 128.181.yy.yy give up to get IPsec-SA due to time up to wait.
2010-03-01 09:12:05: DEBUG: an undead schedule has been deleted.
2010-03-01 09:12:05: DEBUG: get pfkey EXPIRE message
2010-03-01 09:12:05: INFO: IPsec-SA expired: ESP/Transport 128.181.yy.yy[0]->128.181.xx.xx[0] spi=15343223(0xea1e77)
2010-03-01 09:12:05: DEBUG: no such a SA found: ESP/Transport 128.181.yy.yy[0]->128.181.xx.xx[0] spi=15343223(0xea1e77)

On the windows side:

2010-03-01 12:22:08: DEBUG: pfkey UPDATE succeeded: ESP/Transport 128.181.ww.ww[0]->128.181.xx.xx[0] spi=101578039(0x60df537)
2010-03-01 12:22:08: INFO: IPsec-SA established: ESP/Transport 128.181.ww.ww[0]->128.181.xx.xx[0] spi=101578039(0x60df537)

Connection good.

After about 10 minutes or more:

2010-03-01 12:38:06: DEBUG: Cannot record event: event queue overflowed
2010-03-01 12:38:06: DEBUG: call pfkey_send_dump
2010-03-01 12:38:06: DEBUG: purged SAs.

ping 128.181.ww.ww
PING 128.181.ww.ww (128.181.ww.ww) 56(84) bytes of data.

--- 128.181.ww.ww ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 2999ms

But from the windows server:

C:\WINDOWS>ping 128.181.xx.xx

Pinging 128.181.xx.xx with 32 bytes of data:

Negotiating IP Security.
Reply from 128.181.xx.xx: bytes=32 time=1ms TTL=64
Reply from 128.181.xx.xx: bytes=32 time<1ms TTL=64
Reply from 128.181.xx.xx: bytes=32 time<1ms TTL=64

Ping statistics for 128.181.xx.xx:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

Thanks,

Peter Shulkin
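As an added example (not part of the post, and not code from the ipsec-tools project), the following Python parses `setkey -DP` output in the layout quoted above and reports two things worth checking first when an SA is established but pings do not pass: policy entries that traffic has never matched (an empty `lastused:`), and inbound/outbound policy pairs that require different protocol sets. The sample dump and its addresses are constructed for the example.

```python
import re
# Constructed sample in the layout of `setkey -DP` (documentation-range addresses, not the
# post's): an inbound policy requiring ESP+AH never matched, paired with an ESP-only outbound.
SAMPLE_SPD = """\
192.0.2.20[any] 192.0.2.10[any] any
        in prio def ipsec
        esp/transport//require
        ah/transport//require
        created: Mar  1 09:09:55 2010  lastused:
        spid=41304 seq=25 pid=20119
192.0.2.10[any] 192.0.2.20[any] any
        out prio def ipsec
        esp/transport//require
        created: Mar  1 09:10:06 2010  lastused: Mar  1 09:11:35 2010
        spid=41321 seq=20 pid=20119
"""

def parse_spd(text):
    policies, cur = [], dict(reqs=[])  # cur is a throwaway sink until the first selector line
    for raw in text.splitlines():
        m = re.match(r"^(\S+)\[(\S+)\] (\S+)\[(\S+)\] (\S+)$", raw)
        if m:  # selector line: src[port] dst[port] upper-layer-protocol
            cur = dict(zip(("src", "sport", "dst", "dport", "proto"), m.groups()),
                       dir=None, reqs=[], lastused=None, spid=None)
            policies.append(cur)
            continue
        line = raw.strip()
        if line.startswith("(per-socket"):
            cur = dict(reqs=[])  # per-socket entries are parsed into a sink and dropped
        elif line.split(" ")[0] in ("in", "out", "fwd"):
            cur["dir"] = line.split(" ")[0]
        elif re.match(r"^(esp|ah|ipcomp)/", line):  # e.g. esp/transport//require
            cur["reqs"].append(line)
        elif "lastused:" in line:  # nothing after the colon means never matched
            cur["lastused"] = line.split("lastused:", 1)[1].strip() or None
        elif line.startswith("spid="):
            cur["spid"] = int(line[5:].split()[0])
    return policies

def find_issues(policies):
    """Report never-matched policies and in/out pairs whose required protocols differ."""
    issues = [("never-used", p["spid"]) for p in policies
              if p["dir"] != "fwd" and p["lastused"] is None]
    outs = {(q["src"], q["sport"], q["dst"], q["dport"]): q
            for q in policies if q["dir"] == "out"}
    for p in (p for p in policies if p["dir"] == "in"):
        q = outs.get((p["dst"], p["dport"], p["src"], p["sport"]))  # mirror-image out policy
        if q and sorted(p["reqs"]) != sorted(q["reqs"]):
            issues.append(("asymmetric", p["spid"], q["spid"]))
    return issues
```

Run it against a live dump with `setkey -DP | python3 -c 'import sys; ...'` or by passing the captured text to `parse_spd`; the per-socket entries in the dump above are skipped.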

More information about the redhat-list mailing list