From: Sam Sgro (sam_at_freeswan.org)
Date: Sun Aug 11 2002 - 02:12:28 CEST
On Tue, 6 Aug 2002, Sunny Cheung wrote:
> I had a problem with a FreeS/WAN 1.97 connection. I set up FreeS/WAN on RH Linux 7.3 (kernel 2.4.18) with FreeS/WAN 1.97. It works, but it will disconnect when this message is logged in /var/log/secure:
> Aug 5 12:37:50 jetproxy Pluto[18477]: "linux-fw1-1" #101: max number of retransmissions (2) reached STATE_QUICK_I1
> Aug 5 12:37:50 jetproxy Pluto[18477]: "linux-fw1-1" #101: starting keying attempt 3 of at most 3
> Aug 5 12:37:50 jetproxy Pluto[18477]: "linux-fw1-1" #102: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK to replace #101
> Aug 5 12:39:00 jetproxy Pluto[18477]: "linux-fw1-1" #102: max number of retransmissions (2) reached STATE_QUICK_I1
> Aug 5 12:40:00 jetproxy Pluto[18477]: "linux-fw1-1" #97: IPsec SA expired (LATEST!)
> Aug 5 12:40:00 jetproxy Pluto[18477]: "linux-fw1-1" #103: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK
> Aug 5 12:41:10 jetproxy Pluto[18477]: "linux-fw1-1" #103: max number of retransmissions (2) reached
I take it, from the fact that you've only sent me a barf for one of the
units, that you are connecting to a non-freeswan box at the other end of the
connection. This complicates things, as the logs from the other end of this
connection would also be useful here.
Your IPSec SA lifetime is set to 90 minutes. (The default is 8 hours; have
you chosen this for a particular reason?) You've also commented out the
"%default" connection, where, among other things, we correct the badly chosen
default of "keyingtries=3" present in Pluto; "keyingtries=0" ensures that
FreeS/WAN will persist in its rekeying efforts, instead of giving up
(relatively) quickly. Either can be desirable behavior depending on the
circumstances.
Perhaps the 'net connection of fw1-1 went down for more than a few minutes;
the 3 keying tries fail, and FreeS/WAN "gives up". If the other end of this
connection won't rekey, ceases to try after a few failed attempts, or just
plain won't initiate an IPSec connection, the tunnel would never get brought
back up.
So, start by uncommenting the %default connection, and see if this fixes the
problem. If/when you see the problem again, please grab a barf at that moment
- so that we can see the logs as the problem actually occurs - and see if you
can provide us any extra information from the other IPSec device you are
connecting to.
Sam Sgro
sam_at_freeswan.org
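As an added example, not part of this thread and not FreeS/WAN's own code, here is a small Python script that does the two checks Sam walks through: it reads Pluto log lines like the ones quoted above and flags the point where a connection has burned its last keying attempt (so Pluto stops rekeying) and the later expiry of the old IPsec SA, and it reads an ipsec.conf to report whether `conn %default` is active, which `keyingtries` value is in effect, and whether `keylife` differs from the 8h default. The log line layout is inferred from the quoted lines; the ipsec.conf reader is a simplification (unindented section headers, indented key=value parameters); the sample config, the extra sshd line, and any hostnames and PIDs beyond the quoted ones are constructed for the example.

```python
import re
from collections import defaultdict

# --- 1. Pluto log side --------------------------------------------------------
# Line layout assumed from the lines quoted in the message:
#   Mon DD HH:MM:SS host Pluto[pid]: "conn" #state: message
PLUTO_LINE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) Pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
ATTEMPT = re.compile(r'starting keying attempt (?P<n>\d+) of at most (?P<max>\d+)')
RETRANS = re.compile(r'max number of retransmissions \(\d+\) reached')
EXPIRED = re.compile(r'IPsec SA expired')


def parse_pluto_line(line):
    """Fields of one Pluto line as a dict, or None for anything else (other daemons, noise)."""
    m = PLUTO_LINE.match(line.strip())
    return m.groupdict() if m else None


def analyze_log(lines):
    """Per connection: count failed keying attempts and flag when Pluto hits its keyingtries limit.

    With keyingtries=0 Pluto never logs an "of at most N" bound, so max_tries stays None
    and nothing is flagged as 'gave up'; that is the persistent behaviour Sam recommends.
    """
    state = defaultdict(lambda: {"attempt": 1, "max_tries": None, "failures": 0,
                                 "gave_up": False, "expired": False, "findings": []})
    for raw in lines:
        rec = parse_pluto_line(raw)
        if rec is None:
            continue
        s, msg = state[rec["conn"]], rec["msg"]
        m = ATTEMPT.search(msg)
        if m:                                  # "starting keying attempt 3 of at most 3"
            s["attempt"], s["max_tries"] = int(m.group("n")), int(m.group("max"))
        elif RETRANS.search(msg):              # one Quick Mode attempt has failed
            s["failures"] += 1
            if s["max_tries"] and s["attempt"] >= s["max_tries"] and not s["gave_up"]:
                s["gave_up"] = True
                s["findings"].append(f'{rec["ts"]}: attempt {s["attempt"]}/{s["max_tries"]} failed '
                                     f'(#{rec["state"]}); keyingtries exhausted, Pluto stops rekeying')
        elif EXPIRED.search(msg):
            s["expired"] = True
            if s["gave_up"]:
                s["findings"].append(f'{rec["ts"]}: SA #{rec["state"]} expired after Pluto gave up; '
                                     'tunnel stays down unless the peer initiates')
    return dict(state)


# --- 2. ipsec.conf side -------------------------------------------------------
def parse_ipsec_conf(text):
    """Tiny ipsec.conf reader: {'conn NAME': {param: value}}, with '#' comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():              # unindented => section header, e.g. "conn %default"
            current = line.strip()
            sections[current] = {}
        elif current and "=" in line:
            key, val = line.strip().split("=", 1)
            sections[current][key.strip()] = val.strip()
    return sections


def rekey_policy_issues(conf, conn):
    """The two settings the message points at, for one conn, with 'conn %default' applied first."""
    issues = []
    if "conn %default" not in conf:
        issues.append("no active 'conn %default' section: nothing overrides Pluto's built-in keyingtries=3")
    eff = {**conf.get("conn %default", {}), **conf.get(f"conn {conn}", {})}
    tries = eff.get("keyingtries", "3")        # 3 = Pluto's built-in default, as stated in the message
    if tries != "0":
        issues.append(f"keyingtries={tries}: Pluto gives up after {tries} failed attempts; use 0 to persist")
    if "keylife" in eff and eff["keylife"] != "8h":
        issues.append(f"keylife={eff['keylife']} (default 8h): confirm this short lifetime is intended")
    return issues


# Constructed sample: the quoted log with its wrapped line rejoined, plus one non-Pluto line.
SAMPLE_LOG = """\
Aug  5 12:37:50 jetproxy Pluto[18477]: "linux-fw1-1" #101: max number of retransmissions (2) reached STATE_QUICK_I1
Aug  5 12:37:50 jetproxy Pluto[18477]: "linux-fw1-1" #101: starting keying attempt 3 of at most 3
Aug  5 12:37:50 jetproxy Pluto[18477]: "linux-fw1-1" #102: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK to replace #101
Aug  5 12:39:00 jetproxy Pluto[18477]: "linux-fw1-1" #102: max number of retransmissions (2) reached STATE_QUICK_I1
Aug  5 12:40:00 jetproxy Pluto[18477]: "linux-fw1-1" #97: IPsec SA expired (LATEST!)
Aug  5 12:40:00 jetproxy Pluto[18477]: "linux-fw1-1" #103: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK
Aug  5 12:41:10 jetproxy Pluto[18477]: "linux-fw1-1" #103: max number of retransmissions (2) reached
Aug  5 12:41:11 jetproxy sshd[123]: Accepted publickey for admin from 10.0.0.5
""".splitlines()

# Constructed ipsec.conf with %default commented out, as in the poster's setup, and the fixed form.
SAMPLE_CONF_BAD = """\
config setup
        interfaces=%defaultroute
#conn %default
#       keyingtries=0
conn linux-fw1-1
        keylife=90m
        authby=secret
"""
SAMPLE_CONF_GOOD = SAMPLE_CONF_BAD.replace("#conn %default", "conn %default") \
                                  .replace("#       keyingtries", "        keyingtries")

if __name__ == "__main__":
    for conn, s in analyze_log(SAMPLE_LOG).items():
        print(conn, f"failures={s['failures']}", *s["findings"], sep="\n  ")
    for label, conf in (("bad", SAMPLE_CONF_BAD), ("good", SAMPLE_CONF_GOOD)):
        print(label, *rekey_policy_issues(parse_ipsec_conf(conf), "linux-fw1-1"), sep="\n  ")
```

Run against the quoted log the script reports the failure of attempt 3 of 3 on #102 and the expiry of #97 afterwards; run against the two configs it reports the missing `%default`, the effective `keyingtries=3` and the 90-minute `keylife` for the first, and only the `keylife` note for the second, which is exactly the pair of things Sam asks the poster to look at.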
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.4 : Sun Aug 11 2002 - 05:19:40 CEST