From: Sunny Cheung (sunnyc_at_turbojet.com.hk)
Date: Mon Sep 16 2002 - 10:41:23 CEST
Dear Sir,
I'm still waiting for this result, any updates?
Regards,
Sunny
-----Original Message-----
From: Sunny Cheung [mailto:sunnyc_at_turbojet.com.hk]
Sent: Saturday, September 07, 2002 12:06 PM
To: 'sam_at_freeswan.org'
Cc: 'users_at_lists.freeswan.org'
Subject: RE: FW: [Users] IPsec SA expired (LATEST!)
Dear Sir,
Any result for this case?
Regards,
Sunny
-----Original Message-----
From: users-admin_at_lists.freeswan.org [mailto:users-admin_at_lists.freeswan.org]On Behalf Of Sunny Cheung
Sent: Tuesday, September 03, 2002 10:03 AM
To: sam_at_freeswan.org
Cc: users_at_lists.freeswan.org
Subject: FW: FW: [Users] IPsec SA expired (LATEST!)
Dear Sir,
Can you receive & read this attachment? Please reply if you have any result, thanks for your help.
Regards,
Sunny
-----Original Message-----
From: Sunny Cheung [mailto:sunnyc_at_turbojet.com.hk]
Sent: Monday, August 26, 2002 9:59 AM
To: 'sam_at_freeswan.org'
Subject: FW: FW: [Users] IPsec SA expired (LATEST!)
Sam,
Can you receive & read this attachment? Please reply if you have any result, thanks for your help.
Regards,
Sunny
-----Original Message-----
From: Sunny Cheung [mailto:sunnyc_at_turbojet.com.hk]
Sent: Thursday, August 22, 2002 3:23 PM
To: 'Sam Sgro'
Subject: RE: FW: [Users] IPsec SA expired (LATEST!)
Sam,
Here are the ipsec.barf files, which were created when the ipsec disconnected this morning.
ipsec.barf.20020822 <--- after disconnected
ipsec.barf.20020822a <--- after restart the process
And I got this message on creating the barf file:
======================================================================
[root_at_jetproxy etc]# ipsec barf >> /root/ipsec.barf.20020822
/usr/lib/ipsec/barf: command substitution: line 1: syntax error near unexpected token `|'
/usr/lib/ipsec/barf: command substitution: line 1: `ls -t $LOGS | | egrep -v '^mail' | egrep -v '\.(gz|Z)$''
[root_at_jetproxy etc]# ipsec setup status
IPsec running
pluto pid 1504
[root_at_jetproxy etc]# ipsec setup restart
ipsec_setup: Stopping FreeS/WAN IPsec...
ipsec_setup: Starting FreeS/WAN IPsec U1.95/K1.97...
[root_at_jetproxy etc]# ipsec barf >> /root/ipsec.barf.20020822.a
[root_at_jetproxy etc]#
====================================================================
And here's the FW config:
Encryption Scheme: IKE
Encryption Domain: EncryptDN
ISAKMP encryption method: 3DES,DES
ISAKMP hash method: MD5,SHA1
ISAKMP authentication method: pre-shared secret
Please reply if you need more information, thanks!
Regards,
Sunny
-----Original Message-----
From: Sam Sgro [mailto:sam_at_freeswan.org]
Sent: Wednesday, August 21, 2002 8:50 AM
To: Sunny Cheung
Subject: Re: FW: [Users] IPsec SA expired (LATEST!)
Change "keyingtries=3" to "keyingtries=0" in the default connection. Perhaps
FreeS/WAN is not being persistent enough.
The Checkpoint log was very garbled; can you post some configuration details
instead?
On Wed, 21 Aug 2002, Sunny Cheung wrote:
> Dear Sam,
>
> For this case, can you read this PDF file?
> Any updates?
>
> Regards,
> Sunny
> -----Original Message-----
> From: users-admin_at_lists.freeswan.org [mailto:users-admin_at_lists.freeswan.org]On Behalf Of Sunny Cheung
> Sent: Monday, August 19, 2002 5:59 PM
> To: 'Sam Sgro'
> Cc: users_at_lists.freeswan.org
> Subject: RE: [Users] IPsec SA expired (LATEST!)
>
> Sam,
>
> Here's the ipsec barf from when the machine had a connection problem with freeswan.
>
> Regards,
> Sunny
> -----Original Message-----
> From: Sunny Cheung [mailto:sunnyc_at_turbojet.com.hk]
> Sent: Thursday, August 15, 2002 4:10 PM
> To: 'Sam Sgro'
> Cc: 'users_at_lists.freeswan.org'
> Subject: RE: [Users] IPsec SA expired (LATEST!)
>
>
> Here's the logging for the other end connected with the freeswan box, which is the Checkpoint firewall 4.1.
>
> And the CP FW ike keylife was 15 mins; ipsec keylife was 60 mins.
> Please reply if you need more information, thanks!
>
> Regards,
> Sunny
> -----Original Message-----
> From: users-admin_at_lists.freeswan.org [mailto:users-admin_at_lists.freeswan.org]On Behalf Of Sam Sgro
> Sent: Sunday, August 11, 2002 8:12 AM
> To: Sunny Cheung
> Cc: users_at_lists.freeswan.org
> Subject: Re: [Users] IPsec SA expired (LATEST!)
>
>
> On Tue, 6 Aug 2002, Sunny Cheung wrote:
>
> > I have a problem with a FreeS/WAN 1.97 connection. I set up FreeS/WAN 1.97 on RH Linux 7.3 (kernel 2.4.18). It works but will disconnect when this message is logged in /var/log/secure:
> > Aug 5 12:37:50 jetproxy Pluto[18477]: "linux-fw1-1" #101: max number of retransmissions (2) reached STATE_QUICK_I1
> >
> > Aug 5 12:37:50 jetproxy Pluto[18477]: "linux-fw1-1" #101: starting keying attempt 3 of at most 3
> >
> > Aug 5 12:37:50 jetproxy Pluto[18477]: "linux-fw1-1" #102: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK to replace #101
> >
> > Aug 5 12:39:00 jetproxy Pluto[18477]: "linux-fw1-1" #102: max number of retransmissions (2) reached STATE_QUICK_I1
> >
> > Aug 5 12:40:00 jetproxy Pluto[18477]: "linux-fw1-1" #97: IPsec SA expired (LATEST!)
> >
> > Aug 5 12:40:00 jetproxy Pluto[18477]: "linux-fw1-1" #103: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK
> >
> > Aug 5 12:41:10 jetproxy Pluto[18477]: "linux-fw1-1" #103: max number of retransmissions (2) reached
>
> I take it, from the fact that you've only sent me a barf for one of the
> units, that you are connecting to a non-freeswan box at the other end of the
> connection. This complicates things, as the logs from the other end of this
> connection would also be useful here.
>
> Your IPSec SA lifetime is set to 90 minutes. (The default is 8 hours; have
> you chosen this for a particular reason?) You've also commented out the
> "%default" connection, where, among other things, we correct the badly chosen
> default of "keyingtries=3" present in Pluto; "keyingtries=0" ensures that
> FreeS/WAN will persist in its rekeying efforts, instead of giving up
> (relatively) quickly. Either can be desirable behavior depending on the
> circumstances.
>
> Perhaps the 'net connection of fw1-1 went down for more than a few minutes;
> the 3 keying tries fail, and FreeS/WAN "gives up". If the other end of this
> connection won't rekey, ceases to try after a few failed attempts, or just
> plain won't initiate an IPSec connection, the tunnel would never get brought
> back up.
>
> So, start by uncommenting the %default connection, and see if this fixes the
> problem. If/when you see the problem again, please grab a barf at that moment
> - so that we can see the logs as the problem actually occurs - and see if you
> can provide us any extra information from the other IPSec device you are
> connecting to.
>
> Sam Sgro
> sam_at_freeswan.org
>
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
>
--
Sam Sgro
sam_at_freeswan.org
This archive was generated by hypermail 2.1.4 : Tue Sep 17 2002 - 05:20:06 CEST
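
Added example (not part of the original thread, and not FreeS/WAN code): a small Python script that reads the Pluto log lines quoted in the thread and reports, per connection, when the last permitted keying attempt timed out and the newest IPsec SA expired, which is the sequence the reply attributes to keyingtries=3. The regular expressions, function names and dictionary keys are assumptions made for this illustration.

```python
import re

# Pluto log lines quoted in the thread (the wrapped line is re-joined).
SAMPLE_LOG = """\
Aug 5 12:37:50 jetproxy Pluto[18477]: "linux-fw1-1" #101: max number of retransmissions (2) reached STATE_QUICK_I1
Aug 5 12:37:50 jetproxy Pluto[18477]: "linux-fw1-1" #101: starting keying attempt 3 of at most 3
Aug 5 12:37:50 jetproxy Pluto[18477]: "linux-fw1-1" #102: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK to replace #101
Aug 5 12:39:00 jetproxy Pluto[18477]: "linux-fw1-1" #102: max number of retransmissions (2) reached STATE_QUICK_I1
Aug 5 12:40:00 jetproxy Pluto[18477]: "linux-fw1-1" #97: IPsec SA expired (LATEST!)
Aug 5 12:40:00 jetproxy Pluto[18477]: "linux-fw1-1" #103: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK
Aug 5 12:41:10 jetproxy Pluto[18477]: "linux-fw1-1" #103: max number of retransmissions (2) reached
"""

# Assumed layout: syslog timestamp, host, Pluto[pid], "conn" #serial: message
LINE = re.compile(
    r'^(?P<ts>\w+\s+\d+ [\d:]+) \S+ Pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
ATTEMPT = re.compile(r"starting keying attempt (\d+) of at most (\d+)")

def analyze(log_text):
    """Summarise rekey failures per connection name."""
    state = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        c = state.setdefault(m["conn"], {
            "timeouts": 0, "last_try": False,
            "exhausted_at": None, "sa_expired_at": None})
        msg = m["msg"]
        a = ATTEMPT.search(msg)
        if a:  # keyingtries limit reached when attempt == maximum
            c["last_try"] = a.group(1) == a.group(2)
        elif msg.startswith("max number of retransmissions"):
            c["timeouts"] += 1
            if c["last_try"] and c["exhausted_at"] is None:
                c["exhausted_at"] = m["ts"]
        elif "IPsec SA expired (LATEST!)" in msg:
            c["sa_expired_at"] = m["ts"]
    return state

def gave_up(c):
    """True when the final attempt timed out and the newest SA expired."""
    return c["exhausted_at"] is not None and c["sa_expired_at"] is not None

if __name__ == "__main__":
    for name, c in analyze(SAMPLE_LOG).items():
        print(name, c, "tunnel down:", gave_up(c))
```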