-----BEGIN PGP SIGNED MESSAGE-----

On Tue, Jul 16, 2002 at 11:55:53PM +1000, John Ferlito wrote:
> 
> I've got freeswan 1.95 with the 0.7.2b ALGo patch, basically the
> standard debian package.
> 
> I have sucesfully got some tunnels connected to a cisco VPN
> concentrator. I'm having a problem though where every 4 hours the
> connectivity disappears for about 90 seconds.
> 
> I've turned on full pluto debugging. Don't have kernel debugging
> compiled in at the moment. Anyway everytime it happens about 10 seconds
> before the event this is in the logs.
> 
> Pluto[25394]: | *received whack message
> Pluto[25394]: | kernel_alg_esp_enc_ok(3): alg_id=3, alg_ivlen=64, alg_minbits=168, alg_maxbits=168, res=0, ret=1
> Pluto[25394]: | kernel_alg_esp_auth_ok(auth=1): ret=1
> Pluto[25394]: | kernel_alg_esp_enc_keylen():alg_id=3, keylen=21
> Pluto[25394]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
> Pluto[25394]: | kernel_alg_esp_enc_ok(3): alg_id=3, alg_ivlen=64, alg_minbits=168, alg_maxbits=168, res=0, ret=1
> :
> [ snip ] 

These are logging messages from _pluto_ in respect to kernel algorithms
"presence" checks (alg_id=3 means 3DES which is Ok); they will appear every time
IPSEC SA is renegotiated and they are harmless (in recent versions they 
are disabled by default).

> 
> It seems to be something todo with the ALG patch. I could just recompile
> without it but that would be a pain. Has anyone seen this before?

I don't think so, but you could try downloading and recompiling 
freeswan-1.95 pluto and whack without ALGo patches, stock pluto
correctly drives ALGo patched KLIPS for 3DES.

   cd freeswan-1.95
   make programs
   cp -p pluto/{pluto,whack}  /usr/lib/ipsec/   # or whatever install dir

.. and restart ipsec.
If I guess ok, you'll still hit the problem ... _maybe_ re-keying timings ?

Please feedback your findings, thanks.

Regards

- --Juanjo       freeswan algo: AES (+others), SHA2, MODP2048-4096 
               selectable algorithms support for Phase1 and 2.
	       http://www.irrigacion.gov.ar/juanjo/ipsec/

#  Juan Jose Ciarlante (JuanJo PGP) jjo ;at; mendoza.gov.ar              #
#  Key fingerprint = 76 60 A5 76 FD D2 53 E3  50 C7 90 20 22 8C F1 2D    #
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iQCVAwUBPTRapviRsh5Aa5C9AQHCwQQAuLK0/bjS8UTQcfqN6nC4dYnVJKt8ybaf
y0JrGRma2Im7uWUiUSOEGOmAs52T5V68HMLpuSq0pc7J86sZtSEtgsO2TfsApe4y
eFAZY9FsP24qQcaHm4rS+NpftCjwk5DyqplEZwtN4/vb9WAFdgFd3QCnh6x1DC0P
aAa2Dj/Vnu0=
=YC+Z
-----END PGP SIGNATURE-----
_______________________________________________
Users mailing list
Users@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users