[Openswan Users] Pix 7.0.5, pix 6.3.5 and Openswan connectivity issues

arno van der walt vex0r2002 at hotmail.com
Tue Aug 1 01:52:03 CEST 2006


Hi

We have in the order of 40 VPN tunnels from a Pix firewall to various 
Openswan boxes. Since our initial roll out we've seen that the tunnel would 
drop intermittently. We wrote wrapper scripts and cron'd it to bounce the 
tunnels when they go down by monitoring file build up and icmp timeouts, 
redirects etc.

After about a year of having these VPN tunnels in production we're trying to 
get to bottom of the VPN drops rather than applying band aids.

The Openswan box is 1.1.1.1 and the Pix is 2.2.2.2. After 75% of the IPSec 
SA timer expires, the pix initiates a rekey. In this particular scenario the 
Openswan box does not rekey but keeps its SA's active which effectively 
renders the tunnels useless, since the two devices cannot establish or agree 
upon the SA.

We've dropped the IPSec SA timer down to one hour and our tunnel dropped 45 
minutes into every hour as the Pix tried to rekey. It is currently set to 
28800 for bith SA's.

We're running Fedora Core 4, Openswan 2.4.4, kernel 2.6.17.

Take a look at the DPD, it just keeps on incrementing, almost as if DPD is 
not interopreable.

Would upgrading to 2.4.5 with the DPD enhancements help? We're fairly open 
to suggestion at this stage.

=======================================================
Openswan
---------------------------------------------------------------------------------------------------------------------------
[root at bob ~]# /usr/sbin/ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 10.1.254.126
000 %myid = (none)
000 debug 
raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, 
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, 
keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, 
keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, 
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, 
keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, 
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, 
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, 
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, 
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, 
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, 
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, 
keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,11,36} 
trans={0,11,336} attrs={0,11,224}
000
000 "tunnelipsec": 
0.0.0.0/0===10.1.254.126---10.1.254.65...2.2.2.3---2.2.2.2===10.213.27.0/24; 
erouted; eroute owner: #37
000 "tunnelipsec":     srcip=unset; dstip=unset; srcup=ipsec _updown; 
dstup=ipsec _updown;
000 "tunnelipsec":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 
540s; rekey_fuzz: 100%; keyingtries: 0
000 "tunnelipsec":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 0,24; 
interface: eth0;
000 "tunnelipsec":   newest ISAKMP SA: #35; newest IPsec SA: #37;
000 "tunnelipsec":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "tunnelipsec":   ESP algorithms wanted: 3_000-1, flags=-strict
000 "tunnelipsec":   ESP algorithms loaded: 3_000-1, flags=-strict
000 "tunnelipsec":   ESP algorithm newest: 3DES_0-HMAC_MD5; 
pfsgroup=<Phase1>
000
000 #37: "tunnelipsec":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); 
EVENT_SA_REPLACE in 2353s; newest IPSEC; eroute owner
000 #37: "tunnelipsec" esp.3fc41a81 at 2.2.2.2 esp.c85a4c49 at 10.1.254.126 
tun.0 at 2.2.2.2 tun.0 at 10.1.254.126
000 #35: "tunnelipsec":500 STATE_MAIN_I4 (ISAKMP SA established); 
EVENT_SA_REPLACE in 27590s; newest ISAKMP; lastdpd=311s(seq in:0 out:0)
000

=======================================================
Pix log
---------------------------------------------------------------------------------------------------------------------------
Jul 31 14:15:03 2.2.2.2 Jul 31 2006 14:16:25: %PIX-6-302015: Built outbound 
UDP connection 30673128 for outside:1.1.1.1/500 (1.1.1.1/500) to NP Identity 
Ifc:2.2.2.2/500 (2.2.2.2/500)
Jul 31 14:15:09 2.2.2.2 Jul 31 2006 14:16:31: %PIX-3-713123: Group = 
1.1.1.1, IP = 1.1.1.1, IKE lost contact with remote peer, deleting 
connection (keepalive type: DPD)
Jul 31 14:15:09 2.2.2.2 Jul 31 2006 14:16:31: %PIX-6-602304: IPSEC: An 
inbound LAN-to-LAN SA (SPI= 0x72F45DCB) between 2.2.2.2 and 1.1.1.1 (user= 
1.1.1.1) has been deleted.
Jul 31 14:15:09 2.2.2.2 Jul 31 2006 14:16:31: %PIX-6-602304: IPSEC: An 
outbound LAN-to-LAN SA (SPI= 0xCE19C3AE) between 2.2.2.2 and 1.1.1.1 (user= 
1.1.1.1) has been deleted.
Jul 31 14:15:09 2.2.2.2 Jul 31 2006 14:16:31: %PIX-3-713902: Group = 
1.1.1.1, IP = 1.1.1.1, Removing peer from peer table failed, no match!
Jul 31 14:15:09 2.2.2.2 Jul 31 2006 14:16:31: %PIX-4-713903: Group = 
1.1.1.1, IP = 1.1.1.1, Error: Unable to remove PeerTblEntry
Jul 31 14:15:09 2.2.2.2 Jul 31 2006 14:16:31: %PIX-4-113019: Group = 
1.1.1.1, Username = 1.1.1.1, IP = 1.1.1.1, Session disconnected. Session 
Type: IPSecLAN2LAN, Duration: 0h:24m:19s, Bytes xmt: 642337, Bytes rcv: 
3623975, Reason: Lost Service
Jul 31 14:15:15 2.2.2.2 Jul 31 2006 14:16:37: %PIX-5-713041: IP = 1.1.1.1, 
IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1  local Proxy Address 
10.213.27.0, remote Proxy Address 0.0.0.0,  Crypto map (outside_map)
Jul 31 14:15:47 2.2.2.2 Jul 31 2006 14:17:09: %PIX-3-713902: IP = 1.1.1.1, 
Removing peer from peer table failed, no match!
Jul 31 14:15:47 2.2.2.2 Jul 31 2006 14:17:09: %PIX-4-713903: IP = 1.1.1.1, 
Error: Unable to remove PeerTblEntry
Jul 31 14:15:47 2.2.2.2 Jul 31 2006 14:17:09: %PIX-5-713041: IP = 1.1.1.1, 
IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1  local Proxy Address 
10.213.27.0, remote Proxy Address 0.0.0.0,  Crypto map (outside_map)
Jul 31 14:16:19 2.2.2.2 Jul 31 2006 14:17:41: %PIX-3-713902: IP = 1.1.1.1, 
Removing peer from peer table failed, no match!
Jul 31 14:16:19 2.2.2.2 Jul 31 2006 14:17:41: %PIX-4-713903: IP = 1.1.1.1, 
Error: Unable to remove PeerTblEntry
Jul 31 14:16:19 2.2.2.2 Jul 31 2006 14:17:41: %PIX-5-713041: IP = 1.1.1.1, 
IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1  local Proxy Address 
10.213.27.0, remote Proxy Address 0.0.0.0,  Crypto map (outside_map)
Jul 31 14:16:51 2.2.2.2 Jul 31 2006 14:18:13: %PIX-3-713902: IP = 1.1.1.1, 
Removing peer from peer table failed, no match!
Jul 31 14:16:51 2.2.2.2 Jul 31 2006 14:18:13: %PIX-4-713903: IP = 1.1.1.1, 
Error: Unable to remove PeerTblEntry
Jul 31 14:16:51 2.2.2.2 Jul 31 2006 14:18:13: %PIX-5-713041: IP = 1.1.1.1, 
IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1  local Proxy Address 
10.213.27.0, remote Proxy Address 0.0.0.0,  Crypto map (outside_map)
Jul 31 14:17:23 2.2.2.2 Jul 31 2006 14:18:45: %PIX-3-713902: IP = 1.1.1.1, 
Removing peer from peer table failed, no match!
Jul 31 14:17:23 2.2.2.2 Jul 31 2006 14:18:45: %PIX-4-713903: IP = 1.1.1.1, 
Error: Unable to remove PeerTblEntry
Jul 31 14:17:23 2.2.2.2 Jul 31 2006 14:18:45: %PIX-5-713041: IP = 1.1.1.1, 
IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1  local Proxy Address 
10.213.27.0, remote Proxy Address 0.0.0.0,  Crypto map (outside_map)
Jul 31 14:17:55 2.2.2.2 Jul 31 2006 14:19:17: %PIX-3-713902: IP = 1.1.1.1, 
Removing peer from peer table failed, no match!
Jul 31 14:17:55 2.2.2.2 Jul 31 2006 14:19:17: %PIX-4-713903: IP = 1.1.1.1, 
Error: Unable to remove PeerTblEntry
Jul 31 14:17:56 2.2.2.2 Jul 31 2006 14:19:17: %PIX-5-713041: IP = 1.1.1.1, 
IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1  local Proxy Address 
10.213.27.0, remote Proxy Address 0.0.0.0,  Crypto map (outside_map)
Jul 31 14:18:28 2.2.2.2 Jul 31 2006 14:19:49: %PIX-3-713902: IP = 1.1.1.1, 
Removing peer from peer table failed, no match!
Jul 31 14:18:28 2.2.2.2 Jul 31 2006 14:19:49: %PIX-4-713903: IP = 1.1.1.1, 
Error: Unable to remove PeerTblEntry
Jul 31 14:18:28 2.2.2.2 Jul 31 2006 14:19:49: %PIX-5-713041: IP = 1.1.1.1, 
IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1  local Proxy Address 
10.213.27.0, remote Proxy Address 0.0.0.0,  Crypto map (outside_map)
Jul 31 14:19:00 2.2.2.2 Jul 31 2006 14:20:21: %PIX-3-713902: IP = 1.1.1.1, 
Removing peer from peer table failed, no match!
Jul 31 14:19:00 2.2.2.2 Jul 31 2006 14:20:21: %PIX-4-713903: IP = 1.1.1.1, 
Error: Unable to remove PeerTblEntry
Jul 31 14:19:00 2.2.2.2 Jul 31 2006 14:20:21: %PIX-5-713041: IP = 1.1.1.1, 
IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1  local Proxy Address 
10.213.27.0, remote Proxy Address 0.0.0.0,  Crypto map (outside_map)
Jul 31 14:19:32 2.2.2.2 Jul 31 2006 14:20:53: %PIX-3-713902: IP = 1.1.1.1, 
Removing peer from peer table failed, no match!
Jul 31 14:19:32 2.2.2.2 Jul 31 2006 14:20:53: %PIX-4-713903: IP = 1.1.1.1, 
Error: Unable to remove PeerTblEntry
Jul 31 14:19:32 2.2.2.2 Jul 31 2006 14:20:54: %PIX-5-713041: IP = 1.1.1.1, 
IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1  local Proxy Address 
10.213.27.0, remote Proxy Address 0.0.0.0,  Crypto map (outside_map)
Jul 31 14:20:04 2.2.2.2 Jul 31 2006 14:21:26: %PIX-3-713902: IP = 1.1.1.1, 
Removing peer from peer table failed, no match!
Jul 31 14:20:04 2.2.2.2 Jul 31 2006 14:21:26: %PIX-4-713903: IP = 1.1.1.1, 
Error: Unable to remove PeerTblEntry
Jul 31 14:20:04 2.2.2.2 Jul 31 2006 14:21:26: %PIX-5-713041: IP = 1.1.1.1, 
IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1  local Proxy Address 
10.213.27.0, remote Proxy Address 0.0.0.0,  Crypto map (outside_map)
Jul 31 14:20:36 2.2.2.2 Jul 31 2006 14:21:58: %PIX-3-713902: IP = 1.1.1.1, 
Removing peer from peer table failed, no match!
Jul 31 14:20:36 2.2.2.2 Jul 31 2006 14:21:58: %PIX-4-713903: IP = 1.1.1.1, 
Error: Unable to remove PeerTblEntry
Jul 31 14:20:36 2.2.2.2 Jul 31 2006 14:21:58: %PIX-5-713041: IP = 1.1.1.1, 
IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1  local Proxy Address 
10.213.27.0, remote Proxy Address 0.0.0.0,  Crypto map (outside_map)
Jul 31 14:21:08 2.2.2.2 Jul 31 2006 14:22:30: %PIX-3-713902: IP = 1.1.1.1, 
Removing peer from peer table failed, no match!
Jul 31 14:21:08 2.2.2.2 Jul 31 2006 14:22:30: %PIX-4-713903: IP = 1.1.1.1, 
Error: Unable to remove PeerTblEntry
Jul 31 14:21:08 2.2.2.2 Jul 31 2006 14:22:30: %PIX-5-713041: IP = 1.1.1.1, 
IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1  local Proxy Address 
10.213.27.0, remote Proxy Address 0.0.0.0,  Crypto map (outside_map)
Jul 31 14:21:40 2.2.2.2 Jul 31 2006 14:23:02: %PIX-3-713902: IP = 1.1.1.1, 
Removing peer from peer table failed, no match!
Jul 31 14:21:40 2.2.2.2 Jul 31 2006 14:23:02: %PIX-4-713903: IP = 1.1.1.1, 
Error: Unable to remove PeerTblEntry
Jul 31 14:21:40 2.2.2.2 Jul 31 2006 14:23:02: %PIX-5-713041: IP = 1.1.1.1, 
IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1  local Proxy Address 
10.213.27.0, remote Proxy Address 0.0.0.0,  Crypto map (outside_map)
Jul 31 14:22:12 2.2.2.2 Jul 31 2006 14:23:34: %PIX-3-713902: IP = 1.1.1.1, 
Removing peer from peer table failed, no match!
Jul 31 14:22:12 2.2.2.2 Jul 31 2006 14:23:34: %PIX-4-713903: IP = 1.1.1.1, 
Error: Unable to remove PeerTblEntry
Jul 31 14:22:12 2.2.2.2 Jul 31 2006 14:23:34: %PIX-5-713041: IP = 1.1.1.1, 
IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1  local Proxy Address 
10.213.27.0, remote Proxy Address 0.0.0.0,  Crypto map (outside_map)
Jul 31 14:22:44 2.2.2.2 Jul 31 2006 14:24:06: %PIX-3-713902: IP = 1.1.1.1, 
Removing peer from peer table failed, no match!
Jul 31 14:22:44 2.2.2.2 Jul 31 2006 14:24:06: %PIX-4-713903: IP = 1.1.1.1, 
Error: Unable to remove PeerTblEntry
Jul 31 14:22:45 2.2.2.2 Jul 31 2006 14:24:07: %PIX-5-713041: IP = 1.1.1.1, 
IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1  local Proxy Address 
10.213.27.0, remote Proxy Address 0.0.0.0,  Crypto map (outside_map)
Jul 31 14:23:17 2.2.2.2 Jul 31 2006 14:24:39: %PIX-3-713902: IP = 1.1.1.1, 
Removing peer from peer table failed, no match!
Jul 31 14:23:17 2.2.2.2 Jul 31 2006 14:24:39: %PIX-4-713903: IP = 1.1.1.1, 
Error: Unable to remove PeerTblEntry
Jul 31 14:23:17 2.2.2.2 Jul 31 2006 14:24:39: %PIX-5-713041: IP = 1.1.1.1, 
IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1  local Proxy Address 
10.213.27.0, remote Proxy Address 0.0.0.0,  Crypto map (outside_map)
Jul 31 14:23:49 2.2.2.2 Jul 31 2006 14:25:11: %PIX-3-713902: IP = 1.1.1.1, 
Removing peer from peer table failed, no match!
Jul 31 14:23:49 2.2.2.2 Jul 31 2006 14:25:11: %PIX-4-713903: IP = 1.1.1.1, 
Error: Unable to remove PeerTblEntry
Jul 31 14:23:50 2.2.2.2 Jul 31 2006 14:25:11: %PIX-5-713041: IP = 1.1.1.1, 
IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1  local Proxy Address 
10.213.27.0, remote Proxy Address 0.0.0.0,  Crypto map (outside_map)
Jul 31 14:24:22 2.2.2.2 Jul 31 2006 14:25:43: %PIX-3-713902: IP = 1.1.1.1, 
Removing peer from peer table failed, no match!
Jul 31 14:24:22 2.2.2.2 Jul 31 2006 14:25:43: %PIX-4-713903: IP = 1.1.1.1, 
Error: Unable to remove PeerTblEntry
Jul 31 14:24:22 2.2.2.2 Jul 31 2006 14:25:44: %PIX-5-713041: IP = 1.1.1.1, 
IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1  local Proxy Address 
10.213.27.0, remote Proxy Address 0.0.0.0,  Crypto map (outside_map)
Jul 31 14:24:44 2.2.2.2 Jul 31 2006 14:26:05: %PIX-5-713904: IP = 1.1.1.1, 
Received encrypted packet with no matching SA, dropping
Jul 31 14:24:45 2.2.2.2 Jul 31 2006 14:26:06: %PIX-5-713904: IP = 1.1.1.1, 
Received encrypted packet with no matching SA, dropping
Jul 31 14:25:00 2.2.2.2 Jul 31 2006 14:26:21: %PIX-4-713903: Group = 
1.1.1.1, IP = 1.1.1.1, Freeing previously allocated memory for 
authorization-dn-attributes
Jul 31 14:25:00 2.2.2.2 Jul 31 2006 14:26:21: %PIX-6-113009: AAA retrieved 
default group policy (DfltGrpPolicy) for user = 1.1.1.1
Jul 31 14:25:00 2.2.2.2 Jul 31 2006 14:26:21: %PIX-3-713119: Group = 
1.1.1.1, IP = 1.1.1.1, PHASE 1 COMPLETED
Jul 31 14:25:01 2.2.2.2 Jul 31 2006 14:26:23: %PIX-5-713201: Group = 
1.1.1.1, IP = 1.1.1.1, Duplicate Phase 1 packet detected.  Retransmitting 
last packet.
Jul 31 14:25:01 2.2.2.2 Jul 31 2006 14:26:23: %PIX-6-713905: Group = 
1.1.1.1, IP = 1.1.1.1, P1 Retransmit msg dispatched to MM FSM
Jul 31 14:25:11 2.2.2.2 Jul 31 2006 14:26:33: %PIX-6-602303: IPSEC: An 
outbound LAN-to-LAN SA (SPI= 0xC85A4C49) between 2.2.2.2 and 1.1.1.1 (user= 
1.1.1.1) has been created.
Jul 31 14:25:11 2.2.2.2 Jul 31 2006 14:26:33: %PIX-5-713049: Group = 
1.1.1.1, IP = 1.1.1.1, Security negotiation complete for LAN-to-LAN Group 
(1.1.1.1)  Responder, Inbound SPI = 0x3fc41a81, Outbound SPI = 0xc85a4c49
Jul 31 14:25:11 2.2.2.2 Jul 31 2006 14:26:33: %PIX-6-602303: IPSEC: An 
inbound LAN-to-LAN SA (SPI= 0x3FC41A81) between 2.2.2.2 and 1.1.1.1 (user= 
1.1.1.1) has been created.
Jul 31 14:25:11 2.2.2.2 Jul 31 2006 14:26:33: %PIX-6-713905: Group = 
1.1.1.1, IP = 1.1.1.1, Starting P2 Rekey timer to expire in 3056 seconds
Jul 31 14:25:11 2.2.2.2 Jul 31 2006 14:26:33: %PIX-5-713120: Group = 
1.1.1.1, IP = 1.1.1.1, PHASE 2 COMPLETED (msgid=e62e3d43)
Jul 31 14:25:12 2.2.2.2 Jul 31 2006 14:26:34: %PIX-5-713201: Group = 
1.1.1.1, IP = 1.1.1.1, Duplicate Phase 1 packet detected.  No last packet to 
retransmit.
Jul 31 14:25:23 2.2.2.2 Jul 31 2006 14:26:45: %PIX-5-713136: IP = 1.1.1.1, 
IKE session establishment timed out [MM_WAIT_MSG4], aborting!
Jul 31 14:25:32 2.2.2.2 Jul 31 2006 14:26:53: %PIX-5-713201: Group = 
1.1.1.1, IP = 1.1.1.1, Duplicate Phase 1 packet detected.  No last packet to 
retransmit.
Jul 31 14:27:36 2.2.2.2 Jul 31 2006 14:28:58: %PIX-6-302016: Teardown UDP 
connection 30673128 for outside:1.1.1.1/500 to NP Identity Ifc:2.2.2.2/500 
duration 0:12:32 bytes 28360



Session Type: LAN-to-LAN Detailed

Connection   : 1.1.1.1
Index        : 33                     IP Addr      : 1.1.1.1
Protocol     : IPSecLAN2LAN           Encryption   : 3DES
Hashing      : MD5
Bytes Tx     : 798078                 Bytes Rx     : 128975
Login Time   : 14:26:21 UTC Mon Jul 31 2006
Duration     : 0h:05m:21s
Filter Name  :

IKE Sessions: 1 IPSec Sessions: 1

IKE:
  Session ID   : 1
  UDP Src Port : 500                    UDP Dst Port : 500
  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
  Encryption   : 3DES                   Hashing      : MD5
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28480 Seconds
  D/H Group    : 2

IPSec:
  Session ID   : 2
  Local Addr   : 10.213.27.0/255.255.255.0/0/0
  Remote Addr  : 0.0.0.0/0.0.0.0/0/0
  Encryption   : 3DES                   Hashing      : MD5
  Encapsulation: Tunnel                 PFS Group    : 2
  Rekey Int (T): 3600 Seconds           Rekey Left(T): 3292 Seconds
  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
  Bytes Tx     : 798078                 Bytes Rx     : 128975
  Pkts Tx      : 1771                   Pkts Rx      : 1597

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today - it's FREE! 
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/



More information about the Users mailing list