[Openswan Users] Openswan to cisco / SA Expired
Vincent Tamet
vincent.tamet at ilimit.net
Thu Mar 15 05:58:42 EDT 2012
Hi Paul,
Thank you very much for the answer.
I still have some doubts; could you have a look at the body of this mail?
>----- Original Message -----
>From: "Paul Wouters" <pwouters at redhat.com>
>To: "Vincent Tamet" <vincent.tamet at ilimit.net>
>Cc: users at openswan.org
>Sent: Thursday 15 March 2012 01:40:43
>Subject: Re: [Openswan Users] Openswan to cisco / SA Expired
>
>On Wed, 14 Mar 2012, Vincent Tamet wrote:
>
>> I observe some SA Expired messages and then the tunnel goes down; a ping from the Cisco immediately brings the VPN up.
>>
>> -------------------------------------------------------------------------------------------
>> Crypto Map "cm-cryptomap" 1 ipsec-isakmp
>> Peer = x.x.x.74
>> Extended IP access list 101
>> access-list 101 permit ip 192.168.2.0 0.0.0.255 192.1.0.0 0.0.1.255
>> access-list 101 permit ip 192.1.0.0 0.0.1.255 192.168.2.0 0.0.0.255
>> access-list 101 deny ip any any
>> Security association lifetime: 4608000 kilobytes/120 seconds
>An SA lifetime of 2 minutes?? You really don't want that. Set it back to the
>default (probably 1h or 8h)
I changed all the timers to very low ones, only with the goal of finding the working values.
>> Mar 14 16:50:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #118: received Delete SA payload: deleting ISAKMP State #118
>This is the remote deleting the SA. Not much we can do here.
Okay.
>> Mar 14 16:50:45 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #121: STATE_QUICK_R2: IPsec SA established {ESP=>0xa8593c8d <0xcf5f3206 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}
>>
>> Mar 14 16:51:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #120: ISAKMP SA expired (--dontrekey)
>This one says your configuration has rekey=no. Are you behind NAT with
>the Cisco? Or is the Cisco on a dynamic IP? If not, you should set this
>to rekey=yes. By the looks of the IPsec SA established line, you are
>not behind NAT, so I assume the Cisco is on dynamic IP, in which case
>the Cisco should rekey for you.
Because the Cisco has a dynamic IP.
>> Mar 14 16:52:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #122: received Delete SA payload: deleting ISAKMP State #122
>> Mar 14 16:52:16 mpat-sc pluto[11239]: packet from y.y.y.136:500: received and ignored informational message
>These could be because of your 2 minute window for the tunnel. It keeps
>deleting and setting up new tunnels. Set it back to an hour and see if
>this fixes your issues.
I can't really understand this! :( I was using this to set it up, like in (https://lists.openswan.org/pipermail/users/2009-January/015995.html)
>> Configuration:
>> --------------
>> conn provailimit
>> type=tunnel
>> esp=3des-md5-96
>> keyexchange=ike
>> authby=secret
>> pfs=yes
>> auth=esp
>> rekey=no
>Yup, you have rekey=no. Change that.
Even if the right is %any? (http://lists.virus.org/users-openswan-0511/msg00127.html)
>> #rekeymargin=0s
>> #rekeyfuzz=0%
>> ikelifetime=60s
>> keylife=120s
>No no, this is bad. Do not set such short ikelifetime/salifetimes.
>Since you cannot rekey, it is best to set LONG lifetimes to give
>the remote a chance to rekey to you. I recommend:
> ikelifetime=2h
> keylife=8h
Thank you very much, I will try right now.
>> dpddelay=10
>> dpdtimeout=30
>> dpdaction=hold
I used this to select the DPD values (http://lists.virus.org/users-openswan-0511/msg00127.html).
Do you have any recommendations for DPD on an xDSL line?
>> #LOCAL
>> left=x.x.x.74
>> leftsubnet=192.1.1.0/23
>> leftnexthop=x.x.x.73
>> #REMOT
>> right=%any
>> rightsubnet=192.168.2.0/24
>> auto=start
>> crypto ipsec security-association lifetime seconds 120
>Make this longer, like 1h
I thought it was fine to set it like the Openswan one, I mean:
Openswan:
ikelifetime=2h
keylife=8h
Cisco:
crypto isakmp policy 1
lifetime 7200
crypto ipsec security-association lifetime seconds 28800
Must I really set this to the same values on both sides?
>Paul
Thank you very much Paul :)
Best regards.
Vince.
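Added example, not part of the thread or of Openswan itself: a small Python lint that parses the quoted conn block, applies Paul's point that rekey=no needs long ikelifetime/keylife, and converts the Openswan lifetimes to the second values used by the Cisco "lifetime" commands quoted above. The dpdtimeout > dpddelay check and the 1h/8h defaults are my assumptions, not something Paul stated.

```python
import re

# Constructed sample: the quoted conn block, trimmed to the keys the lint looks at
SAMPLE_CONN = """
conn provailimit
    rekey=no
    #rekeymargin=0s
    ikelifetime=60s
    keylife=120s
    dpddelay=10
    dpdtimeout=30
    right=%any
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_duration(value):
    """'2h' -> 7200, '120s' -> 120; a bare number (as in dpddelay=10) is seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError("bad duration: %r" % value)
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def parse_conn(text):
    """Return {key: value} for one conn block, skipping the header, comments and blanks."""
    conn = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        conn[key.strip()] = value.strip()
    return conn

def lint_conn(conn, min_lifetime=3600):
    """Warn when rekey=no is combined with short lifetimes (the peer needs a long
    window to rekey) and when the DPD timeout does not exceed the probe delay.
    Assumed defaults: ikelifetime=1h, keylife=8h when the keys are absent."""
    warnings = []
    if conn.get("rekey", "yes") == "no":
        for key, default in (("ikelifetime", "1h"), ("keylife", "8h")):
            secs = parse_duration(conn.get(key, default))
            if secs < min_lifetime:
                warnings.append("rekey=no with %s=%ds: peer may not rekey in time" % (key, secs))
    if "dpddelay" in conn and "dpdtimeout" in conn:
        if parse_duration(conn["dpdtimeout"]) <= parse_duration(conn["dpddelay"]):
            warnings.append("dpdtimeout must be larger than dpddelay")
    return warnings

def cisco_lifetimes(conn):
    """(isakmp policy 'lifetime', 'ipsec security-association lifetime seconds') mirroring this conn."""
    return (parse_duration(conn["ikelifetime"]), parse_duration(conn["keylife"]))
```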