
gif interface with IPSec spontaneously stopping working - FreeBSD



01-07-2005, 03:54 PM

I have two machines on a community wireless network with static IP addresses.
These machines are used to form a VPN over the CWN, providing a secure
routed path between two private networks. To secure the link I am using gif
interfaces at each end to form the tunnel, and then we are using IPsec with
a pre-shared key.

This link seems very stable for a couple of days, but then it will just stop
without any warning or errors. When I do a tcpdump at the physical
interface (not the virtual gif interface) I see the ISAKMP messages being
exchanged between the racoon daemons on each box:

02:20:20.948965 10.192.8.1.isakmp > 10.192.9.33.isakmp: isakmp: phase 1 I agg: [|sa]
02:20:20.966082 10.192.9.33.isakmp > 10.192.8.1.isakmp: isakmp: phase 1 R agg: [|sa]
02:20:21.036640 10.192.8.1.isakmp > 10.192.9.33.isakmp: isakmp: phase 1 I agg: (hash: len=20)
02:20:21.065342 10.192.8.1.isakmp > 10.192.9.33.isakmp: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash]
02:20:21.069884 10.192.9.33.isakmp > 10.192.8.1.isakmp: isakmp: phase 2/others R oakley-quick[E]: [encrypted hash]
02:20:21.077303 10.192.8.1.isakmp > 10.192.9.33.isakmp: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash]

But then the data doesn't start to flow. If I go and destroy the gif
interface and then re-create it with the same settings it comes back
straight away, and I see the exact same pattern of isakmp packets.

Can anyone suggest what could be wrong? The machines are running 5.2.1 p9
and p11 (I am building the world and kernel for 5.3 on each box now), but
assuming an upgrade to 5.3 doesn't resolve the issue, where can I start with
the investigation to find why the interface is dropping out? Is there a way
to get error logging or diagnostics out of gif interfaces? Does it sound
more like an interface or IPsec issue?

I hope someone can help!

Thanks,

Chris Martin

