Old 03-01-2010, 05:15 PM
"Peter Shulkin"
 
IPSec questions

So I have IPSec working from redhat to redhat, and from redhat to
windows, but when I set up redhat (xx.xx) to hp (yy.yy), I get a SA
connection, but I cannot ping. Also, the log shows me "anonymous sainfo
selected" even though I have the SA defined.

A second question, re: redhat to windows (ww.ww). I'm able to get a
successful connection as long as I ping from the windows side first, but
then I lose the connection after 10 minutes of inactivity, and can only
re-establish it if I ping from the windows side. Then I'm good for
another 10 minutes or so. Does anyone know how to stop this timeout?

setkey -DP

128.181.yy.yy[any] 128.181.xx.xx[32] any
	in prio def ipsec
	esp/transport//require
	created: Mar 1 09:09:55 2010 lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=41304 seq=25 pid=20119
	refcnt=1
128.181.yy.yy[any] 128.181.xx.xx[any] any
	in prio def ipsec
	esp/transport//require
	ah/transport//require
	created: Mar 1 09:10:06 2010 lastused: Mar 1 09:14:33 2010
	lifetime: 0(s) validtime: 0(s)
	spid=41328 seq=24 pid=20119
	refcnt=2
128.181.xx.xx[any] 128.181.yy.yy[32] any
	out prio def ipsec
	esp/transport//require
	created: Mar 1 09:09:55 2010 lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=41297 seq=21 pid=20119
	refcnt=1
128.181.xx.xx[any] 128.181.yy.yy[any] any
	out prio def ipsec
	esp/transport//require
	ah/transport//require
	created: Mar 1 09:10:06 2010 lastused: Mar 1 09:11:35 2010
	lifetime: 0(s) validtime: 0(s)
	spid=41321 seq=20 pid=20119
	refcnt=2
128.181.yy.yy[any] 128.181.xx.xx[32] any
	fwd prio def ipsec
	esp/transport//require
	created: Mar 1 09:09:55 2010 lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=41314 seq=17 pid=20119
	refcnt=1
128.181.yy.yy[any] 128.181.xx.xx[any] any
	fwd prio def ipsec
	esp/transport//require
	ah/transport//require
	created: Mar 1 09:10:06 2010 lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=41338 seq=16 pid=20119
	refcnt=1
(per-socket policy)
	in none
	created: Mar 1 09:10:07 2010 lastused: Mar 1 09:11:14 2010
	lifetime: 0(s) validtime: 0(s)
	spid=41363 seq=9 pid=20119
	refcnt=1
(per-socket policy)
	out none
	created: Mar 1 09:10:07 2010 lastused: Mar 1 09:11:55 2010
	lifetime: 0(s) validtime: 0(s)
	spid=41372 seq=1 pid=20119
	refcnt=1

From the debug log:

2010-03-01 09:11:35: DEBUG: suitable inbound SP found: 128.181.yy.yy/32[0] 128.181.xx.xx/32[0] proto=any dir=in.
2010-03-01 09:11:35: DEBUG: new acquire 128.181.xx.xx/32[0] 128.181.yy.yy/32[0] proto=any dir=out
2010-03-01 09:11:35: DEBUG: anonymous sainfo selected.

2010-03-01 09:11:55: DEBUG: resend phase2 packet 3a93dfd2a4ab4ba2:bbf5e70baaff7c07:0000a9d9
2010-03-01 09:12:05: DEBUG: get pfkey EXPIRE message
2010-03-01 09:12:05: INFO: IPsec-SA expired: AH/Transport 128.181.yy.yy[0]->128.181.xx.xx[0] spi=249936532(0xee5ba94)
2010-03-01 09:12:05: WARNING: the expire message is received but the handler has not been established.
2010-03-01 09:12:05: ERROR: 128.181.yy.yy give up to get IPsec-SA due to time up to wait.
2010-03-01 09:12:05: DEBUG: an undead schedule has been deleted.
2010-03-01 09:12:05: DEBUG: get pfkey EXPIRE message
2010-03-01 09:12:05: INFO: IPsec-SA expired: ESP/Transport 128.181.yy.yy[0]->128.181.xx.xx[0] spi=15343223(0xea1e77)
2010-03-01 09:12:05: DEBUG: no such a SA found: ESP/Transport 128.181.yy.yy[0]->128.181.xx.xx[0] spi=15343223(0xea1e77)

On the windows side:

2010-03-01 12:22:08: DEBUG: pfkey UPDATE succeeded: ESP/Transport 128.181.ww.ww[0]->128.181.xx.xx[0] spi=101578039(0x60df537)
2010-03-01 12:22:08: INFO: IPsec-SA established: ESP/Transport 128.181.ww.ww[0]->128.181.xx.xx[0] spi=101578039(0x60df537)

Connection good.

After about 10 minutes or more:

2010-03-01 12:38:06: DEBUG: Cannot record event: event queue overflowed
2010-03-01 12:38:06: DEBUG: call pfkey_send_dump
2010-03-01 12:38:06: DEBUG: purged SAs.

ping 128.181.ww.ww
PING 128.181.ww.ww (128.181.ww.ww) 56(84) bytes of data.

--- 128.181.ww.ww ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 2999ms

But from the windows server:

C:\WINDOWS>ping 128.181.xx.xx

Pinging 128.181.xx.xx with 32 bytes of data:

Negotiating IP Security.
Reply from 128.181.xx.xx: bytes=32 time=1ms TTL=64
Reply from 128.181.xx.xx: bytes=32 time<1ms TTL=64
Reply from 128.181.xx.xx: bytes=32 time<1ms TTL=64

Ping statistics for 128.181.xx.xx:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 1ms, Average = 0ms

Thanks,

Peter Shulkin

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
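An added example, not part of Peter's post and not racoon's own code: a small correlator over racoon debug lines that pairs each kernel ACQUIRE with the "anonymous sainfo selected" fallback and with how the phase 2 negotiation ended, which is the first thing to check when a peer shows an SA but passes no traffic. The log lines are constructed, modelled on the wording quoted above, with the xx/yy/ww placeholders kept; the message formats are assumed to match what racoon prints on this system.

```python
import re

# Constructed sample, modelled on the racoon debug lines quoted in the post
# (xx/yy/ww address placeholders kept as in the post); one event per line.
SAMPLE_LOG = """\
2010-03-01 09:11:35: DEBUG: new acquire 128.181.xx.xx/32[0] 128.181.yy.yy/32[0] proto=any dir=out
2010-03-01 09:11:35: DEBUG: anonymous sainfo selected.
2010-03-01 09:11:55: DEBUG: resend phase2 packet 3a93dfd2a4ab4ba2:bbf5e70baaff7c07:0000a9d9
2010-03-01 09:12:05: ERROR: 128.181.yy.yy give up to get IPsec-SA due to time up to wait.
2010-03-01 12:22:00: DEBUG: new acquire 128.181.xx.xx/32[0] 128.181.ww.ww/32[0] proto=any dir=out
2010-03-01 12:22:08: INFO: IPsec-SA established: ESP/Transport 128.181.ww.ww[0]->128.181.xx.xx[0] spi=101578039(0x60df537)
"""

LINE = re.compile(r"^(?P<ts>\S+ \S+): (?P<level>[A-Z]+): (?P<msg>.*)$")
ACQUIRE = re.compile(r"new acquire (?P<src>\S+?)/\d+\[\d+\] (?P<dst>\S+?)/\d+\[\d+\]")
ESTABLISHED = re.compile(r"IPsec-SA established: \S+ (?P<a>\S+?)\[\d+\]->(?P<b>\S+?)\[\d+\]")
GIVEUP = re.compile(r"^(?P<peer>\S+) give up to get IPsec-SA")


def phase2_outcomes(log_text):
    """One record per kernel ACQUIRE, in log order: the peer, whether racoon fell
    back to the anonymous sainfo, the phase 2 resend count, and how it ended."""
    pending, results = {}, []          # pending: peer -> record awaiting an outcome
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        latest = max(pending.values(), key=lambda r: r["started"], default=None)
        if (a := ACQUIRE.search(msg)):          # dir=out acquire: dst is the peer
            rec = {"started": ts, "peer": a.group("dst"), "anonymous_sainfo": False,
                   "phase2_resends": 0, "outcome": "pending", "ended": None}
            pending[rec["peer"]] = rec
            results.append(rec)
        elif msg.startswith("anonymous sainfo selected") and latest:
            latest["anonymous_sainfo"] = True   # logged while handling the preceding acquire
        elif msg.startswith("resend phase2 packet") and latest:
            latest["phase2_resends"] += 1
        elif (g := GIVEUP.match(msg)) and g.group("peer") in pending:
            pending.pop(g.group("peer")).update(outcome="failed", ended=ts)
        elif (e := ESTABLISHED.search(msg)):    # either endpoint may be the peer
            for peer in (e.group("a"), e.group("b")):
                if peer in pending:
                    pending.pop(peer).update(outcome="established", ended=ts)
    return results


def anonymous_and_failed(results):
    """The pattern in the post: anonymous sainfo chosen, then the SA never came up."""
    return [r for r in results if r["anonymous_sainfo"] and r["outcome"] == "failed"]
```

Run it over the real racoon log (after joining wrapped lines): a peer that lands in `anonymous_and_failed` had no specific `sainfo` matching its selectors, so the proposal that was actually sent came from the anonymous block rather than the SA you think you defined.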