w00t

Reputation: 18281

IPSec tunnel between Cisco ASA and Linux IPSec (racoon) stops working

I have a VPN concentrator VM that runs Linux 2.6.18 (RHEL version 2.6.18-274.12.1.el5) with ipsec-tools 0.7.3.

I have a bunch of connections to various concentrators, but there is one that keeps dying on me. The remote is a Cisco ASA.

Phase 1 and phase 2 come up correctly, and everything seems to go fine, but suddenly the remote stops responding. I can see IPsec packets going out but no responses coming back. DPD seems to be working fine up until that point (I see packets being sent every 10 seconds). This isn't happening all the time either; sometimes it stays up for a long time.

On the remote, the tunnel is no longer active at that point, but racoon still thinks it has phase 1 + phase 2 going. Is there some message that an ASA sends that racoon ignores?

What I also don't understand is that the DPD logic doesn't kill the connection.

Here's my racoon.conf:

remote x.x.x.x {
    exchange_mode main;
    lifetime time 8 hours;
    dpd_delay 10;

    proposal {
        authentication_method pre_shared_key;
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        dh_group 2;
    }
    proposal_check obey;
}

sainfo subnet y.y.y.y/32[0] any subnet z.z.z.0/26 any {
    pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

Upvotes: 1

Views: 1931

Answers (1)

Noah

Reputation: 1081

It's been a while since this was asked, but you might try newer versions of ipsec-tools. There have been a number of protocol interop fixes in newer versions. Also, double check that your parameters match the ASA, particularly regarding the various lifetime settings. I've also had good success with "rekey force" in racoon's "remote" sections. Here are the relevant config sections I use for interoperating with ASAs:

remote w.x.y.z
{
    exchange_mode main;
    lifetime time 28800 seconds;
    proposal_check obey;
    rekey force;
    proposal {
        encryption_algorithm aes 256;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo subnet a.b.c.d/n any subnet e.f.g.h/n any
{
    lifetime time 1 hour;
    encryption_algorithm aes 256;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

Upvotes: 1
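As an added example (not code from the question or the answer), the following Python script parses racoon.conf blocks, normalises the lifetime units so that the question's "8 hours" and the answer's "28800 seconds" compare as equal, and flags lifetimes that differ from what the ASA peer is configured with, plus a missing "rekey force". The sample config and the ASA values passed in are constructed placeholders, not values from a real peer.

```python
import re
# Constructed sample in the question's layout (placeholder addresses, not real peers).
RACOON_CONF = """
remote x.x.x.x {
    lifetime time 8 hours;
    dpd_delay 10;
    proposal {
        dh_group 2;
    }
}
sainfo subnet y.y.y.y/32[0] any subnet z.z.z.0/26 any {
    lifetime time 1 hour;
}
"""

UNITS = {"sec": 1, "secs": 1, "seconds": 1, "min": 60, "mins": 60,
         "minutes": 60, "hour": 3600, "hours": 3600}

def parse_sections(conf):
    """Map each top-level block header to its directives; nested 'proposal { }' is folded in."""
    sections, header, depth, body = {}, None, 0, {}
    for line in filter(None, (l.strip() for l in conf.splitlines())):
        if line.endswith("{"):            # block opens
            if depth == 0:
                header, body = line[:-1].strip(), {}
            depth += 1
        elif line == "}":                 # block closes
            depth -= 1
            if depth == 0:
                sections[header] = body
        else:                             # 'directive args;'
            key, _, args = line.rstrip(";").partition(" ")
            body[key] = args.strip()
    return sections

def lifetime_mismatches(conf, asa_ike_secs, asa_ipsec_secs):
    """Normalise 'lifetime time N unit' to seconds and flag blocks that differ
    from the peer: 'remote' is phase 1 (ISAKMP), 'sainfo' is phase 2 (IPsec)."""
    findings = []
    for header, body in parse_sections(conf).items():
        m = re.match(r"time\s+(\d+)\s+(\w+)", body.get("lifetime", ""))
        if not m:
            continue
        secs = int(m.group(1)) * UNITS[m.group(2)]
        peer = asa_ike_secs if header.startswith("remote") else asa_ipsec_secs
        if secs != peer:
            findings.append(f"{header}: racoon {secs}s vs ASA {peer}s")
        if header.startswith("remote") and body.get("rekey") != "force":
            findings.append(f"{header}: rekey force not set")
    return findings
```

Run it with the phase 1 and phase 2 lifetimes read from the ASA side (in seconds); an empty list means both lifetimes match and rekey force is set.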
