[vpn-help] IPSEC Phase II problems.....

Adam.Staub at rascompanies.com Adam.Staub at rascompanies.com
Thu Mar 11 09:01:41 CST 2010


Using pfSense and the latest Shrew Soft client to tunnel into my network
in a lab environment. I'm running into a problem that I can't find a
solution for. The tunnel is up but it keeps rekeying. Here is a bit of
the log from the pfSense side. To generate traffic, I'm pinging from the
client side.

Mar 10 15:26:35 racoon: []: WARNING: attribute has been modified.
Mar 10 15:26:35 racoon: []: INFO: IPsec-SA established: ESP 192.168.0.220[500]->192.168.0.118[500] spi=4390512(0x42fe70)
Mar 10 15:26:35 racoon: []: INFO: IPsec-SA established: ESP 192.168.0.220[500]->192.168.0.118[500] spi=2371876304(0x8d5ff5d0)
Mar 10 15:26:57 racoon: []: INFO: initiate new phase 2 negotiation: 192.168.0.220[500]<=>192.168.0.118[500]
Mar 10 15:26:57 racoon: []: WARNING: attribute has been modified.
Mar 10 15:26:57 racoon: []: INFO: IPsec-SA established: ESP 192.168.0.220[500]->192.168.0.118[500] spi=181435376(0xad07bf0)
Mar 10 15:26:57 racoon: []: INFO: IPsec-SA established: ESP 192.168.0.220[500]->192.168.0.118[500] spi=495471846(0x1d884ce6)
Mar 10 15:27:19 racoon: []: INFO: initiate new phase 2 negotiation: 192.168.0.220[500]<=>192.168.0.118[500]
Mar 10 15:27:19 racoon: []: WARNING: attribute has been modified.
Mar 10 15:27:19 racoon: []: INFO: IPsec-SA established: ESP 192.168.0.220[500]->192.168.0.118[500] spi=85353932(0x51665cc)
Mar 10 15:27:19 racoon: []: INFO: IPsec-SA established: ESP 192.168.0.220[500]->192.168.0.118[500] spi=540386023(0x2035a2e7)
Mar 10 15:27:41 racoon: []: INFO: initiate new phase 2 negotiation: 192.168.0.220[500]<=>192.168.0.118[500]
Mar 10 15:27:41 racoon: []: WARNING: attribute has been modified.
Mar 10 15:27:41 racoon: []: INFO: IPsec-SA established: ESP 192.168.0.220[500]->192.168.0.118[500] spi=85404461(0x5172b2d)
Mar 10 15:27:41 racoon: []: INFO: IPsec-SA established: ESP 192.168.0.220[500]->192.168.0.118[500] spi=690417644(0x2926efec)
Mar 10 15:27:52 racoon: []: INFO: initiate new phase 2 negotiation: 192.168.0.220[500]<=>192.168.0.118[500]
Mar 10 15:27:52 racoon: []: WARNING: attribute has been modified.
Mar 10 15:27:52 racoon: []: INFO: IPsec-SA established: ESP 192.168.0.220[500]->192.168.0.118[500] spi=219805043(0xd19f573)
Mar 10 15:27:52 racoon: []: INFO: IPsec-SA established: ESP 192.168.0.220[500]->192.168.0.118[500] spi=2551290233(0x98119979)
Mar 10 15:28:06 racoon: []: INFO: initiate new phase 2 negotiation: 192.168.0.220[500]<=>192.168.0.118[500]
Mar 10 15:28:06 racoon: []: WARNING: attribute has been modified.

Here is my racoon.conf.

path pre_shared_key "/var/etc/psk.txt";
path certificate "/var/etc";

listen
{
    adminsock "/var/db/racoon/racoon.sock" "root" "wheel" 0660;
    isakmp 192.168.0.220 [500];
    isakmp_natt 192.168.0.220 [4500];
}

mode_cfg
{
    auth_source system;
    group_source system;
    pool_size 253;
    network4 192.168.116.1;
    netmask4 255.255.255.0;
    split_network include 206.42.152.0/24;
    dns4 206.42.152.10;
    banner "/var/etc/racoon.motd";
}

remote anonymous
{
    ph1id 1;
    exchange_mode aggressive;
    my_identifier keyid tag "riskadmin";
    peers_identifier keyid tag "riskadmin";
    ike_frag on;
    generate_policy = unique;
    initial_contact = off;
    nat_traversal = on;
    dpd_delay = 10;
    dpd_maxfail = 5;
    support_proxy on;
    proposal_check claim;
    proposal
    {
        authentication_method xauth_psk_server;
        encryption_algorithm 3des;
        hash_algorithm sha1;
        dh_group 2;
        lifetime time 28800 secs;
    }
}

sainfo subnet 206.42.152.0/24 any anonymous
{
    remoteid 1;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    lifetime time 28800 secs;
    compression_algorithm deflate;
}

It looks like a new SPI is being generated every 22 seconds. Can
anybody tell me what is wrong?

Thanks,

Adam
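A small log check that measures what the post describes, written here as an added example and not part of the original message or of pfSense or racoon: it parses the racoon lines quoted above, computes the gap between successive Phase 2 negotiations, and compares that gap with the 28800-second lifetime configured in the sainfo block. The syslog layout and the year 2010 used for the timestamps are assumptions, as is the "less than half the lifetime" threshold.

```python
import re
from datetime import datetime
from statistics import median

# Log lines copied from the post above (pfSense racoon output); the syslog
# layout and the year 2010 used when parsing timestamps are assumptions.
SAMPLE_LOG = """\
Mar 10 15:26:35 racoon: []: INFO: IPsec-SA established: ESP 192.168.0.220[500]->192.168.0.118[500] spi=4390512(0x42fe70)
Mar 10 15:26:35 racoon: []: INFO: IPsec-SA established: ESP 192.168.0.220[500]->192.168.0.118[500] spi=2371876304(0x8d5ff5d0)
Mar 10 15:26:57 racoon: []: INFO: initiate new phase 2 negotiation: 192.168.0.220[500]<=>192.168.0.118[500]
Mar 10 15:26:57 racoon: []: WARNING: attribute has been modified.
Mar 10 15:27:19 racoon: []: INFO: initiate new phase 2 negotiation: 192.168.0.220[500]<=>192.168.0.118[500]
Mar 10 15:27:41 racoon: []: INFO: initiate new phase 2 negotiation: 192.168.0.220[500]<=>192.168.0.118[500]
Mar 10 15:27:52 racoon: []: INFO: initiate new phase 2 negotiation: 192.168.0.220[500]<=>192.168.0.118[500]
Mar 10 15:28:06 racoon: []: INFO: initiate new phase 2 negotiation: 192.168.0.220[500]<=>192.168.0.118[500]
""".splitlines()

LOG_RE = re.compile(r"^(\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) racoon: \[\]: (\w+): (.*)$")
SPI_RE = re.compile(r"spi=(\d+)\(0x([0-9a-f]+)\)")

def parse_line(line, year=2010):
    """Return (timestamp, level, message), or None for lines racoon did not write."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)

def phase2_intervals(lines):
    """Seconds between successive 'initiate new phase 2 negotiation' events."""
    starts = [e[0] for e in map(parse_line, lines)
              if e and e[2].startswith("initiate new phase 2 negotiation")]
    return [int((b - a).total_seconds()) for a, b in zip(starts, starts[1:])]

def established_spis(lines):
    """SPIs of every IPsec-SA racoon reported as established, as integers."""
    found = [SPI_RE.search(e[2]) for e in map(parse_line, lines)
             if e and "IPsec-SA established" in e[2]]
    return [int(m.group(2), 16) for m in found if m]

def rekey_verdict(lines, lifetime_secs):
    """Flag Phase 2 rekeying that happens far sooner than the configured lifetime."""
    ivals = phase2_intervals(lines)
    if not ivals:
        return "no phase 2 rekeys observed"
    med = median(ivals)
    if med < lifetime_secs / 2:  # assumed threshold: well under half the lifetime
        return f"abnormal: median rekey every {med:.0f}s, lifetime is {lifetime_secs}s"
    return f"normal: median rekey every {med:.0f}s"
```

Run against the quoted lines it reports a median gap of 18 seconds against a 28800-second lifetime, which is the mismatch worth taking to the client-side and server-side Phase 2 settings.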

 

