IPSEC VPN phase 1 renegotiation

shyams — Tue, 05 Nov 2013 03:12:29 GMT

Hello

I am facing packet drops whenever the phase 1 re-negotiates. The SA gets expired and deleted but it takes 20 minutes for it to start the P1 phase again. In that period the traffic times out until the P1 starts again after 20 minutes. Below are the logs. I have replaced our gateway address with xx.xx.xx.xx

2013-11-05 10:24:02 [INFO]: ====> PHASE-1 SA LIFETIME EXPIRED <====

====> Expired SA: xx.xx.xx.xx[500]-211.13.205.150[500] cookie:cf98f03c954db3ed:53951433f27d287ci <====

2013-11-05 10:24:02 [INFO]: ====> PHASE-1 SA DELETED <====

====> Deleted SA: xx.xx.xx.xx[500]-211.13.205.150[500] cookie:cf98f03c954db3ed:53951433f27d287ci <====

2013-11-05 10:43:59 [INFO]: IPsec-SA request for 211.13.205.150 queued since no phase1 found

2013-11-05 10:43:59 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====

====> Initiated SA: xx.xx.xx.xx[500]-211.13.205.150[500] cookie:a6f4545850bdaa6c:0000000000000000 <====

2013-11-05 10:44:00 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS INITIATOR, MAIN MODE <====

====> Established SA: xx.xx.xx.xx[500]-211.13.205.150[500] cookie:a6f4545850bdaa6c:c8f5e6db76ec5d46 lifetime 6400 Sec <====

2013-11-05 10:44:00 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION STARTED AS INITIATOR, (QUICK MODE) <====

====> Initiated SA: xx.xx.xx.xx[500]-211.13.205.150[500] message id:0xB0FD55D5 <====

2013-11-05 10:44:00 [PROTO_NOTIFY]: ====> PHASE-2 NEGOTIATION SUCCEEDED AS INITIATOR, (QUICK MODE) <====

====> Established SA: xx.xx.xx.xx[500]-211.13.205.150[500] message id:0xB0FD55D5, SPI:0x9AD00707/0x0F93DFE1 <====

2013-11-05 10:44:00 [INFO]: SADB_UPDATE ul_proto=255 src=211.13.205.150[500] dst=xx.xx.xx.xx[500] satype=ESP samode=tunl spi=0x9AD00707 authtype=MD5 enctype=NULL_ENC lifetime soft time=6400 bytes=0 hard time=6400 bytes=0

2013-11-05 10:44:00 [INFO]: SADB_ADD ul_proto=255 src=xx.xx.xx.xx[500] dst=211.13.205.150[500] satype=ESP samode=tunl spi=0x0F93DFE1 authtype=MD5 enctype=NULL_ENC lifetime soft time=6400 bytes=0 hard time=6400 bytes=0

2013-11-05 10:44:00 [INFO]: IPsec-SA established: ESP/Tunnel 211.13.205.150[500]->xx.xx.xx.xx[500] spi=2597324551(0x9ad00707)

2013-11-05 10:44:00 [PROTO_NOTIFY]: ====> IPSEC KEY INSTALLATION SUCCEEDED <====

====> Installed SA: xx.xx.xx.xx[500]-211.13.205.150[500] SPI:0x9AD00707/0x0F93DFE1 lifetime 6400 Sec lifesize unlimited <====

Thanks

Shyam

Re: IPSEC VPN phase 1 renegotiation

HULK — Wed, 06 Nov 2013 02:51:55 GMT

Hello Shyam,

As per the log messages

10:24:02 -------- we received the phase-I delete message --------- > [INFO]: ====> PHASE-1 SA DELETED <====

10:43:59 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION STARTED AS INITIATOR, MAIN MODE <====

After 20 minutes we got the Phase-I negotiation messages and PAN were acting as an initiator.

Could you please set the PAN device as a responder ( passive mode) and let me know if that makes any difference.

FYI..

Thanks

Re: IPSEC VPN phase 1 renegotiation

shyams — Wed, 06 Nov 2013 04:03:58 GMT

Hello Hulk

Thanks for the response.

I enabled passive setting and was getting packet drops. It was working before I enabled the passive setting. I removed the setting and the pings are working now again. But I am sure the packet with drop once the renegotiation starts

Thanks

Shyam

topic Re: IPSEC VPN phase 1 renegotiation in General Topics

IPSEC VPN phase 1 renegotiation

Re: IPSEC VPN phase 1 renegotiation

Re: IPSEC VPN phase 1 renegotiation