02.28.2008 at 08:46AM PST, ID: 23200885
IPSec Renegotiating even though it's already conected

Asked by TTCLIVE in IPSec Security Protocol, Miscellaneous Networking, Virtual Private Networking (VPN)

I have a SnapGear SG550 at my main location doing IPSec tunnels for two remote locations (for IP phones and network resources). The remote locations both have Linksys BEFSX41's and are configured with the same settings (excluding the preshared secret and IP scheme: one is 192.168.1.0 and the other is 192.168.2.0) to communicate with my SnapGear at my main location.

I have had one of the tunnels working fine now for a couple of weeks and am adding the second tunnel with some issues. The second tunnel on the 192.168.1.0 IP setup is connected and it says "Running" for the status, but it also says "Renegotiating Phase 1 and Renegotiating Phase 2" like it's trying to connect...but it's already connected!

I'm wondering how to get the tunnel to stop trying to connect to a connection it's already connected to.

Below is a part of the Log on the SnapGear that is showing what it's trying to do as well as my IPSEC config file showing my local settings for those tunnels.

***** Just so we don't get off on a tangent about my keylife time, I need to make sure the tunnel does not drop during the day, so I have it set to 24 hours before it rekeys. The SnapGear keeps the tunnel open, but the Linksys seems to drop the tunnel completely and renegotiate every time the key is renegotiated, so this seems to be working as a workaround for that problem. *****
Feb 28 09:36:53 Pluto[171]: (20080228T093653253) "Phx2WA" #2623: IPsec SA established
Feb 28 09:37:01 Pluto[171]: (20080228T093701078) "Phx2WA" #2621: next payload type of ISAKMP Identification Payload has an unknown value: 91
Feb 28 09:37:01 Pluto[171]: (20080228T093701081) "Phx2WA" #2621: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet 
Feb 28 09:37:20 Pluto[171]: (20080228T093720901) "Phx2WA" #2621: next payload type of ISAKMP Identification Payload has an unknown value: 188
Feb 28 09:37:20 Pluto[171]: (20080228T093720905) "Phx2WA" #2621: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Feb 28 09:37:56 Pluto[171]: (20080228T093756913) "Phx2WA" #2620: max number of retransmissions (2) reached STATE_QUICK_I1
Feb 28 09:37:56 Pluto[171]: (20080228T093756915) "Phx2WA" #2620: starting keying attempt 768 of an unlimited number
Feb 28 09:37:56 Pluto[171]: (20080228T093757004) "Phx2WA" #2624: initiating Quick Mode PSK+ENCRYPT+TUNNEL to replace #2620
Feb 28 09:37:57 Pluto[171]: (20080228T093757077) "Phx2WA" #2622: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Feb 28 09:37:57 Pluto[171]: (20080228T093757078) "Phx2WA" #2622: Notification: Pid=3 SPIsz=4 Type=14 Val=p\036\243W\012
Feb 28 09:37:57 Pluto[171]: (20080228T093757079) "Phx2WA" #2622: received and ignored informational message
Feb 28 09:37:57 Pluto[171]: (20080228T093757342) "Phx2WA" #2625: responding to Main Mode
Feb 28 09:37:58 Pluto[171]: (20080228T093758994) "Phx2WA" #2625: sent MR3, ISAKMP SA established
Feb 28 09:37:59 Pluto[171]: (20080228T093759067) "Phx2WA" #2626: responding to Quick Mode
Feb 28 09:37:59 Pluto[171]: (20080228T093759185) "Phx2WA" #2626: IPsec SA established
___________________________________________________________________
 
config setup
	interfaces = %defaultroute
	X-enabled = yes
	klipsdebug = none
	plutodebug = none
	plutoload = %search
	plutostart = %search
	overridemtu = 1500
	manualstart = 
	uniqueids = yes
 
conn Phx2TX
	type = tunnel
	leftsubnet = 192.168.0.0/24
	rightsubnet = 192.168.2.0/24
	left = %defaultroute
	x-interface = %defaultroute
	right = DOMAINNAME*.gotdns.com
	auto = start
	keyexchange = ike
	authby = secret
	auth = esp
	pfs = no
	pfsgroup = MODP1024
	leftid = vpn@DOMAINNAME*.gotdns.com
	rightid = TEXAS_Linksys
	ike = "3DES-MD5-MODP768"
	esp = "3DES-SHA1"
	keyingtries = 0
	ikelifetime = 86400
	keylife = 86400
	rekeymargin = 600
	rekeyfuzz = 100%
	x-l2tpd = no
 
conn Phx2WA
	type = tunnel
	leftsubnet = 192.168.0.0/24
	rightsubnet = 192.168.1.0/24
	left = %defaultroute
	x-interface = %defaultroute
	right = DOMAINNAME*.gotdns.com
	auto = start
	keyexchange = ike
	authby = secret
	auth = esp
	pfs = no
	pfsgroup = MODP1024
	leftid = vpn@DOMAINNAME*.gotdns.com
	rightid = WA_Linksys
	ike = "3DES-MD5-MODP768"
	esp = "3DES-SHA1"
	keyingtries = 0
	ikelifetime = 86400
	keylife = 86400
	rekeymargin = 600
	rekeyfuzz = 100%
	x-l2tpd = no
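The log excerpt above already tells most of the story: state #2620 is an initiator state (STATE_QUICK_I1) that exhausted its retransmissions and, because keyingtries = 0 means unlimited, is on keying attempt 768; state #2621 hit Pluto's "probable authentication failure (mismatch of preshared secrets?)" message, which Pluto emits when the peer's encrypted Main Mode packet decrypts to garbage, the usual result of the two ends holding different preshared secrets; state #2622 got a NO_PROPOSAL_CHOSEN rejection from the peer; and yet the Linksys-initiated Main Mode and Quick Mode (#2625, #2626) completed normally, which is why the tunnel shows "Running" while also "Renegotiating". The script below is an added example, not code from the question or from the SnapGear firmware: it parses Pluto-format lines, tags each negotiation state with what happened to it, reports whether failures are being logged after an IPsec SA has already come up (the symptom in the question), and computes the window in which Pluto starts rekeying for the keylife/rekeymargin/rekeyfuzz values in the config. SAMPLE_LOG is a constructed subset of the lines quoted above; the function and variable names are the example's own.

```python
"""Triage Openswan/FreeS*WAN Pluto log lines for one IPsec connection.

Added example, not from the question or the SnapGear firmware. It assumes
the Pluto log format shown in the question; SAMPLE_LOG is a constructed
subset of the lines quoted there.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the Pluto lines quoted in the question.
SAMPLE_LOG = """\
Feb 28 09:36:53 Pluto[171]: (20080228T093653253) "Phx2WA" #2623: IPsec SA established
Feb 28 09:37:01 Pluto[171]: (20080228T093701081) "Phx2WA" #2621: probable authentication failure (mismatch of preshared secrets?): malformed payload in packet
Feb 28 09:37:56 Pluto[171]: (20080228T093756913) "Phx2WA" #2620: max number of retransmissions (2) reached STATE_QUICK_I1
Feb 28 09:37:56 Pluto[171]: (20080228T093756915) "Phx2WA" #2620: starting keying attempt 768 of an unlimited number
Feb 28 09:37:56 Pluto[171]: (20080228T093757004) "Phx2WA" #2624: initiating Quick Mode PSK+ENCRYPT+TUNNEL to replace #2620
Feb 28 09:37:57 Pluto[171]: (20080228T093757077) "Phx2WA" #2622: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Feb 28 09:37:57 Pluto[171]: (20080228T093757342) "Phx2WA" #2625: responding to Main Mode
Feb 28 09:37:58 Pluto[171]: (20080228T093758994) "Phx2WA" #2625: sent MR3, ISAKMP SA established
Feb 28 09:37:59 Pluto[171]: (20080228T093759185) "Phx2WA" #2626: IPsec SA established
"""

# One Pluto line: syslog prefix, (YYYYMMDDTHHMMSSmmm), "conn" #state: message
LINE_RE = re.compile(
    r'^\w{3} +\d{1,2} \d\d:\d\d:\d\d Pluto\[\d+\]: \((?P<ts>\d{8}T\d{9})\) '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*?)\s*$'
)
# Message patterns worth tagging; each state accumulates the tags it produced.
EVENTS = (
    ("auth_failure", re.compile(r"probable authentication failure")),
    ("no_proposal_chosen", re.compile(r"NO_PROPOSAL_CHOSEN")),
    ("retransmit_exhausted", re.compile(r"max number of retransmissions")),
    ("isakmp_sa_up", re.compile(r"\bISAKMP SA established")),
    ("ipsec_sa_up", re.compile(r"\bIPsec SA established")),
    ("initiator", re.compile(r"^initiating (Main|Quick) Mode")),
    ("responder", re.compile(r"^responding to (Main|Quick) Mode")),
)
FAILURE_TAGS = {"auth_failure", "no_proposal_chosen", "retransmit_exhausted"}
# keyingtries = 0 in ipsec.conf shows up in the log as "of an unlimited number"
ATTEMPT_RE = re.compile(r"starting keying attempt (\d+) of an unlimited number")


def parse(log_text):
    """Yield (timestamp, conn, state_number, message) for each Pluto line."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            ts = datetime.strptime(m["ts"], "%Y%m%dT%H%M%S%f")
            yield ts, m["conn"], int(m["state"]), m["msg"]


def analyze(log_text):
    """Summarise, per connection, whether the tunnel is up and what keeps failing."""
    report = {}
    for ts, conn, state, msg in parse(log_text):
        s = report.setdefault(conn, {
            "states": defaultdict(set),   # state number -> tags seen for it
            "last_ipsec_up": None,        # when an IPsec SA last came up
            "failures_after_up": 0,       # failing events logged after that
            "unlimited_retries": False,
            "max_keying_attempt": 0,
        })
        tags = {tag for tag, rx in EVENTS if rx.search(msg)}
        s["states"][state] |= tags
        if "ipsec_sa_up" in tags:
            s["last_ipsec_up"] = ts
        elif tags & FAILURE_TAGS and s["last_ipsec_up"] is not None:
            # The "Running" yet "Renegotiating" symptom: one state is failing
            # while another state already carries traffic.
            s["failures_after_up"] += 1
        a = ATTEMPT_RE.search(msg)
        if a:
            s["unlimited_retries"] = True
            s["max_keying_attempt"] = max(s["max_keying_attempt"], int(a.group(1)))
    for s in report.values():
        s["tunnel_up"] = s["last_ipsec_up"] is not None
        s["renegotiating_while_up"] = s["failures_after_up"] > 0
        s["auth_failures"] = sum("auth_failure" in t for t in s["states"].values())
    return report


def rekey_window(keylife, rekeymargin, rekeyfuzz_pct):
    """Seconds after an SA comes up at which Pluto starts replacing it.

    rekeymargin is randomly increased by up to rekeyfuzz percent, so the
    replacement begins between keylife - margin*(1+fuzz) and keylife - margin.
    """
    earliest = keylife - rekeymargin * (100 + rekeyfuzz_pct) // 100
    latest = keylife - rekeymargin
    return earliest, latest


if __name__ == "__main__":
    for conn, s in analyze(SAMPLE_LOG).items():
        print(conn, "tunnel_up=%s renegotiating_while_up=%s auth_failures=%d "
              "keying_attempts=%d" % (s["tunnel_up"], s["renegotiating_while_up"],
                                      s["auth_failures"], s["max_keying_attempt"]))
    print("rekey starts (s after SA up):", rekey_window(86400, 600, 100))
```

Run as-is it reports on the sample; feed analyze() the full Pluto log to see which state numbers keep failing and whether every failure belongs to SnapGear-initiated attempts while the Linksys-initiated ones succeed. Two caveats that follow from the config above: rekeymargin and rekeyfuzz are local, so each end rekeys on its own configured lifetime and the shorter one (the Linksys side, not shown in the post) wins, and with keylife = 86400, rekeymargin = 600 and rekeyfuzz = 100% the replacement starts 600 to 1200 seconds before expiry, so the rekey moves earlier by that much every cycle rather than staying pinned to the same clock time. Separately, the 3DES-MD5-MODP768 IKE proposal is far below current minimums; the script does not check proposal strength.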
About this solution

Zones: IPSec Security Protocol, Miscellaneous Networking, Virtual Private Networking (VPN)
Tags: Secure Computing and Linksys, SnapGear SG550 and BEFSX41, Snapgear at one location, Linksys at another.
Solution Provided By: keith_alabaster
Participating Experts: 1
Solution Grade: B
 
 