freeswan 1.91 and ASA problem

Hi

I have a problem with an IPsec L2L tunnel between Freeswan and an ASA. The tunnel disconnects by itself after 15-20 minutes. When I restart the tunnel on the Freeswan side, it connects again.

In my syslog I get errors like these:

Keep-alives configured on but peer does not support keep-alives (type = None)

QM FSM error construct_ipsec_delete(): No SPI to identify Phase 2 SA! Removing peer from correlator table failed, no match!

I configured a key lifetime of 86400s on both sides, but when I run:

sh crypto isakmp sa detail | include Life
Auth : preshared Lifetime: 3600
Lifetime Remaining: 3228

I have only 3600s... why???

ASA config:

crypto ipsec transform-set wwa_interia_pl esp-3des esp-sha-hmac
crypto dynamic-map DYN_MAP_VPN_1 10 set transform-set tunel
crypto dynamic-map DYN_MAP_VPN_1 10 set security-association lifetime seconds 288000
crypto dynamic-map DYN_MAP_VPN_1 10 set reverse-route
crypto map outside_map 20 match address www_xxx
crypto map outside_map 20 set peer 81.81.81.130
crypto map outside_map 20 set transform-set www_xxx
crypto map outside_map 100 ipsec-isakmp dynamic DYN_MAP_VPN_1
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

tunnel-group 10.10.10.10 type ipsec-l2l
tunnel-group 10.10.10.10 ipsec-attributes
 pre-shared-key *

access-list www_xxx; 1 elements
access-list www_xxx line 1 extended permit icmp 10.11.0.0 255.255.0.0 10.200.200.0 255.255.255.0

freeswan 1.91 config:

config setup
 interfaces=%defaultroute
 plutodebug=none
 klipsdebug=none
 plutoload=%search
 plutostart=%search
 uniqueids=yes
 overridemtu=1364

 type=tunnel
 authby=secret
 left=80.80.80.2
 leftsubnet=10.11.0.0/16
 leftnexthop=
 right=81.81.81.130
 rightsubnet=10.200.200.0/24
 rightnexthop=81.81.81.129
 keyingtries=0
 keylife=24h
 auto=add
 keyexchange=ike
 pfs=no
 auth=esp
 #ike=3des-sha-modp1024
 esp=3des-sha1

on the ASA: sh crypto isakmp sa detail

IKE Peer: 81.81.81.130
 Type    : L2L             Role    : responder
 Rekey   : no              State   : MM_ACTIVE
 Encrypt : 3des            Hash    : SHA
 Auth    : preshared       Lifetime: 3600
 Lifetime Remaining: 3304

Thanks for any help.

Ted


I do not see anything referencing the SA time in the freeswan config; perhaps it is creating the tunnel, and freeswan is making the default SA time 3600?

artie lange

IMHO I have the same time settings on the ASA and Linux.

In the ASA I have:

crypto ipsec transform-set www_xxx esp-3des esp-sha-hmac
crypto dynamic-map DYN_MAP_VPN_1 10 set transform-set tunel
crypto dynamic-map DYN_MAP_VPN_1 10 set security-association lifetime seconds 288000
crypto dynamic-map DYN_MAP_VPN_1 10 set reverse-route
crypto map outside_map 20 match address www_xxx
crypto map outside_map 20 set peer 10.10.10.10
crypto map outside_map 20 set security-association lifetime seconds 86400
crypto map outside_map 20 set transform-set www_xxx
crypto map outside_map 100 ipsec-isakmp dynamic DYN_MAP_VPN_1
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800

In freeswan:

 keyingtries=0
 ikelifetime=28800
 keylife=24h
 keyexchange=ike
 spibase=0x200
 pfs=no
 auth=esp

freeswan logs:

000 "www_xxx":
000 "wwa-cisco_vpn_asa": ike_life: 28800s; ipsec_life: 86400s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
  policy: PSK+ENCRYPT+TUNNEL; interface: eth2; erouted
  newest ISAKMP SA: #8036; newest IPsec SA: #8037; eroute owner: #8037

Thank you for any help or clue.

Ted

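The lifetime question from the first post, as an added example that is not Ted's or the forum's code: a Python check that reads both sides' configured lifetimes, fills in each product's defaults (FreeS/WAN ikelifetime 1h and keylife 8h; ASA isakmp 86400s and IPsec SA 28800s) and reports what the tunnel will actually negotiate, which is the shorter of the two proposals. The sample inputs are constructed from the configs posted above, with `crypto map outside_map 20` assumed to be the map entry for this peer.

```python
import re

# FreeS/WAN ipsec.conf(5) defaults: unset ikelifetime is 1h, unset keylife 8h;
# ASA defaults: isakmp policy lifetime 86400s, IPsec SA lifetime 28800s. The
# responder keeps the shorter proposed lifetime, so an unset default can win.
FREESWAN_DEFAULTS = {"ikelifetime": "1h", "keylife": "8h"}
ASA_DEFAULTS = {"isakmp": 86400, "ipsec": 28800}
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def freeswan_seconds(value):
    """Convert a FreeS/WAN time value such as '24h' or '28800' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError("bad FreeS/WAN time value: %r" % value)
    return int(m.group(1)) * UNIT_SECONDS[m.group(2) or "s"]

def parse_freeswan_conn(conn_text):
    """(ike_life, ipsec_life) in seconds for a conn section, defaults applied."""
    params = dict(re.findall(r"(\w+)=(\S+)", conn_text))
    return (freeswan_seconds(params.get("ikelifetime", FREESWAN_DEFAULTS["ikelifetime"])),
            freeswan_seconds(params.get("keylife", FREESWAN_DEFAULTS["keylife"])))

def parse_asa_config(asa_text, crypto_map_entry):
    """(isakmp_life, ipsec_life) from ASA config text: the isakmp policy 'lifetime N'
    and the 'set security-association lifetime seconds N' of the given map entry
    (e.g. 'crypto map outside_map 20'); unset values fall back to ASA defaults."""
    ike = re.search(r"crypto isakmp policy \d+.*?\blifetime (\d+)", asa_text, re.S)
    ipsec = re.search(re.escape(crypto_map_entry) +
                      r" set security-association lifetime seconds (\d+)", asa_text)
    return (int(ike.group(1)) if ike else ASA_DEFAULTS["isakmp"],
            int(ipsec.group(1)) if ipsec else ASA_DEFAULTS["ipsec"])

def compare_lifetimes(conn_text, asa_text, crypto_map_entry):
    """Both sides' lifetimes, what will actually be negotiated, and any mismatch."""
    fs = parse_freeswan_conn(conn_text)
    asa = parse_asa_config(asa_text, crypto_map_entry)
    return {"freeswan": fs, "asa": asa,
            "negotiated": (min(fs[0], asa[0]), min(fs[1], asa[1])),
            "mismatch": fs != asa}

def freeswan_rekey_window(lifetime, rekeymargin=540, rekeyfuzz_percent=100):
    """Earliest/latest seconds after SA setup at which FreeS/WAN starts rekeying:
    rekeymargin before expiry, randomly enlarged by up to rekeyfuzz percent."""
    return (lifetime - rekeymargin * (100 + rekeyfuzz_percent) // 100,
            lifetime - rekeymargin)

# Constructed sample input modelled on the first post: no ikelifetime on the
# FreeS/WAN side and no SA lifetime on crypto map entry 20.
FIRST_CONN = "keyingtries=0\nkeylife=24h\nauto=add\nkeyexchange=ike\npfs=no\n"
FIRST_ASA = "crypto map outside_map 20 set peer 81.81.81.130\ncrypto isakmp policy 10\n lifetime 86400\n"
```

Running `compare_lifetimes(FIRST_CONN, FIRST_ASA, "crypto map outside_map 20")` reports a negotiated phase 1 lifetime of 3600s, the value the ASA displayed, because the unset FreeS/WAN ikelifetime defaulted to 1h; with the second post's `ikelifetime=28800` and matching ASA policy the two sides agree.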
