This turned out to be a typo/configuration error: mismatch in SA lifetime settings.
The typo was an extra zero: 288000
The Racoon log message related to this error was:
racoon: WARNING: ignore RESPONDER-LIFETIME notification.
Everything is working great now.
Thanks again to all of you who develop m0n0/BSD and helped me with this problem.
-RH
Hello Forum,
We have m0n0Wall on a Celeron PC hosting 5 VPN tunnels over PPPoE/ADSL/internet.
Tunnels are:
1) m0n0Wall/soekris 4501, IKE/Blowfish
2) m0n0Wall/Celeron PC, IKE/Blowfish
3) SonicWall, IKE/3DES
4) Cisco 3030 IKE/3DES
5) Cisco ASA IKE/3DES
The first four tunnels have been in service for about a year
and work perfectly. The last tunnel is new and has some
sort of traffic related problem that causes it to close.
This tunnel is used to connect to a DICOM server that stores
medical X-Ray records. When little or no traffic flows
the tunnel seems to work fine but when consecutive DICOM files are
pulled or pushed through, the tunnel fails after about 50-100MB of traffic
and can't be reopened without restarting IPsec.
All the other tunnels and PPTP continue to operate normally.
If I go to the Diagnostic panel and remove the SA for the
failed tunnel Racoon will try to negotiate a new SA but fails
with the following log messages:
racoon: INFO: initiate new phase 2 negotiation: 172.16.6.1[0]<=>66.177.85.90[0]
racoon: ERROR: 66.179.85.90 give up to get IPsec-SA due to time up to wait.
When the tunnel fails there are no messages from Racoon or any
other daemon to indicate a problem.
To date I have tried the following adjustments with no improvement:
-Change the m0n0Wall IPsec MTU to 1412, which is suggested by our ISP.
-Enable Fragmented Packet support on both the LAN and FW Rule for the tunnel.
-Update to beta version 1.3b11.
Questions:
Are there any helpful dump commands that I could execute via exec.php to help debug this?
Is it possible that something in the tunnel payload might be triggering this failure?
Does Racoon have any problem with cumulative errors such as memory leaks?
So far we have been really happy with the performance of m0n0Wall and I hate to
give it up just for a Cisco ASA compatibility issue.
Thanks for looking at this post,
-Dave
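A small log triage helper for the symptoms described in both posts above, added here as an example and not code from m0n0wall or racoon: it flags the two racoon messages quoted in the thread and compares the phase-2 lifetimes configured on each end, so the extra-zero mismatch from the resolution shows up as a 10x ratio. The "IPsec-SA established" line in the sample log is constructed for contrast.

```python
import re
from collections import Counter

# Racoon log lines quoted in the two posts above; the last line is a
# constructed example of a healthy SA setup message for contrast.
SAMPLE_LOG = """\
racoon: INFO: initiate new phase 2 negotiation: 172.16.6.1[0]<=>66.177.85.90[0]
racoon: ERROR: 66.179.85.90 give up to get IPsec-SA due to time up to wait.
racoon: WARNING: ignore RESPONDER-LIFETIME notification.
racoon: INFO: IPsec-SA established: ESP/Tunnel 172.16.6.1[0]->66.177.85.90[0]
"""

# Message fragments worth alerting on, named after the condition they point
# to: the RESPONDER-LIFETIME warning was the clue in the thread's resolution.
INDICATORS = {
    "ignore RESPONDER-LIFETIME notification": "lifetime-mismatch",
    "give up to get IPsec-SA due to time up to wait": "phase2-timeout",
}

PEER_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

def classify_line(line):
    """Return the indicator name for a racoon log line, or None if benign."""
    for fragment, name in INDICATORS.items():
        if fragment in line:
            return name
    return None

def scan_racoon_log(text):
    """Count indicators over a log and collect the peer addresses they mention."""
    counts = Counter()
    peers = set()
    for line in text.splitlines():
        name = classify_line(line)
        if name is None:
            continue
        counts[name] += 1
        peers.update(PEER_RE.findall(line))
    return {"counts": dict(counts), "peers": sorted(peers)}

def lifetime_check(local_seconds, remote_seconds):
    """Compare the phase-2 lifetime (seconds) configured on the two endpoints.

    Returns ("match", 1.0) when equal, else ("mismatch", ratio); a ratio of
    exactly 10 is the classic dropped or extra trailing zero.
    """
    if local_seconds == remote_seconds:
        return ("match", 1.0)
    big, small = max(local_seconds, remote_seconds), min(local_seconds, remote_seconds)
    return ("mismatch", big / small)
```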