Site-to-site VPN using MD5 instead of SHA and getting regular disconnection
- by Steven
We are experiencing some strange behavior with a site-to-site IPsec VPN that goes down about every week for 30 minutes (I am told 30 minutes exactly).
I don't have access to the logs, so it's difficult to troubleshoot.
What is also strange is that the two VPN devices are set to use SHA hash algorithm but apparently end up agreeing to use MD5.
Does anybody have a clue? Or is this just insufficient information?
Edit:
Here is an extract of the log of one of the two VPN devices, which is a Cisco 3000 series VPN concentrator.
27981 03/08/2010 10:02:16.290 SEV=4 IKE/41 RPT=16120 xxxxxxxx IKE Initiator: New Phase 1, Intf 2, IKE Peer xxxxxxxx local Proxy Address xxxxxxxx, remote Proxy Address xxxxxxxx, SA (L2L: 1A)
27983 03/08/2010 10:02:56.930 SEV=4 IKE/41 RPT=16121 xxxxxxxx IKE Initiator: New Phase 1, Intf 2, IKE Peer xxxxxxxx local Proxy Address xxxxxxxx, remote Proxy Address xxxxxxxx, SA (L2L: 1A)
27986 03/08/2010 10:03:35.370 SEV=4 IKE/41 RPT=16122 xxxxxxxx IKE Initiator: New Phase 1, Intf 2, IKE Peer xxxxxxxx local Proxy Address xxxxxxxx, remote Proxy Address xxxxxxxx, SA (L2L: 1A)
[… same continues for another 15 minutes …]
28093 03/08/2010 10:19:46.710 SEV=4 IKE/41 RPT=16140 xxxxxxxx IKE Initiator: New Phase 1, Intf 2, IKE Peer xxxxxxxx local Proxy Address xxxxxxxx, remote Proxy Address xxxxxxxx, SA (L2L: 1A)
28096 03/08/2010 10:20:17.720 SEV=5 IKE/172 RPT=1291 xxxxxxxx Group [xxxxxxxx] Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end IS behind a NAT device
28100 03/08/2010 10:20:17.820 SEV=3 IKE/134 RPT=79 xxxxxxxx Group [xxxxxxxx] Mismatch: Configured LAN-to-LAN proposal differs from negotiated proposal. Verify local and remote LAN-to-LAN connection lists.
28103 03/08/2010 10:20:17.820 SEV=4 IKE/119 RPT=1197 xxxxxxxx Group [xxxxxxxx] PHASE 1 COMPLETED
28104 03/08/2010 10:20:17.820 SEV=4 AUTH/22 RPT=1031 xxxxxxxx User [xxxxxxxx] Group [xxxxxxxx] connected, Session Type: IPSec/LAN-to-LAN
28106 03/08/2010 10:20:17.820 SEV=4 AUTH/84 RPT=39 LAN-to-LAN tunnel to headend device xxxxxxxx connected
28110 03/08/2010 10:20:17.920 SEV=5 IKE/25 RPT=1291 xxxxxxxx Group [xxxxxxxx] Received remote Proxy Host data in ID Payload: Address xxxxxxxx, Protocol 0, Port 0
28113 03/08/2010 10:20:17.920 SEV=5 IKE/24 RPT=88 xxxxxxxx Group [xxxxxxxx] Received local Proxy Host data in ID Payload: Address xxxxxxxx, Protocol 0, Port 0
28116 03/08/2010 10:20:17.920 SEV=5 IKE/66 RPT=1290 xxxxxxxx Group [xxxxxxxx] IKE Remote Peer configured for SA: L2L: 1A
28117 03/08/2010 10:20:17.930 SEV=5 IKE/25 RPT=1292 xxxxxxxx Group [xxxxxxxx] Received remote Proxy Host data in ID Payload: Address xxxxxxxx, Protocol 0, Port 0
28120 03/08/2010 10:20:17.930 SEV=5 IKE/24 RPT=89 xxxxxxxx Group [xxxxxxxx] Received local Proxy Host data in ID Payload: Address xxxxxxxx, Protocol 0, Port 0
28123 03/08/2010 10:20:17.930 SEV=5 IKE/66 RPT=1291 xxxxxxxx Group [xxxxxxxx] IKE Remote Peer configured for SA: L2L: 1A
28124 03/08/2010 10:20:18.070 SEV=4 IKE/173 RPT=17330 xxxxxxxx Group [xxxxxxxx] NAT-Traversal successfully negotiated! IPSec traffic will be encapsulated to pass through NAT devices.
28127 03/08/2010 10:20:18.070 SEV=4 IKE/49 RPT=17332 xxxxxxxx Group [xxxxxxxx] Security negotiation complete for LAN-to-LAN Group (xxxxxxxx) Responder, Inbound SPI = 0x56a4fe5c, Outbound SPI = 0xcdfc3892
28130 03/08/2010 10:20:18.070 SEV=4 IKE/120 RPT=17332 xxxxxxxx Group [xxxxxxxx] PHASE 2 COMPLETED (msgid=37b3b298)
28131 03/08/2010 10:20:18.750 SEV=4 IKE/41 RPT=16141 xxxxxxxx Group [xxxxxxxx] IKE Initiator: New Phase 2, Intf 2, IKE Peer xxxxxxxx local Proxy Address xxxxxxxx, remote Proxy Address xxxxxxxx, SA (L2L: 1A)
28135 03/08/2010 10:20:18.870 SEV=4 IKE/173 RPT=17331 xxxxxxxx Group [xxxxxxxx] NAT-Traversal successfully negotiated! IPSec traffic will be encapsulated to pass through NAT devices.