<< | Thread Index | >> ]    [ << | Date Index | >> ]

Subject: PKCIPE will not reconnect
From: "Brett Johnson" <mlcipe,AT,k50,DOT,net>
Date: Thu, 23 Jan 2003 03:34:15 +0100

(COUGH COUGH someone may find this a little bit helpful in setting up pkcipe 
COUGH GASP)

I've been having this problem off and on for a while, but it's now causing 
enough problems to be moved up my priority list.  I've dug through the 
mailing list archives but didn't seem to find anything related to this 
problem.

I have a few firewalls I do CIPE VPNs between using PKCIPE for all the 
connection stuff.

I run Red Hat 7.3 and 8.0 boxes.  I compile the kernel from kernel.org.  On 
each box I've removed the RH cipe*.rpm and have compiled cipe-1.5.4.  To be 
clear, I stay away from Red Hat kernels and the old version of CIPE they 
never seem to upgrade.

My 2 systems currently being used for trying to fix this problem:

"chihuahua.net.k90.dynamic.dhcp" is my RH80 box with kernel 2.4.20.
I have an internal DHCP server with DDNS set up on this box for my LAN.  
That's why the name is so long.
Real Internet IP is 65.71.225.187
Internal IP is 192.168.25.1
This box is the PKCIPE "client".

"confidence.k50.net" is my RH73 box with kernel 2.4.18.
Real Internet IP is 65.172.141.2
Internal IP is 172.16.1.2
This box is the PKCIPE "server".

When the VPNs are up and running they work great.  I do not believe this is a 
configuration issue on my side...otherwise I'd never have gotten the first 
VPN running to begin with.

Sometimes one of those VPNs will die off for various reasons (usually death 
by ISP).  Sometimes I can reconnect it using PKCIPE, most of the time I 
cannot.  I've tried many different things, but I haven't been able to really 
find the source of the problem.

Usually I will do a reconnect the brutal way...on each box I'll clean up by:
ps axw | grep cipe
kill cipe pids
ps axw | grep ping
kill any pings lying around
rm /var/run/cipe/*
rmmod cipcb
modprobe cipcb
sometimes I'll restart xinetd just for the fun of it.
"ifconfig cipcb* down" is pointless as the interface is already gone by this 
point (if it wasn't gone already)

Now, *in theory*, this should hard reset both boxes and make them clean for a 
new connection, right? (as in I'm troubleshooting and totally starting the 
connection process over).

All keys used with pkcipe are chmod 400 and owned by root.

Key/Profile on chihuahua:  /etc/cipe/pk/confidence.k50.net
-----BEGIN PUBLIC KEY-----
<4 lines cut>
-----END PUBLIC KEY-----
ipaddr 192.168.25.9
ptpaddr 172.16.1.248
maxerr 4
ping 12
toping 5

Key/Profile on confidence:  /etc/cipe/pk/chihuahua.net.k90.dynamic.dhcp
-----BEGIN PUBLIC KEY-----
<4 lines cut>
-----END PUBLIC KEY-----
ipaddr 172.16.1.248
ptpaddr 192.168.25.9
maxerr 4
ping 12
toping 5

The public keys cut out do match the identity file of the peer machines (this 
config has worked before).

