
Re: Ipsec problems



On Tue, Jul 06, 2010 at 04:47:37AM -0700, Pier wrote:
> I'm having some problems with ipsec.
> The connections are running, but when the line goes down the vpn is not coming back again.
> If I see the logs, I see these errors:
> 
> 2010-07-06 13:23:22: ERROR: fatal INVALID-SPI notify messsage, phase1 should be deleted.

Configuring racoon is something of a black art, it seems.  I've been
using it for several years and still try to avoid touching it at all
costs.

I suspect in this case that you don't actually need to restart racoon,
but instead just need to delete the SAs.  You could do this with the
"delete" or "deleteall" command in setkey, or you could do it by using a
shorter timeout in your racoon config.

>         lifetime time 96 hour ;

I use 30 minutes here.  So this way, if the connection is severed, the
longest I need to wait for it to come back is 30 minutes.

Conceivably you could do something a little more pro-active, where you
delete your existing SAs when you detect that there's some kind of
connectivity problem with the other end.

If there's a mailing list for racoon, it might be worth asking your
question there.  I'd be curious to know if there's a solution preferred
over the one I've been using.

noah
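
The pro-active approach mentioned in the reply above, as an added example that is not part of the original message or of racoon: a watchdog that probes a host behind the tunnel and, after several consecutive failures, deletes the ESP SAs in both directions with setkey's "deleteall". The addresses, the probe host, the thresholds and the function names are constructed assumptions, and the ping options assume Linux iputils.

```shell
#!/bin/sh
# Added example: delete stale IPsec SAs when the remote end stops answering.
# All addresses below are constructed documentation values; set your own.
LOCAL_GW="${LOCAL_GW:-192.0.2.1}"        # this gateway's public address
REMOTE_GW="${REMOTE_GW:-198.51.100.1}"   # peer gateway's public address
PROBE_IP="${PROBE_IP:-10.0.2.1}"         # host reachable only through the tunnel
FAILS_NEEDED="${FAILS_NEEDED:-3}"        # consecutive failures before acting
INTERVAL="${INTERVAL:-30}"               # seconds between probes

# Print the setkey(8) commands that delete the ESP SAs in both directions
# between two gateways ($1 = local, $2 = remote).
sa_delete_cmds() {
    printf 'deleteall %s %s esp;\ndeleteall %s %s esp;\n' "$1" "$2" "$2" "$1"
}

# Return 0 if the probe host answers a single ICMP echo within 2 seconds.
peer_alive() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# Print the new consecutive-failure count.
# $1 = previous count, $2 = probe result (0 = reachable, non-zero = not).
next_fail_count() {
    if [ "$2" -eq 0 ]; then echo 0; else echo $(( $1 + 1 )); fi
}

# Probe forever; requiring several failures in a row keeps one lost ping
# from tearing down a tunnel that is actually healthy.
watchdog() {
    fails=0
    while :; do
        if peer_alive "$PROBE_IP"; then rc=0; else rc=1; fi
        fails=$(next_fail_count "$fails" "$rc")
        if [ "$fails" -ge "$FAILS_NEEDED" ]; then
            logger -t sa-watchdog "no reply from $PROBE_IP, deleting SAs for $REMOTE_GW"
            sa_delete_cmds "$LOCAL_GW" "$REMOTE_GW" | setkey -c
            fails=0
        fi
        sleep "$INTERVAL"
    done
}

# Only start the loop when asked to: sh sa-watchdog.sh run   (needs root for setkey)
if [ "${1:-}" = "run" ]; then
    watchdog
fi
```
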
