
In my setup I have some EC2 instances in different regions linked by GRE tunnels, using ISAKMP via racoon. This setup is inherited, so bear with me if I fumble with terminology.

Sometimes I get weird output from racoonctl -ll show-sa isakmp (pardon my redacted IP addresses) in which the Phase2 count is 3 but I expected it to be 1 or 2:

$ sudo racoonctl -ll show-sa isakmp
Source                                        Destination                                   Cookies                           ST S  V E Created             Phase2
AA.BB.CC.DDD.4500                             EE.FF.III.PP.4500                             4fcb2a5a2193f76d:29345905dad89534  9 I 10 M 2016-01-28 15:30:35      3
AA.BB.CC.DDD.4500                             EE.GG.JJ.QQQ.4500                             75aedcf490649ee5:a08192401adc99c4  9 I 10 M 2016-01-28 15:30:35      3
AA.BB.CC.DDD.4500                             EE.HH.KKK.RRR.4500                            db698ca0fa4b2ef6:95260abcfb7e3578  9 R 10 M 2016-01-28 15:30:35      2
AA.BB.CC.DDD.4500                             EE.GG.LLL.SS.4500                             20bccfd70bff99ee:ddc8517f524cf146  9 R 10 M 2016-01-28 15:30:35      2
AA.BB.CC.DDD.4500                             EE.HH.OOO.TTT.4500                            9ebadf03ed3b0042:ff890371f579df46  9 I 10 M 2016-01-28 15:30:35      1

I find this weird because I thought I would only see two Phase2 negotiations if I was listening on just these two ports in /etc/racoon/racoon.conf:

listen {
  isakmp      <local_public_subnet_ip> [500];
  isakmp_natt <local_public_subnet_ip> [4500];
}

If one restarts racoon in this state, the counts go back to 2.

So, although there are probably many potential causes, what could cause this kind of behavior? It's excruciatingly hard to reproduce but I'd be glad to offer any relevant information to debug it.

2rs2ts

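As an added example (not part of the question, and not racoon's own tooling), a small Python script that parses the racoonctl -ll show-sa isakmp table in the format shown above and flags any ISAKMP SA whose Phase2 count exceeds the two that the listen{} block should account for. The addresses in the embedded sample are constructed placeholders; the column layout and cookie values follow the question's output.

```python
from collections import namedtuple

# Constructed sample in the racoonctl -ll show-sa isakmp layout from the question.
# Addresses are RFC 5737 documentation ranges, not real peers.
SAMPLE = """\
Source                                        Destination                                   Cookies                           ST S  V E Created             Phase2
203.0.113.10.4500                             198.51.100.20.4500                            4fcb2a5a2193f76d:29345905dad89534  9 I 10 M 2016-01-28 15:30:35      3
203.0.113.10.4500                             198.51.100.30.4500                            db698ca0fa4b2ef6:95260abcfb7e3578  9 R 10 M 2016-01-28 15:30:35      2
203.0.113.10.4500                             198.51.100.40.4500                            9ebadf03ed3b0042:ff890371f579df46  9 I 10 M 2016-01-28 15:30:35      1
"""

IsakmpSa = namedtuple(
    "IsakmpSa", "src dst cookies state side version exchange created phase2"
)


def split_addr(addr):
    """racoonctl prints 'ip.port'; split on the last dot -> (ip, port)."""
    ip, port = addr.rsplit(".", 1)
    return ip, int(port)


def parse_show_sa(text):
    """Parse the show-sa isakmp table into IsakmpSa records, skipping the header."""
    sas = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have exactly 10 whitespace-separated fields (date and time are two).
        if len(fields) != 10 or fields[0] == "Source":
            continue
        src, dst, cookies, st, side, ver, exch, date, time, phase2 = fields
        sas.append(IsakmpSa(src, dst, cookies, int(st), side, int(ver), exch,
                            f"{date} {time}", int(phase2)))
    return sas


def excess_phase2(sas, expected=2):
    """Peers whose Phase2 count is above what the two listen{} ports should yield."""
    return [(sa.dst, sa.phase2) for sa in sas if sa.phase2 > expected]


def main():
    for dst, n in excess_phase2(parse_show_sa(SAMPLE)):
        ip, port = split_addr(dst)
        print(f"WARNING: peer {ip} (port {port}) has {n} phase-2 SAs, expected at most 2")


if __name__ == "__main__":
    main()
```

Feed it the live output instead of SAMPLE (for example via sys.stdin) to turn it into a periodic check that fires before the counts are reset by a restart.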