Hello,

I have isakmpd set up talking to about 15 IKE peers and doing about 100 Phase 2 SAs. However, frequently I will attempt to initiate traffic over one of the tunnels and will not get any response.

If I issue a command to the FIFO like so: echo S > /tmp/isakmpd.fifo

and then view the state of the SAs in /var/run/isakmpd.result, they show existing Phase 1 and 2 SAs with lifetimes counting away.

If I do netstat -rnfencap, I see existing ESP flows for the SAs.

When I watch tcpdump -i enc0 I see traffic going out, but not coming back.

Now, if I do pkill -TERM isakmpd; isakmpd -v -f /tmp/isakmpd.fifo -DA=10 to restart the daemon, then I can connect over all the tunnels okay again.

I believe that some of the remote VPN concentrators have a timeout where they drop the tunnel if it doesn't have any traffic coming over it for a period of time, whereas isakmpd simply continues to think the tunnel is up just fine and waits until the end of its SAs' lifetime to attempt rekeying the connection. This leaves intermittent periods of not being able to connect across these tunnels.

Is there anything that can be done to detect this and remedy it? Is there a way to only bring up the tunnels when traffic is destined for an IP address on the other side, rather than rekey and keep it up all the time? How are other people dealing with this issue? I am talking to Cisco 3000 series, Checkpoint VPN-1, Watchguard, and Nortel Contivity concentrators. The problem doesn't seem to be specific to a certain one.

Thanks for any ideas or info,

I am running OpenBSD 3.9-current.

                                -Matt-
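One way to automate the detect-and-restart cycle described in the post, as an added example (not Matt's code and not part of isakmpd): probe a host on the far side of each tunnel and, when enough probes go unanswered, restart the daemon with the same command the post uses. The peer addresses, the ping-based probe and the MAX_DEAD threshold are assumptions; the addresses are constructed placeholders.

```shell
#!/bin/sh
# Tunnel watchdog for isakmpd peers that silently drop idle tunnels.
# Assumptions: every tunnel has a host behind it that answers ping (PEERS),
# and isakmpd is started exactly as in the post. Addresses are placeholders.
FIFO=/tmp/isakmpd.fifo
PEERS="${PEERS:-10.1.0.1 10.2.0.1}"
PROBE="${PROBE:-ping -c 3 -w 5}"   # probe command; overridable for testing
MAX_DEAD="${MAX_DEAD:-1}"          # restart once this many peers are silent

# Print how many of the given peers did not answer the probe.
count_dead_peers() {
    dead=0
    for peer in "$@"; do
        $PROBE "$peer" >/dev/null 2>&1 || dead=$((dead + 1))
    done
    echo "$dead"
}

# Return 0 (restart warranted) when the dead count reaches MAX_DEAD.
needs_restart() {
    [ "$(count_dead_peers $PEERS)" -ge "$MAX_DEAD" ]
}

# Restart the daemon the same way the post does.
restart_isakmpd() {
    pkill -TERM isakmpd
    sleep 2
    isakmpd -v -f "$FIFO" -DA=10
}

# Run from cron as "watchdog.sh run"; sourcing without the argument only
# defines the functions.
if [ "${1:-}" = "run" ]; then
    if needs_restart; then
        logger -t isakmpd-watchdog "dead tunnel(s) detected, restarting isakmpd"
        restart_isakmpd
    fi
fi
```

A full restart tears down all of the SAs, not just the dead ones, so keep the probe count and MAX_DEAD conservative enough that a single lost ping does not trigger it.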
