Both sides are now 5.0-current, so this fix is already there. However, the tunnel timeout is still there. In the logs I see that almost exactly 3h after the tunnel is established it dies. I see the FLOW is still there, but the SAD is empty, when I run "ipsecctl -s all".

According to the manpage, less than 3h is the default time for re-keying. I'm not sending that much traffic over the tunnel yet, so the traffic amount is not even near the default amount for re-keying.

(Reminder: 10.1.1.1 is the ext IP for the home GW, 20.1.1.1 is the CARP IP at the office GW, 20.1.1.2 is the ext IP at office GW1, 20.1.1.3 is the ext IP at office GW2)

NOTE: I don't have any other IKE rules right now on any of those GWs.

The following I see on the home GW:

Oct 15 23:47:32 fw1 iked[8578]: sa_state: VALID -> ESTABLISHED from 20.1.1.2:59973 to 10.1.1.1:500 policy 'home_to_office'
Oct 16 02:27:57 fw1 iked[8578]: ikev2_msg_send: CREATE_CHILD_SA from 10.1.1.1:500 to 20.1.1.2:59973, 240 bytes
Oct 16 02:27:58 fw1 iked[8578]: ikev2_recv: CREATE_CHILD_SA from responder 20.1.1.2:55932 to 10.1.1.1:500 policy 'home_to_office', 240 bytes
Oct 16 02:27:58 fw1 iked[8578]: ikev2_msg_send: INFORMATIONAL from 10.1.1.1:500 to 20.1.1.2:55932, 80 bytes
Oct 16 02:27:58 fw1 iked[8578]: ikev2_recv: INFORMATIONAL from responder 20.1.1.2:55932 to 10.1.1.1:500 policy 'home_to_office', 80 bytes
Oct 16 02:30:47 fw1 iked[8578]: ikev2_recv: CREATE_CHILD_SA from responder 20.1.1.2:55595 to 10.1.1.1:500 policy 'home_to_office', 240 bytes
Oct 16 02:33:50 fw1 iked[8578]: ikev2_msg_send: CREATE_CHILD_SA from 10.1.1.1:500 to 20.1.1.2:59973, 240 bytes

At the office:

Oct 15 23:47:32 fw1 iked[16378]: sa_state: VALID -> ESTABLISHED from 10.1.1.1:500 to 20.1.1.2:500 policy 'mxb_to_office'
Oct 16 02:27:58 fw1 iked[16378]: ikev2_msg_send: CREATE_CHILD_SA from 20.1.1.2:500 to 10.1.1.1:500, 240 bytes
Oct 16 02:27:58 fw1 iked[16378]: ikev2_recv: INFORMATIONAL from initiator 10.1.1.1:500 to 20.1.1.2:500 policy 'mxb_to_office', 80 bytes
Oct 16 02:27:58 fw1 iked[16378]: ikev2_pld_delete: deleted 1 spis
Oct 16 02:27:58 fw1 iked[16378]: ikev2_msg_send: INFORMATIONAL from 20.1.1.2:500 to 10.1.1.1:500, 80 bytes
Oct 16 02:30:47 fw1 iked[16378]: ikev2_msg_send: CREATE_CHILD_SA from 20.1.1.2:500 to 10.1.1.1:500, 240 bytes

At this time it looks like I lose my tunnel. Trying to ping the remote network produces

Oct 16 13:08:11 fw1 iked[8578]: ikev2_msg_send: CREATE_CHILD_SA from 10.1.1.1:500 to 20.1.1.2:55932, 240 bytes

But this is only seen on the home GW.

//maxim

On Oct 15, 2011, at 1:03 PM, Joosep wrote:

> On Sat, Oct 15, 2011 at 12:13 PM, Maxim Bourmistrov
> <[email protected]> wrote:
>
>> Thanks for your reply, Trevor!
>>
>> Yes, indeed, PF was the case here.
>> Except "pass on enc0 from any to any keep state (if-bound)", I also decided to
>> pass all ESP traffic.
>>
>> Tunnel, however, sometimes times out. Not sure about the reason for this yet.
>>
>> //maxim
>>
>> Hi!
>
> There is a patch for 4.8 and 4.9 that probably fixes your timeouts problem.
> Please read this thread:
> http://marc.info/?l=openbsd-misc&m=130959664208980&w=2
> It's not a critical bugfix, so it's not on the errata page, but it is in the
> cvs.
>
> Joosep
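An added example, not part of Maxim's or Joosep's messages: a small POSIX shell helper that pulls every peer address:port pair out of iked log lines like the ones posted above. Run over the home gateway's log it lists three different ports for 20.1.1.2 (59973, 55932, 55595), while the office gateway's log shows port 500 on both ends throughout. That kind of discrepancy between what the two ends log for the same exchange is worth checking before chasing rekey lifetimes. The function names `peer_ports` and `peer_port_count` and the `sample_*_log` helpers are inventions for this example; the log lines inside them are the ones from the post, embedded so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): list the distinct peer address:port
# pairs that iked logged, so a peer port that changes between messages
# stands out. The sample logs are the lines posted on the list, embedded
# here so the script runs without a live gateway.

sample_home_log() {
    cat <<'EOF'
Oct 15 23:47:32 fw1 iked[8578]: sa_state: VALID -> ESTABLISHED from 20.1.1.2:59973 to 10.1.1.1:500 policy 'home_to_office'
Oct 16 02:27:57 fw1 iked[8578]: ikev2_msg_send: CREATE_CHILD_SA from 10.1.1.1:500 to 20.1.1.2:59973, 240 bytes
Oct 16 02:27:58 fw1 iked[8578]: ikev2_recv: CREATE_CHILD_SA from responder 20.1.1.2:55932 to 10.1.1.1:500 policy 'home_to_office', 240 bytes
Oct 16 02:27:58 fw1 iked[8578]: ikev2_msg_send: INFORMATIONAL from 10.1.1.1:500 to 20.1.1.2:55932, 80 bytes
Oct 16 02:27:58 fw1 iked[8578]: ikev2_recv: INFORMATIONAL from responder 20.1.1.2:55932 to 10.1.1.1:500 policy 'home_to_office', 80 bytes
Oct 16 02:30:47 fw1 iked[8578]: ikev2_recv: CREATE_CHILD_SA from responder 20.1.1.2:55595 to 10.1.1.1:500 policy 'home_to_office', 240 bytes
Oct 16 02:33:50 fw1 iked[8578]: ikev2_msg_send: CREATE_CHILD_SA from 10.1.1.1:500 to 20.1.1.2:59973, 240 bytes
Oct 16 13:08:11 fw1 iked[8578]: ikev2_msg_send: CREATE_CHILD_SA from 10.1.1.1:500 to 20.1.1.2:55932, 240 bytes
EOF
}

sample_office_log() {
    cat <<'EOF'
Oct 15 23:47:32 fw1 iked[16378]: sa_state: VALID -> ESTABLISHED from 10.1.1.1:500 to 20.1.1.2:500 policy 'mxb_to_office'
Oct 16 02:27:58 fw1 iked[16378]: ikev2_msg_send: CREATE_CHILD_SA from 20.1.1.2:500 to 10.1.1.1:500, 240 bytes
Oct 16 02:27:58 fw1 iked[16378]: ikev2_recv: INFORMATIONAL from initiator 10.1.1.1:500 to 20.1.1.2:500 policy 'mxb_to_office', 80 bytes
Oct 16 02:27:58 fw1 iked[16378]: ikev2_pld_delete: deleted 1 spis
Oct 16 02:27:58 fw1 iked[16378]: ikev2_msg_send: INFORMATIONAL from 20.1.1.2:500 to 10.1.1.1:500, 80 bytes
Oct 16 02:30:47 fw1 iked[16378]: ikev2_msg_send: CREATE_CHILD_SA from 20.1.1.2:500 to 10.1.1.1:500, 240 bytes
EOF
}

# peer_ports LOCAL_IP: read iked log lines on stdin and print each distinct
# remote address:port that follows "from" or "to", skipping the optional
# "responder"/"initiator" word and any trailing comma. Endpoints whose
# address equals LOCAL_IP are the gateway itself and are dropped.
peer_ports() {
    awk -v me="$1" '
    /sa_state|ikev2_msg_send|ikev2_recv/ {
        for (i = 1; i < NF; i++) {
            if ($i != "from" && $i != "to") continue
            ep = $(i + 1)
            if (ep == "responder" || ep == "initiator") ep = $(i + 2)
            sub(/,$/, "", ep)
            if (ep !~ /^[0-9.]+:[0-9]+$/) continue
            split(ep, a, ":")
            if (a[1] != me) print ep
        }
    }' | sort -u
}

# peer_port_count LOCAL_IP: number of distinct peer endpoints on stdin.
# Anything above 1 for a single peer means the far end was seen on more
# than one UDP port during the exchange.
peer_port_count() {
    peer_ports "$1" | wc -l | tr -d ' '
}

echo "home GW (10.1.1.1) saw the office peer at:"
sample_home_log | peer_ports 10.1.1.1
echo "office GW (20.1.1.2) saw the home peer at:"
sample_office_log | peer_ports 20.1.1.2
```

On a live gateway, feed `peer_ports` from the actual log instead of the sample function, for example `grep 'iked\[' /var/log/daemon | peer_ports 10.1.1.1`, and compare the result with the same command on the other end.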

