Hi,
IPSEC.CONF(5) says about ike dynamic: "The dynamic mode will additionally enable Dead Peer Detection (DPD)"
In your ipsec.conf I see "aggressive auth", but the manual says nothing about it. It doesn't work for me.

Regards,
Andrea

[EMAIL PROTECTED] wrote: -----

>To: <misc@openbsd.org>
>From: "Chris Jones" <[EMAIL PROTECTED]>
>Sent by: [EMAIL PROTECTED]
>Date: 07/12/2006 12:55AM
>Subject: Re: VPN stability issues with a Fortigate peer
>
>Looks like DPD might be causing some issues so I have tried disabling it
>on the Fortigate peer, however when looking at the debug messages on the
>peer I can see that it detects DPD v2 and continues to send DPD
>messages. Is there a way to disable DPD using ipsecctl so that the peer
>does not detect it?
>
>In case you are interested the peer is a Fortigate 300A running version
>3.00 build 400.
>
>Thanks,
>-Chris
>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
>> Sent: December 6, 2006 9:54 AM
>> To: Chris Jones
>> Cc: misc@openbsd.org
>> Subject: Re: VPN stability issues with a Fortigate peer
>>
>> Hi,
>> try to disable DPD.
>> I have a tunnel between OpenBSD 4.0 and Fortigate 300A
>> 3.00MR3 and it doesn't work well with DPD enabled.
>>
>> Regards,
>> Andrea.
>>
>> [EMAIL PROTECTED] wrote: -----
>>
>>
>> To: <misc@openbsd.org>
>> From: "Chris Jones" <[EMAIL PROTECTED]>
>> Sent by: [EMAIL PROTECTED]
>> Date: 06/12/2006 04:35PM
>> Subject: VPN stability issues with a Fortigate peer
>>
>> I'm running the release version of OpenBSD 4.0 on my firewall
>> and experiencing some odd IPSEC VPN behavior when connecting
>> to a Fortigate peer. The tunnel will come up just fine but
>> will randomly go down and then come back up and will continue
>> this cycle. I am running isakmpd with the -K option and using
>> ipsecctl to establish flows and SAs. This is what my
>> ipsec.conf looks like:
>>
>> remote_gw = "10.1.1.1"
>>
>> flow esp from 192.168.8.1/32 to 192.168.0.0/16 peer $remote_gw type bypass
>>
>> ike dynamic esp from 192.168.8.0/24 to 192.168.0.0/16 peer $remote_gw \
>>     aggressive auth hmac-sha1 enc 3des group modp1536 \
>>     quick auth hmac-sha1 enc 3des group modp1536 \
>>     srcid [EMAIL PROTECTED] \
>>     psk sharedsecret
>>
>> The peer is DPD capable and enabled with the following settings:
>>
>> retry-count: 3
>> retry-interval: 5
>>
>> After running isakmpd in debug mode (isakmpd -d -DA=50 -K)
>> and after running ipsecctl I issued a continuous ping to one
>> of the hosts at the other side of the tunnel. The ping ran
>> fine for a period of time and then stopped. Here is the output
>> from the debug:
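The two ipsec.conf(5) variants Andrea's reply points at, written out as an added example (not a file from either poster). It relies only on the man page sentence quoted above, that the `dynamic` mode is what additionally enables DPD, and on Andrea's remark that `aggressive` is not in the manual, so the phase-1 block uses the documented `main` keyword; `SRCID_PLACEHOLDER` and `psk` are placeholders, and the phase-1 mode still has to match what the Fortigate is configured for.

```conf
# Added example, not from the thread. Same tunnel as posted, two ways.
# Assumption (from the ipsec.conf(5) text quoted in the reply): the
# "dynamic" mode is what additionally enables DPD on the OpenBSD side.

remote_gw = "10.1.1.1"

flow esp from 192.168.8.1/32 to 192.168.0.0/16 peer $remote_gw type bypass

# Variant A, as in the original post: "ike dynamic" -> DPD enabled.
# ike dynamic esp from 192.168.8.0/24 to 192.168.0.0/16 peer $remote_gw \
#         main auth hmac-sha1 enc 3des group modp1536 \
#         quick auth hmac-sha1 enc 3des group modp1536 \
#         srcid SRCID_PLACEHOLDER psk sharedsecret

# Variant B: no mode keyword, i.e. the default (active) mode, so the
# rule itself does not ask for DPD. "main" replaces the undocumented
# "aggressive" from the post; SRCID_PLACEHOLDER and the psk are placeholders.
ike esp from 192.168.8.0/24 to 192.168.0.0/16 peer $remote_gw \
        main auth hmac-sha1 enc 3des group modp1536 \
        quick auth hmac-sha1 enc 3des group modp1536 \
        srcid SRCID_PLACEHOLDER psk sharedsecret
```

Whether the Fortigate still reports a DPD-capable peer after the change is the part the thread leaves open, so the same `isakmpd -d -DA=50 -K` debug run described in the post is the way to confirm it on a given setup.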