Sebastian Reitenbach wrote:
Hi,

I set up a tunnel between a PIX and an OpenBSD isakmpd to connect
two networks behind each tunnel endpoint. Pinging through the tunnel
from both sides works for the first 15 minutes. Then the ping stops
working. When I recreate the tunnel, the ping starts to work again.
I start isakmpd with isakmpd -k and I use ipsecctl to activate the
tunnel.

To work around the problem I added dead peer detection to the
isakmpd.conf file. It checks every 10 seconds for a dead peer; this
detects that the tunnel is not in a good state and restarts it. I
also found in an old howto that I have to create a policy file that
says that the OpenBSD box is the initiator of the tunnel.

I have not found a way to prevent the tunnel from going into that
bad state. I think I have a problem with rekeying. In my eyes
activating DPD only works on the symptoms, so I assume there must be
a better way to "fix" the problem.

Here is my isakmpd.conf file:
[General]
Listen-on=131.103.56.171
Default-phase-1-lifetime=       28800,60:86400
Default-phase-2-lifetime=       1200,60:86400
DPD-check-interval=             10
Policy-File=                    /etc/isakmpd/isakmpd.policy

And here is my ipsecctl.conf file:
ike active esp from 192.168.0.0/24 to 10.1.0.0/24 \
       local $my_gw peer $remote_gw \
       main auth hmac-md5 enc 3des group grp2 \
       quick auth hmac-md5 enc aes group none \
       psk "MyTopSecretKey"

Any idea what I can try to prevent the tunnel from stopping working?

kind regards
Sebastian



It will be helpful if you can give the corresponding PIX configuration as well.
Your ipsecctl.conf seems to be good! Can you give us the output of ipsecctl -vv -sa and tail -f /var/log/{daemon, messages}

Prabhu
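Since the reply asks for `ipsecctl -sa` output, here is an added example (my own, not from the thread) that parses such output and lists flows with no SA left to carry them, which is the state a `require` flow ends up in when an SA expires without being rekeyed. It assumes a constructed sample approximating ipsecctl's output format, 198.51.100.1 as a placeholder for the PIX, and the posted Listen-on address as the local gateway.

```python
import re
from collections import defaultdict

# Constructed sample approximating `ipsecctl -sa` output (not captured from
# the poster's gateway): the two flows of the 192.168.0.0/24 <-> 10.1.0.0/24
# tunnel and the SA pair carrying them. 198.51.100.1 stands in for the PIX.
SAMPLE = """\
FLOWS:
flow esp in from 10.1.0.0/24 to 192.168.0.0/24 peer 198.51.100.1 type use
flow esp out from 192.168.0.0/24 to 10.1.0.0/24 peer 198.51.100.1 type require

SAD:
esp tunnel from 198.51.100.1 to 131.103.56.171 spi 0x2d7a0b1e auth hmac-md5 enc aes
esp tunnel from 131.103.56.171 to 198.51.100.1 spi 0x8c4f1a2b auth hmac-md5 enc aes
"""
# Same flows with an empty SAD: what remains once the SAs expire and no
# rekey replaces them. Packets matching the `require` flow are then dropped.
SAMPLE_NO_SAS = SAMPLE.split("SAD:")[0] + "SAD:\n"

FLOW_RE = re.compile(r"^flow (\w+) (in|out) from (\S+) to (\S+) peer (\S+)")
SA_RE = re.compile(r"^(\w+) tunnel from (\S+) to (\S+) spi (0x[0-9a-fA-F]+)")

def parse_sa_output(text, local):
    """Return (flows, sas): flows as (proto, dir, src, dst, peer) tuples,
    sas as peer -> {"in": [spi...], "out": [spi...]} relative to `local`."""
    flows = []
    sas = defaultdict(lambda: {"in": [], "out": []})
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            flows.append(m.groups())
            continue
        m = SA_RE.match(line)
        if m:
            _proto, src, dst, spi = m.groups()
            if dst == local:        # peer -> us carries the inbound flow
                sas[src]["in"].append(spi)
            elif src == local:      # us -> peer carries the outbound flow
                sas[dst]["out"].append(spi)
    return flows, sas

def flows_without_sa(text, local):
    """Flows whose peer has no SA in that direction: policy demands IPsec
    to the peer, but there is nothing left to encrypt with."""
    flows, sas = parse_sa_output(text, local)
    return [f for f in flows if not sas[f[4]][f[1]]]

if __name__ == "__main__":
    print(flows_without_sa(SAMPLE_NO_SAS, "131.103.56.171"))
```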