Hi all, I have a lot of VPN connections from all the subsidiaries of my business (46 subsidiaries/46 tunnels exactly). At the head office I have a Cisco ASA 5520 VPN concentrator. At the subsidiaries, I have OpenBSD 4.1.
My ipsec.conf is:

------------------------------------------------------------------
ike dynamic esp from 10.X.0.0/20 to { 10.0.0.0/16, 10.Y.0.0/16 } \
	peer Z \
	main auth hmac-sha1 enc 3des group modp1024 \
	quick auth hmac-sha1 enc 3des group none \
	psk "SECRETKEY"
flow esp from 10.X.0.0/20 to { 10.0.0.0/16, 10.Y.0.0/16 } peer Z
------------------------------------------------------------------

My key lifetime (it works and is correct usage of ipsec.conf + isakmpd.conf):

------------------------------------------------------------------
[General]
Default-phase-1-lifetime=	86400,60:86400
Default-phase-2-lifetime=	28800,60:86400
------------------------------------------------------------------

Okay, all VPNs come up normally, but the problem is: at random times, the tunnel goes down and doesn't come up again!

My /var/log/messages at the moment of the blackout shows this message:

------------------------------------------------------------------
"Dec 5 07:18:30 matrix isakmpd[23930]: transport_send_messages: giving up on exchange IPsec-10.X.0.0/20-10.Y.0.0/16, no response from peer Z:500"
------------------------------------------------------------------

Another message that can be found at random moments is about "INVALID COOKIE(S)".

The DPS functionality is configured on both ends; I believe this is not the problem. When the ADSL link goes down for a few seconds this problem also occurs.

PS:
1. About 1 year ago, my infrastructure was different: 46 OpenBSD 3.8 and 3.9 (using old-style isakmpd.conf and isakmpd.policy and the same firewall script) at the subsidiaries and another OpenBSD 3.9 at the head office, and this problem never came up.
2. I configured my Cisco ASA and it's all okay.
3. My NAT and firewall are okay.

Please, it's an urgent request. Thanks for any reply!
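
Added example, not part of the original post: with 46 tunnels, a per-tunnel summary of the "giving up on exchange" message quoted above shows which exchanges and peers time out, how often, and between which timestamps. The function name, the sample log (first line copied from the post, the rest constructed) and the output layout are assumptions made for illustration; only that one message format is handled.

```shell
#!/bin/sh
# Summarise isakmpd "giving up on exchange" events per exchange and peer.

# Constructed sample input: line 1 is the message quoted in the post,
# the remaining lines are constructed variations for the demonstration.
sample_log() {
cat <<'EOF'
Dec 5 07:18:30 matrix isakmpd[23930]: transport_send_messages: giving up on exchange IPsec-10.X.0.0/20-10.Y.0.0/16, no response from peer Z:500
Dec 5 07:20:30 matrix isakmpd[23930]: transport_send_messages: giving up on exchange IPsec-10.X.0.0/20-10.Y.0.0/16, no response from peer Z:500
Dec 5 09:02:11 matrix isakmpd[23930]: transport_send_messages: giving up on exchange IPsec-10.X.0.0/20-10.0.0.0/16, no response from peer Z:500
Dec 5 09:05:00 matrix sshd[411]: constructed unrelated line
EOF
}

# Reads syslog lines from the named files (or stdin) and prints one line per
# exchange/peer pair: count, exchange name, peer, first and last timestamp.
giveup_summary() {
    awk '
    /isakmpd\[[0-9]+\]: transport_send_messages: giving up on exchange / {
        ts = $1 " " $2 " " $3            # syslog timestamp (month day time)
        name = ""
        for (i = 1; i < NF; i++)          # exchange name follows the word "exchange"
            if ($i == "exchange") { name = $(i + 1); break }
        sub(/,$/, "", name)               # drop the trailing comma
        key = name " " $NF                # last field is peer address:port
        if (!(key in count)) first[key] = ts
        count[key]++
        last[key] = ts
    }
    END {
        for (k in count)
            printf "%d %s first=%s last=%s\n", count[k], k, first[k], last[k]
    }' "$@" | sort -rn                    # most frequent failures first
}

# Demonstration on the constructed sample.
sample_log | giveup_summary
```

On a gateway, `giveup_summary /var/log/messages` gives the same summary for the live log, which can then be compared against the times the ADSL link dropped.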