Hi all,
I have a lot of VPN connections from all subsidiaries of my business (46
subsidiaries/46 tunnels exactly).
At the head office I have a Cisco ASA 5520 VPN concentrator.
At the subsidiaries, I have OpenBSD 4.1.

My ipsec.conf is:
------------------------------------------------------------------
ike dynamic esp from 10.X.0.0/20 to { 10.0.0.0/16, 10.Y.0.0/16 } \
peer Z \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des group none \
psk "SECRETKEY"
flow esp from 10.X.0.0/20 to { 10.0.0.0/16, 10.Y.0.0/16 } peer Z
------------------------------------------------------------------

My key lifetimes (this works and is the correct usage of
ipsec.conf + isakmpd.conf):
------------------------------------------------------------------
[General]
Default-phase-1-lifetime= 86400,60:86400
Default-phase-2-lifetime= 28800,60:86400
------------------------------------------------------------------
Okay, all VPNs come up normally, but the problem is:
At random times, the tunnel goes down and doesn't come up again!

My /var/log/messages at the moment of the blackout shows this message:
------------------------------------------------------------------
"Dec 5 07:18:30 matrix isakmpd[23930]: transport_send_messages: giving up on
exchange IPsec-10.X.0.0/20-10.Y.0.0/16, no response from peer Z:500"
------------------------------------------------------------------
Another message that can be found at random moments is about "INVALID COOKIE(S)".

The DPS functionality is configured on both ends; I believe this is not the
problem.
When the ADSL link drops for a few seconds this problem also occurs.

PS:
1. About 1 year ago, my infrastructure was different: 46 OpenBSD 3.8 and
3.9 systems (using old-style isakmpd.conf and isakmpd.policy and the same
firewall script) at the subsidiaries and another OpenBSD 3.9 at the head
office, and this problem never came up.
2. I configured my Cisco ASA and it's all okay.
3. My NAT and firewall are okay.

Please, it's an urgent request; thanks for any and all replies!
