Hi there, maybe you can help me. I have read already that there do exist problems with a carp/pfsync firewall running the isakmpd on site A and another isakmpd (without firewall) on site B. When site A does a failover, the isakmpd on site B doesn't recognize it, and because of invalid cookies, respectively a no longer valid SA, isakmpd on site B has to be restarted (kill -HUP doesn't seem to be sufficient) in order to get the VPN connection up again.

So, as a quick workaround solution I found that the lifetime could be tweaked. In my case, I set it down to 30 minutes. Hope that would help.

As another solution I found a hint that isakmpd should be configured to restart when receiving an invalid cookie. Can anybody tell me how that configuration looks: letting isakmpd do a renegotiation when receiving an invalid cookie?

TIA
tobias

--
[id] [EMAIL PROTECTED]
[net place] www.tobias-walkowiak.de
[gpg fingerprint] 02D4 BEF0 988A 7E32 8A16 A244 B2B6 0C2E 25B2 0A1E
[message] ><> Jesus loves you <><
