Re: [pfSense] M0n0wall to PFsense IPsec Tunnel drops every hour, Phase1 config change brings it back

2012-01-04 Thread Wade Blackwell
Chris, good morning,
   Yes, it was 3600 on the m0n0. I changed it to 5000 for phases 1/2 on
both sides to see if that makes a difference. My understanding is that the
smaller lifetime in phases 1/2 would be negotiated by ISAKMP and thus not
an issue to have different values on each end or one blank?

-W

On Tue, Jan 3, 2012 at 11:12 PM, Chris Buechler wrote:

> On Tue, Jan 3, 2012 at 8:02 PM, Wade Blackwell wrote:
> > Good evening all,
> > I have an IPsec tunnel between a M0n0wall (1.33) and a pair of
> > virtualized pfSense boxen running 2.0-RELEASE (amd64). I've never seen this
> > issue in an IPsec implementation before. Short history, before I went to a
> > virtualized pair of PF boxes running CARP this tunnel would stay up for .5
> > to a couple days. Once I changed to the CARP/VM setup about an hour is all I
> > get. To bring the tunnel back up all I have to do is go into the m0n0 and
> > change phase 1 to another setting and change it back to the original setting
> > and the tunnel comes back for an hour. I can also change any Phase 1 setting
> > on both ends and the tunnel comes up, again only for about an hour. Anyone
> > seen anything like this?
> >
>
> My first guess is 3600 is your lifetime on phase 2? And maybe it's not
> the same on both sides? That's one common cause. Not enough info there
> to tell you much more, check the SAs on both sides and see how those
> match up. Logs could be telling if there are any.
> ___
> List mailing list
> List@lists.pfsense.org
> http://lists.pfsense.org/mailman/listinfo/list
>



-- 
Wade Blackwell
C - 805.400.8485
D - 805.457.8825
S - CoC.WadeBlackwell
www.upcycle-consulting.com


Re: [pfSense] M0n0wall to PFsense IPsec Tunnel drops every hour, Phase1 config change brings it back

2012-01-03 Thread Chris Buechler
On Tue, Jan 3, 2012 at 8:02 PM, Wade Blackwell wrote:
> Good evening all,
>     I have an IPsec tunnel between a M0n0wall (1.33) and a pair of
> virtualized pfSense boxen running 2.0-RELEASE (amd64). I've never seen this
> issue in an IPsec implementation before. Short history, before I went to a
> virtualized pair of PF boxes running CARP this tunnel would stay up for .5
> to a couple days. Once I changed to the CARP/VM setup about an hour is all I
> get. To bring the tunnel back up all I have to do is go into the m0n0 and
> change phase 1 to another setting and change it back to the original setting
> and the tunnel comes back for an hour. I can also change any Phase 1 setting
> on both ends and the tunnel comes up, again only for about an hour. Anyone
> seen anything like this?
>

My first guess is 3600 is your lifetime on phase 2? And maybe it's not
the same on both sides? That's one common cause. Not enough info there
to tell you much more, check the SAs on both sides and see how those
match up. Logs could be telling if there are any.


[pfSense] M0n0wall to PFsense IPsec Tunnel drops every hour, Phase1 config change brings it back

2012-01-03 Thread Wade Blackwell
Good evening all,
I have an IPsec tunnel between a M0n0wall (1.33) and a pair of
virtualized pfSense boxen running 2.0-RELEASE (amd64). I've never seen this
issue in an IPsec implementation before. Short history, before I went to a
virtualized pair of PF boxes running CARP this tunnel would stay up for .5
to a couple days. Once I changed to the CARP/VM setup about an hour is all I
get. To bring the tunnel back up all I have to do is go into the m0n0 and
change phase 1 to another setting and change it back to the original
setting and the tunnel comes back for an hour. I can also change any Phase
1 setting on both ends and the tunnel comes up, again only for about an
hour. Anyone seen anything like this?

-- 
Wade Blackwell
Cell  - 805.400.8485
Desk  - 805.457.8825 X998
Skype - CoC.WadeBlackwell
