Re: OpenBSD4.1 IPSEC - transport_send_messages: giving up on exchange
We had similar problems about a year ago, when we deployed a massive installation of VPN/IPsec clients based on isakmpd. When testing the clients' robustness against a series of events, like physically disconnecting network cables, simulating power failures and such, we saw the same pattern. Our solution was to use an external program to send simple ICMP packets to our internal network and restart isakmpd once it detected the tunnel was down. A web search showed us that tunnel recreation is complex and frequently involves non-standard implementations. Sometimes this process fails, and an external watchdog should be considered to be on the safe side. So we cooked up an in-house solution using monit to restart isakmpd in case of failure. Obviously you'll need to define a simple set of rules to classify a connection as failed.

<snip>
> Okay, all VPNs come up normally but... the problem is: at random times, the tunnel goes down and doesn't come up again!
<snip>
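The ping-and-restart watchdog the reply describes, as an added example (it is not code from the thread or from monit). It assumes PROBE_HOST is a host behind the concentrator reachable only through the tunnel, and that isakmpd is run with -K and loaded from /etc/ipsec.conf with ipsecctl, as in the original poster's setup; PROBE_CMD and RESTART_CMD are hooks for exercising the logic without a real tunnel.

```shell
#!/bin/sh
# Added example (not from the thread): ping-based watchdog that restarts isakmpd.
# Assumed: PROBE_HOST answers only when the tunnel is up; isakmpd -K plus
# ipsecctl -f /etc/ipsec.conf is how the SAs/flows are (re)loaded.
PROBE_HOST="${PROBE_HOST:-10.0.0.1}"   # assumed probe target inside 10.0.0.0/16
MAX_FAIL="${MAX_FAIL:-3}"              # consecutive failed probes before a restart
INTERVAL="${INTERVAL:-30}"             # seconds between probes
# probe_tunnel: 0 if one ICMP echo is answered within 3 s, 1 otherwise.
# PROBE_CMD (hypothetical hook) lets the decision logic run without a tunnel.
probe_tunnel() {
    if [ -n "$PROBE_CMD" ]; then
        sh -c "$PROBE_CMD"
    else
        ping -c 1 -w 3 "$PROBE_HOST" >/dev/null 2>&1
    fi
}
# restart_isakmpd: kill the daemon, start it again, reload the flows.
restart_isakmpd() {
    if [ -n "$RESTART_CMD" ]; then     # hypothetical hook for testing
        sh -c "$RESTART_CMD"
        return
    fi
    logger -t ipsec-watchdog "no reply from $PROBE_HOST, restarting isakmpd"
    pkill -x isakmpd
    sleep 2
    /sbin/isakmpd -K && /sbin/ipsecctl -f /etc/ipsec.conf
}
# step: probe once and print the new consecutive-failure count; at MAX_FAIL
# it restarts isakmpd and resets the count to 0.
step() {
    fails="$1"
    if probe_tunnel; then
        echo 0
        return
    fi
    fails=$((fails + 1))
    if [ "$fails" -ge "$MAX_FAIL" ]; then
        restart_isakmpd
        fails=0
    fi
    echo "$fails"
}
# Main loop, e.g. started from /etc/rc.local as: /path/to/watchdog.sh run &
if [ "${1:-}" = "run" ]; then
    fails=0
    while :; do
        fails=$(step "$fails")
        sleep "$INTERVAL"
    done
fi
```

A restart only after several consecutive misses avoids bouncing isakmpd on a single lost packet over a flapping ADSL link.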
OpenBSD4.1 IPSEC - transport_send_messages: giving up on exchange
Hi all,

I have a lot of VPN connections from all subsidiaries of my business (46 subsidiaries/46 tunnels exactly). At the headquarters I have a CISCO ASA 5520 VPN concentrator. At the subsidiaries I have OpenBSD 4.1. My ipsec.conf is:

--
ike dynamic esp from 10.X.0.0/20 to { 10.0.0.0/16, 10.Y.0.0/16 } \
    peer Z \
    main auth hmac-sha1 enc 3des group modp1024 \
    quick auth hmac-sha1 enc 3des group none \
    psk SECRETKEY
flow esp from 10.X.0.0/20 to { 10.0.0.0/16, 10.Y.0.0/16 } peer Z
--

My key lifetimes (it works and is the correct usage of ipsec.conf + isakmpd.conf):

--
[General]
Default-phase-1-lifetime= 86400,60:86400
Default-phase-2-lifetime= 28800,60:86400
--

Okay, all VPNs come up normally but... the problem is: at random times, the tunnel goes down and doesn't come up again! My /var/log/messages at the moment of the blackout shows this message:

--
Dec 5 07:18:30 matrix isakmpd[23930]: transport_send_messages: giving up on exchange IPsec-10.X.0.0/20-10.Y.0.0/16, no response from peer Z:500
--

Another message that can be found at random moments is about INVALID COOKIE(S). The DPS functionality is configured on both ends; I believe this is not the problem. When the ADSL link drops for a few seconds this problem also occurs.

PS.:
1. About 1 year ago, my infrastructure was different: 46 OpenBSD 3.8 and 3.9 boxes (using isakmpd.conf and isakmpd.policy old-style and the same firewall script) at the subsidiaries and another OpenBSD 3.9 at the headquarters, and this problem never came up.
2. I configured my CISCO ASA and it's all okay.
3. My NAT and FIREWALL are OKAY.

Please, it's an urgent request, thanks for all/any reply! Thanks.