Re: OpenBSD4.1 IPSEC - transport_send_messages: giving up on exchange

2007-12-06 Thread Marcus Andree
We had similar problems about a year ago, when we deployed a
massive installation of VPN/IPsec clients based on isakmpd.

When testing the clients' robustness against a series of events, like physically
disconnecting network cables, simulating power failures and such, we
saw the same pattern.

Our solution was to use an external program to send simple ICMP
packets to our internal network and restart isakmpd once it detected
that the tunnel was down.

A web search showed us that tunnel recreation is complex and
frequently involves non-standard implementations. Sometimes this
process fails, and an external watchdog should be considered to
be on the safe side.

So we cooked up an in-house solution using monit to restart isakmpd in
case of failure. Obviously you'll need to define a simple set of rules
to classify a connection as failed.

> [snip]
>
> Okay, all VPNs come up normally, but the problem is:
> at random times the tunnel goes down and doesn't come up again!
>
> [snip]
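A minimal watchdog of the kind Marcus describes, written here as an added example (it is not Marcus's monit rules or anything else from the thread): it probes a host behind the tunnel with ICMP and restarts isakmpd only after a run of consecutive failed probes, so a single lost packet does not trigger a restart. The probe host, the thresholds and the restart sequence (`pkill isakmpd`, `ipsecctl -F`, `isakmpd -K`, `ipsecctl -f /etc/ipsec.conf`, matching an OpenBSD box that loads ipsec.conf without KeyNote policy) are assumptions for this example.

```shell
#!/bin/sh
# Constructed example: ICMP tunnel watchdog for an isakmpd-based IPsec client.
# Assumed values; adjust to the site.
PROBE_HOST="${PROBE_HOST:-10.0.0.1}"     # assumption: reachable only through the tunnel
MAX_FAILURES="${MAX_FAILURES:-3}"        # consecutive failures before restarting
INTERVAL="${INTERVAL:-30}"               # seconds between probes

# One ICMP echo with a 3 s wait; exit status 0 means a reply was seen.
probe() {
    ping -c 1 -w 3 -q "$1" >/dev/null 2>&1
}

# update_failures CURRENT_COUNT PROBE_RC -> prints the new consecutive-failure count.
# A successful probe resets the count; a failed one increments it.
update_failures() {
    if [ "$2" -eq 0 ]; then
        echo 0
    else
        echo $(( $1 + 1 ))
    fi
}

# should_restart COUNT -> true (0) once COUNT reaches MAX_FAILURES.
should_restart() {
    [ "$1" -ge "$MAX_FAILURES" ]
}

# Assumed restart sequence: stop the daemon, flush stale SAs/flows, start again.
restart_isakmpd() {
    logger -t ipsec-watchdog "probe to $PROBE_HOST failed $MAX_FAILURES times, restarting isakmpd"
    pkill isakmpd
    sleep 2
    ipsecctl -F
    isakmpd -K
    ipsecctl -f /etc/ipsec.conf
}

# Main loop: probe, update the failure count, restart when the threshold is hit.
main_loop() {
    failures=0
    while :; do
        if probe "$PROBE_HOST"; then rc=0; else rc=1; fi
        failures=$(update_failures "$failures" "$rc")
        if should_restart "$failures"; then
            restart_isakmpd
            failures=0
        fi
        sleep "$INTERVAL"
    done
}

# Run the loop only when explicitly asked (e.g. WATCHDOG_RUN=1 from rc.local).
if [ "${WATCHDOG_RUN:-0}" = 1 ]; then main_loop; fi
```

The failure-count logic is what makes this a "simple set of rules" in Marcus's sense; the same counter could be fed by a syslog check for the "giving up on exchange" line instead of ICMP.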



OpenBSD4.1 IPSEC - transport_send_messages: giving up on exchange

2007-12-05 Thread Douglas Secco dos Santos
Hi all,
I have a lot of VPN connections from all subsidiaries of my business (46
subsidiaries/46 tunnels exactly).
At the head office (matriz) I have a Cisco ASA 5520 VPN concentrator.
At the subsidiaries I have OpenBSD 4.1.

My ipsec.conf is:
--
ike dynamic esp from 10.X.0.0/20 to { 10.0.0.0/16, 10.Y.0.0/16 } \
peer Z \
main auth hmac-sha1 enc 3des group modp1024 \
quick auth hmac-sha1 enc 3des group none \
psk SECRETKEY
flow esp from 10.X.0.0/20 to { 10.0.0.0/16, 10.Y.0.0/16 } peer Z
--

My key lifetimes (this works and is the correct usage of
ipsec.conf + isakmpd.conf):
--
[General]
Default-phase-1-lifetime= 86400,60:86400
Default-phase-2-lifetime= 28800,60:86400
--
Okay, all VPNs come up normally, but the problem is:
at random times the tunnel goes down and doesn't come up again!

My /var/log/messages at the moment of the blackout shows this message:
--
Dec 5 07:18:30 matrix isakmpd[23930]: transport_send_messages: giving up on
exchange IPsec-10.X.0.0/20-10.Y.0.0/16, no response from peer Z:500
--
Another message that can be found at random moments is about INVALID COOKIE(S).

The DPS functionality is configured on both ends; I believe this is not the
problem.
When the ADSL link drops for a few seconds this problem also occurs.

PS:
1. About a year ago my infrastructure was different: 46 OpenBSD 3.8 and
3.9 machines (using old-style isakmpd.conf and isakmpd.policy and the same firewall
script) at the subsidiaries and another OpenBSD 3.9 at the head office, and this
problem never came up.
2. I configured my Cisco ASA and it's all okay.
3. My NAT and firewall are okay.

Please, it's an urgent request; thanks for all/any replies!
Thanks.
