Hi Dan,

Thank you for your hints, they are very valuable. The -h flag is a really good idea. And I'll also look deeper into ikeadm dump *.


Regarding the DPD, lowering the p2_softlife_secs seems to do the job and works even after ikeadm flush on the remote node.

Thanks.

Jan

On 8. 2. 2018 16:55, Dan McDonald wrote:
Pardon the shortness here.

One warning up front is that in.iked is closed-source, so IF there are any 
issues with IKE per se, we are not able to fix them.

On Feb 8, 2018, at 6:08 AM, Ján Poctavek <jan.pocta...@erigones.com> wrote:

Hi Dan,

Yes we know about the IKEv2 and we'll be happy to try it.

You might also be interested in our ansible playbook that sets up IPsec and 
overlays:
https://github.com/erigones/esdc-ce/tree/master/ans/overlays
And our simple IPsec debug scripts:
https://github.com/erigones/esdc-ce/tree/master/bin/debug
Thanks for sharing.

Any feedback on our docs or usage of IPsec is totally welcome. Don't hesitate 
to ask anything.
Thank you.

One more thing - as you are probably right person to ask - currently we are 
trying to set up a reliable Dead Peer Detection so the IPsec can overcome a 
remote node reboot or ipseckey flush. Is there any doc that can point us how to 
do that? I'm a bit lost in all IKE options.
DPD should Just Work on IKE, insofar as I recall.  SAs have IDLE timeouts which 
in.iked monitors. The trick is whether or not one side is behind a NAT or not.  
If both sides are NAT-free, what should happen is:

        - IDLE timeout occurs

        - SAs (and IKE SA) get deleted.

        - Next outbound traffic starts fresh with a PF_KEY ACQUIRE message, and 
a fresh IKE exchange.

If a NAT is in the way, things get tricky, because only the node *behind* the 
NAT can initiate cleanly, UNLESS you're doing static port mapping.

Now I just looked at your debug scripts.  I've noticed some things:

1.) You do not query the highly queryable in.iked via ikeadm(1M).  You use ikeadm to 
enable full-blown IKE logging, but there's more you can do.  Try "ikeadm dump 
p1", for example.  :)

2.) I would recommend having the option of using the -n flag for your 
invocations of IPsec utilities JUST IN CASE your name services are down.  If 
you're only using files, though, you can ignore this.

3.) You may not be aware of this, but if you utter "ipseckey flush" IKE *also* 
deletes all of its IKE SAs as well.  The ipsec_restart.sh script MAY be redundant, unless 
in.iked is seriously hosed.

Dan




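The following shell wrapper is added here as an illustration; it is not part of the thread and not one of the esdc-ce debug scripts. It puts Dan's three points together on an illumos/SmartOS host running in.iked: query in.iked itself with "ikeadm dump p1" rather than only turning on logging, pass -n to the IPsec utilities so they still work when name services are down, and watch for the PF_KEY ACQUIRE that starts the fresh IKE exchange after the remote node has rebooted or run "ipseckey flush". The peer address is a command-line argument you supply, the 60-second wait is an arbitrary choice of mine, and the grep for the literal word ACQUIRE in "ipseckey monitor" output is my reading of ipseckey(1M), not something the thread states.

```shell
#!/bin/sh
# Added example for this thread (not from the esdc-ce debug scripts):
# observe an IKE/IPsec peer dropping and re-establishing its SAs, using
# the illumos tools Dan points at. Assumes an illumos/SmartOS host
# running in.iked; the peer address and the timeout are mine.

# Both ikeadm(1M) and ipseckey(1M) take -n, which prints addresses
# numerically instead of resolving names, so the output still comes
# out when name services are the thing that is broken.
IKEADM="ikeadm -n"
IPSECKEY="ipseckey -n"

tools_present() {
    command -v ikeadm >/dev/null 2>&1 && command -v ipseckey >/dev/null 2>&1
}

# What in.iked itself knows (phase 1 SAs, loaded rules, counters), next
# to what the kernel SADB holds. "ikeadm dump p1" is the query that
# enabling debug logging alone never gives you.
dump_ike_state() {
    echo "== IKE phase 1 SAs (in.iked)"; $IKEADM dump p1
    echo "== IKE rules (in.iked)";       $IKEADM dump rule
    echo "== in.iked statistics";        $IKEADM get stats
    echo "== kernel SADB (ipseckey)";    $IPSECKEY dump
}

# Send one probe to the peer, then wait up to $2 seconds for the kernel
# to emit a PF_KEY ACQUIRE on the monitor socket. That ACQUIRE is the
# step in Dan's sequence that starts a fresh IKE exchange once the old
# SAs are gone; the probe packet itself is normally dropped while the
# exchange runs. Assumption: "ipseckey monitor" prints the message type
# as the word ACQUIRE (my reading of ipseckey(1M)).
wait_for_acquire() {
    peer=$1
    secs=${2:-60}
    log=$(mktemp /tmp/pfkey.XXXXXX) || return 1
    $IPSECKEY monitor >"$log" 2>&1 &
    mon=$!
    # illumos ping without options sends a single probe.
    ping "$peer" >/dev/null 2>&1 &
    i=0
    while [ "$i" -lt "$secs" ]; do
        if grep -q ACQUIRE "$log"; then
            echo "ACQUIRE seen after ${i}s:"
            grep -n ACQUIRE "$log" | head -3
            kill "$mon" 2>/dev/null
            rm -f "$log"
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    echo "no ACQUIRE within ${secs}s; nothing is triggering a new exchange"
    kill "$mon" 2>/dev/null
    rm -f "$log"
    return 1
}

# Usage: sh ike_watch.sh [peer-ip]
# With a peer: flush on the remote node (or reboot it), then run this to
# confirm the local side notices and renegotiates. Without one: just
# dump state. Does nothing on a host without the illumos tools.
if tools_present; then
    dump_ike_state
    if [ -n "${1:-}" ]; then
        wait_for_acquire "$1" 60 && dump_ike_state
    fi
else
    echo "ikeadm/ipseckey not found; run this on an illumos/SmartOS host" >&2
fi
```

Run it once before and once after flushing on the remote node: the first "ikeadm dump p1" shows the phase 1 SA that is about to go stale, the ACQUIRE line shows the local kernel asking in.iked for a new one, and the second dump shows the renegotiated SA. The timers in the sequence Dan describes are the ike.config(4) globals: p2_idletime_secs is the IDLE timeout in.iked monitors, and p2_softlife_secs, the one Jan lowered, is when in.iked starts renegotiating a phase 2 SA ahead of its hard lifetime. Remember Dan's third point as well: a local "ipseckey flush" also clears in.iked's IKE SAs, so after that you expect to see the full sequence, not just a phase 2 rekey.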
-------------------------------------------
smartos-discuss
Archives: https://www.listbox.com/member/archive/184463/=now