This is the output of ipsec verify:<br><br>Checking your system to see if IPsec got installed and started correctly:<br>Version check and ipsec on-path [OK]<br>Linux Openswan U2.4.6/K2.6.18-4-686 (netkey)
<br>Checking for IPsec support in kernel [OK]<br>NETKEY detected, testing for disabled ICMP send_redirects [FAILED]<br><br> Please disable /proc/sys/net/ipv4/conf/*/send_redirects<br> or NETKEY will cause the sending of bogus ICMP redirects!
<br><br>NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]<br><br> Please disable /proc/sys/net/ipv4/conf/*/accept_redirects<br> or NETKEY will accept bogus ICMP redirects!<br><br>Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
<br> ipsec showhostkey: no default key in "/etc/ipsec.secrets"<br>Checking that pluto is running [OK]<br>Two or more interfaces found, checking IP forwarding [OK]<br>
Checking NAT and MASQUERADEing<br>Checking for 'ip' command [OK]<br>Checking for 'iptables' command [OK]<br>Opportunistic Encryption Support [DISABLED]
<br><br><br>Both eth0 and eth1 have their mtu set to 1500<br><br>In the options.l2tpd the mtu is set to 1410<br><br>I have disabled the firewall, but the problem occurs with and without iptables.<br><br><br><br><div><span class="gmail_quote">
On 5/15/07, <b class="gmail_sendername">Paul Wouters</b> <<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On Tue, 15 May 2007, Rafael Andara wrote:<br><br>> I was able to set up a lab vpn server with IPsec/l2tpd without any problem,<br>> but when I put it on production my connection suddenly dies after a minute<br>> or so, I was able to see that pppd was sending LCP EchoReq but it wasn't
<br>> getting any response.<br>> I stopped testing and 2 days after it's worse the connection isn't<br>> established, the chap challenge doesn't get to client and I see this with<br>> tcpdump:<br>>
<br>> 12:16:46.007191 IP vpn-server > roadwarrior: ESP(spi=0x3b2c8ac1,seq=0x6),<br>> length 84<br>> 12:16:46.009699 IP vpn-server > roadwarrior: ESP(spi=0x3b2c8ac1,seq=0x7),<br>> length 68
<br>> 12:16:46.896071 IP roadwarrior > vpn-server: ESP(spi=0x707a54a7,seq=0x8),<br>> length 84<br>> 12:16:46.898789 arp who-has roadwarrior tell vpn-server<br>> 12:16:47.898825 arp who-has roadwarrior tell vpn-server
<br>> 12:16:48.898892 arp who-has roadwarrior tell vpn-server<br>> 12:16:49.902972 arp who-has roadwarrior tell vpn-server<br>> 12:16:50.903013 arp who-has roadwarrior tell vpn-server<br>> 12:16:51.903077 arp who-has roadwarrior tell vpn-server
<br>> 12:16:52.907159 arp who-has roadwarrior tell vpn-server<br>><br>> VPN-server is a NAT server also, with iptables.<br><br>- Run ipsec verify<br>- Check/lower your external mtu to 1440<br>- disable firewall rules to see if that is the problem
<br><br>Paul<br><br></blockquote></div><br><br clear="all"><br>-- <br>Regards.<br>Linux Registered User 422700<br>-RA-