<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000000">
Hello, everyone.<br>
<br>
I've been experiencing some very strange stability issues where the
tunnels will appear to still be up (as per ipsec auto status), but no
traffic will flow through the tunnels. Tearing them down and then
bringing them back up solves the issue temporarily. The problem isn't
just that it does this, but that sometimes the tunnels will be very
stable for hours on end - and all of a sudden fail for no apparent
reason. Both ends are OpenSWAN 2.6.9, and configured identically:<br>
<br>
----- BEGIN CONFIG -----<br>
config setup<br>
interfaces="%none"<br>
nat_traversal=yes<br>
virtual_private=%v4:!10.2.0.0/16,%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12<br>
oe=off<br>
protostack=netkey<br>
plutodebug="parsing emitting control controlmore crypt lifecycle
pfkey dpd"<br>
plutoopts="--perpeerlog --perpeerlogbase=/etc/openswan/log"<br>
<br>
conn other-side<br>
type=tunnel<br>
leftupdown="/etc/openswan/updown"<br>
left=&lt;left-pub-ip&gt;<br>
leftsourceip=&lt;left-prv-ip&gt;<br>
leftsubnets={&lt;left-subnets&gt;}<br>
leftrsasigkey=&lt;left-rsa-crap&gt;<br>
right=&lt;right-pub-ip&gt;<br>
rightsourceip=&lt;right-src-ip&gt;<br>
rightsubnets={&lt;right-subnets&gt;}<br>
rightrsasigkey=&lt;right-rsa-crap&gt;<br>
dpdaction=restart_by_peer<br>
dpddelay=30<br>
dpdtimeout=60<br>
pfs=yes<br>
ike=3des-sha1<br>
esp=3des-sha1<br>
auto=start<br>
salifetime=1h<br>
ikelifetime=24h<br>
rekeymargin=2m<br>
<br>
------ END CONFIG ------<br>
<br>
Also, during one of these failures I witnessed the "last dpd" counter
go well past the 120 second mark even though I have it configured such
that (as I understand it) at worst 60 seconds after the last DPD ack
packet the connection should be terminated and re-started.<br>
<br>
If you'd like logging information I'll be happy to provide it - I
figured I'd post the configs just in case it was me being dumb and had
misconfigured my stuff.<br>
<br>
Cheers.<br>
<br>
<div class="moz-signature">-- <br>
<style type="text/css">
                        p { margin: 0; }
                </style>
<div style="font-family: Arial; font-size: 10pt; color: rgb(0, 0, 0);">
<font size="1"> Diego Rivera<br>
Director / System Operations<br>
Roundbox Global : <span
style="font-style: italic; color: rgb(102, 102, 102);">enterprise :
technology : genius</span><br>
------------------------------------------------------------------------------------------------------------------<br>
Avenida 11 y Calle 7-9, Barrio Amón, San José, Costa Rica<br>
tel: +1 (404) 567-5000 ext. 2147 | cel: +(506) 8393-0772 | fax: +(506)
2258-3695<br>
email: <a href="mailto:diego.rivera@rbxglobal.com">diego.rivera@rbxglobal.com</a>
| <a href="http://www.rbxglobal.com">www.rbxglobal.com</a><br>
------------------------------------------------------------------------------------------------------------------<br>
</font> </div>
</div>
</body>
</html>