[Openswan Users] One Hour Disconnect?
petermcgill at goco.net
Tue Dec 20 14:31:12 CET 2005
I fixed the problem.
As I stated previously I had already tried auto=start,
and that did not work, tried again anyway, but didn't
I did some more testing focusing on ikelifetime=, since
it was set at 1.0h and that's the time the connection was
lost. At ikelifetime=2.0h, the connection disconnected
at 2 hours, instead of one. The first time I tested this,
I must have forgotten to --replace the conn, but this
time I reset pluto to be sure. I then remembered reading
someone needed to swap the values for ikelifetime= and
keylife= for their conn to work. I didn't want to wait
8 hours to test the problem though, so I just set the following:
Now the problem is gone, not exactly sure why though.
All my other options, I have reset to previously stated
values. (ie: auto=route) Been running without problem
for several days now.
Perhaps Nortel throws away the entire tunnel when the
ike/auth key expires, and expects whole conn to renew?
Or maybe it simply expects the ike/auth key to last longer
than the data/encryption key?
Software Developer / Network Administrator
Gra Ham Energy Limited
----- Original Message -----
From: "Paul Wouters" <paul at xelerance.com>
To: "Peter McGill" <petermcgill at goco.net>
Cc: <users at openswan.org>
Sent: Thursday, December 15, 2005 4:08 PM
Subject: Re: [Openswan Users] One Hour Disconnect?
> On Thu, 15 Dec 2005, Peter McGill wrote:
>> The connection is established, and works for about one
>> hour. The logs seem to indicate that the ISAKMP SA
>> is renegotiated at about 45 minutes in. I have tested
>> the connection after this and it is still working, but at
>> about one hour we receive a Delete SA from the
>> Nortel box and the connection goes down without
>> reconnecting. At this point I have to manually force
>> reconnection via: ipsec auto --up or --route.
>> conn sunoco-172-16-19-net-to-london-office-net
> use auto=start, not auto=route