[Openswan Users] cisco and timeouts

jef peeraer jef.peeraer at telenet.be
Wed Aug 2 09:15:21 EDT 2006


I've got a Cisco setup at the road warrior site, and it seems to work
with my Openswan server (2.4.5). There is only one thing (kind of
blocking): after a certain timeout, the tunnels seem to be closed. On
the wiki there seems to be an article about this, but the link is dead.
I feel it has something to do with a stateful firewall and timeouts,
but my Cisco knowledge is very limited (I did the basic setup via the web
interface).
My Cisco config is as follows:

!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname koenthuis
!
no logging buffered

!
username
no aaa new-model
ip subnet-zero
ip name-server 195.238.2.21
ip name-server 195.238.2.22
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.51.2
ip dhcp excluded-address 192.168.100.2
ip dhcp excluded-address 192.168.100.1
!
ip dhcp pool CLIENT
   import all
   network 192.168.100.0 255.255.255.128
   default-router 192.168.100.1
   lease 0 2
!
ip dhcp pool C
!
!
ip inspect udp idle-time 15
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip inspect name myfw udp timeout 15
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
description CRWS Generated text. Please do not delete this:192.168.51.1-255.255.255.128
ip address 192.168.51.1 255.255.255.128 secondary
ip address 192.168.100.1 255.255.255.128
ip access-group 122 out
ip nat inside
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface ATM0
no ip address
atm vc-per-vp 64
atm ilmi-keepalive
pvc 8/35
  pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
ip access-group 111 in
ip mtu 1492
ip nat outside
ip inspect myfw out
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer remote-name redback
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname ********@SKYNET
ppp chap password 7 ******
ppp pap sent-username ****@SKYNET password 7 *******
ppp ipcp dns request
ppp ipcp wins request
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static udp 192.168.100.2 4500 interface Dialer1 4500
ip nat inside source static tcp 192.168.100.2 80 interface Dialer1 80
ip nat inside source static tcp 192.168.100.2 22 interface Dialer1 22
ip nat inside source static udp 192.168.100.2 500 interface Dialer1 500
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
logging 192.168.100.2
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 102 permit ip 192.168.51.0 0.0.0.127 any
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
access-list 102 permit tcp any any eq www
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 22
access-list 111 permit udp any any eq isakmp
access-list 111 permit tcp any any eq telnet
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny   ip any any
access-list 122 deny   tcp any any eq telnet
access-list 122 permit ip any any
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
!
end
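
Added here as an example, not part of the original post or of Openswan: a small Python check over the relevant lines of the posted config that reports UDP inspect timeouts shorter than the NAT-T keepalive interval for the statically forwarded IKE ports (500 and 4500). The 20 second keepalive is an assumption taken from the RFC 3948 default, not a value from the post.

```python
import re

# Constructed excerpt of the Cisco IOS config from the post; only the
# lines that matter for this check are reproduced.
CONFIG = """\
ip inspect udp idle-time 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw udp timeout 15
ip inspect name myfw tftp timeout 30
ip nat inside source static udp 192.168.100.2 4500 interface Dialer1 4500
ip nat inside source static udp 192.168.100.2 500 interface Dialer1 500
interface Dialer1
 ip inspect myfw out
"""

# Assumed keepalive interval: RFC 3948 uses 20 seconds by default for
# NAT-T keepalives. A UDP idle timeout below it lets the inspect/NAT
# entry expire between two keepalives.
NAT_T_KEEPALIVE_SECONDS = 20

INSPECT_GLOBAL = re.compile(r"^ip inspect udp idle-time (\d+)")
INSPECT_RULE = re.compile(r"^ip inspect name (\S+) udp timeout (\d+)")
STATIC_NAT_UDP = re.compile(
    r"^ip nat inside source static udp \S+ (\d+) interface \S+ (\d+)")


def udp_inspect_timeouts(config):
    """Return {rule: seconds} for UDP inspect timeouts; '*' is the global idle-time."""
    timeouts = {}
    for line in config.splitlines():
        m = INSPECT_GLOBAL.match(line)
        if m:
            timeouts["*"] = int(m.group(1))
        m = INSPECT_RULE.match(line)
        if m:
            timeouts[m.group(1)] = int(m.group(2))
    return timeouts


def forwarded_ike_ports(config):
    """Outside UDP ports statically forwarded that carry IKE or NAT-T traffic."""
    ports = set()
    for line in config.splitlines():
        m = STATIC_NAT_UDP.match(line)
        if m and int(m.group(2)) in (500, 4500):
            ports.add(int(m.group(2)))
    return ports


def check_ike_state_timeouts(config, keepalive=NAT_T_KEEPALIVE_SECONDS):
    """List (rule, seconds, ike_ports) where the UDP timeout is below the keepalive."""
    ports = sorted(forwarded_ike_ports(config))
    return [(rule, secs, ports)
            for rule, secs in udp_inspect_timeouts(config).items()
            if secs < keepalive]
```

Run against the full config rather than the excerpt to see every UDP inspect rule; a finding means the firewall can forget the IKE/NAT-T flow before the next keepalive arrives, and the fix is to raise that timeout above the keepalive interval.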

