[Openswan Users] Checkpoint - OpenSwan connection dropping

Mike.Peters at opengi.co.uk Mike.Peters at opengi.co.uk
Tue Jan 9 05:09:49 EST 2007


> When you say "I cannot re-initiate the connection from the 
> OpenSwan end",
> Do you mean only auto-renew fails, or manual too?
> I see no reason why manual would fail here.
> ie) ipsec auto --up checkpoint-openswan
> (pings will not renew an openswan conn, they are not 
> "on-demand" in that sense.)
To clarify, when the connection drops, "ipsec whack --status" shows the
tunnel as up, but no traffic passes over the tunnel from the OpenS/WAN
to checkpoint end, pinging from the checkpoint end brings the connection
back. Restarting the tunnel with "ipsec auto --up checkpoint-openswan"
or even completely restarting ipsec, does not bring the connection back
- although again "ipsec whack" shows the tunnel as being established.

> However, to fix auto-renewal, try setting rekey=yes, and 
> keyingtries=%forever in the appropriate conn.
> They are defaults, however putting keyingtries=3 in the 
> %default conn, will have overridden the default.
> Also make sure that keylife and ikelifetime match the values 
> in the checkpoint configuration.
> You can also try enabling dead peer detection if supported by 
> checkpoint.
> In openswan is, dpddelay=30, dpdtimeout=120, dpdaction=restart.

Thanks for the suggestions, I've set rekey=yes and keyingtries=%forever
to see if that helps and will enable dead peer detection as suggested if
it doesn't.

> All this may help, however I suspect your biggest problem is 
> keyingtries=3 in the %default conn.
> Experience has taught me that keyingtries does not reset 
> after a connection is made, so at best
> You'll get 2 renewals, before openswan gives up. This doesn't 
> afect incoming conns, so it would
> Still allow the checkpoint to renew it, as your ping has done.

Thanks again for your suggestions.

Mike Peters
Linux System and Website Administrator
Open G I Limited
This message is intended for the named recipient only and may be
privileged and/or confidential.  If you are not the intended or named
recipient or have received this email in error then you should not copy
forward or disclose it to any other persons.  If you have received this
email in error you should destroy it and contact the sender so that we
may take appropriate action.   The views and opinions expressed in this
email may not represent the views and opinions of Open International
Limited or any of its subsidiaries and are made without prejudice and
subject to contract.  The Company Reserves the right to intercept and
review all email communications.

More information about the Users mailing list