[Openswan Users] Persistent connection for VPN connection

Juan Pablo jp.espino at gmail.com
Tue Jun 19 15:07:54 EDT 2007


Hi,

Every 6 or 7 hours, mmmm, it sounds to me like a Main Mode re-negotiation
issue. What is the value for ikelifetime? Let us see some logs also.

On 6/19/07, Peter Njiiri <pnjiiri at novell.ae> wrote:
> Hi Kevin
> The two servers are connected via a WAN. The Internet connection is constantly on and I noticed that the tunnel disconnects after some hours, 6 hrs or 7 hrs. Will check if the rekey=yes works; otherwise, are there other recommendations you have for this issue?
>
> Thanks for the feedback, Peter!
>
> >>> Kevin <kevin at sepit.com.au>  >>>
> What type of internet connections are each endpoint using and how stable
> are they?  I ask this because I had problems with tunnels apparently not
> staying up and it turned out that the internet connection dropping out
> even for a very short time was causing the problem.
>
> Regards
> Kevin
>
> Paul Wouters wrote:
>
> >On Mon, 18 Jun 2007, Peter Njiiri wrote:
> >
> >
> >
> >>The connection is a gateway-to-gateway connection using FreeSwan (ipsec.conf). Will adding the rekey=yes line work for FreeSwan? Thanks for the feedback
> >>
> >>
> >
> >See below on the remark when one of the endpoints is on dynamic ip (roadwarrior).
> >AFAIK, freeswan also had rekey=yes as the default, so I don't think it is going to help you.
> >
> >freeswan is unsupported and has not seen all required security patches. You should migrate
> >to openswan.
> >
> >Paul
> >
> >
> >
> >>Regards, Peter
> >>
> >>
> >>
> >>>>>Paul Wouters <paul at xelerance.com>  >>>
> >>>>>
> >>>>>
> >>On Mon, 18 Jun 2007, Peter Njiiri wrote:
> >>
> >>
> >>
> >>>I just need to know how a persistent connection can be established when VPN is up. I always have to restart the VPN after some hours as it seems that the SA connection/handshake is dropped? Is there a line that can be added into the ipsec.conf file? I need the VPN to be running consistently 24-7.
> >>>
> >>>
> >>If you use rekey=yes (the default!) then it should work already. If this is a roadwarrior connection,
> >>then the roadwarrior has to initiate the rekey and the server should use rekey=no.
> >>
> >>Paul
> >>
> >>
> >>
> >
> >
> >
>
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155


-- 
Juan Pablo

