[Openswan Users] Persistent connection for VPN connection
Peter Njiiri
pnjiiri at novell.ae
Wed Jun 20 02:25:57 EDT 2007
Hi
ikelifetime is commented out, thus I presume it might be taking the default:
conn %default
# Default: %forever (try forever)
#keyingtries=3
# Sig keys (default: %dnsondemand)
leftrsasigkey=%cert
rightrsasigkey=%cert
# Lifetimes, defaults are 1h/8hrs
#ikelifetime=20m
#keylife=1h
#rekeymargin=8m
The ipsec auto --status output excerpt is below (I've omitted certificate information):
000 interface lo/lo ::1
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth1/eth1 10.30.7.9
000 interface eth1/eth1 10.30.7.9
000 %myid = (none)
000 debug none
000
000 "hamadtownzen01": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "hamadtownzen01": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 32,24; interface: eth1;
000 "hamadtownzen01": newest ISAKMP SA: #1; newest IPsec SA: #2;
000
000 #2: "hamadtownzen01" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26826s; newest IPSEC; eroute owner
000 #2: "hamadtownzen01" esp.f3f82e06 at 10.30.2.10 esp.de5fa75d at 10.30.7.9 tun.0 at 10.30.2.10 tun.0 at 10.30.7.9
000 #1: "hamadtownzen01" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1995s; newest ISAKMP
000
Kind Regards
Peter
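The status lines Peter pasted carry everything needed to sanity-check the rekeying setup that Kevin, Paul and Juan Pablo are discussing. The following is an added example, not code from the list or from Openswan: it parses the conn summary and SA lines in the shape shown above (the sample input is constructed from the posted values), computes the window in which the replacement negotiation should start, and flags settings that can leave a supposedly always-on tunnel down. The window formula assumes the ipsec.conf semantics of rekeymargin and rekeyfuzz (the margin is randomly increased by up to rekeyfuzz percent); the field names and the regular expressions are my assumptions about this particular output format.

```python
import re

# Constructed sample: excerpt of `ipsec auto --status` output using the values
# from the posted log (conn summary and the two SA lines).
STATUS_OUTPUT = """\
000 "hamadtownzen01": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "hamadtownzen01": policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 32,24; interface: eth1;
000 #2: "hamadtownzen01" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26826s; newest IPSEC; eroute owner
000 #1: "hamadtownzen01" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1995s; newest ISAKMP
"""

# Assumed shapes of the two line types we care about.
LIFE_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)": ike_life: (?P<ike>\d+)s; ipsec_life: (?P<ipsec>\d+)s; '
    r'rekey_margin: (?P<margin>\d+)s; rekey_fuzz: (?P<fuzz>\d+)%; keyingtries: (?P<tries>\d+|%forever)'
)
SA_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)" (?P<state>STATE_\w+) \([^)]*\); '
    r'EVENT_SA_REPLACE in (?P<secs>\d+)s; newest (?P<kind>ISAKMP|IPSEC)'
)


def parse_status(text):
    """Return {conn_name: {lifetimes..., 'sas': [...]}} from status output."""
    conns = {}
    for line in text.splitlines():
        m = LIFE_RE.match(line)
        if m:
            c = conns.setdefault(m['conn'], {'sas': []})
            c.update(ike_life=int(m['ike']), ipsec_life=int(m['ipsec']),
                     rekey_margin=int(m['margin']), rekey_fuzz=int(m['fuzz']),
                     keyingtries=None if m['tries'] == '%forever' else int(m['tries']))
            continue
        m = SA_RE.match(line)
        if m:
            conns.setdefault(m['conn'], {'sas': []})['sas'].append(
                {'num': int(m['num']), 'state': m['state'],
                 'kind': m['kind'], 'replace_in': int(m['secs'])})
    return conns


def rekey_window(lifetime, margin, fuzz_pct):
    """(earliest, latest) seconds after establishment at which replacement
    negotiation starts: lifetime minus a margin that is randomly increased
    by up to fuzz_pct percent."""
    return lifetime - margin * (1 + fuzz_pct / 100), lifetime - margin


def review(conn):
    """Findings that matter for a tunnel that must stay up unattended."""
    findings = []
    if conn['keyingtries'] is not None:
        findings.append(
            f"keyingtries is {conn['keyingtries']}: after that many failed attempts the SA "
            "is not replaced, so a short outage during rekey leaves the tunnel down "
            "(keyingtries=%forever keeps retrying)")
    for kind, life_key in (('ISAKMP', 'ike_life'), ('IPSEC', 'ipsec_life')):
        _lo, hi = rekey_window(conn[life_key], conn['rekey_margin'], conn['rekey_fuzz'])
        for sa in conn['sas']:
            # A replace timer beyond lifetime-minus-margin means the SA would
            # expire before a replacement is attempted.
            if sa['kind'] == kind and sa['replace_in'] > hi:
                findings.append(f"#{sa['num']}: EVENT_SA_REPLACE in {sa['replace_in']}s "
                                f"exceeds lifetime minus rekeymargin ({hi:.0f}s)")
    if conn['rekey_margin'] * (1 + conn['rekey_fuzz'] / 100) >= conn['ike_life']:
        findings.append("rekeymargin plus fuzz can reach ikelifetime; rekeying would start at once")
    return findings


if __name__ == '__main__':
    for name, conn in parse_status(STATUS_OUTPUT).items():
        print(name, conn['sas'])
        for f in review(conn):
            print('  -', f)
```

Run against the posted values, the SA replace timers are consistent with the lifetimes (3060s and 28260s upper bounds), and the only finding is the finite keyingtries, which is the setting that interacts with the short link drops Kevin describes.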
>>> "Juan Pablo" <jp.espino at gmail.com> 06/19/07 11:07 PM >>>
Hi,
Every 6 or 7 hours mmmm it sounds to me a Main Mode re-negotiation
issue. What is the value for ikelifetime? Let us see some logs also.
On 6/19/07, Peter Njiiri <pnjiiri at novell.ae> wrote:
> Hi Kevin
> The two servers are connected via a WAN. The Internet connection is constantly on and I noticed that the tunnel disconnects after some hours, 6 hrs or 7 hrs. Will check if rekey=yes works; otherwise, are there other recommendations you have for this issue?
>
> Thanks for the feedback, Peter!
>
> >>> Kevin <kevin at sepit.com.au> >>>
> What type of internet connections are each endpoint using and how stable
> are they? I ask this because I had problems with tunnels apparently not
> staying up and it turned out that the internet connection dropping out
> even for a very short time was causing the problem.
>
> Regards
> Kevin
>
> Paul Wouters wrote:
>
> >On Mon, 18 Jun 2007, Peter Njiiri wrote:
> >
> >>The connection is a gateway-to-gateway connection using FreeSwan (ipsec.conf). Will adding the rekey=yes line work for FreeSwan? Thanks for the feedback.
> >>
> >
> >See below on the remark when one of the endpoints is on dynamic ip (roadwarrior).
> >AFAIK, freeswan also had rekey=yes as the default, so I don't think it is going to help you.
> >
> >freeswan is unsupported and has not seen all required security patches. You should migrate
> >to openswan.
> >
> >Paul
> >
> >>Regards, Peter
> >>
> >>>>>Paul Wouters <paul at xelerance.com> >>>
> >>>>>
> >>On Mon, 18 Jun 2007, Peter Njiiri wrote:
> >>
> >>>I just need to know how a persistent connection can be established when the VPN is up. I always have to restart the VPN after some hours, as it seems that the SA connection/handshake is dropped. Is there a line that can be added into the ipsec.conf file? I need the VPN to be running consistently 24/7.
> >>>
> >>If you use rekey=yes (the default!) then it should work already. If this is a roadwarrior connection,
> >>then the roadwarrior has to initiate the rekey and the server should use rekey=no.
> >>
> >>Paul
> >
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
--
Juan Pablo