[Openswan Users] Persistent connection for VPN connection

Peter Njiiri pnjiiri at novell.ae
Sun Jun 24 02:38:42 EDT 2007


Hi,
Thanks for the feedback, unfortunately no success. Will keyingtries=0 work??

Kind Regards

>>> "Juan Pablo" <jp.espino at gmail.com> 06/22/07 1:26 AM >>>
Hi,

Try with ike_lifetime = 28800 sec and ipsec_lifetime=3600 in both ends
and see if it works. Also try to capture traffic with
Ethereal/Wireshark or something similar when you lose the connection.

On 6/20/07, Peter Njiiri <pnjiiri at novell.ae> wrote:
>
>
> Hi
>
> ikelifetime is commented out thus I presume it might be taking the default:
>
> conn %default
> # Default: %forever (try forever)
> #keyingtries=3
> # Sig keys (default: %dnsondemand)
> leftrsasigkey=%cert
> rightrsasigkey=%cert
> # Lifetimes, defaults are 1h/8hrs
> #ikelifetime=20m
> #keylife=1h
> #rekeymargin=8m
>
> ipsec auto --status log excerpt is below (I've omitted certificate
> information):
>
> 000 interface lo/lo ::1
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth1/eth1 10.30.7.9
> 000 interface eth1/eth1 10.30.7.9
> 000 %myid = (none)
> 000 debug none
> 000
> 000 "hamadtownzen01":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
> 000 "hamadtownzen01":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 32,24; interface: eth1;
> 000 "hamadtownzen01":   newest ISAKMP SA: #1; newest IPsec SA: #2;
> 000
> 000 #2: "hamadtownzen01" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26826s; newest IPSEC; eroute owner
> 000 #2: "hamadtownzen01" esp.f3f82e06 at 10.30.2.10 esp.de5fa75d at 10.30.7.9 tun.0 at 10.30.2.10 tun.0 at 10.30.7.9
> 000 #1: "hamadtownzen01" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1995s; newest ISAKMP
> 000
>
> Kind Regards
>
> Peter
>
>
> >>> "Juan Pablo" <jp.espino at gmail.com> 06/19/07 11:07 PM >>>
>
> Hi,
>
> Every 6 or 7 hours, mmmm, it sounds to me like a Main Mode re-negotiation
> issue. What is the value for ikelifetime? Let us see some logs also.
>
> On 6/19/07, Peter Njiiri <pnjiiri at novell.ae> wrote:
> > Hi Kevin
> > The two servers are connected via a WAN. The Internet connection is
> > constantly on and I noticed that the tunnel disconnects after some hours,
> > 6hrs or 7 hrs. Will check if the rekey=yes works otherwise, are there other
> > recommendations you have for this issue?
> >
> > Thanks for the feedback, Peter!
> >
> > >>> Kevin <kevin at sepit.com.au>  >>>
> > What type of internet connections are each endpoint using and how stable
> > are they?  I ask this because I had problems with tunnels apparently not
> > staying up and it turned out that the internet connection dropping out
> > even for a very short time was causing the problem.
> >
> > Regards
> > Kevin
> >
> > Paul Wouters wrote:
> >
> > >On Mon, 18 Jun 2007, Peter Njiiri wrote:
> > >
> > >>The connection is a Gateway-to-gateway connection using FreeSwan
> > >>(ipsec.conf). Will adding the rekey=yes line work for FreeSwan? Thanks for
> > >>the feedback
> > >
> > >See below on the remark when one of the endpoints is on dynamic ip
> > >(roadwarrior).
> > >AFAIK, freeswan also had rekey=yes as the default, so I don't think it is
> > >going to help you.
> > >
> > >freeswan is unsupported and has not seen all required security patches.
> > >You should migrate to openswan.
> > >
> > >Paul
> > >
> > >>Regards, Peter
> > >>
> > >>>>>Paul Wouters <paul at xelerance.com>  >>>
> > >>
> > >>On Mon, 18 Jun 2007, Peter Njiiri wrote:
> > >>
> > >>>I just need to know how a persistent connection can be established when
> > >>>VPN is up. I always have to restart the VPN after some hours as it seems
> > >>>that the SA connection/handshake is dropped? Is there a line that can be
> > >>>added into the ipsec.conf file??? I need the VPN to be running consistently
> > >>>24-7?
> > >>
> > >>If you use rekey=yes (the default!) then it should work already. If this
> > >>is a roadwarrior connection, then the roadwarrior has to initiate the rekey
> > >>and the server should use rekey=no.
> > >>
> > >>Paul
> > >
> >
> >
>
>
> --
> Juan Pablo
>
>
>
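The settings argued over in this thread (keyingtries, ike_life/ipsec_life, rekey_margin and rekey_fuzz) are all visible in the `ipsec auto --status` excerpt Peter posted. The following is an added example, not code from the thread or from Openswan, that parses such status output and reports what those values imply: a finite keyingtries means pluto stops retrying after that many failed negotiations, and the rekey window follows from lifetime minus a margin that rekeyfuzz randomly enlarges by up to the given percentage. The status text is constructed from the excerpt above; the window arithmetic assumes pluto's documented rekeyfuzz behaviour.

```python
import re

# Constructed sample, adapted from the `ipsec auto --status` excerpt quoted in the thread.
STATUS = """\
000 "hamadtownzen01":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "hamadtownzen01":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP; prio: 32,24; interface: eth1;
000 #2: "hamadtownzen01" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26826s; newest IPSEC; eroute owner
000 #1: "hamadtownzen01" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1995s; newest ISAKMP
"""
LIFE_RE = re.compile(r'^000 "(?P<conn>[^"]+)":\s+ike_life: (?P<ike>\d+)s; ipsec_life: (?P<ipsec>\d+)s; '
                     r'rekey_margin: (?P<margin>\d+)s; rekey_fuzz: (?P<fuzz>\d+)%; keyingtries: (?P<tries>\S+)')
SA_RE = re.compile(r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)" (?P<state>\S+) .*?EVENT_SA_REPLACE in (?P<secs>\d+)s')

def parse_status(text):
    """Per connection: lifetimes/margin/fuzz/keyingtries plus a list of (sa_num, state, replace_in_secs)."""
    conns = {}
    for line in text.splitlines():
        if m := LIFE_RE.match(line):
            c = conns.setdefault(m['conn'], {'sas': []})
            # pluto reports keyingtries=%forever as 0; anything else is a finite retry budget
            c.update(ike_life=int(m['ike']), ipsec_life=int(m['ipsec']), margin=int(m['margin']),
                     fuzz=int(m['fuzz']), keyingtries=None if m['tries'] in ('0', '%forever') else int(m['tries']))
        elif m := SA_RE.match(line):
            conns.setdefault(m['conn'], {'sas': []})['sas'].append((int(m['num']), m['state'], int(m['secs'])))
    return conns

def rekey_window(life, margin, fuzz):
    """Seconds after SA setup between which pluto starts the replacement: rekeyfuzz randomly
    enlarges the margin by up to fuzz%, so rekeying begins in [life - margin*(1+fuzz/100), life - margin]."""
    return life - margin * (1 + fuzz / 100), life - margin

def findings(conn):
    """Checks for the settings discussed in the thread, as readable strings."""
    out = []
    if conn['keyingtries'] is not None:
        out.append(f"keyingtries={conn['keyingtries']}: pluto gives up after that many failed "
                   "negotiations; set keyingtries=%forever for an always-up tunnel")
    lo, hi = rekey_window(conn['ipsec_life'], conn['margin'], conn['fuzz'])
    out.append(f"IPsec SA replacement starts {lo / 3600:.1f}-{hi / 3600:.1f}h after setup")
    for num, state, secs in conn['sas']:
        kind = 'ISAKMP' if state.startswith('STATE_MAIN') else 'IPsec'
        out.append(f"SA #{num} ({kind}, {state}) replaced in {secs // 60} min")
    return out

if __name__ == '__main__':
    for name, conn in parse_status(STATUS).items():
        print(name, *findings(conn), sep='\n  ')
```

Run it against the real `ipsec auto --status` output of both gateways to confirm the lifetimes match on each end, as Juan Pablo suggests.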
