[Openswan Users] 2.4.6 <--> 2.4.6 stops passing traffic

Robert Woodcock Robert.Woodcock at Homestone.com
Wed Mar 7 12:49:25 EST 2007


I've set up an IPSec link between two identical Soekris net4801's running
Debian etch, Linux 2.4.34 (kernel.org source with the Debian etch
linux-patch-openswan package's patch applied), and OpenS/WAN 2.4.6 (the
package in Debian etch), with the following ipsec.conf:

config setup
        nat_traversal=yes
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

conn %default
        auth=esp
        authby=rsasig
        auto=start
        type=tunnel
        pfs=yes
        esp=aes-sha1
        keyingtries=0
        keyexchange=ike
        keylife=1h
        left=%defaultroute
        leftsubnet=my.left.tunnel.address/32
        leftid=@myleftkeyid
        leftrsasigkey=myleftpublickey
        leftupdown="/etc/network/ipsec-updown"

conn otherside
        right=my.right.external.ip
        rightnexthop=my.right.external.gateway
        rightsubnet=my.right.tunnel.address/32
        rightid=@myrightkeyid
        rightrsasigkey=myrightpublickey

The link works fine. However, 5 times in the last month it has stopped
passing traffic. "ipsec whack --status" output looks no different ("IPSec
SA established"), "ipsec eroute" will show the connection is still erouted,
tcpdump while pinging between Soekrises shows ICMP ECHO_REQUEST packets
making it to their destination, ICMP ECHO_RESPONSE packets going out
ipsec0, but no corresponding ESP packets going out eth0.

"/etc/init.d/ipsec restart" on one end will bring the link back.

Last time I messed with OpenS/WAN, I used OpenS/WAN 2.2.0 with 3DES/MD5
and no PFS, and it was absolutely rock solid. Any suggestions on how I
can get the same results with 2.4.x, AES, SHA, and PFS?

Thanks!

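An added check for the symptom described in the post (editor's example, not code from the poster or from Openswan): it reads tcpdump text output from ipsec0 and eth0 and flags the state where echo replies leave ipsec0 in the clear but no ESP leaves eth0. The captures, addresses and SPIs below are constructed; the local tunnel and external addresses (10.1.1.1 and 192.0.2.10) are assumptions.

```python
import re

# Constructed sample captures (assumption: 10.1.1.1 / 192.0.2.10 are the local
# tunnel and external addresses; the peer is 10.1.1.2 / 192.0.2.20).
IPSEC0_DUMP = """\
12:49:25.100001 IP 10.1.1.2 > 10.1.1.1: ICMP echo request, id 4321, seq 1, length 64
12:49:25.100200 IP 10.1.1.1 > 10.1.1.2: ICMP echo reply, id 4321, seq 1, length 64
12:49:26.100001 IP 10.1.1.2 > 10.1.1.1: ICMP echo request, id 4321, seq 2, length 64
12:49:26.100200 IP 10.1.1.1 > 10.1.1.2: ICMP echo reply, id 4321, seq 2, length 64
"""
# Healthy: inbound ESP from the peer and outbound ESP carrying our replies.
ETH0_DUMP_OK = """\
12:49:25.100000 IP 192.0.2.20 > 192.0.2.10: ESP(spi=0x1a2b3c4d,seq=0x11), length 120
12:49:25.100250 IP 192.0.2.10 > 192.0.2.20: ESP(spi=0x5e6f7081,seq=0x21), length 120
12:49:26.100000 IP 192.0.2.20 > 192.0.2.10: ESP(spi=0x1a2b3c4d,seq=0x12), length 120
12:49:26.100250 IP 192.0.2.10 > 192.0.2.20: ESP(spi=0x5e6f7081,seq=0x22), length 120
"""
# Stalled: the peer's ESP still arrives, but nothing leaves for it.
ETH0_DUMP_STALLED = """\
12:49:25.100000 IP 192.0.2.20 > 192.0.2.10: ESP(spi=0x1a2b3c4d,seq=0x11), length 120
12:49:26.100000 IP 192.0.2.20 > 192.0.2.10: ESP(spi=0x1a2b3c4d,seq=0x12), length 120
"""

ECHO_REPLY_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo reply")
ESP_RE = re.compile(r"IP (\S+) > (\S+): ESP\(spi=0x[0-9a-f]+,seq=0x[0-9a-f]+\)")

def count_from(dump, pattern, src_ip):
    """Count lines matching pattern whose source address is src_ip."""
    return sum(1 for line in dump.splitlines()
               if (m := pattern.search(line)) and m.group(1) == src_ip)

def diagnose(ipsec0_dump, eth0_dump, tunnel_ip, external_ip):
    """Classify a capture pair as 'idle', 'ok' or 'stalled'.
    'stalled' is the state in the post: echo replies leave ipsec0 in the
    clear, but no ESP with our external address as source leaves eth0."""
    replies_out = count_from(ipsec0_dump, ECHO_REPLY_RE, tunnel_ip)
    esp_out = count_from(eth0_dump, ESP_RE, external_ip)
    if replies_out == 0:
        return "idle"
    return "ok" if esp_out > 0 else "stalled"

if __name__ == "__main__":
    print(diagnose(IPSEC0_DUMP, ETH0_DUMP_OK, "10.1.1.1", "192.0.2.10"))
    print(diagnose(IPSEC0_DUMP, ETH0_DUMP_STALLED, "10.1.1.1", "192.0.2.10"))
```

On a live box the two dumps would come from `tcpdump -n -i ipsec0` and `tcpdump -n -i eth0` run over the same ping interval.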