[Openswan Users] Dead of ispec connection

Sasa sasa at shoponweb.it
Thu Oct 4 06:55:21 EDT 2007


Hi, is any additional information about my problem needed?
Thanks.

------
   Salvatore.


----- Original Message ----- 
From: "Sasa" <sasa at shoponweb.it>
To: <petermcgill at goco.net>; <users at openswan.org>
Sent: Friday, September 28, 2007 11:53 PM
Subject: Re: [Openswan Users] Dead of ispec connection


> "Peter McGill" wrote:
>> What are you connecting to at the other side of the tunnel ?
>> Openswan or something else?
>
> ..also on the other side I have openswan
>
>> What do the logs there say?
>
> ..on the other side, in the log file, I recurrently have:
>
> Sep 26 08:37:33 fw2 pluto[2580]: "portrm" #52: IPsec SA expired (LATEST!)
> Sep 26 09:38:32 fw2 pluto[2580]: packet from 80.23.x.y:500:
> Informational Exchange is for an unknown (expired?) SA
> Sep 26 10:22:31 fw2 pluto[2580]: packet from 80.23.x.y:500:
> Informational Exchange is for an unknown (expired?) SA
> Sep 26 11:11:20 fw2 pluto[2580]: packet from 80.23.x.y:500:
> Informational Exchange is for an unknown (expired?) SA
> Sep 26 12:43:36 fw2 pluto[2580]: packet from 80.23.x.y:500:
> Informational Exchange is for an unknown (expired?) SA
> Sep 26 14:14:53 fw2 pluto[2580]: packet from 80.23.x.y:500:
> Informational Exchange is for an unknown (expired?) SA
> Sep 26 15:01:04 fw2 pluto[2580]: packet from 80.23.x.y:500:
> Informational Exchange is for an unknown (expired?) SA
> Sep 26 15:52:01 fw2 pluto[2580]: packet from 80.23.x.y:500:
> Informational Exchange is for an unknown (expired?) SA
> Sep 26 16:38:33 fw2 pluto[2580]: "portrm" #10: ignoring Delete SA payload:
> PROTO_IPSEC_ESP SA(0xa67be454) not found (maybe expired)
>
>> It could be caused by an unstable internet connection.
>
> I do not think it is a problem with the Internet connection, because my
> problem always shows up after the IPSEC tunnel has not been used for a long
> period, as for example in the morning and after the lunch break.
>
>> Try adding Dead Peer Detection if you can.
>> It looks like the other side is advertising DPD capability.
>> DPD needs to be enabled on both sides to work.
>> Look in the man ipsec.conf page for dpd*.
>> Ie)
>> dpddelay=30
>> dpdtimeout=120
>> dpdaction=restart
>
> If I have understood correctly, I must add the following parameters in
> ipsec.conf on both sides:
>
> config setup
> interfaces="ipsec0=eth0"
> conn %default
> ikelifetime=5h
> keylife=10h
> dpddelay=30
> dpdtimeout=120
> dpdaction=restart
> authby=rsasig
> ..
> Thanks.
>
> ------
>   Salvatore.
>
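A defender-side check for the pattern in the quoted log, added here as an example that is not from the thread or from Openswan: it parses pluto lines like the ones above and flags a peer that keeps sending Informational Exchanges for SAs this side no longer has while no IPsec SA has been established since the last expiry. The sample lines are constructed from the quoted ones, and the "IPsec SA established" message is assumed to be the sign of a rekeyed tunnel.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the pluto lines quoted in this thread; it is
# not the poster's actual log ("80.23.x.y" is the masked peer address as posted).
SAMPLE_LOG = """\
Sep 26 08:37:33 fw2 pluto[2580]: "portrm" #52: IPsec SA expired (LATEST!)
Sep 26 09:38:32 fw2 pluto[2580]: packet from 80.23.x.y:500: Informational Exchange is for an unknown (expired?) SA
Sep 26 10:22:31 fw2 pluto[2580]: packet from 80.23.x.y:500: Informational Exchange is for an unknown (expired?) SA
Sep 26 11:11:20 fw2 pluto[2580]: packet from 80.23.x.y:500: Informational Exchange is for an unknown (expired?) SA
Sep 26 16:38:33 fw2 pluto[2580]: "portrm" #10: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xa67be454) not found (maybe expired)
"""

# The three messages quoted in the thread, plus pluto's "IPsec SA established"
# message (assumed here to mark a successfully rekeyed tunnel).
EXPIRED = re.compile(r'"(?P<conn>[^"]+)" #\d+: IPsec SA expired')
ORPHAN_INFO = re.compile(
    r'packet from (?P<peer>[\d.a-zA-Z]+):\d+: Informational Exchange is for an unknown \(expired\?\) SA')
IGNORED_DELETE = re.compile(r'ignoring Delete SA payload')
ESTABLISHED = re.compile(r'"(?P<conn>[^"]+)" #\d+: .*IPsec SA established')


def analyze(log_text, threshold=3):
    """Summarise pluto log lines; a peer is 'stale' when it sent at least
    `threshold` Informational Exchanges for unknown SAs and no IPsec SA has
    been established since the last expiry (the no-DPD failure in the thread)."""
    expired_conns = []
    orphan = defaultdict(int)
    ignored_deletes = 0
    reestablished = False
    for line in log_text.splitlines():
        if (m := EXPIRED.search(line)):
            expired_conns.append(m.group("conn"))
            reestablished = False          # a new expiry resets the flag
        elif (m := ORPHAN_INFO.search(line)):
            orphan[m.group("peer")] += 1   # peer still believes the SA is alive
        elif IGNORED_DELETE.search(line):
            ignored_deletes += 1           # peer tore down an SA we had dropped
        elif ESTABLISHED.search(line):
            reestablished = True
    stale = sorted(p for p, n in orphan.items()
                   if n >= threshold and not reestablished)
    return {
        "expired_conns": expired_conns,
        "orphan_info_exchanges": dict(orphan),
        "ignored_deletes": ignored_deletes,
        "reestablished_after_expiry": reestablished,
        "stale_peers": stale,
    }
```

Run it over the real pluto log on the side that shows these messages; a non-empty `stale_peers` is the cue to check that dpddelay/dpdtimeout/dpdaction are set on both ends.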


