[Openswan Users] Dead of ispec connection

Peter McGill petermcgill at goco.net
Thu Oct 4 10:44:11 EDT 2007


No, you were correct; this should do it. I would have put it directly in the conn, but conn %default may work also.
And on both sides these settings must match.
> > conn %default
> > ikelifetime=5h
> > keylife=10h
> > dpddelay=30
> > dpdtimeout=120
> > dpdaction=restart
> > authby=rsasig

Peter McGill
 

> -----Original Message-----
> From: Sasa [mailto:sasa at shoponweb.it] 
> Sent: October 4, 2007 6:55 AM
> To: petermcgill at goco.net; users at openswan.org
> Subject: Re: [Openswan Users] Dead of ispec connection
> 
> Hi, is additional information about my problem needed?
> Thanks.
> 
> ------
>    Salvatore.
> 
> 
> ----- Original Message ----- 
> From: "Sasa" <sasa at shoponweb.it>
> To: <petermcgill at goco.net>; <users at openswan.org>
> Sent: Friday, September 28, 2007 11:53 PM
> Subject: Re: [Openswan Users] Dead of ispec connection
> 
> 
> > "Peter McGill" wrote:
> >> What are you connecting to at the other side of the tunnel ?
> >> Openswan or something else?
> >
> > ..also on the other side I have openswan
> >
> >> What do the logs there say?
> >
> > ..on the other side, in the log file, I repeatedly have:
> >
> > Sep 26 08:37:33 fw2 pluto[2580]: "portrm" #52: IPsec SA expired (LATEST!)
> > Sep 26 09:38:32 fw2 pluto[2580]: packet from 80.23.x.y:500: Informational Exchange is for an unknown (expired?) SA
> > Sep 26 10:22:31 fw2 pluto[2580]: packet from 80.23.x.y:500: Informational Exchange is for an unknown (expired?) SA
> > Sep 26 11:11:20 fw2 pluto[2580]: packet from 80.23.x.y:500: Informational Exchange is for an unknown (expired?) SA
> > Sep 26 12:43:36 fw2 pluto[2580]: packet from 80.23.x.y:500: Informational Exchange is for an unknown (expired?) SA
> > Sep 26 14:14:53 fw2 pluto[2580]: packet from 80.23.x.y:500: Informational Exchange is for an unknown (expired?) SA
> > Sep 26 15:01:04 fw2 pluto[2580]: packet from 80.23.x.y:500: Informational Exchange is for an unknown (expired?) SA
> > Sep 26 15:52:01 fw2 pluto[2580]: packet from 80.23.x.y:500: Informational Exchange is for an unknown (expired?) SA
> > Sep 26 16:38:33 fw2 pluto[2580]: "portrm" #10: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xa67be454) not found (maybe expired)
> >
> >> It could be caused by an unstable internet connection.
> >
> > I do not think it is a problem with the Internet connection, because my problem
> > always shows up after the IPSEC tunnel has not been used for a long period,
> > for example in the morning and after the lunch break.
> >
> >> Try adding Dead Peer Detection if you can.
> >> It looks like the other side is advertising DPD capability.
> >> DPD needs to be enabled on both sides to work.
> >> Look in the man ipsec.conf page for dpd*.
> >> Ie)
> >> dpddelay=30
> >> dpdtimeout=120
> >> dpdaction=restart
> >
> > If I have understood, I must add the following parameters to ipsec.conf on
> > both sides:
> >
> > config setup
> > interfaces="ipsec0=eth0"
> > conn %default
> > ikelifetime=5h
> > keylife=10h
> > dpddelay=30
> > dpdtimeout=120
> > dpdaction=restart
> > authby=rsasig
> > ..
> > Thanks.
> >
> > ------
> >   Salvatore.
> >
> > 
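
The reply above says these settings must match on both sides and that conn %default may work as well as the conn itself. The following Python check is an added example, not part of the original thread or of Openswan; it resolves conn %default for a named conn and reports which of the thread's settings differ between two ipsec.conf files. The function names, the sample configs, and the simplification that conn %default applies to every conn (with also= ignored) are assumptions.

```python
# Settings from the thread that should agree on both tunnel endpoints.
MUST_MATCH = ("ikelifetime", "keylife", "dpddelay", "dpdtimeout", "dpdaction", "authby")

def parse_conns(text):
    """Return {conn_name: {key: value}}; 'config setup' and comments are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and not line[0].isspace():  # section headers start in column 0
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    return conns

def effective(conns, name):
    return {**conns.get("%default", {}), **conns[name]}  # conn overrides %default

def mismatches(left_text, right_text, conn):
    """Return (key, left_value, right_value) for each MUST_MATCH key that differs."""
    left = effective(parse_conns(left_text), conn)
    right = effective(parse_conns(right_text), conn)
    return [(k, left.get(k), right.get(k)) for k in MUST_MATCH if left.get(k) != right.get(k)]

# Constructed sample configs, not from the thread. fw1 sets DPD in conn %default;
# fw2 sets it in the conn itself, with a different timeout and no dpdaction.
FW1 = """\
config setup
    interfaces="ipsec0=eth0"
conn %default
    ikelifetime=5h
    keylife=10h
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    authby=rsasig
conn portrm
    auto=start
"""
FW2 = """\
conn %default
    ikelifetime=5h
    keylife=10h
    authby=rsasig
conn portrm
    dpddelay=30
    dpdtimeout=60
"""
print(mismatches(FW1, FW2, "portrm"))
```

An empty list means the compared settings agree for that conn; a `None` on one side means the setting is absent there.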


