[Openswan Users] Dead of ispec connection

Sasa sasa at shoponweb.it
Fri Sep 28 17:53:54 EDT 2007


"Peter McGill" wrote:
> What are you connecting to at the other side of the tunnel ?
> Openswan or something else?

...also on the other side I have Openswan.

> What do the logs there say?

...on the other side, in the log file, I recurrently have:

Sep 26 08:37:33 fw2 pluto[2580]: "portrm" #52: IPsec SA expired (LATEST!)
Sep 26 09:38:32 fw2 pluto[2580]: packet from 80.23.x.y:500: Informational Exchange is for an unknown (expired?) SA
Sep 26 10:22:31 fw2 pluto[2580]: packet from 80.23.x.y:500: Informational Exchange is for an unknown (expired?) SA
Sep 26 11:11:20 fw2 pluto[2580]: packet from 80.23.x.y:500: Informational Exchange is for an unknown (expired?) SA
Sep 26 12:43:36 fw2 pluto[2580]: packet from 80.23.x.y:500: Informational Exchange is for an unknown (expired?) SA
Sep 26 14:14:53 fw2 pluto[2580]: packet from 80.23.x.y:500: Informational Exchange is for an unknown (expired?) SA
Sep 26 15:01:04 fw2 pluto[2580]: packet from 80.23.x.y:500: Informational Exchange is for an unknown (expired?) SA
Sep 26 15:52:01 fw2 pluto[2580]: packet from 80.23.x.y:500: Informational Exchange is for an unknown (expired?) SA
Sep 26 16:38:33 fw2 pluto[2580]: "portrm" #10: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xa67be454) not found (maybe expired)

> It could be caused by an unstable internet connection.

I do not think it is a problem with the Internet connection, because my problem
always shows up after the IPsec tunnel has not been used for a long period, as
for example in the morning and after the lunch break.

> Try adding Dead Peer Detection if you can.
> It looks like the other side is advertising DPD capability.
> DPD needs to be enabled on both sides to work.
> Look in the man ipsec.conf page for dpd*.
> Ie)
> dpddelay=30
> dpdtimeout=120
> dpdaction=restart

If I have understood correctly, I must add the following parameters to ipsec.conf on both sides:

config setup
	interfaces="ipsec0=eth0"

conn %default
	ikelifetime=5h
	keylife=10h
	dpddelay=30
	dpdtimeout=120
	dpdaction=restart
	authby=rsasig
..
Thanks.

------
   Salvatore. 
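The pattern in the quoted log (this side reports the IPsec SA expired, the peer keeps sending Informational Exchanges and Delete payloads for SAs this side no longer has, and nothing re-establishes the tunnel) can be picked out of pluto logs automatically. This is an added example, not code from the thread or from Openswan; the sample lines are constructed from the quoted ones with the peer address kept masked, and the message substrings it matches are the ones shown in the thread.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the thread (peer address kept masked).
SAMPLE_LOG = """\
Sep 26 08:37:33 fw2 pluto[2580]: "portrm" #52: IPsec SA expired (LATEST!)
Sep 26 09:38:32 fw2 pluto[2580]: packet from 80.23.x.y:500: Informational Exchange is for an unknown (expired?) SA
Sep 26 10:22:31 fw2 pluto[2580]: packet from 80.23.x.y:500: Informational Exchange is for an unknown (expired?) SA
Sep 26 16:38:33 fw2 pluto[2580]: "portrm" #10: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xa67be454) not found (maybe expired)
"""
# Syslog prefix written by pluto, then the message body.
LINE_RE = re.compile(r'^\w{3} +\d+ \d\d:\d\d:\d\d \S+ pluto\[\d+\]: (?P<msg>.*)$')
UNKNOWN_SA_RE = re.compile(r'^packet from (?P<peer>.+):\d+: Informational Exchange is for an unknown')
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)" #\d+: (?P<rest>.*)$')

def classify(line):
    """Return (kind, key) for a line of interest, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group('msg')
    u = UNKNOWN_SA_RE.match(msg)
    if u:                                   # peer still talks about an SA we dropped
        return ('stale_ref', u.group('peer'))
    c = CONN_RE.match(msg)
    if not c:
        return None
    rest = c.group('rest')
    if rest.startswith('ignoring Delete SA payload'):
        return ('stale_ref', c.group('conn'))
    if 'IPsec SA expired' in rest:
        return ('expired', c.group('conn'))
    if 'IPsec SA established' in rest:      # a successful rekey clears the expiry
        return ('established', c.group('conn'))
    return None

def analyse(log_text):
    """Flag tunnels whose latest SA event is an expiry while the peer keeps referencing unknown SAs."""
    last_state, stale_refs = {}, Counter()
    for line in log_text.splitlines():
        ev = classify(line)
        if ev is None:
            continue
        kind, key = ev
        if kind == 'stale_ref':
            stale_refs[key] += 1
        else:
            last_state[key] = kind          # only the most recent expiry/establish counts
    dead = sorted(c for c, s in last_state.items() if s == 'expired')
    return {'dead_conns': dead, 'stale_refs': dict(stale_refs),
            'one_sided': bool(dead) and bool(stale_refs)}
```

A `one_sided` result is the state DPD is meant to cure: one side has torn down the SA while the other still believes it is up, so neither side initiates a fresh negotiation until traffic or a lifetime expiry forces it.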