[Openswan Users] Please help

Paul Wouters paul at xelerance.com
Fri Mar 20 17:40:18 EDT 2009


On Fri, 20 Mar 2009, Jon James wrote:

> I have over 150 Openswan ipsec vpn tunnels from various parts of North America all connecting to a Fortigate 310b
> firewall/router
> 
> The majority of the tunnels come up fine. The problem is that after an hour or so some (not all) of the tunnels
> drop for some unknown reason.

One hour is the default IKE rekey time for openswan.

Your logs show that you are using XAUTH. That might complicate rekeying, as
xauth is not really meant to be rekeyed (due to the password prompting,
though some people (you included) have put those on the device to automate
the rekey).

Still, both of your logs (the one you marked "good" as well as the one you marked
"bad") show two completed IPsec tunnel established's. I am not sure why there is
a problem. Nothing in the logs suggests anything went wrong. Since this rekey was
initiated by the Fortigate, what you can try to do is to ensure openswan is the
initiator at rekey using ikelifetime=30m and comment out your rekeyfuzz= entry.

Paul
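Editor's note: the ipsec.conf fragment below is an added example illustrating the change Paul suggests; it is not from Paul's message or from Openswan's own documentation. The conn name, addresses, subnets and XAUTH username are placeholders, and the defaults quoted in the comments (ikelifetime=1h, rekeymargin=9m, rekeyfuzz=100%) are the Openswan 2.6 defaults as I recall them; check ipsec.conf(5) on your own version before relying on them.

```ini
# ipsec.conf fragment (added example, not part of the original thread).
# Goal: make Openswan, not the Fortigate, the initiator of the IKE rekey
# by shortening ikelifetime and dropping any rekeyfuzz override.

conn fortigate-site
        # Placeholder endpoints: left is this Openswan host, right the Fortigate.
        left=%defaultroute
        leftsubnet=10.10.0.0/24
        right=203.0.113.1
        rightsubnet=10.0.0.0/16
        authby=secret

        # XAUTH client side. The username is set here; the password is kept
        # in ipsec.secrets so an automated rekey does not stall on a prompt
        # (the poster already does this). Verify the exact secrets syntax
        # against ipsec.secrets(5) for your release.
        leftxauthclient=yes
        leftxauthusername=vpnuser
        rightxauthserver=yes

        # Rekey timing. With the defaults (ikelifetime=1h, rekeymargin=9m,
        # rekeyfuzz=100%) Openswan attempts the IKE rekey somewhere between
        # 9 and 18 minutes before the hour, so a peer whose own timer fires
        # first will initiate instead.
        #
        # Before (as in the poster's setup, values assumed):
        #ikelifetime=1h
        #rekeyfuzz=...     # site-specific override; commented out per Paul
        #
        # After: a 30 minute IKE lifetime with the default 9m margin means
        # Openswan starts rekeying roughly 21 minutes after the IKE SA is
        # established, well ahead of a peer running a 1h lifetime.
        ikelifetime=30m
        rekey=yes
        auto=start
```

After reloading the conn (`ipsec auto --replace fortigate-site` then `ipsec auto --up fortigate-site`), watch the logs for the next rekey: the expected result is that the "initiating" lines for the new IKE SA come from the Openswan side rather than from the Fortigate.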

