[Openswan Users] during ~10 minutes period, the ipsec connection is unreliable

Luc Paulin lpaulin at touchtunes.com
Wed Aug 25 16:02:53 EDT 2010


Hi Everyone,
I am experiencing an intermittent problem with our site-to-site VPN. 
Once in a while the site-to-site tunnel goes down for about 10 
minutes and then restores by itself. From what I see in the pluto 
log, there's nothing wrong during that period of time. Internet 
connectivity works fine.

I had noticed that during the downtime the remote site hosts are pingable, 
and already open and active sessions aren't affected; however, new TCP 
sessions won't go through the tunnel, they hang and nothing happens until 
the tunnel is online again. Though the logs don't seem to show anything 
wrong, I suspect maybe a rekey issue, or something related.

Can anyone confirm that the config below is good? Should anything else 
be added/removed to improve the tunnel reliability? As a side note, 
the SITE A VPN will be upgraded soon to something identical (or at least 
very close) to the SITE B.

SITE A
OS: Fedora Core release 6 (Zod) Tikanga
Kernel: Linux ipsec1.touchtunes.com 2.6.22.14-72.fc6 #1 SMP Wed Nov 21 
15:12:59 EST 2007 i686 i686 i386 GNU/Linux
Version: openswan-2.4.9-1
==============
conn mtltonyc
         authby=secret
         pfs=yes
         left=a.a.a.175
         leftnexthop=a.a.a.161
         right=b.b.b.2
         rightnexthop=b.b.b.1
         auto=start
         esp=aes128-sha1
         keylife=12h
         ikelifetime=4h


SITE B
OS: CentOS release 5.4 (Final) Tikanga
Kernel: Linux fwny-01.touchtunes.com 2.6.18-164.15.1.el5 #1 SMP Wed Mar 
17 11:30:06 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux
Version: openswan-2.6.21-5.el5_4.2
==============
conn nyctomtl
         authby=secret
         pfs=yes
         left=a.a.a.175
         leftnexthop=a.a.a.161
         right=b.b.b.2
         rightnexthop=b.b.b.1
         auto=start
         esp=aes128-sha1
         salifetime=12h
         ikelifetime=4h


     -Luc
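Added example (not from the post or from Openswan): a small Python checker that parses the two conn blocks above, folds the keylife/salifetime/lifetime synonyms from ipsec.conf(5) into one key, and reports any IKE or IPsec SA lifetime the two peers disagree on. SITE_A and SITE_B are constructed excerpts containing only the lifetime-related settings quoted in the post; the fallback values are assumed to be the ipsec.conf(5) defaults.

```python
import re

# ipsec.conf(5) spells the IPsec SA lifetime three ways; all mean the same thing.
SA_LIFETIME_ALIASES = {"keylife", "lifetime", "salifetime"}
UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}
# Assumed ipsec.conf(5) defaults used when a peer does not set the value.
DEFAULTS = {"ikelifetime": "1h", "salifetime": "8h"}

# Constructed excerpts of the two conn blocks quoted in the post (lifetime keys only).
SITE_A = "conn mtltonyc\n  esp=aes128-sha1\n  keylife=12h\n  ikelifetime=4h\n"
SITE_B = "conn nyctomtl\n  esp=aes128-sha1\n  salifetime=12h\n  ikelifetime=4h\n"


def parse_conn(text):
    """Parse one 'conn <name>' block into (name, {key: value})."""
    name, settings = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            name = line.split(None, 1)[1]
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        # Fold the synonyms so SITE A's keylife= and SITE B's salifetime= compare equal.
        if key in SA_LIFETIME_ALIASES:
            key = "salifetime"
        settings[key] = value.strip()
    return name, settings


def to_seconds(value):
    """Convert an Openswan time value such as '12h', '9m' or '3600' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    if not m:
        raise ValueError("unrecognised time value: %r" % value)
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


def lifetime_mismatches(conn_a, conn_b):
    """Return [(key, seconds_a, seconds_b)] for every lifetime the peers disagree on."""
    problems = []
    for key, default in DEFAULTS.items():
        a = to_seconds(conn_a.get(key, default))
        b = to_seconds(conn_b.get(key, default))
        if a != b:
            problems.append((key, a, b))
    return problems


if __name__ == "__main__":
    _, a = parse_conn(SITE_A)
    _, b = parse_conn(SITE_B)
    print(lifetime_mismatches(a, b) or "lifetimes agree on both peers")
```

Run it against the real conn blocks from both hosts to see whether the rekey timers line up; a peer that omits a key is compared using the assumed default.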
