[Openswan Users] Openswan to cisco / SA Expired
Vincent Tamet
vincent.tamet at ilimit.net
Wed Apr 18 10:56:39 EDT 2012
Hi,
Can't find a way to solve the tunnel being cut down on the cisco side.
So I finally use NTP in the tunnel to start it, so that the tunnel will always come up (http://www.tomshardware.co.uk/forum/19329-17-make-tunnel-permanent).
Thank you very much for your help.
Best regards.
----- Original Message -----
From: "Paul Wouters" <pwouters at redhat.com>
To: "Vincent Tamet" <vincent.tamet at ilimit.net>
Cc: users at openswan.org
Sent: Friday, 16 March 2012 01:11:00
Subject: Re: [Openswan Users] Openswan to cisco / SA Expired
On Thu, 15 Mar 2012, Vincent Tamet wrote:
>>> Security association lifetime: 4608000 kilobytes/120 seconds
>> An SA lifetime of 2 minutes?? You really don't want that. Set it back to the
>> default (prob 1h or 8h)
>
> I changed all the timers to very low ones, only with the goal of finding the working values.
But as I explained, that creates more problems than it solves, as your
problem was SAs expiring before you got new SAs established.
>
> Because the cisco have a dynamic IP.
>
>>> Mar 14 16:52:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #122: received Delete SA payload: deleting ISAKMP State #122
>>> Mar 14 16:52:16 mpat-sc pluto[11239]: packet from y.y.y.136:500: received and ignored informational message
>> These could be because of your 2 minute window for the tunnel. It keeps
>> deleting and setting up new tunnels. Set it back to an hour and see if
>> this fixes your issues.
>
> Can't really understand this! :( I was using this to set it up like (https://lists.openswan.org/pipermail/users/2009-January/015995.html)
(Currently there is an issue at the colocation facility so I cannot look
at that posting. But normal values are between 1h and 8h.)
>>> rekey=no
>> Yup, you have rekey=no. Change that.
>
> Even if the right is %any? (http://lists.virus.org/users-openswan-0511/msg00127.html)
No, sorry, you must keep rekey=yes. I wrote that before I saw your cisco
was on a dynamic IP.
>> ikelifetime=2h
>> keylife=8h
>
> Thank you very much I will try right now.
Okay.
>>> dpddelay=10
>>> dpdtimeout=30
>>> dpdaction=hold
>
> I used this to select the DPD values (http://lists.virus.org/users-openswan-0511/msg00127.html).
> Do you have some recommendation for DPD on an xDSL line?
First of all, if your remote endpoint is dynamic, you must use
dpdaction=clear. Because the dynamic IP can be used by others and your
client might appear at a different IP.
For DSL lines, DPD is a double-edged sword. If something fills
your DSL line, you will experience packet loss. If the congestion is not
the IPsec tunnel, but other traffic, then DPD packets will be sent. If
the line is congested, they will be dropped, and after a few of those it
will actively restart your tunnel, that is it will kill a perfectly fine
tunnel.
>>> #LOCAL
>>> left=x.x.x.74
>>> leftsubnet=192.1.1.0/23
>>> leftnexthop=x.x.x.73
>>> #REMOT
>>> right=%any
>>> rightsubnet=192.168.2.0/24
>>> auto=start
>>> crypto ipsec security-association lifetime seconds 120
>> Make this longer, like 1h
>
> I thought it was fine to set it like the openswan one, I mean:
> Openswan:
> ikelifetime=2h
> keylife=8h
> Cisco:
> crypto isakmp policy 1
> lifetime 7200
> crypto ipsec security-association lifetime seconds 28800
> Must I really set this with the same values on both sides?
No, you should set the cisco time shorter than the openswan times.
That way, openswan is ensured to keep the tunnel up while the cisco
decides to rekey. This is why I said to use 2h on openswan and 1h on
the cisco. It means the tunnel rekeys every hour, but openswan will
keep using existing tunnels for two hours - well before the rekey time
of the cisco.
Paul
--
i l i m i t . . .
Vincent Tamet
vincent.tamet at ilimit.net
Infrastructure and Connectivity Area
0034 937 333 375
VOLTA 1, 5è
08224 TERRASSA.BCN
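As an added example (not part of the thread, and not Openswan or Cisco code), a small Python lint that applies Paul's three recommendations to a constructed ipsec.conf fragment and the Cisco lifetimes Vincent proposed: the Cisco lifetimes must be shorter than ikelifetime/keylife, rekey stays yes, and dpdaction is clear when right=%any. The conn name `prova` and the sample values are taken from the thread; the function names are my own.

```python
import re

# Constructed sample: Vincent's proposed symmetric settings from the thread.
OPENSWAN_CONN = """
conn prova
    right=%any
    ikelifetime=2h
    keylife=8h
    rekey=no
    dpdaction=hold
"""

CISCO_CONFIG = """
crypto isakmp policy 1
 lifetime 7200
crypto ipsec security-association lifetime seconds 28800
"""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def to_seconds(value):
    """Convert an Openswan duration such as '2h', '30m' or '120' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def parse_conn(text):
    """Return the key=value settings of a conn section as a dict."""
    return dict(re.findall(r"^\s*(\w+)=(\S+)", text, re.M))

def parse_cisco(text):
    """Extract the ISAKMP (phase 1) and IPsec (phase 2) lifetimes in seconds."""
    isakmp = re.search(r"^\s*lifetime (\d+)", text, re.M)
    ipsec = re.search(r"security-association lifetime seconds (\d+)", text)
    return {"isakmp": int(isakmp.group(1)), "ipsec": int(ipsec.group(1))}

def check_lifetimes(conn, cisco):
    """Return findings where the pair of configs contradicts the advice in the thread."""
    findings = []
    ike, key = to_seconds(conn["ikelifetime"]), to_seconds(conn["keylife"])
    if cisco["isakmp"] >= ike:   # cisco must rekey phase 1 before openswan expires it
        findings.append("cisco isakmp lifetime should be shorter than ikelifetime")
    if cisco["ipsec"] >= key:    # same for phase 2
        findings.append("cisco ipsec lifetime should be shorter than keylife")
    if conn.get("right") == "%any":
        if conn.get("rekey", "yes") != "yes":
            findings.append("rekey must stay yes")
        if "dpdaction" in conn and conn["dpdaction"] != "clear":
            findings.append("dpdaction should be clear for a dynamic peer")
    return findings
```

Running `check_lifetimes(parse_conn(OPENSWAN_CONN), parse_cisco(CISCO_CONFIG))` flags all four points Paul raised; with 1h on the cisco, rekey=yes and dpdaction=clear the list is empty.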