[Openswan Users] Site-to-site with Cisco ASA5500 tunnel stops passing traffic

Christopher Opena counterveil at gmail.com
Thu Apr 26 16:08:19 EDT 2012


Thanks Tuomo.  As it turns out I've been using a fairly old version of
Openswan and am in the midst of compiling the new one (needs kernel
update).  The newest version seems to have a lot of bug fixes so I'll give
that a shot first.

Cheers,
-Chris.

On Thu, Apr 26, 2012 at 11:17 AM, Tuomo Soini <tis at foobar.fi> wrote:

> On Tue, 24 Apr 2012 01:33:15 -0700
> Christopher Opena <counterveil at gmail.com> wrote:
>
> > Hello folks,
> >
> > First post here and have to say I'm loving Openswan so far!  I've
> > successfully connected with a Juniper box followed by a Cisco ASA 5500
> > (vendor operated), both of which were fairly seamless affairs.
> >
> > I'm running into some issues with the Cisco ASA 5500 though, and
> > unfortunately don't have access to it to watch the logs.  From my own
> > research I have gathered that:
> >
> > - tcpdumps from a host on the vendor side of constant ICMP traffic
> > show that traffic is halted at 03:46AM (see logs below)
> > - on my side, ipsec auto --status and /etc/init.d/ipsec status shows
> > that the tunnels are up
>
> That can happen if there is a network problem between the remote and your
> sites. If the cisco admin has enabled dpd it does recognize this and tries to
> renegotiate the tunnel - but if you don't enable dpd your tunnel seems to be
> "up" while actually the other end has already dropped the tunnel and then
> tries to renegotiate it.
>
> I'd try to enable dpd.
>
> dpddelay=60
> dpdtimeout=240
> dpdaction=hold
>
> - try with these...
>
> Another thing is that this conn is aggressive mode - if this is static
> tunnel it could be configured with main mode which is much more used
> and so more stable than aggressive mode.
>
> Aggressive mode is not needed for static lan to lan tunnels.
>
> --
> Tuomo Soini <tis at foobar.fi>
> Foobar Linux services
> +358 40 5240030
> Foobar Oy <http://foobar.fi/>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
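The two configuration points Tuomo raises (no DPD, and aggressive mode on a static LAN-to-LAN conn) are easy to audit mechanically. The following is an added example, not code from the thread or from Openswan: a small checker that parses the `conn` sections of an Openswan-style ipsec.conf and flags conns that lack `dpddelay`/`dpdtimeout`/`dpdaction` (the keywords quoted above) or that set `aggrmode=yes` (Openswan's aggressive-mode switch, assumed here since the thread only names the mode). The sample ipsec.conf, with one weak conn beside a corrected one, is constructed for the example.

```python
"""Audit Openswan-style ipsec.conf conn sections for missing Dead Peer
Detection and for aggressive mode.  Hypothetical checker written for this
example; not part of Openswan.  Keyword names dpddelay/dpdtimeout/dpdaction
come from the thread; 'aggrmode' is assumed to be the aggressive-mode key."""

import re
from typing import Dict, List, Optional

# Constructed sample ipsec.conf: 'vendor-asa' is the weak "before" (aggressive
# mode, no DPD); 'vendor-asa-fixed' applies the advice from the thread.
SAMPLE_CONF = """\
config setup
    nat_traversal=yes

conn vendor-asa
    left=203.0.113.10
    leftsubnet=10.10.0.0/24
    right=198.51.100.5
    rightsubnet=10.20.0.0/24
    authby=secret
    aggrmode=yes
    auto=start

conn vendor-asa-fixed
    left=203.0.113.10
    leftsubnet=10.10.0.0/24
    right=198.51.100.5
    rightsubnet=10.20.0.0/24
    authby=secret
    dpddelay=60
    dpdtimeout=240
    dpdaction=hold
    auto=start
"""

SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)\s*$")
SECONDS_RE = re.compile(r"^(\d+)s?$")


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}} for every 'conn' section.

    Indented key=value lines belong to the most recent section header;
    'config setup' and '#' comments are skipped.  A repeated key overrides
    the earlier value.
    """
    conns: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = SECTION_RE.match(line)
        if header:
            kind, name = header.groups()
            current = conns.setdefault(name, {}) if kind == "conn" else None
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        current[key.strip()] = value.strip()
    return conns


def _seconds(value: str) -> Optional[int]:
    """Parse a plain-seconds value such as '60' or '60s'; None if unknown."""
    match = SECONDS_RE.match(value)
    return int(match.group(1)) if match else None


def audit_conn(name: str, params: Dict[str, str]) -> List[str]:
    """Findings for one conn, mirroring the advice given in the thread."""
    findings: List[str] = []
    if params.get("aggrmode", "no").lower() == "yes":
        findings.append(f"{name}: aggrmode=yes; a static LAN-to-LAN tunnel "
                        "can use main mode instead")
    missing = [k for k in ("dpddelay", "dpdtimeout", "dpdaction") if k not in params]
    if missing:
        findings.append(f"{name}: DPD not configured (missing {', '.join(missing)}); "
                        "a tunnel the peer has dropped will still show as up")
    else:
        delay, timeout = _seconds(params["dpddelay"]), _seconds(params["dpdtimeout"])
        # Only compare when both values parsed; otherwise leave it to the admin.
        if delay is not None and timeout is not None and timeout <= delay:
            findings.append(f"{name}: dpdtimeout ({timeout}) should exceed dpddelay ({delay})")
    return findings


def audit(text: str) -> Dict[str, List[str]]:
    """Audit every conn in an ipsec.conf; an empty list means no findings."""
    return {name: audit_conn(name, p) for name, p in parse_conns(text).items()}


if __name__ == "__main__":
    for conn, findings in audit(SAMPLE_CONF).items():
        print(conn, "->", findings or ["ok"])
```

Run against a real ipsec.conf by reading the file into `audit()`; the `dpdaction` value itself (`hold` here, as in the thread) is left to the operator, since the right choice depends on which side is expected to initiate.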