[Openswan Users] connection dropping.
David McCullough
david_mccullough at mcafee.com
Mon Sep 10 19:31:47 EDT 2012
Jivin dan.cave at me.com lays it down ...
> Hi mitsuo ..
>
> I don't know if this is significant, but how is it possible to have just one IP address for your left subnet, since it is a network and single IP at the same time as the CIDR notation is a /32.. Can you not use a /30 or later? I'm wondering if this attributes to your random disconnects because the remote end may be confused somehow..
As someone already pointed out, the /32 is fine. Use that all the time for
a single host inside a network.
As for the connections dropping. I notice you have forceencaps on,
probably because you have a NAT firewall.
It's possible on cheaper NAT routers that they lose the NAT association after
5 minutes or so, regardless of activity. Might be something to look for.
If you stop seeing incoming IKE traffic (tcpdump) that would probably
explain it.
Cheers,
Davidm
> -------- Original message --------
> Subject: Re: [Openswan Users] connection dropping.
> From: Mitsuo Yazawa
> To: users at lists.openswan.org
> CC:
>
>
> Hi,
>
> Thank you for helping me.
>
> I added those lines, disconnects are still happening
>
> any more advice?
>
> Mitsuo
>
> From: Elison Niven <mailto:elison.niven at elitecore.com>
> Sent: Thursday, September 06, 2012 10:13 PM
> To: mitsuoyazawa at gmail.com
> Cc: users at lists.openswan.org
> Subject: Re: [Openswan Users] connection dropping.
>
> Hello,
>
> Why are you not using dpd ? Add this to your conf :
>
> dpdaction=restart_by_peer
> dpddelay=30
> dpdtimeout=120
>
>
> On Thursday 06 September 2012 08:33 PM, Mitsuo Yazawa wrote:
>
>
> Hi,
>
>
> I have this connection which connects perfectly and all, but it keeps disconnecting at random times. I need a way to make it stop disconnecting.
> This is my setup:
>
> conn tunnelipsec
>     #CLIENT
>     left=<MyIP>
>     leftsubnet=10.90.48.10/32
>     #REMOTEHOST
>     right=<targetIP>
>     rightsubnet=10.90.0.0/16
>     authby=secret
>     auto=start
>     compress=no
>     type=tunnel
>     pfs=yes
>     forceencaps=yes
>     #PHASE1
>     keylife=28800s
>     #PHASE2
>     phase2=esp
>     phase2alg=3des-sha1,aes128-sha1;modp1536
>     ikelifetime=1800s
>     rekey=yes
>     rekeymargin=15m
>
>
> I also added
>
> force_keepalive=yes
> keep_alive=10
>
> to see if that helped keeping it alive (with no different result)
> For now I made my own script to detect disconnection and restart the ipsec service, which has been working but is not what I want.
>
>
> Any help I would appreciate.
>
> Mitsuo
>
>
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>
>
> --
> Best Regards,
> Elison Niven
>
--
David McCullough, david_mccullough at mcafee.com, Ph:+61 734352815
McAfee - SnapGear http://www.mcafee.com http://www.uCdot.org
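
The tcpdump check suggested in the reply above can be automated. The following is an added example, not part of the original thread or of Openswan: it scans `tcpdump -tt -n` output for periods where the local host keeps sending IKE/NAT-T packets (UDP 500/4500) but nothing comes back from the peer, which is what a dropped NAT mapping looks like. The addresses, the 60-second threshold and the capture lines are constructed for illustration.

```python
import re

# Line shape produced by: tcpdump -tt -n 'udp port 500 or udp port 4500'
PKT = re.compile(r"^(\d+\.\d+) IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+):")
IKE_PORTS = {"500", "4500"}

# Constructed sample capture (not real traffic): inbound stops after ...290.04
SAMPLE = """\
1347300280.000000 IP 192.168.1.10.4500 > 203.0.113.5.4500: UDP-encap: ESP(spi=0x1a2b3c4d,seq=0x10), length 116
1347300280.040000 IP 203.0.113.5.4500 > 192.168.1.10.4500: UDP-encap: ESP(spi=0x5e6f7a8b,seq=0x10), length 116
1347300290.000000 IP 192.168.1.10.4500 > 203.0.113.5.4500: isakmp-nat-keep-alive
1347300290.040000 IP 203.0.113.5.4500 > 192.168.1.10.4500: UDP-encap: ESP(spi=0x5e6f7a8b,seq=0x11), length 116
1347300300.000000 IP 192.168.1.10.4500 > 203.0.113.5.4500: isakmp-nat-keep-alive
1347300330.000000 IP 192.168.1.10.4500 > 203.0.113.5.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
1347300360.000000 IP 192.168.1.10.4500 > 203.0.113.5.4500: isakmp-nat-keep-alive
1347300390.000000 IP 192.168.1.10.4500 > 203.0.113.5.4500: NONESP-encap: isakmp: phase 2/others I inf[E]
"""

def inbound_silences(lines, local_ip, max_gap=60.0):
    """Return (last_inbound_ts, detected_ts) for each period in which we
    were still sending but had heard nothing inbound for > max_gap seconds."""
    last_in, flagged, found = None, False, []
    for line in lines:
        m = PKT.match(line)
        if not m:
            continue  # not an IPv4 packet line in the expected shape
        ts, src, sport, dst, dport = m.groups()
        if sport not in IKE_PORTS and dport not in IKE_PORTS:
            continue  # ignore anything that is not IKE / NAT-T
        ts = float(ts)
        if dst == local_ip:
            # Peer traffic reached us: the NAT mapping is still alive.
            last_in, flagged = ts, False
        elif src == local_ip and last_in is not None:
            # We are sending; report once per silent period.
            if ts - last_in > max_gap and not flagged:
                found.append((last_in, ts))
                flagged = True
    return found

if __name__ == "__main__":
    for last_in, seen in inbound_silences(SAMPLE.splitlines(), "192.168.1.10"):
        print(f"no inbound IKE/NAT-T since {last_in:.2f}, noticed at {seen:.2f}")
```

Comparing the timestamps it reports with the times the tunnel dropped shows whether the disconnects follow the loss of inbound traffic.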