<div class="gmail_extra">Thanks Tuomo. As it turns out I've been using a fairly old version of Openswan and am in the midst of compiling the new one (needs kernel update). The newest version seems to have a lot of bug fixes so I'll give that a shot first.</div>
<div class="gmail_extra"><br></div><div class="gmail_extra">Cheers,</div><div class="gmail_extra">-Chris.<br><br><div class="gmail_quote">On Thu, Apr 26, 2012 at 11:17 AM, Tuomo Soini <span dir="ltr"><<a href="mailto:tis@foobar.fi" target="_blank">tis@foobar.fi</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On Tue, 24 Apr 2012 01:33:15 -0700<br>
Christopher Opena <<a href="mailto:counterveil@gmail.com">counterveil@gmail.com</a>> wrote:<br>
<br>
> Hello folks,<br>
><br>
> First post here and have to say I'm loving Openswan so far! I've<br>
> successfully connected with a Juniper box followed by a Cisco ASA 5500<br>
> (vendor operated), both of which were fairly seamless affairs.<br>
><br>
> I'm running into some issues with the Cisco ASA 5500 though, and<br>
> unfortunately don't have access to it to watch the logs. From my own<br>
> research I have gathered that:<br>
><br>
> - tcpdumps from a host on the vendor side of constant ICMP traffic<br>
> shows that traffic is halted at 03:46AM (see logs below)<br>
> - on my side, ipsec auto --status and /etc/init.d/ipsec status shows<br>
> that the tunnels are up<br>
<br>
</div>That can happen if there is network problem between remote and your<br>
sites. If cisco admin has enabled dpd it does recognize this and try to<br>
renegotiate tunnel - but if you don't enable dpd your tunnel seem to be<br>
"up" while actually other end has already dropped the tunnel and then<br>
try to renegotiate it.<br>
<br>
I'd try to enable dpd.<br>
<br>
dpddelay=60<br>
dpdtimeout=240<br>
dpdaction=hold<br>
<br>
- try with these...<br>
<br>
Another thing is that this conn is aggressive mode - if this is static<br>
tunnel it could be configured with main mode which is much more used<br>
and so more stable than aggressive mode.<br>
<br>
Aggressive mode is not needed for static lan to lan tunnels.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Tuomo Soini <<a href="mailto:tis@foobar.fi">tis@foobar.fi</a>><br>
Foobar Linux services<br>
<a href="tel:%2B358%2040%205240030" value="+358405240030">+358 40 5240030</a><br>
Foobar Oy <<a href="http://foobar.fi/" target="_blank">http://foobar.fi/</a>><br>
_______________________________________________<br>
<a href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a><br>
<a href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a><br>
Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
Building and Integrating Virtual Private Networks with Openswan:<br>
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
</font></span></blockquote></div><br></div>