Re: OpenBSD4.1 IPSEC - transport_send_messages: giving up on exchange

view
thread

Score:

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

[view in full thread]

From: Marcus Andree <marcusandree@...>

To: Douglas Secco dos Santos <douglas@...>, OpenBSD <misc@...>

Subject: Re: OpenBSD4.1 IPSEC - transport_send_messages: giving up on exchange

Date: Thursday, December 6, 2007 - 11:39 am

We've got similar problems about a year ago, when we deployed a
massive installation of vpn/ipsec clients based on isakmpd.

When testing the client robustness to a series of events, like physically
disconnecting network cables, simulating power failures and such, we
saw the same pattern.

Our solution was to use an external program to send simple icmp
packets to our internal network and restart isakmpd once "detecting"
the tunnel is down.

A web search has showed us that tunnel "recreation" is complex and
frequently involves non-standard implemmentations. Sometimes, this
process fails and it should be considered an external watchdog to
be on the safe side.

So we cooked an in-house solution using "monit" to restart isakmpd in
case of failure. Obviously you'll need to define a simple set of rules
to classify a connection as "failed".

<snip>

quoted text> Okey, all vpn comes up normally but.. the problem is:
> At random time, the tunnel turn down and dont come up again !
>

<snip>

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

OpenBSD4.1 IPSEC - transport_send_messages: giving up on exc..., Douglas Secco dos Santos, (Wed Dec 5, 2:16 pm)

Re: OpenBSD4.1 IPSEC - transport_send_messages: giving up on..., Marcus Andree, (Thu Dec 6, 11:39 am)

Navigation

Mail archive search

Popular discussions


linux-kernel:
Al Boldi	Re: [ANNOUNCE] RSDL completely fair starvation free interactive cpu scheduler
Linus Torvalds	Linux 2.6.27-rc8
Jeremy Fitzhardinge	Stolen and degraded time and schedulers
Rene Herman	[PATCH] x86: provide a DMI based port 0x80 I/O delay override
git:
Junio C Hamano	Re: [PATCH] Teach remote machinery about remotes.default config variable
Johannes Schindelin	Re: [PATCH 1/2] Allow git-apply to fix up the line counts
Sam Vilain	Re: Decompression speed: zip vs lzo
Johannes Schindelin	Re: [kernel.org users] [RFD] On deprecating "git-foo" for builtins
linux-netdev:
Wenji Wu	Re: A Linux TCP SACK Question
Jeff Kirsher	[RESEND][NET-NEXT PATCH 07/29] ixgbe: limit small mtu to minimum for ipv4 support
Rémi	[PATCH 00/14] [RFC] Phonet protocol stack
Ivo van Doorn	Re: [PATCH] [PS3] gelic wireless driver needs MAC80211 support
openbsd-misc:
Marco Peereboom	Re: Real men don't attack straw men
chefren	Kuro5hin: OpenBSD Founder Theo deRaadt Has Conflict of Interest With AMD
Don Jackson	How to use (compact) flash cards with OpenBSD
askthelist	Packets Per Second Limit?

Latest forum posts


high memory	21 hours ago	Linux kernel
semaphore access speed	1 day ago	Applications and Utilities
the kernel how to power off the machine	1 day ago	Linux kernel
Easter Eggs in windows XP	1 day ago	Windows
Shared swap partition	1 day ago	Linux general
Root password	1 day ago	Linux general
Where/when DNOTIFY is used?	1 day ago	Linux kernel
How to convert Linux Kernel built-in module into a loadable module	1 day ago	Linux kernel
Linux 2.6.24 and I/O schedulers	1 day ago	Linux kernel
USB Driver -- Interrupt Polling -- A Little Help Please	1 day ago	Linux general

Show all forums...

Recent Tags

Linux 2.6.27-rc8 Linus Torvalds -rc 2.6.27 bugs quote Intel -rc8

more tags

Colocation donated by:

Online users

Mr_Z

Syndicate