Sebastian Reitenbach wrote:
> Hi,
>
> I set up a tunnel between a PIX and an OpenBSD isakmpd to
> connect two networks behind each tunnel endpoint.
> Pinging through the tunnel from both sides works for
> the first 15 minutes. Then the ping stops working.
> When I recreate the tunnel, the ping starts to
> work again. I start isakmpd with isakmpd -k and I use
> ipsecctl to activate the tunnel.
> To work around the problem I added dead peer detection
> to the isakmpd.conf file. It checks every 10 seconds for a
> dead peer; this detects that the tunnel is not in a good
> state and restarts it. I also found in an old howto that
> I have to create a policy file that says that the OpenBSD
> box is the initiator of the tunnel.
> I have not found a way to prevent the tunnel from going into
> that bad state. I think I have a problem with rekeying.
> In my eyes activating DPD is only
> working on the symptoms, so I assume there must be a better
> way to "fix" the problem.
>
>
> Here is my isakmpd.conf file:
> [General]
> Listen-on=131.103.56.171
> Default-phase-1-lifetime= 28800,60:86400
> Default-phase-2-lifetime= 1200,60:86400
> DPD-check-interval= 10
> Policy-File= /etc/isakmpd/isakmpd.policy
>
> And here is my ipsecctl.conf file:
> ike active esp from 192.168.0.0/24 to 10.1.0.0/24 \
> local $my_gw peer $remote_gw \
> main auth hmac-md5 enc 3des group grp2 \
> quick auth hmac-md5 enc aes group none \
> psk "MyTopSecretKey"
>
> Any idea what I can try to prevent the tunnel from stopping working?
>
> Kind regards
> Sebastian
>
>
It will be helpful if you can give the corresponding PIX configuration as well.
Your ipsecctl.conf seems to be good! Can you give us the output of
ipsecctl -vv -sa and tail -f /var/log/{daemon,messages}?
Prabhu