instable vpn after upgrading to 4.8

From: Axel Rau
Date: Monday, December 20, 2010 - 4:50 am

Hi all,

This IPsec tunnel configuration has 2 endpoints of CARPed pairs of
obsd 4.8 boxes each with pfsync and sasyncd.
After upgrading to 4.8 (stable), the VPN starts blocking in one
direction after 2 days of uptime of the gateway pair.
When this happens, netstat -rn shows flows as usual and ipsecctl -s sa
-v shows no difference of SA, but lifetimes and additional old SAs
during renegotiation.
Usually it helps to reboot the CARP slave on the gateway side to fix it
for 1-2 days.
Lifetimes are set to defaults in isakmpd.conf.
sasyncd.conf has nothing special:
--------
listen on fxp1 inet port 500
interface carp0
flushmode startup
sharedkey 0xdeadbeefdeadbeefdeadbeefdeadbeef
peer   172.16.127.2
# PR6357: sasyncd(8) treats whitespace after comments as EOF in sasyncd.conf
# sasyncd.conf at gw1
--------

Any help welcome,
Axel
---
axel.rau@chaos1.de  PGP-Key:29E99DD6  +49 151 2300 9283  computing @
chaos claudius

Messages in current thread:
instable vpn after upgrading to 4.8, Axel Rau, (Mon Dec 20, 4:50 am)
Re: instable vpn after upgrading to 4.8, Axel Rau, (Mon Dec 20, 3:54 pm)
Re: instable vpn after upgrading to 4.8, Aaron Stellman, (Thu Dec 23, 11:15 pm)