On 11 Dec 2009 at 17:34, "David DeSimone" <f...@verio.net> wrote:

Jon Otterholm <jon.otterh...@ide.resurscentrum.se> wrote:

If I restart racoon or wait approximately 30 min the connection is
re-established.

Since this is approximately ½ of the phase 2 lifetime, you are probably
running into lifetime negotiation issues, or PFS issues.

What would be the obvious way to debug this?  Any suggestions on what
to tweak appreciated.

I would turn up the debugging on racoon to get more information around
the time that the tunnel fails.

sainfo  (address 192.168.1.0/24 any address 192.168.100.0/24 any)
{
   pfs_group       1;
   lifetime        time    3600 sec;
   encryption_algorithm    des;
   authentication_algorithm        hmac_md5,hmac_sha1;
   compression_algorithm   deflate;
}

My hunch is that you have a PFS mismatch, so that the first tunnel
negotiates, but the second SA negotiation fails, then the third
succeeds, etc.



But would it not fail more often then? I have set up a cron job to ping a server on the private networks from the bad side every 2 minutes and sometimes it works for days without a single failure.

What debuglevel would be suitable?

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
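The thread suggests turning up racoon's debugging and looking at what happens around the time the tunnel drops. As an added example (not part of the original thread or of racoon itself), the script below shows the real racoon switches for verbose foreground logging in comments, and then provides two small POSIX sh/awk helpers that take a racoon-style log and report, for every error, how many seconds have passed since the last "IPsec-SA established" line, so the reported ~30 minute gap can be compared against the hard and soft lifetimes that `setkey -D` prints for the SA. The sample log lines, their epoch timestamps, the SPI values and the peer addresses are all constructed for the example; the message texts are only approximations of what racoon logs and should not be relied on verbatim.

```shell
#!/bin/sh
# Added example, not code from the original thread.
#
# Turning up racoon debugging (real ipsec-tools switches):
#   racoon -F -d -d -l /var/log/racoon.log -f /usr/local/etc/racoon/racoon.conf
#     -F  stay in the foreground, -d  raise the debug level (repeatable),
#     -l  write to a log file,   -f  config file to use
# or, in racoon.conf, set "log debug2;" and restart racoon.
# Compare the offsets printed below with the hard/soft lifetimes that
# "setkey -D" shows for the affected SA.

# Constructed sample log.  Format assumed here: "<epoch> <LEVEL>: <message>".
# Real racoon/syslog lines carry a textual date; convert them with date(1)
# before feeding them to these helpers.  Times: an SA is established, errors
# appear 1800 s later, the SA expires at 3600 s and a new one comes up.
SAMPLE_LOG='1260549240 INFO: IPsec-SA established: ESP/Tunnel 198.51.100.1->203.0.113.1 spi=305419896(0x12345678)
1260551040 ERROR: pfs group mismatched: my:1 peer:2
1260551040 ERROR: failed to pre-process packet.
1260552840 INFO: IPsec-SA expired: ESP/Tunnel 198.51.100.1->203.0.113.1 spi=305419896(0x12345678)
1260552900 INFO: IPsec-SA established: ESP/Tunnel 198.51.100.1->203.0.113.1 spi=2271560481(0x87654321)'

# p2_error_offsets LOG
# For each ERROR line, print "<seconds since last IPsec-SA established>\t<message>".
# Errors seen before any SA was established are skipped.
p2_error_offsets() {
    printf '%s\n' "$1" | awk '
        /IPsec-SA established/ { last = $1; next }
        /ERROR:/ && last != "" {
            off = $1 - last
            msg = $0
            sub(/^[0-9]+ /, "", msg)
            printf "%d\t%s\n", off, msg
        }'
}

# count_errors_near LOG EXPECTED_OFFSET
# Count errors whose offset is within +/-10% of EXPECTED_OFFSET seconds.
# Pass the soft lifetime from "setkey -D" (or the ~1800 s reported in the
# thread) to see whether failures cluster at the rekey, which points at a
# negotiation problem (PFS/lifetime mismatch) rather than random loss.
count_errors_near() {
    p2_error_offsets "$1" | awk -v want="$2" '
        $1 >= want * 0.9 && $1 <= want * 1.1 { n++ }
        END { print n + 0 }'
}

# Usage with the constructed log: list offsets, then count hits near 1800 s.
p2_error_offsets "$SAMPLE_LOG"
count_errors_near "$SAMPLE_LOG" 1800
```

On a real host, replace `SAMPLE_LOG` with the output of the racoon log file after converting the timestamps to epoch seconds, and use the `soft:` value from `setkey -D` as the expected offset; if the errors line up with it, the rekey is what fails, and the sainfo lifetime and pfs_group on both ends are the first things to compare.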
