Hi Jared

I thank you for the response.

Since my posting earlier, the only thing I did to fix it was added the following to my firewalls/vpn servers

pass quick log inet proto udp from <firewalls> port isakmp to <firewalls> keep state
pass quick log inet proto udp from <firewalls> port ipsec-nat-t to <firewalls> keep state

I already had
pass quick log inet proto udp from <firewalls> to <firewalls> port isakmp keep state
pass quick log inet proto udp from <firewalls> to <firewalls> port ipsec-nat-t keep state

There are a few other rules, which you are all aware of as well, that are needed for this to work, so I won't mention them.

This has kept it up solid now for approx 7 hours. Before, it used to drop when it went to renegotiate the keys. I saw it go down anywhere from 10 minutes to 1 hour after starting.

It was only the 2 locations that had approx 200 tunnels that were failing; all the other OpenBSD 3.5, 3.7 and 3.8 locations were fine.

I ran into one issue with a 3.7 system, and I just ran the patch that is out for isakmpd and it corrected that issue right away.

All locations will get their chance to run 3.8 soon :)

Well, anyhow, this issue looks corrected, and I will also review your recommendation, Jared, as I don't believe I am running a listen-on at all.

James
----- Original Message ----- From: "jared r r spiegel" <[EMAIL PROTECTED]>
To: <misc@openbsd.org>
Sent: Saturday, January 14, 2006 5:07 PM
Subject: Re: isakmpd fails without warning


On Sat, Jan 14, 2006 at 09:20:34AM -0400, James Mackinnon wrote:

I have checked the logs and there is nothing; isakmpd just stops running. The pid file is still in /var/run, and when I try to hup it, it tells me that the pid does not exist. Thus, it's going, and it's going fast.

 eg, it starts and dies real quick?

 i've got about 16 interfaces, and isakmpd used to start up and blip away
 similar to what you describe.  in my case, i solved it by just using a
 'listen-on'.  i told it to listen on the physical interface that all my
 tunnels ( 4-ish gre tunnels, 1 tun, 1 gif, a few carp ) actually come in
 on.  if this is an option for you, try just enumerating the physical
 interfaces there ( don't remember, but i think you might need commas ).

 to be sure, you say it works fine with your 100 or so interfaces, and i
 needed to do the listen-on well before that, so maybe it is not the same.

--

 jared

[ openbsd 3.8 GENERIC ( dec 16 ) // i386 ]
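For readers following the thread, here is a pf.conf fragment that pulls the pieces together: the isakmp/ipsec-nat-t rules James lists in both directions, plus the ESP/AH and enc(4) rules he leaves unstated. This is an added example, not configuration posted by James or Jared; the table name <firewalls> is taken from the thread, the addresses in it are constructed placeholders, and enc0 is assumed to be the enc(4) interface the decapsulated traffic arrives on.

```pf
# Added example (not from the thread). Gateway addresses are constructed
# placeholders; <firewalls> is the table name used in the thread.
table <firewalls> persist { 192.0.2.1, 198.51.100.1 }

# IKE (isakmp, UDP/500) and NAT-T (ipsec-nat-t, UDP/4500).
# First rule: our gateway (or a peer) opens an exchange towards the service
# port. Second rule: the exchange arrives with the service port as its
# *source* port, which is what the thread reports was missing; once it was
# added the tunnels stopped dropping at rekey time.
pass quick log inet proto udp from <firewalls> to <firewalls> port { isakmp, ipsec-nat-t } keep state
pass quick log inet proto udp from <firewalls> port { isakmp, ipsec-nat-t } to <firewalls> keep state

# The IPsec payload itself between the gateways: ESP, and AH if it is used.
# These are the "other rules" the thread says are needed but does not list.
pass quick log inet proto esp from <firewalls> to <firewalls>
pass quick log inet proto ah  from <firewalls> to <firewalls>

# Decapsulated traffic shows up on the enc(4) interface (assumption: enc0).
# Filter the cleartext here rather than trusting it blindly.
pass quick log on enc0 from <firewalls> to <firewalls> keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. Logging (`log`) on every rule is deliberate while debugging a tunnel that drops at rekey: `tcpdump -n -e -ttt -i pflog0` will show which of the four UDP directions, if any, is being blocked when the state from the original exchange expires. On the separate listen-on point Jared raises, isakmpd.conf(5) documents `Listen-on=` in the `[General]` section as a comma-separated list of IP addresses for the daemon to bind, rather than interface names.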
