On Mon, 2006-07-03 at 00:51 -0700, Clint Pachl wrote:
> Are both end points trying to negotiate? Try using the "passive" keyword
> on one endpoint: "ike passive esp ..."

Yes, both active. Should that cause problems?

> I have experienced the same issue. I don't know the details of what
> exactly is happening, however, it seems to be a synchronization problem.
> Here's what I have done to get rid of the "unspec transport" and set up
> the proper flows and SAs:
>
> Execute on the "passive" box first, then the other:
> # ipsecctl -F
> # echo R > /var/run/isakmpd.fifo
> # ipsecctl -f /etc/ipsec.conf

I know how to put it up again, and I actually use -d just to keep the other tunnels up. Anyway, are you telling me that every time your tunnel falls you are there to run those commands to bring it up again? That's not suitable...

What I really want to know (investigate) is what is causing these drops, since they happen only on one line and not on the other, and the devices are all the same, as is the OpenBSD version.

To add some info: I just dropped the max-mss size to a lower value because I was seeing a lot of DF! packets without that setting, and now no packets are fragmented by the routers between my peers. Again, I'm not so sure how this is related, but digging through the problem I've discovered that the time the tunnel falls is near the time the ISP's router is negotiating its own WAN IP address through PPPoA with the ISP's kerberos server. Does this sound reasonable or is it totally unrelated?

> Also, make sure all IP addresses in ipsec.conf are reachable; check
> netstat -rnfinet.

Double checked.

Thanks for your time
--
Massimo
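The thread leaves two practical gaps: the recovery sequence (flush, tell isakmpd to reread its config, reload ipsec.conf) has to be typed by hand each time, and nobody yet has timestamps to line the drops up against the ISP router's PPPoA renegotiation. The script below is an added example, not code from the thread or from OpenBSD: it checks whether the expected flow toward a peer is installed, runs the quoted recovery sequence only when the flow is missing, and logs every check with a timestamp. It assumes OpenBSD's ipsecctl(8) and isakmpd(8), a tunnel defined in /etc/ipsec.conf, and that the peer address passed in is the remote gateway as printed by "ipsecctl -s flow"; all paths and the 203.0.113.1 address are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Watchdog that checks whether the expected
# IPsec flow toward a peer is installed and, only when it is missing, re-runs the
# flush / isakmpd reload / ipsecctl -f sequence quoted in the thread. Every check
# is logged with a timestamp so outages can be lined up against other events
# (for instance the ISP router's PPPoA renegotiation mentioned above).
# Assumptions: OpenBSD with ipsecctl(8) and isakmpd(8); the tunnel is defined in
# /etc/ipsec.conf; the peer address passed in is the remote gateway as it appears
# in "ipsecctl -s flow" output; all path and address values below are placeholders.

IPSEC_CONF=${IPSEC_CONF:-/etc/ipsec.conf}
ISAKMPD_FIFO=${ISAKMPD_FIFO:-/var/run/isakmpd.fifo}
LOGFILE=${LOGFILE:-/var/log/ipsec-watch.log}

# log MESSAGE: append a timestamped line to LOGFILE.
log() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >> "$LOGFILE"
}

# flow_present PEER FLOWS: return 0 if FLOWS (text in the format of
# "ipsecctl -s flow") contains an esp flow whose peer is exactly PEER.
flow_present() {
    printf '%s\n' "$2" | grep -qE "^flow esp .*peer $1"'( |$)'
}

# reload_tunnel: the manual recovery sequence from the thread, run once.
# Returns non-zero if any step fails.
reload_tunnel() {
    ipsecctl -F || return 1
    echo R > "$ISAKMPD_FIFO" || return 1
    ipsecctl -f "$IPSEC_CONF"
}

# check_and_repair PEER: log the tunnel state; reload only when the flow to
# PEER is missing. Returns 0 (flow present), 2 (was missing, reloaded) or
# 1 (was missing and the reload failed).
check_and_repair() {
    peer=$1
    flows=$(ipsecctl -s flow 2>/dev/null)
    if flow_present "$peer" "$flows"; then
        log "ok: flow to $peer present"
        return 0
    fi
    log "missing: no flow to $peer, reloading"
    if reload_tunnel; then
        log "reload: done for $peer"
        return 2
    fi
    log "reload: failed for $peer"
    return 1
}

# Run from cron(8) with the peer address as the only argument, e.g.
# "*/5 * * * * /usr/local/sbin/ipsec-watch.sh 203.0.113.1" (placeholder path).
if [ $# -gt 0 ]; then
    check_and_repair "$1"
fi
```

Run it from cron on the box that would otherwise be reloaded by hand (on the "passive" side first, as the quoted advice says, if both ends run it). The log's "missing" lines give the drop times to compare against the ISP router's PPPoA session log; if they line up, the cause is upstream address changes rather than the IPsec configuration itself.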