On Mon, 2006-07-03 at 03:57 -0700, Clint Pachl wrote:
> Agreed, that is not suitable and I don't do that. I guess I
> misunderstood the point at which your failure was occurring. I believed
> it to be initially or some short time after you started each end point.
> In my experience, I am using IPSec to secure wireless clients to an AP.
> In my first configuration, all clients and the AP were ike negotiators,
> "active," and I was experiencing unspec transport. I changed the
> ipsec.conf on the AP only to be a passive ike and ran the set of
> commands I mentioned earlier and everything worked.
>
> I guess I assumed you changed your ipsec.conf, making one end point
> passive, hence the set of commands to put everything in sync. Sorry I
> misunderstood.
Well, my problems are fortunately restricted to one end point and are random. I mean the tunnel could stay up for 2 or 3 days, then fall randomly, then come up again randomly some time after the fall; it may take anywhere from 10-20 minutes to hours. As I said, before I set max-mss on both peers to 1300 I got a lot of DF! packets, so I blamed them, but even after that (without any more fragmented packets) the tunnel keeps on falling, and I cannot see anything strange on the wire. I'm preparing a laptop to be put on the wire in front of the end point, just to capture packets between the end point itself and the ISP's router.

> Is the traffic the same on each line? I have had much success with ssh,
> http, ftp, and ICMP traffic through my IPSec tunnel, however, X11 seems
> to be unreliable.

My problems are not with the protocols encapsulated within IPsec; my problems are with the tunnel and the SA falling...

Regards
--
Massimo