Hi, try to disable DPD. I have a tunnel between OpenBSD 4.0 and Fortigate 300A 3.00MR3 and it doesn't work well with DPD enabled.
Regards,
Andrea.

[EMAIL PROTECTED] wrote:

-----
To: <misc@openbsd.org>
From: "Chris Jones" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 06/12/2006 04:35PM
Subject: VPN stability issues with a Fortigate peer

I'm running the release version of OpenBSD 4.0 on my firewall and experiencing some odd IPSEC VPN behavior when connecting to a Fortigate peer. The tunnel will come up just fine but will randomly go down and then come back up and will continue this cycle.

I am running isakmpd with the -K option and using ipsecctl to establish flows and SAs. This is what my ipsec.conf looks like:

    remote_gw = "10.1.1.1"
    flow esp from 192.168.8.1/32 to 192.168.0.0/16 peer $remote_gw type bypass
    ike dynamic esp from 192.168.8.0/24 to 192.168.0.0/16 peer $remote_gw \
        aggressive auth hmac-sha1 enc 3des group modp1536 \
        quick auth hmac-sha1 enc 3des group modp1536 \
        srcid [EMAIL PROTECTED] \
        psk sharedsecret

The peer is DPD capable and enabled with the following settings:

    retry-count: 3
    retry-interval: 5

After running isakmpd in debug mode (isakmpd -d -DA=50 -K) and after running ipsecctl I issued a continuous ping to one of the hosts at the other side of the tunnel. The ping ran fine for a period of time and then stopped. Here is the output from the debug: