Looks like DPD might be causing some issues so I have tried disabling it
on the Fortigate peer, however when looking at the debug messages on the
peer I can see that it detects DPD v2 and continues to send DPD
messages. Is there a way to disable DPD using ipsecctl so that the peer
does not detect it?

In case you are interested the peer is a Fortigate 300A running version
3.00 build 400.

Thanks,
-Chris

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> Sent: December 6, 2006 9:54 AM
> To: Chris Jones
> Cc: misc@openbsd.org
> Subject: Re: VPN stability issues with a Fortigate peer
> 
> Hi,
> try to disable DPD.
> I have a tunnel between OpenBSD 4.0 and Fortigate 300A 
> 3.00MR3 and it doesn't work well with DPD enabled.
> 
> Regards,
> Andrea.
> 
> [EMAIL PROTECTED] wrote: -----
> 
> 
> To: <misc@openbsd.org>
> From: "Chris Jones" <[EMAIL PROTECTED]>
> Sent by: [EMAIL PROTECTED]
> Date: 06/12/2006 04:35PM
> Subject: VPN stability issues with a Fortigate peer
> 
> I'm running the release version of OpenBSD 4.0 on my firewall 
> and experiencing some odd IPSEC VPN behavior when connecting 
> to a Fortigate peer. The tunnel will come up just fine but 
> will randomly go down and then come back up and will continue 
> this cycle. I am running isakmpd with the -K option and using 
> ipsecctl to establish flows and SAs. This is what my 
> ipsec.conf looks like:
> 
> remote_gw = "10.1.1.1"
> 
> flow esp from 192.168.8.1/32 to 192.168.0.0/16 peer 
> $remote_gw type bypass
> 
> ike dynamic esp from 192.168.8.0/24 to 192.168.0.0/16 peer 
> $remote_gw \
>        aggressive auth hmac-sha1 enc 3des group modp1536 \
>        quick auth hmac-sha1 enc 3des group modp1536 \
>        srcid [EMAIL PROTECTED] \
>        psk sharedsecret
> 
> The peer is DPD capable and enabled with the following settings:
> 
> retry-count: 3
> retry-interval: 5
> 
> After running isakmpd in debug mode (isakmpd -d -DA=50 -K) 
> and after running ipsecctl I issued a continuous ping to one 
> of the hosts at the other side of the tunnel. The ping ran 
> fine for a period of time and then stopped. Here is the output 
> from the debug:
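The ipsec.conf quoted above is small enough to review by hand, but the same questions (which phase 1 mode, which ciphers and groups, is a pre-shared key in play, is any flow a bypass) come up on every tunnel. Below is an added Python example, not part of this thread and not OpenBSD's own tooling, that parses the posted rules (reconstructed inline as constructed input, with the redacted srcid replaced by a placeholder) and returns the settings a reviewer would flag. It handles only the macro, flow and ike syntax seen in the post; the rest of the ipsec.conf grammar is out of scope.

```python
import re

# Constructed copy of the ipsec.conf posted in the thread. The $remote_gw
# macro is kept so macro expansion is exercised; the srcid is a placeholder
# because the list archive redacts the address.
SAMPLE_CONF = """\
remote_gw = "10.1.1.1"

flow esp from 192.168.8.1/32 to 192.168.0.0/16 peer $remote_gw type bypass

ike dynamic esp from 192.168.8.0/24 to 192.168.0.0/16 peer $remote_gw \\
        aggressive auth hmac-sha1 enc 3des group modp1536 \\
        quick auth hmac-sha1 enc 3des group modp1536 \\
        srcid user@example.invalid \\
        psk sharedsecret
"""

# Keywords that take exactly one argument in the subset of the grammar handled here.
ONE_ARG = {"from", "to", "peer", "srcid", "dstid", "type", "auth", "enc", "group"}


def join_continuations(text):
    """Join backslash-continued lines so every rule is one logical line."""
    return re.sub(r"\\\n\s*", " ", text)


def parse_conf(text):
    """Return a list of rule dicts for the flow/ike rules in an ipsec.conf string."""
    macros = {}
    rules = []
    for raw in join_continuations(text).splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        m = re.match(r'^(\w+)\s*=\s*"?([^"]*)"?\s*$', line)
        if m:                                         # macro definition: name = "value"
            macros[m.group(1)] = m.group(2)
            continue
        tokens = [macros.get(t[1:], t) if t.startswith("$") else t
                  for t in line.split()]              # expand $macro references
        rules.append(parse_rule(tokens))
    return rules


def parse_rule(tokens):
    """Parse one tokenised flow or ike rule into a dict."""
    rule = {"kind": tokens[0], "options": [], "p1_mode": "main",
            "p1": {}, "p2": {}, "psk": False}
    i = 1
    while i < len(tokens) and tokens[i] != "from":   # e.g. dynamic, esp, tunnel
        rule["options"].append(tokens[i])
        i += 1
    phase = "p1"                                      # auth/enc/group before "quick" belong to phase 1
    while i < len(tokens):
        t = tokens[i]
        if t in ("main", "aggressive"):
            rule["p1_mode"] = t
            i += 1
        elif t == "quick":
            phase = "p2"
            i += 1
        elif t == "psk":
            rule["psk"] = True                        # record presence only, never the secret
            i += 2
        elif t in ("auth", "enc", "group"):
            rule[phase][t] = tokens[i + 1]
            i += 2
        elif t in ONE_ARG:
            rule[t] = tokens[i + 1]
            i += 2
        else:
            i += 1                                    # unknown keyword: skip it
    return rule


def lint(rule):
    """Return review findings for one parsed rule (empty list means nothing flagged)."""
    findings = []
    if rule["kind"] == "flow" and rule.get("type") == "bypass":
        findings.append("bypass flow: matching traffic leaves without IPsec; confirm that is intended")
    if rule["kind"] != "ike":
        return findings
    if rule["p1_mode"] == "aggressive" and rule["psk"]:
        findings.append("aggressive mode with a PSK: identities and the PSK-derived hash are sent "
                        "unencrypted in phase 1 and can be guessed offline; prefer main mode")
    for phase in ("p1", "p2"):
        if rule[phase].get("enc") == "3des":
            findings.append(f"{phase}: 3des has a 64-bit block and is deprecated; prefer aes")
        if rule[phase].get("group") in ("modp768", "modp1024"):
            findings.append(f"{phase}: {rule[phase]['group']} is too small a DH group")
    return findings


if __name__ == "__main__":
    for r in parse_conf(SAMPLE_CONF):
        print(r["kind"], r.get("from"), "->", r.get("to"), "peer", r.get("peer"))
        for f in lint(r):
            print("  -", f)
```

On the posted configuration the linter reports the bypass flow, the aggressive-mode/PSK combination, and 3DES in both phases; the modp1536 group is not flagged. None of these findings explain the DPD flapping Chris describes, but they are the items a reviewer would want settled before hardening the tunnel further.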
