Hi, I forgot to mention, I am running OpenBSD 4.1 stable.
Sebastian "Sebastian Reitenbach" <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I set up a tunnel between a PIX and an OpenBSD isakmpd to
> connect two networks behind each tunnel endpoint.
> Pinging through the tunnel from both sides works for
> the first 15 minutes. Then the ping stops working.
> When I recreate the tunnel, the ping starts to
> work again. I start isakmpd with isakmpd -k and I use
> ipsecctl to activate the tunnel.
> To work around the problem I added dead peer detection
> to the isakmpd.conf file. It checks every 10 seconds for a
> dead peer; this detects that the tunnel is not in a good
> state, and restarts it. I also found in an old howto that
> I have to create a policy file that says that the OpenBSD
> box is the initiator of the tunnel.
> I have not found a way to prevent the tunnel from going into
> that bad state. I think I have a problem with rekeying.
> In my eyes activating the DPD is only working on the
> symptoms, so I assume there must be a better
> way to "fix" the problem.
>
>
> Here is my isakmpd.conf file:
>
> [General]
> Listen-on=131.103.56.171
> Default-phase-1-lifetime= 28800,60:86400
> Default-phase-2-lifetime= 1200,60:86400
> DPD-check-interval= 10
> Policy-File= /etc/isakmpd/isakmpd.policy
>
> and here is my ipsecctl.conf file:
>
> ike active esp from 192.168.0.0/24 to 10.1.0.0/24 \
>     local $my_gw peer $remote_gw \
>     main auth hmac-md5 enc 3des group grp2 \
>     quick auth hmac-md5 enc aes group none \
>     psk "MyTopSecretKey"
>
> Any idea what I can try to prevent the tunnel from stopping working?
>
> kind regards
> Sebastian