Hi,

> > > I set up a tunnel between a pix and an openbsd isakmpd to
> > > connect two networks behind each tunnel endpoint.
> > > Pinging through the tunnel from both sides works, for
> > > the first 15 minutes. Then the ping stops working.
> > > When I recreate the tunnel, then the ping starts to
> > > work again. I start isakmpd with isakmpd -k and I use
> > > ipsecctl to activate the tunnel.
> > > To work around the problem I added dead peer detection
> > > to the isakmpd.conf file. It checks every 10 seconds for a
> > > dead peer; this detects that the tunnel is not in a good
> > > state, and restarts it. I also found in an old howto that
> > > I have to create a policy file, that says that the OpenBSD
> > > box is the initiator of the tunnel.
> > > I have not found a way to prevent the tunnel from going into
> > > that bad state. I think I have a problem with rekeying.
> > > In my eyes activating the DPD is only
> > > working on the symptoms, so I assume there must be a better
> > > way to "fix" the problem.
I just saw this statement on the 42.html page:

    Fixed isakmpd(8) interop-issues with peers, that start rekeying on port 4500 for NAT-T (e.g. Cisco, Openswan)

Well, I see isakmpd listening on port 4500, but I do not have NAT-T specially configured. Not sure what I need to look for in the logs. Any idea whether this could be my problem?

Kind regards
Sebastian