I found that some of my problems are related to 'DELETE' messages from the peer (Cisco ASAs, for example). There is another thread in this forum discussing this issue.

Hans-Joerg Hoexer said that obsd/isakmpd should handle this case, but he will look into it. I would be interested to know if your problems are related to these 'DELETE' messages from the remote side.

I see varying behaviour when these messages come in:

- Sometimes the flows are deleted, and any further traffic gives 'no route to host'.
- Sometimes the flows are still shown (in ipsecctl -sflow or netstat -rn -f encap) and I see traffic on enc0, but no encap on the external interface.

What do you see when the connection dies?

Regards
Christoph

> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org]
> On behalf of Christian Weisgerber
> Sent: Sunday, 25 January 2009 23:10
> To: misc@openbsd.org
> Subject: Re: isakmpd does not initiate quick mode after main mode is established
>
> Christoph Leser <le...@sup-logistik.de> wrote:
>
> > I'm still struggling to keep my ipsec vpns running smoothly.
>
> FWIW, I mostly use IPsec on my home WLAN and I observe a similar lack of reliability. My laptop sets up two IPsec associations, one IPv4 and one IPv6, and from time to time one of these or both fail inexplicably (no response, no proposal chosen) but eventually get established within ten minutes or so.
>
> Since this is WLAN, I have considered that packet loss may screw up the ISAKMP negotiation, but I haven't investigated.
>
> I wonder how people who run a large number of IPsec associations in production settings deal with this or if they are seeing it at all.
>
> --
> Christian "naddy" Weisgerber
> na...@mips.inka.de
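The two symptoms Christoph lists (flows gone entirely, versus flows still present but no SA so packets enter enc0 and never leave the external interface) can be told apart from ipsecctl(8) output without a tcpdump session. The sh script below is an added example and is not from this thread or from the OpenBSD project; it reads the output of `ipsecctl -sflow` and `ipsecctl -sa` and classifies the tunnel to one peer as `up`, `no-sa` or `no-flow`. The line layouts it parses (`flow esp ... peer ADDR ...` and `esp tunnel from A to B spi ...`) are an approximation of the ipsecctl output format, the embedded sample outputs are constructed, and the addresses are from documentation ranges; `classify_tunnel`, `check_peer` and the sample variables are names chosen here.

```shell
#!/bin/sh
# Added example: classify the state of the IPsec tunnel to one peer from
# ipsecctl(8) output. Not code from the mailing-list thread or from OpenBSD.
#
#   no-flow  no flow entry references the peer: traffic to the remote net
#            is no longer matched to the tunnel ("no route to host")
#   no-sa    flows exist but there is no SA with the peer: packets enter
#            enc0 and are dropped, nothing encapsulated leaves the outside
#            interface (the state left behind by a peer's DELETE)
#   up       both flows and SAs are present

# count_flows PEER  (reads "ipsecctl -sflow" output on stdin)
# Assumed line shape: flow esp in from NET to NET peer PEER srcid ... type ...
count_flows() {
    awk -v p="$1" '
        $1 == "flow" {
            for (i = 1; i < NF; i++)
                if ($i == "peer" && $(i + 1) == p) n++
        }
        END { print n + 0 }'
}

# count_sas PEER  (reads "ipsecctl -sa" output on stdin)
# Assumed line shape: esp tunnel from A to B spi 0x... auth ... enc ...
count_sas() {
    awk -v p="$1" '
        $1 == "esp" && $2 == "tunnel" && ($4 == p || $6 == p) { n++ }
        END { print n + 0 }'
}

# classify_tunnel PEER FLOW_OUTPUT SA_OUTPUT -> prints up | no-sa | no-flow
classify_tunnel() {
    peer=$1
    nflow=$(printf '%s\n' "$2" | count_flows "$peer")
    nsa=$(printf '%s\n' "$3" | count_sas "$peer")
    if [ "$nflow" -eq 0 ]; then
        echo no-flow
    elif [ "$nsa" -eq 0 ]; then
        echo no-sa
    else
        echo up
    fi
}

# check_peer PEER: live check; needs root on an OpenBSD host running isakmpd.
check_peer() {
    classify_tunnel "$1" "$(ipsecctl -sflow 2>/dev/null)" "$(ipsecctl -sa 2>/dev/null)"
}

# Constructed sample outputs (not captured from a real system), in the
# assumed line shapes above, for a tunnel between 203.0.113.1 and 203.0.113.2.
SAMPLE_FLOWS='FLOWS:
flow esp in from 192.168.2.0/24 to 192.168.1.0/24 peer 203.0.113.2 srcid FQDN/remote dstid FQDN/gw type use
flow esp out from 192.168.1.0/24 to 192.168.2.0/24 peer 203.0.113.2 srcid FQDN/gw dstid FQDN/remote type require'

SAMPLE_SAS='SAD:
esp tunnel from 203.0.113.1 to 203.0.113.2 spi 0x1a2b3c4d auth hmac-sha1 enc aes
esp tunnel from 203.0.113.2 to 203.0.113.1 spi 0x5e6f7081 auth hmac-sha1 enc aes'

# Healthy state from the samples: up
classify_tunnel 203.0.113.2 "$SAMPLE_FLOWS" "$SAMPLE_SAS"
# Flows still present but the SAs are gone: no-sa
classify_tunnel 203.0.113.2 "$SAMPLE_FLOWS" "SAD:"

# With a peer address on the command line, run against the live system
# if ipsecctl is available.
if [ -n "${1:-}" ] && command -v ipsecctl >/dev/null 2>&1; then
    check_peer "$1"
fi
```

Run it as `sh ipsec-state.sh 203.0.113.2` on the gateway; if it answers `no-sa` while `netstat -rn -f encap` still lists the routes, the peer's DELETE removed the SAs but left the flows, which matches the "traffic on enc0, nothing on the external interface" symptom. A `no-flow` answer matches the "no route to host" symptom.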