See -stable fixes to 4.9.  Otherwise consider upgrading 4.9->5.0.

-Steve S.


-----Original Message-----
From: Georg Buschbeck [open...@thomas-daily.de]
Received: Tuesday, 20 Dec 2011, 2:35am
To: misc@openbsd.org [misc@openbsd.org]
Subject: IPSec VPN dropping packets from time to time


Hi,

I've two OpenBSD firewalls running:

1x OpenBSD 4.9 (amd64) in our office
1x OpenBSD 5.0 (amd64) in our colocation.

We have a VPN set up between both locations via /etc/ipsec.conf.
isakmpd is set up to not read any configuration files:

=== /etc/rc.conf.local ===
isakmpd_flags="-4 -K -v"
=== /etc/rc.conf.local ===

Now from time to time the VPN becomes "unavailable",
though the established security association is visible via ipsecctl -sa.

I don't find anything suspicious in the log, only "quick mode done".

=== /etc/ipsec.conf ===
ike active esp from $local_net to $remotenet peer $remotepeer \
         main auth hmac-sha1 enc aes group modp1024 \
         quick auth hmac-sha1 enc aes group modp1024 \
         psk MyPsKMyPsKMyPsKMyPsKMyPsKMyPsKMyPsKMyPsKMyPsKMyPsK
=== /etc/ipsec.conf ===

Are there any hints on what would be the best to debug next?
As till now I didn't see a pattern there.

Deleting the ruleset manually solves the problem temporarily,
which could be needed more often when forced.

===
ipsecctl -d -f /etc/ipsec.conf; ipsecctl -f /etc/ipsec.conf
===


Georg
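An added watchdog script (not from the thread, and not an OpenBSD tool) that applies Georg's reload workaround only in the state he describes, i.e. the SA pair is still listed by ipsecctl -sa but a probe through the tunnel fails; the peer addresses, probe host and the sample ipsecctl -sa text are assumptions/constructed:

```shell
#!/bin/sh
# Added example: poll tunnel health and reload ipsec.conf only when the
# tunnel looks "up" to isakmpd but passes no traffic. Run from cron as
# "ipsec-watch.sh run". Addresses below are placeholders, not real values.
LOCAL_PEER="198.51.100.1"    # assumed: our own public address
REMOTE_PEER="192.0.2.1"      # assumed: $remotepeer from ipsec.conf
PROBE_HOST="10.0.1.1"        # assumed: a host inside $remotenet
CONF="/etc/ipsec.conf"

# Constructed sample of the SAD section of "ipsecctl -sa" output, used for
# the offline self-test; a real run reads the live command instead.
SAMPLE_SA='SAD:
esp tunnel from 192.0.2.1 to 198.51.100.1 spi 0x1a2b3c4d auth hmac-sha1 enc aes
esp tunnel from 198.51.100.1 to 192.0.2.1 spi 0x5e6f7a8b auth hmac-sha1 enc aes'

# Return 0 if the SAD section on stdin lists an ESP SA in each direction
# between the two peers (the tunnel is "established" from isakmpd's view).
sa_pair_present() {
    _l="$1"; _r="$2"
    _sad=$(sed -n '/^SAD:/,$p')
    printf '%s\n' "$_sad" | grep -q "^esp tunnel from $_l to $_r " || return 1
    printf '%s\n' "$_sad" | grep -q "^esp tunnel from $_r to $_l " || return 1
    return 0
}

# Classify the tunnel from two exit codes (0 = success): SA pair present,
# probe through the tunnel answered. Prints ok, stuck or down.
tunnel_state() {
    _sa="$1"; _probe="$2"
    if [ "$_probe" = "0" ]; then echo ok
    elif [ "$_sa" = "0" ]; then echo stuck   # SA listed, no traffic: the symptom
    else echo down; fi
}

watchdog() {
    ipsecctl -sa | sa_pair_present "$LOCAL_PEER" "$REMOTE_PEER"; sa=$?
    ping -c 3 -w 5 "$PROBE_HOST" >/dev/null 2>&1; probe=$?
    state=$(tunnel_state "$sa" "$probe")
    logger -t ipsec-watch "tunnel state: $state (sa=$sa probe=$probe)"
    if [ "$state" = "stuck" ]; then
        # Georg's manual workaround, applied only for the stuck case
        ipsecctl -d -f "$CONF" && ipsecctl -f "$CONF"
    fi
}

if [ "${1:-}" = "run" ]; then watchdog; fi
```

A "down" state (no SA at all) is left to isakmpd's own renegotiation, since reloading flows would not help there and the log entry is what you want to correlate with the "quick mode done" messages.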
