See -stable fixes to 4.9. Otherwise consider upgrading 4.9->5.0. -Steve S.
-----Original Message-----
From: Georg Buschbeck [open...@thomas-daily.de]
Received: Tuesday, 20 Dec 2011, 2:35am
To: misc@openbsd.org [misc@openbsd.org]
Subject: IPSec VPN dropping packets from time to time

Hi,

I've two openbsd firewalls running
1x OpenBSD 4.9 (amd64) in our office
1x OpenBSD 5.0 (amd64) in our co location.

we have a vpn set up between both locations via /etc/ipsec.conf

isakmpd is set up to not read any configuration files:

=== /etc/rc.conf.local ===
isakmpd_flags="-4 -K -v"
=== /etc/rc.conf.local ===

now from time to time the vpn becomes "unavailable", though the established security association is visible via ipsecctl -sa.

I don't find anything suspicious in the log, only "quick mode done"

=== /etc/ipsec.conf ===
ike active esp from $local_net to $remotenet peer $remotepeer \
    main auth hmac-sha1 enc aes group modp1024\
    quick auth hmac-sha1 enc aes group modp1024\
    psk MyPsKMyPsKMyPsKMyPsKMyPsKMyPsKMyPsKMyPsKMyPsKMyPsK
=== /etc/ipsec.conf ===

are there any hints what would be the best to debug next? as till now I didn't see a pattern there.

delete the ruleset manually by solves the problem temporarily which could be needed more often when forced.

===
ipsecctl -d -f /etc/ipsec.conf; ipsecctl -f /etc/ipsec.conf
===

Georg