On 07/07/11 14:39, Chuck Swiger wrote:
> On Jul 7, 2011, at 4:45 AM, Paul Keusemann wrote:
>> My setup is something like this:
>> - My local network is a mix of AIX, HP-UX, Linux, FreeBSD and Solaris machines
>> running various OS versions.
>> - My gateway / firewall machine is running FreeBSD-8.1-RELEASE-p1 with ipfw,
>> nat and racoon for the firewall and VPN.
>>
>> The problem is that rlogin, ssh and telnet connections over the VPN get dropped
>> after some period of inactivity.
> You're probably getting NAT timeouts against the VPN connection if it is left
> idle.  racoon ought to have a config setting called natt_keepalive which sends
> periodic keepalives-- see whether that's disabled.
>
> Regards,

Thanks for the suggestions Chuck, sorry it's taken so long to respond but I had to reconfigure and rebuild my kernel to enable IPSEC_NAT_T in order to try this out.

One thing that I did not explicitly mention before is that I am routing a network over the VPN.

I did not have previously NAT-Traversal enabled nor was it configured in my kernel. After reconfiguring, compiling and installing the new kernel, I added the following to the phase 1 configuration for my VPN:

        timer
        {
                # Default is 20 seconds.
                natt_keepalive 10 sec;
        }

        # Enable NAT traversal.
        #nat_traversal on;
        nat_traversal force;

        # Enable IKE fragmentation.
        ike_frag on;

        # Enable ESP fragmentation at 552 bytes.
        esp_frag 552;

The only immediately noticeable change is that I am no longer getting the following warnings at racoon startup:

WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Invalid argument

I assume this is the result of adding IPSEC_NAT_T to the kernel config. My shell connections are still being dropped, so I'm pretty much back to square one.

So, any other ideas on how to debug this?

Anybody know how to get racoon to log everything to one file? Right now, depending on the log level, I am getting messages in racoon.log (specified with -l at startup), messages and debug.log. It would really be nice to have just one log to look at.

--
Paul Keusemann                                        pkeu...@visi.com
4266 Joppa Court                                      (952) 894-7805
Savage, MN  55378
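The NAT-timeout mechanism Chuck describes above, as an added example that is not part of the original thread: a small Python model of a NAT's UDP mapping table with an idle timeout, driven by the IKE/ESP-in-UDP flow on port 4500 and by racoon-style keepalives at a configurable interval. The idle timeout (30 s), the addresses, ports and the idle gap are constructed values; the model also assumes the peer keeps sending to the external port it learned from the last real tunnel packet and, per RFC 3948, discards one-byte NAT keepalives without updating anything. Note the model covers only the outer UDP mapping on the NAT; it says nothing about idle state kept elsewhere for the TCP sessions inside the tunnel, which is why enabling natt_keepalive is necessary for a NAT-T tunnel but, as the thread shows, not always sufficient.

```python
"""Added example (not from the thread): simulate a NAT's UDP mapping table
with an idle timeout to show what racoon's natt_keepalive buys you.
All numbers, addresses and ports here are constructed for illustration."""

# Constructed NAT-T flow: inside host -> peer, both on UDP/4500.
FLOW = ("10.0.0.2", 4500, "203.0.113.5", 4500)


class NatTable:
    """Minimal stateful NAT: one external port per inside flow, dropped
    once the flow has been idle longer than idle_timeout seconds."""

    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout          # seconds (constructed)
        self.mappings = {}                        # flow -> [ext_port, last_seen]
        self.next_port = 40000                    # first external port handed out

    def expire(self, now):
        """Drop every mapping that has sat idle longer than the timeout."""
        for flow, (_, last_seen) in list(self.mappings.items()):
            if now - last_seen > self.idle_timeout:
                del self.mappings[flow]

    def outbound(self, flow, now):
        """Outbound packet refreshes a live mapping; if the mapping already
        expired a *new* external port is allocated. Returns the port used."""
        self.expire(now)
        if flow in self.mappings:
            self.mappings[flow][1] = now
        else:
            self.mappings[flow] = [self.next_port, now]
            self.next_port += 1
        return self.mappings[flow][0]

    def inbound(self, ext_port, now):
        """Inbound packet from the peer is delivered only if a live mapping
        still owns that external port."""
        self.expire(now)
        for entry in self.mappings.values():
            if entry[0] == ext_port:
                entry[1] = now
                return True
        return False


def tunnel_survives_idle(idle_timeout, keepalive_interval, idle_gap):
    """Send real tunnel traffic at t=0, then only keepalives (if enabled)
    until the peer sends a packet at t=idle_gap. Returns True if that
    inbound packet still reaches the inside host."""
    nat = NatTable(idle_timeout)
    port_peer_knows = nat.outbound(FLOW, 0)      # real ESP/IKE packet at t=0
    if keepalive_interval:                       # natt_keepalive N sec;
        for t in range(keepalive_interval, idle_gap, keepalive_interval):
            nat.outbound(FLOW, t)                # 1-byte keepalive (RFC 3948)
    # The peer discards keepalives, so it still targets the t=0 port.
    return nat.inbound(port_peer_knows, idle_gap)


if __name__ == "__main__":
    NAT_TIMEOUT = 30                             # constructed NAT idle timeout
    for interval in (None, 10, 20, 45):
        label = "off" if interval is None else f"{interval} sec"
        print(f"natt_keepalive {label:>7}: inbound after 120 s idle ->",
              "delivered" if tunnel_survives_idle(NAT_TIMEOUT, interval, 120)
              else "dropped")
```

With a 30 s NAT timeout the 10 s keepalive from the thread's configuration keeps the mapping alive, no keepalive lets it expire, and an interval longer than the timeout is no better than none: each late keepalive recreates the mapping on a different external port, so the peer's packets still go to a dead one. The practical check is therefore whether the keepalive interval is comfortably below the shortest UDP idle timeout of any NAT in the path.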

_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
