Charles
At 09:23 29.09.2004 -0500, Charles Steinkuehler wrote:
Erich Titl wrote:
Hi everybody
I know there has been a thread on this issue, I am losing the default route regularly on a link with dhcp and ipsec. Typically the default route is taken over by the ipsec interface when this occurs. The proposed solution was always `check the link`. Has anyone made progress in detecting _why_ this happens at all?
Hmm...I must have missed that thread (been busy lately).
It was a while ago and IMHO never really solved.
How regular is "regularly"?
_very_, but after fixing a typo in my proposed solution today it seemed to calm down.
Are you trying to do any opportunistic encryption, or similar?
Nope...
What does your ipsec setup look like?
ipsec.conf:
# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes

# defaults for subsequent connection descriptions
conn %default
    # How persistent to be in (re)keying negotiations (0 means very).
    keyingtries=0
    # RSA authentication with keys from DNS.
    authby=rsasig
    # ike=aes
    # esp=aes

include /etc/ipsec.d/connections/asp
..........................
/etc/ipsec.d/connections/asp:
conn asp_dmz
    also=asp
    rightsubnet=195.65.112.96/27
    auto=start

conn asp
    ike=aes
    esp=aes
    left=%defaultroute
    leftsubnet=10.250.7.0/24
    leftcert=clientcert.pem
    leftrsasigkey=%cert
    right=195.65.112.66
    rightrsasigkey=%cert
    rightid="C=CH,L=Schlieren,O=RUF Gruppe,OU=ASP Plus,CN=greatwall.asp.ruf.ch"
    keylife=10m
    rekeymargin=3m
    rekeyfuzz=150%
Which dhcp client are you running?
dhclient old version....
Have you tried manually renewing your lease, or checking to see if you're losing your default lease when the dhcp lease gets renewed?
was too afraid of losing the connection again....:-(
Right now the link is up for several hours and does not seem to come down again :-) I believe fixing /etc/dhclient_enter_hooks did the trick.
Thanks
Erich
THINK Püntenstrasse 39 8143 Stallikon mailto:[EMAIL PROTECTED] PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
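Added example, not part of the original message or of the LEAF scripts: a shell check for the symptom described in this thread, a default route that ends up on the ipsec interface. It assumes KLIPS-style device names (ipsec0, ipsec1, ...) and the Linux /proc/net/route layout; the function names and the two sample tables are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads a routing table in /proc/net/route format and flags
# a default route that sits on a KLIPS ipsecN device (assumed naming).

# Print the interface of every default route (Destination and Mask all zero).
default_route_ifaces() {
    awk 'NR > 1 && $2 == "00000000" && $8 == "00000000" { print $1 }'
}

# Read the table on stdin and print one status line.
# Returns 0: default route on a non-ipsec interface, 1: none, 2: on ipsecN.
check_default_route() {
    ifaces=$(default_route_ifaces)
    if [ -z "$ifaces" ]; then
        echo "no default route"
        return 1
    fi
    for i in $ifaces; do
        case "$i" in
            ipsec[0-9]*) echo "default route on $i"; return 2 ;;
        esac
    done
    echo "default route on" $ifaces
    return 0
}

# Constructed sample: healthy table, default route via eth0, tunnel route
# to 195.65.112.96/27 on ipsec0 (addresses are little-endian hex).
sample_ok() {
    cat <<'EOF'
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
eth0 00000000 0101A8C0 0003 0 0 0 00000000 0 0 0
eth0 0001A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
ipsec0 607041C3 0101A8C0 0003 0 0 0 E0FFFFFF 0 0 0
EOF
}

# Constructed sample: the failure state, default route now on ipsec0.
sample_hijacked() {
    cat <<'EOF'
Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT
ipsec0 00000000 0101A8C0 0003 0 0 0 00000000 0 0 0
eth0 0001A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0
EOF
}
```

On the router, `check_default_route < /proc/net/route` run from cron or from the dhclient hook, with any non-zero status logged with a timestamp, lets the route change be correlated with lease renewals.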
leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
