Are you expiring lifetime on bandwidth or time?  Probably the defaults
of whatever transforms suite you're using.

Try manually defining it?  If you expire on time, say...10 minutes, you
can tcpdump for udp 500 on either side at the expected time and watch
the renegotiation.

Maybe UDP packets are getting lost at renegotiation time.  I had that
problem once with pf where I was exhausting the max default states at
10,000 and new states were being refused with ICMP.

~BAS
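As an added example (not from either poster), a small sh script that turns the two suggestions above into checks: it works out when an explicitly configured LIFE_DURATION should cause a rekey so a tcpdump on udp/500 can be started around that moment, and it reads pf's current state count against its hard limit so state exhaustion at rekey time can be ruled in or out. The Life section quoted in the comments uses isakmpd.conf's own LIFE_TYPE/LIFE_DURATION syntax; the 600-second value, the section name, the pf.conf limit and the pfctl sample outputs are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread.  Two checks behind the advice above.
#
# (1) Give the SA an explicit lifetime instead of the transform defaults.
#     In isakmpd.conf a transform (phase 1 or phase 2) can carry
#         Life=   LIFE_600_SECS
#     and the referenced section looks like
#         [LIFE_600_SECS]
#         LIFE_TYPE=      SECONDS
#         LIFE_DURATION=  600,540:660     # proposed,min:max
#     (assumed values; the section name is only an example)
#
# (2) If rekeys die, look at pf's state table.  The default limit is raised in
#     pf.conf with, for example,   set limit states 20000   (assumed value).

# life_seconds "600,540:660" -> 600 (the proposed value; a bare "600" also works)
life_seconds() {
    printf '%s\n' "$1" | sed 's/,.*//'
}

# rekey_at <sa-established-epoch> <life-seconds> -> epoch of the expected rekey
rekey_at() {
    echo $(( $1 + $2 ))
}

# capture_rekey <iface> <peer-ip> <rekey-epoch> [window-seconds]
# Sleeps until shortly before the expected rekey, then records IKE traffic
# with that peer for the window.  Run it on either side of the tunnel and
# compare the two captures.
capture_rekey() {
    iface=$1; peer=$2; when=$3; win=${4:-120}
    now=$(date +%s)
    wait=$(( when - win / 2 - now ))
    [ "$wait" -gt 0 ] && sleep "$wait"
    tcpdump -ni "$iface" -s 1500 -w "ike-$peer-$when.pcap" \
        "udp port 500 and host $peer" &
    pid=$!
    sleep "$win"
    kill "$pid"
}

# pf_state_usage <pfctl -si output> <pfctl -sm output> -> "<current> <limit> <percent>"
# Only the "current entries" and "states hard limit" lines are read.
pf_state_usage() {
    cur=$(printf '%s\n' "$1" | awk '/current entries/ { print $3 }')
    lim=$(printf '%s\n' "$2" | awk '$1 == "states" { print $NF }')
    echo "$cur $lim $(( cur * 100 / lim ))"
}

# Constructed sample output, shaped like pfctl -si / pfctl -sm on a busy box.
SAMPLE_SI='State Table                          Total             Rate
  current entries                     9850
  searches                       123456789          1234.5/s'
SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

# Demo on the constructed sample.  On a live firewall use instead:
#   pf_state_usage "$(pfctl -si)" "$(pfctl -sm)"
#   capture_rekey em0 12.12.12.12 "$(rekey_at "$(date +%s)" "$(life_seconds 600,540:660)")"
set -- $(pf_state_usage "$SAMPLE_SI" "$SAMPLE_SM")
echo "pf states: $1 of $2 ($3%)"
[ "$3" -ge 90 ] && echo "state table nearly full: new IKE/ESP states may be refused at rekey time"
```

If the percentage is close to 100 during the hour the tunnels drop, raise the limit first; if it is low, the two captures around the expected rekey show whether the IKE retransmits leave one side and never arrive at the other.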

On Sun, 2005-11-13 at 20:45, James Mackinnon wrote:
> Hey everyone
> 
> I am hoping I am posting this to the correct list
> 
> I am running an AMD 2200+ w/ 512mb of ram and all intel pro cards in my main
> location.
> 
> I have 14 other locations connecting back to this 1 location and each location
> creates 3 tunnels to this system as I have
> 3 internal network segments I want available via VPN
> 
> Platforms are:
> 
> Main system: OpenBSD 3.7 Stable
> Remote locations: OpenBSD 3.5 and some OpenBSD 3.7
> 
> at first, all locations come up fine, but then in approx 1 hour, 3 units stop
> communicating to the main firewall.
> 
> They all have the same config (minor changes based on location and assigned
> IPs of course).
> 
> I was planning to finally get rid of my main checkpoint box and complete my
> migration to BSD but I had to revert back due to lack of time I had left to go
> back in case of an issue.
> 
> 
> My Main location is on Fiber
> All branches on DSL (pretty much same provider)
> 
> My main location has approx 50 VPN connection entries in it.
> My branches connect to 3 VPNs.
> 
> Example branch isakmpd.conf file
> 
> [Phase 1]
> 12.12.12.12= peer-loc1
> 13.13.13.13= peer-loc2
> 14.14.14.14= peer-loc3
> 
> 
> [Phase 2]
> Connections=    LOC1-SEG1, LOC1-SEG2, LOC1-SEG3, LOC2-SEG1, LOC3-SEG1
> 
> [peer-loc1]
> Phase=  1
> Transport=      udp
> Address=        12.12.12.12
> Configuration=  Default-main-mode
> Authentication= MYSUPERPASS
> 
> [peer-loc2]
> Phase=  1
> Transport=      udp
> Address=        13.13.13.13
> Configuration=  Default-main-mode
> Authentication= MYSUPERPASS
> 
> [peer-loc3]
> Phase=  1
> Transport=      udp
> Address=        14.14.14.14
> Configuration=  Default-main-mode
> Authentication= MYSUPERPASS
> 
> [LOC1-SEG1]
> Phase=  2
> ISAKMP-peer=    peer-loc1
> Configuration=  Default-quick-mode
> Local-ID=       Loc-Network
> Remote-ID=      loc1-seg1-Network
> 
> [LOC1-SEG2]
> Phase=  2
> ISAKMP-peer=    peer-loc1
> Configuration=  Default-quick-mode
> Local-ID=       Loc-Network
> Remote-ID=      loc1-seg2-Network
> 
> [LOC1-SEG3]
> Phase=  2
> ISAKMP-peer=    peer-loc1
> Configuration=  Default-quick-mode
> Local-ID=       Loc-Network
> Remote-ID=      loc1-seg3-Network
> 
> [LOC2-SEG1]
> Phase=  2
> ISAKMP-peer=    peer-loc2
> Configuration=  Default-quick-mode
> Local-ID=       Loc-Network
> Remote-ID=      loc2-seg1-Network
> 
> [LOC3-SEG1]
> Phase=  2
> ISAKMP-peer=    peer-loc3
> Configuration=  Default-quick-mode
> Local-ID=       Loc-Network
> Remote-ID=      loc3-seg1-Network
> 
> [loc1-seg1-Network]
> ID-type=        IPV4_ADDR_SUBNET
> Network=        10.20.22.0
> Netmask=        255.255.255.0
> 
> [loc1-seg2-Network]
> ID-type=        IPV4_ADDR_SUBNET
> Network=        10.20.23.0
> Netmask=        255.255.255.0
> 
> [loc1-seg3-Network]
> ID-type=        IPV4_ADDR_SUBNET
> Network=        10.20.24.0
> Netmask=        255.255.255.0
> 
> [loc2-seg1-Network]
> ID-type=        IPV4_ADDR_SUBNET
> Network=        10.20.21.0
> Netmask=        255.255.255.0
> 
> [loc3-seg1-Network]
> ID-type=        IPV4_ADDR_SUBNET
> Network=        10.20.20.0
> Netmask=        255.255.255.0
> 
> 
> [Loc-Network]
> ID-type=        IPV4_ADDR_SUBNET
> Network=        10.20.25.0
> Netmask=        255.255.255.0
> 
> [Default-main-mode]
> DOI=    IPSEC
> EXCHANGE_TYPE=  ID_PROT
> Transforms=     3DES-SHA
> 
> [Default-quick-mode]
> DOI=    IPSEC
> EXCHANGE_TYPE=  QUICK_MODE
> Suites= QM-ESP-3DES-SHA-SUITE
> 
> 
> My isakmpd.policy file
> 
> Keynote-version: 2
> Authorizer: "POLICY"
> Conditions: app_domain == "IPsec policy" &&
>                 esp_present == "yes" &&
>                 esp_enc_alg != "null" -> "true";
> 
> 
> 
> 
> I have run isakmpd -L , which I am still reviewing but most errors are below
> 
> Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: giving up on
> message 0x3c066800, exchange fw01
> Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: either this
> message did not reach the other peer
> Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: or the
> responsemessage did not reach us back
> 
> Nov 13 05:41:46 fw2 isakmpd[16014]: dropped message from fw01 port 500 due to
> notification type PAYLOAD_MALFORMED
> Nov 13 05:41:46 fw2 isakmpd[16014]: message_parse_payloads: reserved field
> non-zero: ca
> Nov 13 05:41:46 fw2 isakmpd[16014]: dropped message from fw01 port 500 due to
> notification type PAYLOAD_MALFORMED
> Nov 13 21:09:52 fw2 isakmpd[3312]: message_recv: invalid cookie(s)
> 8710be0bf45687ff 482bbdaf5287d3db
> Nov 13 21:09:52 fw2 isakmpd[3312]: dropped message from fw01 port 57834 due to
> notification type INVALID_COOKIE
> Nov 13 21:11:41 fw2 isakmpd[12205]: message_recv: invalid cookie(s)
> 91bd63a6716685f7 439a07ad7e83a2e6
> Nov 13 21:11:41 fw2 isakmpd[12205]: dropped message from fw01 port 500 due to
> notification type INVALID_COOKIE
> 
> 
> 
> I am lost at this point because the layout is the same, for all firewalls
> including the PF config as I built a generic config and deploy to them all
> 
> Oh, also, my remote firewalls are running approx 200 states and my main one is
> running approx 6000-8000 states, and this is during low business times. High
> business count is hard to determine at this point but I am guessing approx
> 20000-40000.
> 
> Anyhow, any suggestions here would be great. As it stands right now, I am back
> on checkpoint and I am not a fan of it. I like isakmpd and pf a lot and want
> it everywhere.
> 
> 
> Thanks in advance
> 
> James
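Added example, not part of James's post or of isakmpd: a sh/awk triage of the syslog lines he quoted, grouped by peer. It counts retransmit give-ups, PAYLOAD_MALFORMED and INVALID_COOKIE drops, notes messages that arrived from a port other than 500, and counts distinct isakmpd PIDs, since each new PID means the daemon was restarted between the lines. The sample log is his lines rejoined one per line; the function name is mine.

```shell
#!/bin/sh
# Added example, not from the thread.  Summarise isakmpd syslog output per
# peer so the failure pattern (timeouts vs. malformed vs. cookie mismatches)
# and any daemon restarts are visible at a glance.

# isakmpd_triage [file ...]   (reads stdin when no file is given)
isakmpd_triage() {
    awk '
    # "... giving up on message 0x..., exchange fw01": the last field is the peer
    /giving up on message/ { p = $NF; timeouts[p]++; peers[p] = 1 }

    # "... dropped message from fw01 port 500 due to notification type X"
    /dropped message from/ {
        for (i = 1; i <= NF; i++) if ($i == "from") { p = $(i+1); port = $(i+3) }
        peers[p] = 1
        if ($NF == "PAYLOAD_MALFORMED") malformed[p]++
        if ($NF == "INVALID_COOKIE")    cookie[p]++
        if (port != "500")              oddport[p]++
    }

    # every line carries isakmpd[<pid>]; a new pid means the daemon restarted
    match($0, /isakmpd\[[0-9]+\]/) { pids[substr($0, RSTART + 8, RLENGTH - 9)] = 1 }

    END {
        n = 0; for (q in pids) n++
        for (q in peers)
            printf "%s timeouts=%d malformed=%d invalid_cookie=%d odd_port=%d pids_seen=%d\n",
                   q, timeouts[q], malformed[q], cookie[q], oddport[q], n
    }' "$@" | sort
}

# Constructed sample: the lines quoted in the post, one message per line.
SAMPLE_LOG='Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: giving up on message 0x3c066800, exchange fw01
Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: either this message did not reach the other peer
Nov 13 04:01:14 fw2 isakmpd[16014]: transport_send_messages: or the responsemessage did not reach us back
Nov 13 05:41:46 fw2 isakmpd[16014]: dropped message from fw01 port 500 due to notification type PAYLOAD_MALFORMED
Nov 13 05:41:46 fw2 isakmpd[16014]: message_parse_payloads: reserved field non-zero: ca
Nov 13 05:41:46 fw2 isakmpd[16014]: dropped message from fw01 port 500 due to notification type PAYLOAD_MALFORMED
Nov 13 21:09:52 fw2 isakmpd[3312]: message_recv: invalid cookie(s) 8710be0bf45687ff 482bbdaf5287d3db
Nov 13 21:09:52 fw2 isakmpd[3312]: dropped message from fw01 port 57834 due to notification type INVALID_COOKIE
Nov 13 21:11:41 fw2 isakmpd[12205]: message_recv: invalid cookie(s) 91bd63a6716685f7 439a07ad7e83a2e6
Nov 13 21:11:41 fw2 isakmpd[12205]: dropped message from fw01 port 500 due to notification type INVALID_COOKIE'

# Demo on the sample.  On a live box:  grep isakmpd /var/log/daemon | isakmpd_triage
printf '%s\n' "$SAMPLE_LOG" | isakmpd_triage
```

On the quoted lines this reports one give-up, two malformed drops and two INVALID_COOKIE drops from fw01, one of them from port 57834 rather than 500, and three different PIDs, so isakmpd on fw2 was restarted twice during the period the log covers; the INVALID_COOKIE drops line up with those restarts, because a freshly started daemon no longer knows the cookies of the SAs the peer is still using.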
