On Thu, Mar 06, 2014 at 08:16:34PM +0000, Andy Lemin wrote:
> Hi, haven't read your original email but if my assumptions about your setup
> are correct is the VPN tunnel dropping every now and then?

That's correct. Daemons start up quick, negotiations happen, and then periodically the tunnel is just not available, despite the SAs being available on the masters and the slaves. Disabling -S on isakmpd and turning off sasyncd makes the tunnel stay up for much longer, 7 hours and counting.

> You need the static route to point to the internal interface to make sure
> that packets generated by the firewall itself have a source IP set to the
> internal net thus allowing the IPSec policy route to be used (as it defines
> both the source and dest net, not just the dest net like a normal route).

This I have, and packets flow. Still unclear about which route takes precedence, encap or inet.

> We had to modify all our monitoring scripts to not 'phone home' if the box is
> a backup. Only the master firewall can use the VPN.

I've ended up monitoring the host using the internal interface, which in turn tells me the tunnel is available.

> I also submitted some suggested modifications to /etc/rc.d/sasyncd and
> /etc/rc.d/isakmpd here in the past which makes the setup and failover of VPNs
> much faster and more stable.

I did see those scripts, though they seem to be more solving the startup time of the daemons. My issue is more keeping the service up than start time.

It sounds like your setup is similar to my own. You don't see these kinds of instability using sasyncd? If you have a look at my OP, the sasyncd.conf is in there. It's possible I have a configuration error, but just reading over the manpage again, I don't know what it would be. This is really troubling me.

-- 
Zach
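An added illustration of the point in Andy's quoted advice about the static route; this is not code from the thread or from either poster. An IPsec flow is keyed on both the source and the destination net, so a packet the firewall generates from its external address falls outside the flow and is sent by normal routing, unencrypted, while the same packet sourced from the internal address matches. The script checks a source/destination pair against a flow and prints the static route plus ipsec.conf flow line that make the firewall's own traffic pick an internal source. All addresses (10.1.0.0/24 internal, 10.2.0.0/24 remote, 203.0.113.x) and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Shows why a firewall's own traffic must
# be sourced from the internal net to match an IPsec flow: the flow is keyed
# on BOTH source and destination net, so a packet sourced from the external
# address falls outside it and leaves by ordinary routing, unencrypted.
# All addresses below are constructed for the example.

# ip4_to_int ADDR: dotted quad -> integer, using POSIX sh arithmetic only
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ADDR NET/PREFIX: prints yes if ADDR lies inside NET/PREFIX, else no
in_net() {
    addr_i=$(ip4_to_int "$1")
    net_i=$(ip4_to_int "${2%/*}")
    plen=${2#*/}
    # drop the host bits of both and compare the remaining network bits
    if [ $(( addr_i >> (32 - plen) )) -eq $(( net_i >> (32 - plen) )) ]; then
        echo yes
    else
        echo no
    fi
}

# flow_matches SRC DST LOCAL_NET REMOTE_NET: yes if a packet SRC->DST is
# covered by "flow esp from LOCAL_NET to REMOTE_NET", i.e. both ends match
flow_matches() {
    if [ "$(in_net "$1" "$3")" = yes ] && [ "$(in_net "$2" "$4")" = yes ]; then
        echo yes
    else
        echo no
    fi
}

# route_and_flow INTERNAL_IP LOCAL_NET REMOTE_NET PEER: print the static
# route (remote net via the firewall's own internal address, so locally
# generated packets select that address as source) and the matching
# ipsec.conf flow line
route_and_flow() {
    printf 'route add -inet %s %s\n' "$3" "$1"
    printf 'flow esp from %s to %s peer %s\n' "$2" "$3" "$4"
}

# Usage with constructed addresses: internal 10.1.0.1/24 on the firewall,
# external 203.0.113.1, remote net 10.2.0.0/24 behind peer 203.0.113.2
route_and_flow 10.1.0.1 10.1.0.0/24 10.2.0.0/24 203.0.113.2
# Sourced from the external address the flow does not match (prints no);
# sourced from the internal address it does (prints yes)
flow_matches 203.0.113.1 10.2.0.5 10.1.0.0/24 10.2.0.0/24
flow_matches 10.1.0.1 10.2.0.5 10.1.0.0/24 10.2.0.0/24
```

Running the script prints the route and flow lines for the constructed addresses, then `no` and `yes` for the two source choices; the same `flow_matches` check is a quick way to confirm, before touching the box, that a monitoring script's source address will actually fall inside the flow.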