I'm having a problem with an IPSec tunnel I have configured connecting two 
networks together.  Each firewall is running OpenBSD 3.9.  At one end, it's a 
pair of firewalls running CARP and I've turned off sasyncd to troubleshoot 
now, because I didn't want to have it interfering and I suspect it may have 
been causing more problems.  Since the primary firewall is staying up without 
issues, I'm ignoring the backup in my examples.

Essentially, the behavior I'm seeing is that communication over the tunnel is 
interrupted whenever the Phase 1 SA is timed out.  When it hits the soft 
timeout, a new SA is negotiated and looks fine.  As soon as the older Phase 1 
SA times out, communication (even just pinging) is interrupted for a minute 
or less.  To confirm that the behavior is related to the timeouts, I've 
doubled all my timeout times in isakmpd.conf to 7200 seconds for Phase 1 and 2400 
seconds for Phase 2.  The outages happen roughly half as often now and still 
correspond in timing to new Phase 1 SA establishments and changeover.

I have pf configured on both ends, with altq.  Altq isn't dropping any port 
500 isakmpd packets (according to pfctl -vvs queue) on either side and only 
occasional esp traffic under high loads.  Both have enough bandwidth reserved 
and they're given the highest priority in CBQ mode.  pf is allowing isakmpd 
traffic only from the other of our two locations at both sides.

I don't suspect that pf or altq is the problem here just because the SAs do 
get recreated without any obvious problem and traffic is "allowed" at least 
to proceed through the packet filter normally.  However, the problem is 
exacerbated by higher throughput times during the business day - it usually 
goes unnoticed (by Nagios) on a weekend or overnight, so altq could be a 
factor if I need to reserve some bandwidth for more than port 500 and esp 
traffic.

I've been watching SAs with the following procedure from isakmpd's man page:
# echo S>/var/run/isakmpd.fifo
# cat /var/run/isakmpd.result

The flows/routes as reported by ipsecctl -vvs all and netstat -rnf encap don't 
appear to be interrupted ever - they are always present unless I clear the SA 
table manually.  pflog is logging all dropped packets to /var/log/pflog and I 
never find any esp or port 500 packets in there except obviously from servers 
outside our networks.

Does anyone have any suggestions for points to investigate?  I can provide 
configuration details about parts of this if anyone has a good place to look.
I've already manually configured tunnels with isakmpd.conf (rather than 
ipsec.conf) in hopes that something would show up in that process, but the 
same behavior is noticed both ways.

-- 
Regards,
Neil Schelly
Senior Systems Administrator

W: 978-667-5115 x213
M: 508-410-4776

OASIS Open http://www.oasis-open.org
"Advancing E-Business Standards Since 1993"
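A watch script, added here as an example and not from the original post, that automates the FIFO procedure above on a timer and logs a timestamped line whenever the SA table changes or a host behind the far firewall stops answering, so outages can be lined up with Phase 1 changeovers. It assumes the isakmpd(8) FIFO and result paths shown in the post; PEER, INTERVAL and LOG are placeholders to set for your own tunnel.

```shell
#!/bin/sh
# Correlate isakmpd SA table changes with tunnel reachability (added example).
# Assumes the isakmpd(8) FIFO/result files named in the post; PEER is a
# placeholder for a host behind the remote firewall.

FIFO=/var/run/isakmpd.fifo
RESULT=/var/run/isakmpd.result
PEER=${PEER:-10.0.0.1}            # placeholder: host on the far side of the tunnel
INTERVAL=${INTERVAL:-10}          # seconds between checks
LOG=${LOG:-/var/log/sa-watch.log}

# Dump the SA table the way the post does: 'S' into the FIFO, output in RESULT.
sa_snapshot() {
    echo S > "$FIFO"
    sleep 1
    cat "$RESULT"
}

# Exit 0 when two snapshot files differ (an SA appeared or expired), 1 otherwise.
sa_changed() {
    ! cmp -s "$1" "$2"
}

# Count lines only in the new snapshot (added) and only in the old one (removed).
sa_delta() {
    added=$(diff "$1" "$2" | grep -c '^>' || true)
    removed=$(diff "$1" "$2" | grep -c '^<' || true)
    echo "added=$added removed=$removed"
}

# One ping with a short wait; exit 0 if the far side answered.
tunnel_up() {
    ping -c 1 -w 2 "$1" > /dev/null 2>&1
}

watch_loop() {
    prev=$(mktemp); cur=$(mktemp)
    sa_snapshot > "$prev"
    while :; do
        sleep "$INTERVAL"
        sa_snapshot > "$cur"
        if tunnel_up "$PEER"; then state=up; else state=DOWN; fi
        if sa_changed "$prev" "$cur"; then
            echo "$(date '+%F %T') SA table changed: $(sa_delta "$prev" "$cur") tunnel=$state" >> "$LOG"
            cp "$cur" "$prev"
        elif [ "$state" = DOWN ]; then
            echo "$(date '+%F %T') tunnel DOWN, SA table unchanged" >> "$LOG"
        fi
    done
}

if [ "$1" = run ]; then watch_loop; fi
```

Run it as `sh sa-watch.sh run` on the primary firewall and compare the timestamps in LOG with the Nagios alerts.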
