On Fri, Sep 26 2008 at 03:19, Christoph Leser wrote:
> This is interesting. We suffer from spurious connection losses since we
> started with OBSD ipsec.
> Do you have any details what caused your problem, and why setting
> DPD-check-interval helped?
The problem was the following: tunnels were established well but, in case of internet connection problems, the VPN went down and never came up again. Once the VPN went down, the workaround was simply to kill isakmpd and restart it. Not very simple when the VPN went down at 2 AM (and users complaining at 8).

Analysing an idle VPN connection (we were lucky to have a test environment), I saw that the Cisco 3030 was emitting isakmp_info packets every 20 seconds. I cut the internet link, waited 1 min and then replugged the cable. tcpdump showed that my OpenBSD box didn't lose its SAs but the Cisco 3030 was trying to create new ones. At this point the isakmp daemons on both sides can't talk to each other any more.

As DPD was enabled on the Cisco side and the techs were unable to tell me if it's the standard configuration or not, I found this way to enable DPD on the OpenBSD side. It corrected the problem as both sides tried to restart isakmp negotiations after a short internet failure.

Claer

> > In our environment (we manage openbsd tunnels to cisco 3030
> > which is out of our scope) we debugged a strange problem when
> > the connection goes down. The tunnels won't come back after a
> > small link shutdown.
> >
> > The problem was Cisco 3030 was doing DPD check and not the OpenBSD.
> >
> > If it's the case for you too, you should add these lines to
> > /etc/isakmpd/isakmpd.conf :
> >
> > --- isakmpd.conf ---
> > [General]
> > DPD-check-interval= 30
> > --- isakmpd.conf ---
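A toy timeline of the deadlock Claer describes, added here as an illustration (not code from the thread, from isakmpd or from the Cisco side): the Cisco peer probes every 20 s as observed, the link is cut for 60 s, and OpenBSD runs with DPD off or with DPD-check-interval set. The probe timing, the three-miss threshold and the rule that a new proposal goes nowhere while the other side still holds its old SA are modelling assumptions chosen to reproduce the behaviour reported above.

```python
"""Toy timeline of the deadlock described above. Assumptions, not isakmpd
behaviour: a probe is answered only if the link is up and the peer still
holds its SA; 3 misses declare the peer dead; a new negotiation succeeds
only when neither side still holds an old SA."""
from typing import List, Optional, Tuple

class Peer:
    def __init__(self, name: str, dpd_interval: Optional[int]) -> None:
        self.name, self.dpd_interval = name, dpd_interval  # None = DPD off
        self.sa_up, self.next_probe, self.unanswered = True, 0, 0

    def probe(self, other: "Peer", link_up: bool, t: int, log: List[str]) -> None:
        # Send a liveness probe when due; tear the SAs down after three misses.
        if self.dpd_interval is None or not self.sa_up or t < self.next_probe:
            return
        self.next_probe = t + self.dpd_interval
        if link_up and other.sa_up:
            self.unanswered = 0
        else:
            self.unanswered += 1
            if self.unanswered >= 3:
                self.sa_up = False
                log.append(f"t={t}: {self.name} declares peer dead, deletes SAs")

def renegotiate(a: Peer, b: Peer, link_up: bool, t: int, log: List[str]) -> bool:
    # A peer without an SA proposes a new tunnel once the link is back.
    if not link_up or (a.sa_up and b.sa_up):
        return False
    if a.sa_up != b.sa_up:  # one side still holds a stale SA: proposal ignored
        msg = f"{(a if a.sa_up else b).name} keeps its old SA, proposal ignored"
        if msg not in log:
            log.append(msg)
        return False
    a.sa_up = b.sa_up = True
    log.append(f"t={t}: tunnel re-established")
    return True

def simulate(obsd_dpd: Optional[int], outage: Tuple[int, int] = (10, 70),
             horizon: int = 300) -> Tuple[Optional[int], List[str]]:
    cisco, obsd, log = Peer("cisco", 20), Peer("openbsd", obsd_dpd), []
    for t in range(horizon):
        link_up = not (outage[0] <= t < outage[1])
        cisco.probe(obsd, link_up, t, log)
        obsd.probe(cisco, link_up, t, log)
        if renegotiate(cisco, obsd, link_up, t, log):
            return t, log  # second at which the tunnel came back
    return None, log  # never recovered

if __name__ == "__main__":
    print(simulate(None), simulate(30))
```

With DPD off on OpenBSD the model never recovers (the Cisco side deletes its SAs at t=60 and its later proposals are ignored); with DPD-check-interval=30 OpenBSD notices the dead peer at t=90 and the tunnel is rebuilt.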