I'm new to this list.
I have the same problem. The IPsec is between two identical
kernels/FreeS/WANs so it has to be something else.
Linux 2.4.9 and FreeS/WAN 1.96.
My home network hangs on ADSL. The IPsec runs on a small Pentium I box
(server.net) together with an iptables firewall + NAT. server.net has two
interfaces: public (to the ADSL modem) and private (192.168.0.1). I work
on the workstation at home (kapitan == 192.168.0.4) behind server.net.
The other side of the tunnel is a single machine at work (no subnet)
with public interface (no DNS entry though).
After fixing some MTU problems, this one still remains. The tunnel gets
up fine and works fine. I NFS mount a volume from work on kapitan at
home (192.168.0.4) and all is dandy. But if I leave it for a while, the
NFS will hang and I cannot ping work from kapitan at home.
BUT if I connect (externally, not through IPsec) to the work machine and
ping home through IPsec, NFS comes back and I can ping work again from
kapitan, and all is well for a while.
If I remember correctly "ipsec look" shows the tunnel working on both sides
even when it is hung.
I also (just) hacked it with a cron ping job from work to home and so far
so good.
thanks,
rafal
-----------------------------------------------------------------------------------------------------------------------------------------------------
Hi Andy,
You ask,
> After x amount of minutes/hours (I cannot catch it happening)
> the comm through the tunnel breaks. I.e. I send a ping from 10.10.41.x
> to 192.168.2.x and there is no return. If I keep the ping going
> indefinitely and I ssh (not through the tunnel) through the remote
> firewall to the 192.168.2.x subnet and tell it to ping 10.10.41.x, as
> soon as I hit enter and the ping returns the conn is restored from
> 10.10.41.x to 192.168.2.x. This is not just a prob with my particular
> FW or kernel ver because I have seen this happen on multiple boxes. I
> have beaten this by setting up a cron job on the remote system that
> can always connect to ping twice every 15 mins, but this is just a
> workaround. Has anyone seen this??
Yes, when interoperating with other IPsec implementations. Some of these
kill idle tunnels and bring tunnels up at need. Perhaps the number
of minutes/hours might be related to the peer's lifetime parameters.
Their equivalents are explained in man ipsec.conf.
Cheers,
Claudia
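The cron-ping workaround that both rafal and Andy describe, written out as an added example (this is not code from the list or from FreeS/WAN): it pings the far side of the tunnel from the machine that can always connect and, when the probe fails, re-establishes the connection with ipsec auto instead of only waiting for the next ping to bring it back. The connection name "home", the far-side address 192.168.0.4 and the log path are assumptions; the probe and restart commands are variables so the script can be exercised without a live tunnel.

```shell
#!/bin/sh
# Added example keepalive for the FreeS/WAN tunnel discussed on the list.
# Assumptions (not from the thread): connection name "home", far-side
# private address 192.168.0.4 (kapitan), run from the work machine.
CONN="${CONN:-home}"
PEER="${PEER:-192.168.0.4}"
LOG="${LOG:-/var/log/ipsec-keepalive.log}"

# Probe and restart commands are overridable so the logic can be tested
# with PROBE=true/false and a harmless RESTART.
PROBE="${PROBE:-ping -c 2 -w 10 $PEER}"
RESTART="${RESTART:-ipsec auto --replace $CONN && ipsec auto --up $CONN}"

# Returns 0 if the probe (two ICMP echoes) reaches the far side of the tunnel.
tunnel_alive() {
    eval "$PROBE" >/dev/null 2>&1
}

# Probe; on failure re-establish the connection and probe again.
# Prints alive, restored or down and returns 0 only if the tunnel is usable.
keepalive() {
    if tunnel_alive; then
        echo alive
        return 0
    fi
    echo "$(date '+%F %T') tunnel $CONN to $PEER down, re-establishing" >> "$LOG"
    if eval "$RESTART" >/dev/null 2>&1 && tunnel_alive; then
        echo restored
        return 0
    fi
    echo "$(date '+%F %T') tunnel $CONN still down after restart" >> "$LOG"
    echo down
    return 1
}

# Only act when invoked with "run", e.g. from cron:
#   */15 * * * * root /usr/local/sbin/ipsec-keepalive run
case "${1:-}" in
    run) keepalive ;;
esac
```

If the peer is dropping the SA at the end of its lifetime rather than for lack of traffic, this only papers over it; the lasting fix is to bring keylife and ikelifetime in ipsec.conf into line with the peer's settings, as Claudia suggests.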
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:57 CEST