Hosting Provided By

Re: [Users] Problem with Cisco 3000

From: Ken Bantoft <ken(at)freeswan.ca>
Date: Thu Oct 09 2003 - 23:31:20 EDT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You might try different values for the Phase 1 / 2 lifetimes.

I wrote about this here:

http://lists.freeswan.ca/pipermail/sfs-dev/2003-April/000171.html

It does apply to both Cisco and Checkpoint, in my experience.

Note: you may need to recompile FS depending on what version you have, to support the large value for ikelifetime.

On Wed, 8 Oct 2003 ipsec@ns1.mailer.org wrote:

> On Mon, 6 Oct 2003, Sam Sgro wrote:
>
> > Where is Mon? You've defined a net-to-net tunnel; gw-to-gw traffic
> > will not be covered, so if it's pinging gateway-to-gateway, it would
> > appear down. You've probably already covered this, however...
>
> Yes, I have set it to run ping properly.
>
> > When the connection "appears" down, the question is: why? Is FreeS/WAN still
> > sending packets? (I would guess so, given the lack of log activity. You could
> > confirm this by a tcpdump.)
>
> ipsec whack --status shows phase 1 and 2 SA established.. no error that I
> am trained to recognize :-)
>
> > Then we move our attention to the Cisco. Why does it ignore packets? Common
> > problem: expired states... but you've already tried one of the fixes to rekey
> > problems: playing with ikelifetime/keylife to ensure FreeS/WAN is always
> > taking the initiative in rekeying. (Though your barf doesn't reflect that
> > change - you may have backed it out.) Also useful in this regard:
> > "rekeymargin".
>
> Will read the docs on that...
>
> > Do you have access to the Cisco's logs/configs? Can you see why it might be
> > dropping packets at 10:00/16:00?
>
> Unfortunately no. the folks on the other end may be able to get that for
> me. when I asked for a copy of the pertenant parts of the config they send
> me 5MB of print screens...
>
> > ... and did your customer's restart of FreeS/WAN fix the connectivity
> > problem?
>
> Yes, the customer restarts the connection and immediatly it works. I have
> a fresh barf during the most recent event here:
>
> http://www.iron-bridge.net/barf2.gz
>
> Best Regards,
>
> --
> Andrew - Iron-Bridge Communications, INC.

-- Ken Bantoft Super FreeS/WAN Maintainer ken(at)freeswan.ca http://www.freeswan.ca PGP Key: finger ken@bantoft.org The future is here. It's just not evenly distributed yet.
- William Gibson -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux)

Do you need help?

iD8DBQE/higKPiOgilmwgkgRAmEBAJ4p/ABodN8rQcJnQiDT1XzYCq6i2gCfduSr Xr8inGd0/05UK2XDX9dIJ3A=
=LdAX
-----END PGP SIGNATURE-----

FreeS/WAN Users mailing list
users@lists.freeswan.org
https://mj2.freeswan.org/cgi-bin/mj_wwwusr Received on Thu Oct 9 23:41:57 2003

This message: [ Message body ]
Next message: Sam Sgro: "Re: [Users] RPM's"
Previous message: James Harper: "Re: [Users] linux ipsec transport mode + ipip tunnel..."
Maybe in reply to: ipsec(at)ns1.mailer.org: "[Users] Problem with Cisco 3000"
In reply to ipsec(at)ns1.mailer.org: "[Users] Problem with Cisco 3000"
Next in thread: ipsec(at)ns1.mailer.org: "Re: [Users] Problem with Cisco 3000"
Reply: ipsec(at)ns1.mailer.org: "Re: [Users] Problem with Cisco 3000"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:02:04 EDT