> On the employee VPN server, which gets a lot of traffic, about once a week
> -- sometimes more, sometimes less -- I'm having to kill the racoon daemon,
> flush setkey databases, and restart racoon.  (The employee VPN concentrator
> is being tested with 10 endpoint tunnels.)

Maybe you could describe your exact symptoms.

Well, after a week (sometimes more, sometimes less), all the VPN tunnels go dead.  I don't know why yet.  Sometimes I have to "kill -9" the racoon process in order for it to die, sometimes I don't.  Sometimes I have to flush the setkey databases before I restart racoon (or the VPNs don't come back up) and sometimes I don't.

Also, it seems that about once a week at least one of the Netgears needs to be restarted because it loses its tunnel.  I assume this has nothing to do with our racoon servers and everything to do with the Netgears desperately needing fixes to their firmware.  In these cases, the VPN server and all other clients are happy as can be.

When all of the tunnels are dropped, logs don't have any information.  Should I turn on more verbose logging (I suspect I should [but I also suspect I won't get any additional info as to the problem with verbose logs])?

Here's the configuration of the server:

# Phase 1 (ISAKMP) settings for any peer; "anonymous" matches every address
# not covered by a more specific "remote" block.
remote anonymous {
        # Phase 1 modes the responder will accept; the peer picks one of them.
        exchange_mode main, aggressive, base;
        # Responder only: never initiate phase 1 toward the clients.
        passive on;
        # RFC 3947 NAT traversal (UDP encapsulation of ESP).
        nat_traversal on;
        # Install SPD entries from the initiator's proposal, since the
        # clients' addresses are not known in advance.
        generate_policy on;
        # Lifetime of the ISAKMP SA.
        lifetime time 24 hour;
        proposal {
                dh_group modp1024;
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
        }
}
# Phase 2 (IPsec SA) settings for any selector.
sainfo anonymous {
        # Diffie-Hellman group for phase 2; setting it makes PFS mandatory.
        pfs_group modp1024;
        # Lifetime of each IPsec SA, after which racoon rekeys.
        lifetime time 8 hour;
        # Acceptable ESP ciphers in order of preference; "aes 192" is AES with
        # a 192-bit key, "blowfish 448" Blowfish with a 448-bit key.
        encryption_algorithm aes, aes 192, aes 128, twofish, blowfish 448, 3des, des;
        # Acceptable ESP integrity algorithms.
        authentication_algorithm hmac_sha1, hmac_md5;
        # IPComp with deflate.
        compression_algorithm deflate;
}

I don't think anybody here will tell you that racoon's supposed to be
unstable.  We try to attain the best possible quality, and we'll try to
look into any bug you may encounter.

I didn't figure it was supposed to be unstable.  :)

Even if we all currently lack time...  :}

Your time is muchly appreciated.  Believe me I understand everybody's constraints.

Any suggestions (besides increasing log output, which I will do) as to where, or to whom, I should look into this so I can report better details to the list?

Thanks much,

Derek
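The check / kill / flush / restart cycle described in the message above, written out as a small shell helper. This is an added example, not code from the original post or from the ipsec-tools project. It assumes the paths /usr/sbin/racoon, /usr/sbin/setkey, /etc/racoon/racoon.conf, /var/run/racoon.pid and a debug log at /var/log/racoon-debug.log (all overridable through environment variables), that ten tunnels should show up as twenty mature ESP SAs (one per direction), and that racoonctl, if present, has an admin socket to talk to. The SAMPLE_DUMP text is a constructed fragment in the layout of `setkey -D` output, used only to exercise the counting functions offline.

```sh
#!/bin/sh
# Added example (not from the original post or the ipsec-tools project):
# a helper for the check / kill / flush / restart cycle described above.
# Assumed paths (adjust for your system): racoon and setkey binaries,
# racoon.conf, the pid file, and the debug log location.
RACOON=${RACOON:-/usr/sbin/racoon}
SETKEY=${SETKEY:-/usr/sbin/setkey}
CONF=${CONF:-/etc/racoon/racoon.conf}
PIDFILE=${PIDFILE:-/var/run/racoon.pid}
LOGFILE=${LOGFILE:-/var/log/racoon-debug.log}
# 10 endpoint tunnels = 20 ESP SAs (one per direction) when everything is up.
EXPECTED_SAS=${EXPECTED_SAS:-20}

# Constructed sample in the layout of `setkey -D` output, used for the
# self-test: two ESP SAs for one tunnel, one still mature and one dying.
SAMPLE_DUMP='192.0.2.10 192.0.2.1
        esp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
        E: 3des-cbc  0123456789abcdef0123456789abcdef0123456789abcdef
        A: hmac-sha1  0123456789abcdef0123456789abcdef01234567
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.1 192.0.2.10
        esp mode=tunnel spi=2271560481(0x87654321) reqid=0(0x00000000)
        E: 3des-cbc  fedcba9876543210fedcba9876543210fedcba9876543210
        A: hmac-sha1  fedcba9876543210fedcba9876543210fedcba98
        seq=0x00000000 replay=4 flags=0x00000000 state=dying'

# Count ESP SAs in a setkey -D dump read from stdin.  grep -c prints 0 but
# exits 1 when nothing matches; "|| true" keeps set -e from aborting on that.
count_esp_sas() { grep -c '^[[:space:]]*esp mode=' || true; }

# Count SAs in a given kernel state (larval, mature, dying, dead).
count_sas_in_state() { grep -c "state=$1" || true; }

# Succeed when the dump on stdin holds at least $1 mature SAs.
tunnels_healthy() {
    want=$1
    have=$(count_sas_in_state mature)
    [ "$have" -ge "$want" ]
}

# Save SAD, SPD and (if racoonctl is available) ISAKMP SA state before
# anything is flushed, so there is something to attach to a bug report.
snapshot_state() {
    out="/tmp/racoon-snapshot-$(date +%Y%m%d-%H%M%S).txt"
    {
        echo "== SAD (setkey -D)";  "$SETKEY" -D  || true
        echo "== SPD (setkey -DP)"; "$SETKEY" -DP || true
        if command -v racoonctl >/dev/null 2>&1; then
            echo "== ISAKMP SAs (racoonctl show-sa isakmp)"
            racoonctl show-sa isakmp || true
        fi
    } > "$out" 2>&1
    echo "state saved to $out"
}

# The recovery sequence from the post: stop racoon (SIGTERM first, SIGKILL
# only if it ignores that), flush both setkey databases, then restart with
# debug output going to a file so the next drop leaves a trace.
recover_racoon() {
    pid=$(cat "$PIDFILE" 2>/dev/null || true)
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        kill -TERM "$pid"
        i=0
        while [ "$i" -lt 10 ] && kill -0 "$pid" 2>/dev/null; do
            sleep 1; i=$((i + 1))
        done
        if kill -0 "$pid" 2>/dev/null; then
            echo "racoon ignored SIGTERM, sending SIGKILL"
            kill -KILL "$pid"
        fi
    fi
    "$SETKEY" -F     # flush the SAD (IPsec SAs)
    "$SETKEY" -FP    # flush the SPD; generate_policy on rebuilds entries as peers reconnect
    # -l sends the log to a file instead of syslog; each -d raises the debug level.
    "$RACOON" -f "$CONF" -l "$LOGFILE" -ddd
}

case "${1:-}" in
    check)
        if "$SETKEY" -D | tunnels_healthy "$EXPECTED_SAS"; then
            echo "tunnels ok"
        else
            echo "fewer than $EXPECTED_SAS mature SAs; run '$0 recover'"; exit 2
        fi ;;
    recover) snapshot_state; recover_racoon ;;
esac
```

Run it as `racoon-recover.sh check` from cron to catch the drop early, and `racoon-recover.sh recover` to perform the cycle; with no argument it only defines the functions. The health test uses "at least N mature SAs" rather than an exact count because during a rekey both the old and the new SA pair are present for a while. The `-ddd` restart is the command-line form of raising the log level; the same can be set persistently with the `log` directive in racoon.conf. One point unrelated to the tunnel drops but worth noting about the configuration above: the phase 2 proposal still offers `des` and `hmac_md5`, and phase 1 accepts aggressive mode with a pre-shared key, which lets a passive observer capture material for an offline dictionary attack on the PSK; both are worth tightening once the stability problem is sorted out.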