From: Danny K. <dk...@su...> - 2011-02-10 22:16:56

Hello,

We're currently running ipsec-tools-0.7 to set up an IPsec VPN Tunnel between our Linux box and a Juniper device.

We can establish the tunnel just fine and pass traffic both ways, however we are having an issue with the SPD entries just randomly disappearing which results in traffic not being able to go out the tunnel. The tunnel still looks like it's up, there's nothing in the racoon.log to indicate the tunnel is going down, just looks like the policies are vanishing. This only happens every few days with no pattern that we can see and a restart of racoon is required to bring it back up.

We've been unable to reproduce this problem. Before I get into details of our configuration and that sort of thing, I was wondering if anyone had ever heard of the SPD entries disappearing like that? If so, any idea what could cause this?

If someone's able (and willing) to help, I can go into detail with our configuration and that sort of thing, but I'm hoping to find out if someone's at least heard of this before.

Regards,
-Danny
From: VANHULLEBUS Y. <va...@fr...> - 2011-02-14 13:49:10

On Thu, Feb 10, 2011 at 02:16:50PM -0800, Danny Korte wrote:
> Hello,

Hi.

> We're currently running ipsec-tools-0.7 to set up an IPsec VPN Tunnel between
> our Linux box and a Juniper device.
>
> We can establish the tunnel just fine and pass traffic both ways, however we
> are having an issue with the SPD entries just randomly disappearing which
> results in traffic not being able to go out the tunnel. The tunnel still
> looks like it's up, there's nothing in the racoon.log to indicate the tunnel
> is going down, just looks like the policies are vanishing. This only
> happens every few days with no pattern that we can see and a restart of
> racoon is required to bring it back up.

A restart of racoon?

Are your SPD entries "static" (generated at startup by setkey, without any lifetime) or dynamic (generated by racoon's generate_policy option)?

The main reasons for such a thing could be a DELETE_SA sent by the peer, or different lifetimes on the two peers if the SPD entries were generated by racoon.

If your SPD entries are static, that's probably a kernel issue.

Yvan.
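The distinction Yvan draws (static setkey policies have lifetime 0; racoon-generated ones carry a lifetime and can expire) is visible in `setkey -DP` output, and that is also the place to catch the "vanishing" Danny describes before it costs a tunnel. The script below is an added example, not code from the thread or from the ipsec-tools project: it reduces `setkey -DP` output to one line per policy, checks that a list of expected policies is still present, and warns about any that carry a non-zero lifetime. The addresses, the expected-policy list and the sample `setkey -DP` output are constructed (the sample approximates the ipsec-tools 0.7 format from memory); the sample deliberately shows the inbound policy gone and the outbound one racoon-generated.

```shell
#!/bin/sh
# Added example (not from the ipsec-tools thread or project): a cron-able check
# that the SPD entries a tunnel depends on are still in the kernel, flagging
# policies with a non-zero lifetime (racoon generate_policy, can expire) as
# opposed to static setkey policies (lifetime 0). Addresses are hypothetical.

# Reduce `setkey -DP` output to one line per policy: "src dst direction lifetime".
spd_summary() {
    awk '
        /^[^ \t]/ { src = $1; dst = $2; next }          # "src dst proto" header line
        /^[ \t]+(in|out|fwd) / { dir = $1; next }       # "in|out|fwd ipsec|none|discard"
        /^[ \t]+lifetime:/ {                            # "lifetime: N(s) validtime: N(s)"
            life = $2; sub(/\(s\)/, "", life)
            print src, dst, dir, life
        }'
}

# Compare expected "src dst direction" lines ($1) against a spd_summary listing ($2).
# Prints MISSING for vanished policies and WARN for expiring ones, in the order of
# the expected list; returns 1 if any expected policy is missing.
check_spd() {
    { printf '%s\nEND_EXPECTED\n' "$1"; printf '%s\n' "$2"; } | awk '
        /^END_EXPECTED$/ { phase = 1; next }
        phase == 0       { if ($0 != "") want[++n] = $0; next }
        NF >= 4          { seen[$1 " " $2 " " $3] = $4 }
        END {
            rc = 0
            for (i = 1; i <= n; i++) {
                k = want[i]
                if (!(k in seen)) { print "MISSING " k; rc = 1 }
                else if (seen[k] + 0 != 0)
                    print "WARN " k " lifetime=" seen[k] "s (racoon-generated, will expire)"
            }
            exit rc
        }'
}

# Policies the tunnel needs (constructed; hypothetical prefixes).
EXPECTED='10.0.0.0/24[any] 192.168.1.0/24[any] out
192.168.1.0/24[any] 10.0.0.0/24[any] in'

# Constructed `setkey -DP` output: the inbound policy has vanished and the
# outbound one carries a lifetime, i.e. it was generated by racoon.
SAMPLE_BROKEN='10.0.0.0/24[any] 192.168.1.0/24[any] any
	out ipsec
	esp/tunnel/203.0.113.1-198.51.100.1/require
	created: Feb 10 12:00:00 2011  lastused: Feb 10 12:05:00 2011
	lifetime: 28800(s) validtime: 0(s)
	spid=17 seq=1 pid=1234
	refcnt=1'

# Constructed healthy listing: both policies present, static (lifetime 0).
SAMPLE_OK='192.168.1.0/24[any] 10.0.0.0/24[any] any
	in ipsec
	esp/tunnel/198.51.100.1-203.0.113.1/require
	created: Feb 10 12:00:00 2011  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=16 seq=1 pid=1234
	refcnt=1
10.0.0.0/24[any] 192.168.1.0/24[any] any
	out ipsec
	esp/tunnel/203.0.113.1-198.51.100.1/require
	created: Feb 10 12:00:00 2011  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=17 seq=1 pid=1234
	refcnt=1'

# Stand-alone demo on the constructed sample. In production feed live output:
#   check_spd "$EXPECTED" "$(setkey -DP | spd_summary)"
check_spd "$EXPECTED" "$(printf '%s\n' "$SAMPLE_BROKEN" | spd_summary)" \
    || echo "SPD check failed at $(date): capture 'setkey -D' and racoon.log before restarting racoon"
```

Run from cron every minute, a MISSING line gives the timestamp at which the policy disappeared, which can then be lined up against racoon.log (a DELETE_SA from the peer, or a phase 2 lifetime expiring) and against `setkey -D` to see whether the SAs went with it. A WARN line on a policy you believed was static is the answer to Yvan's first question: that entry came from generate_policy, not from setkey.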