From: VANHULLEBUS Y. <va...@fr...> - 2008-04-07 15:48:03
Hi.

On Thu, Apr 03, 2008 at 11:10:49AM -0600, Phillip Hellewell wrote:
> What is the best way to debug the problem of a tunnel that randomly stops
> working (i.e., I can no longer ping hosts on the remote subnet)?

racoon -dd will give you some information, but also *huge* debug and some
confidential things (preshared keys, identities, IPs, etc...).

tcpdump can also be your friend, and you may also want to monitor SAs when
they are about to go to dying mode (at 80% of their lifetime).

> If I bring the tunnel down and back up (i.e., redo phase 1 and 2), it starts
> working again.
>
> I can't determine if it has problems renewing after the lifetime has passed,
> or if it is more random than that.

Does this problem happen at 80% of a phase2's lifetime?

According to your logs, the first thing I'll check would be phase1 lifetime
on both ends.

Yvan.
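One way to watch SAs as they approach the dying state, as an added example that is not part of the original message: it parses a dump in the layout printed by `setkey -D` from ipsec-tools and lists SAs that are dying or close to their soft lifetime. The function names, the 300-second window and the sample dump (addresses, SPIs, timers) are constructed for illustration.

```python
import re

# Constructed sample in the layout `setkey -D` (ipsec-tools) prints, trimmed to
# the fields used here. Addresses, SPIs and timers are made up, not from the thread.
SAMPLE = (
    "192.0.2.1 198.51.100.1\n"
    "\tesp mode=tunnel spi=123456789(0x075bcd15) reqid=0(0x00000000)\n"
    "\tseq=0x00000000 replay=4 flags=0x00000000 state=mature\n"
    "\tdiff: 1200(s)\thard: 3600(s)\tsoft: 2880(s)\n"
    "198.51.100.1 192.0.2.1\n"
    "\tesp mode=tunnel spi=234567890(0x0dfb38d2) reqid=0(0x00000000)\n"
    "\tseq=0x00000000 replay=4 flags=0x00000000 state=dying\n"
    "\tdiff: 3000(s)\thard: 3600(s)\tsoft: 2880(s)\n"
    "192.0.2.1 203.0.113.7\n"
    "\tesp mode=tunnel spi=49374(0x0000c0de) reqid=0(0x00000000)\n"
    "\tseq=0x00000000 replay=4 flags=0x00000000 state=mature\n"
    "\tdiff: 2700(s)\thard: 3600(s)\tsoft: 2880(s)\n"
)

SPI = re.compile(r"spi=\d+\((0x[0-9a-f]+)\)")
STATE = re.compile(r"state=(\w+)")
LIFE = re.compile(r"diff:\s*(\d+)\(s\)\s+hard:\s*(\d+)\(s\)\s+soft:\s*(\d+)\(s\)")

def parse_sad(text):
    """Return one dict per SA: src, dst, spi, state, age, hard, soft (seconds)."""
    sas = []
    for line in text.splitlines():
        if line and not line[0].isspace():   # unindented "src dst" line starts an SA
            parts = line.split()
            sas.append({"src": parts[0], "dst": parts[1]} if len(parts) == 2 else {})
        elif sas:
            sa = sas[-1]
            if m := SPI.search(line):
                sa["spi"] = m.group(1)
            if m := STATE.search(line):
                sa["state"] = m.group(1)
            if m := LIFE.search(line):       # "diff" is the SA's age in seconds
                sa["age"], sa["hard"], sa["soft"] = map(int, m.groups())
    return [sa for sa in sas if {"spi", "state", "age"} <= sa.keys()]

def near_soft_expiry(sas, window=300):
    """(spi, state, seconds to soft lifetime) for SAs dying or within `window` of it."""
    return [(sa["spi"], sa["state"], sa["soft"] - sa["age"]) for sa in sas
            if sa["state"] == "dying" or 0 < sa["soft"] <= sa["age"] + window]

if __name__ == "__main__":
    for spi, state, margin in near_soft_expiry(parse_sad(SAMPLE)):
        print(f"{spi} state={state} seconds_to_soft={margin}")
```

Run periodically against a live dump and logged with timestamps, this shows whether the outage lines up with an SA passing its soft lifetime without a replacement SA appearing.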