6th September 2011
igy01 (Port Guard)
Join Date: Jan 2011
Posts: 20

IPsec strange and annoying problem

I have IPsec tunnels between a few OpenBSD machines (releases 4.6, 4.8 & 4.9). IPsec has been working fine for a long time, but now and then (once or twice per day) the IPsec traffic just stops. This kind of problem usually lasts 17-18 minutes. The SAs are still there (or at least ipsecctl shows them), but traffic can't pass from netA to netB.

I use isakmpd, /etc/ipsec.conf and X.509 certificates. There is no nat, no rdr.
Until a few months ago everything worked fine on OBSD 4.5 & 4.6 (so I think there is no problem in ipsec.conf or the X.509 setup).

Any idea?

ps

Yes, I know about SHA, so between the same BSD releases I use:

# phase 1 (main) and phase 2 (quick) both use HMAC-SHA2-512, AES-256 and MODP1024;
# $netA, $netB, $ipHOSTA and $ipHOSTB are macros defined earlier in ipsec.conf
ike esp from $netA to $netB \
	local $ipHOSTA peer $ipHOSTB \
	main auth hmac-sha2-512 enc aes-256 group modp1024 \
	quick auth hmac-sha2-512 enc aes-256 group modp1024

but between pre-4.7 and post-4.7 I use sha1.
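The symptom described in the post (ipsecctl lists SAs, yet nothing passes between the two nets) is worth checking mechanically before digging into isakmpd. The script below is an added example, not the poster's code and not part of OpenBSD: it parses an `ipsecctl -sa` listing and reports every peer whose flows lack an ESP SA in one direction, which is what "SAs look present but traffic is dead" usually comes down to first. The FLOWS:/SAD: layout, the field positions and every address in it are assumptions constructed for the example; peer 198.51.100.7 is deliberately left without an inbound SA so the check has something to report.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the kernel IPsec
# state that `ipsecctl -sa` prints. For every peer that has an IPsec flow,
# confirm an ESP SA exists in each direction the flows need.
#
# Assumed output layout (constructed sample below, simplified): a FLOWS: section
# with lines "flow esp in|out from NET to NET peer ADDR ..." and a SAD: section
# with lines "esp tunnel from ADDR to ADDR spi 0x... auth ALG enc ALG".

# Constructed sample: peer 192.0.2.2 is healthy (SA both ways);
# peer 198.51.100.7 deliberately has only the outbound SA.
sample_ipsecctl_output() {
    cat <<'EOF'
FLOWS:
flow esp in from 10.0.2.0/24 to 10.0.1.0/24 peer 192.0.2.2 type use
flow esp out from 10.0.1.0/24 to 10.0.2.0/24 peer 192.0.2.2 type require
flow esp in from 10.0.3.0/24 to 10.0.1.0/24 peer 198.51.100.7 type use
flow esp out from 10.0.1.0/24 to 10.0.3.0/24 peer 198.51.100.7 type require

SAD:
esp tunnel from 192.0.2.2 to 192.0.2.1 spi 0x9d7ba2ef auth hmac-sha2-512 enc aes-256
esp tunnel from 192.0.2.1 to 192.0.2.2 spi 0x4c1e0b33 auth hmac-sha2-512 enc aes-256
esp tunnel from 192.0.2.1 to 198.51.100.7 spi 0x71a0c5d8 auth hmac-sha1 enc aes-256
EOF
}

# Reads ipsecctl -sa output on stdin. Prints one line per problem found and
# returns 1 if there was any, 0 if every flow has its SAs.
check_ipsec_state() {
    problems=$(awk '
        # flow lines: remember which directions each peer needs an SA for
        /^flow esp (in|out) / {
            dir = $3; peer = ""
            for (i = 4; i <= NF; i++) if ($i == "peer") peer = $(i + 1)
            if (peer == "") next
            peers[peer] = 1
            need[peer, dir] = 1
        }
        # SA lines: an SA whose destination is the peer carries outbound
        # traffic, one whose source is the peer carries inbound traffic
        /^esp tunnel from / {
            have[$6, "out"] = 1
            have[$4, "in"] = 1
        }
        END {
            for (p in peers) {
                if ((p, "out") in need && !((p, "out") in have))
                    print "missing outbound SA for peer " p
                if ((p, "in") in need && !((p, "in") in have))
                    print "missing inbound SA for peer " p
            }
        }' | sort)
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    return 0
}

# Stand-alone run against the constructed sample; on a gateway use:
#   ipsecctl -sa | check_ipsec_state
sample_ipsecctl_output | check_ipsec_state || echo "problems found (expected for the sample)"
```

Run it on the gateway while the tunnel is stalled. If both directions really are present, the next thing to compare is the SPI each side is actually putting on the wire: `tcpdump -n -i <external interface> ip proto 50` on both gateways shows the SPI of every ESP packet, and `tcpdump -n -i enc0` shows whether the kernel is decrypting anything at all; an SPI on the wire that is not in the local SAD means the two ends' SA state is out of step, and that is where to look rather than at the ike rule.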