Go Back   DaemonForums > OpenBSD > OpenBSD Installation and Upgrading

OpenBSD Installation and Upgrading Installing and upgrading OpenBSD.

Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1   (View Single Post)  
Old 28th March 2012
kbeaucha kbeaucha is offline
Port Guard
Join Date: May 2008
Posts: 36
Default ipsec/isakmpd tunnels dropping after upgrade

We recently upgraded to 5.0 on our main firewall. This upgrade had been postponed for a long time, mainly due to the changes that made newer versions of ipsec incompatible with older versions.

Our main firewall is the passive end of a series of tunnels that terminate in five other locations, and we have multiple tunnels to connect different subnets at each end in many cases.

When we finally took the plunge and upgraded the main firewall, we knew we were going to have to upgrade the remote ends at the same time. In fact, the newer remote end units were configured over a year ago: they are at 4.8

We built the 5.0 system on a new PC, and replaced our old Soekris 4801s with PC Engine Alixs running 4.8 as mentioned.

When we brought the new firewall online, we had some issues with some redirection rules we had, but we didn't touch the rules for the tunnels and all the tunnels came up the first time. Then, over the next few days, we started noticing that the tunnels would drop for a while, then reconnect.

I looked at the ipsec.conf files on both ends and at the man pages and decided that they needed to be cleaned up. For each point-to-point set, they've been reduced to:

ike esp from $local_gw to $remote_gw_a
ike esp from $local_net1 to $remote_net1 peer $remote_gw_a
ike esp from $local_net2 to $remote_net2 peer $remote_gw_a

The main firewall's config also has the "passive" keyword for all the tunnels. The tunnels are initiated from the remote ends.

Even after I did that we are seeing drop outs. The local end's daemon log is full of "isakmpd quick mode as responder" logs.

We're trying to get the people looking after the network infrastructure at the site where we're seeing the most dropouts to check the integrity of their connections, but since this started with our upgrade to 5.0 locally and 4.8 remotely, I suspect the new stuff we've put in.

What can I do to troubleshoot these intermittant dropouts?

Reply With Quote

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
IPsec/pf setup denta OpenBSD Security 1 25th May 2012 09:08 PM
isakmp to ipsec badguy OpenBSD Security 3 17th November 2010 10:52 PM
Need Help Please About IPsec wong_baru FreeBSD Security 2 21st June 2010 08:00 AM
Routing between site-to-site tunnels docrice OpenBSD General 5 26th September 2008 09:21 AM
Dropping an install on a fujitsu b142 Azeitonense OpenBSD Installation and Upgrading 6 2nd May 2008 08:23 PM

All times are GMT. The time now is 05:31 AM.

Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2018, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick