[ previous ] [ next ] [ threads ]
 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] 1.2b1 IPsec SA issues
 Date:  Fri, 8 Oct 2004 15:44:42 -0400
Well I've beat the hell out of this problematic VPN connection, and
have only taken it down once.

The one time was after a couple gig of data transferred over it over a
period of about 10-12 hours.  But it didn't go down until about 8
hours after the heavy transfer.  Checked the SA's, and had 16 with src
PIX dst m0n0, one in the opposite direction.  Deleted all the SA's on
the connection and it came right back.

1 hour later, some heavy transfer (about 250 MB), had 3 SA's src PIX
dst m0n0.  Connection still fine.

19 hours later, probably 500 MB total transfer since the connection
came back up, there are 5 SA's, src PIX dst m0n0.

I just turned off the prefer newer, per Fred's instructions.

$ sysctl -w net.key.preferred_oldsa=1
net.key.preferred_oldsa: -30 -> 1

And I deleted all the SA's for that connection, so I have the normal 1
in each direction right now.

Beating it up again and will report back.  I haven't been able to make
it go down while stressing it other than that one time I mentioned,
and I've beat it up pretty bad in the last week.

The byte limit on the PIX is 50,000 KB, and it seems to create a
duplicate SA for approximately every 100-125 MB of data transferred,
though that has varied to some extent.