[ previous ] [ next ] [ threads ]
 From:  "Josh Simoneau" <jsimoneau at lmtcs dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  IPSEC VPN lifetime and either end initiation
 Date:  Tue, 14 Jun 2005 11:09:03 -0400
I've got one site with a central m0n0wall with a vpn accellerator that
does tunnels to about 8 other locations. I am constantly having problems
with the VPNs dropping and having to be re-established, though.

Looking at the m0n0wall documentation and several posts here about phase
1 and phase 2 time settings, it seemed like phase 2 is more of the
lifetime of the vpn, which would be what I am concerned with. However,
after reading http://www.onlamp.com/lpt/a/3009 (look for phase 1 and 2
section) it hints that phase 2 should be longer than phase 1. I am
confused, can anyone give me some hints as to what is optimal for
keeping the VPN up as long as possible? Lets say its completely
non-critical data and that its more important the VPN is up all the time
than anything else.

Currently when the VPN goes down I have to initiate it again with a
couple pings. I have the central office m0n0wall setup with everything
on the 'Tunnels' tab and the remote offices setup with everything on the
'mobile clients' and 'preshared keys' tabs. I can initiate the
connection fine from the central office, but not from the remote sites.
This is nice for convenience and having a central point to bring VPNs
back up, but it is not great for my remote sites that need to start the
VPN back up on their own. 

Is there any way to have the VPN initiate from either end? Can I
propigate all three tabs on both ends and have that work? Or will that
cause problems?

Thanks everyone!