 
 From:  "RP Smith" <rpsmith at hotmail dot com>
 To:  jsimoneau at lmtcs dot com, m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] IPSEC VPN lifetime and either end initiation
 Date:  Tue, 14 Jun 2005 12:31:24 -0500
Josh,

I have about 6 IPsec tunnels up 24x7 and have very few problems.  However, 
I'm not using any Mobile Clients.  Also, for this to work you need static 
addresses on both ends or at least addresses that stay the same for months at 
a time. An example of one of my tunnels follows:

WAN
LAN Subnet
192.168.123.0/24
remote gateway's IP
Description of tunnel
aggressive
Domain name xyz.com
Blowfish
SHA1
2
86400
Pre-Shared Key goes here
ESP
Blowfish
SHA1
2
86400

Hope that helps.

Roy...


>From: "Josh Simoneau" <jsimoneau at lmtcs dot com>
>To: <m0n0wall at lists dot m0n0 dot ch>
>Subject: [m0n0wall] IPSEC VPN lifetime and either end initiation
>Date: Tue, 14 Jun 2005 11:09:03 -0400
>
>I've got one site with a central m0n0wall with a VPN accelerator that
>does tunnels to about 8 other locations. I am constantly having problems
>with the VPNs dropping and having to be re-established, though.
>
>Looking at the m0n0wall documentation and several posts here about phase
>1 and phase 2 time settings, it seemed like phase 2 is more of the
>lifetime of the vpn, which would be what I am concerned with. However,
>after reading http://www.onlamp.com/lpt/a/3009 (look for phase 1 and 2
>section) it hints that phase 2 should be longer than phase 1. I am
>confused, can anyone give me some hints as to what is optimal for
>keeping the VPN up as long as possible? Let's say it's completely
>non-critical data and that it's more important the VPN is up all the time
>than anything else.
>
>Currently when the VPN goes down I have to initiate it again with a
>couple pings. I have the central office m0n0wall set up with everything
>on the 'Tunnels' tab and the remote offices set up with everything on the
>'mobile clients' and 'preshared keys' tabs. I can initiate the
>connection fine from the central office, but not from the remote sites.
>This is nice for convenience and having a central point to bring VPNs
>back up, but it is not great for my remote sites that need to start the
>VPN back up on their own.
>
>Is there any way to have the VPN initiate from either end? Can I
>propagate all three tabs on both ends and have that work? Or will that
>cause problems?
>
>Thanks everyone!
>
>Josh
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
>For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch
>
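The thread turns on two things: both ends of a tunnel agreeing on their phase 1 and phase 2 proposals, and how the two lifetimes relate. The following checker is an added example and is not code from the thread or from m0n0wall; it models the fields Roy lists above (negotiation mode, phase 1 and phase 2 cipher/hash/DH group/lifetime, pre-shared key) as plain data and compares the two ends of a tunnel the way an administrator would before blaming the lifetimes. The rule it applies, that the phase 2 (IPsec SA) lifetime should not exceed the phase 1 (IKE SA) lifetime, is the convention this example uses, not a statement from the thread; the sample endpoint values are constructed.

```python
"""Consistency check for the two ends of a site-to-site IPsec tunnel.

Added example, not part of the mailing-list thread or of m0n0wall. The field
set mirrors the values listed in the tunnel example above; the sample values
at the bottom are constructed for the demonstration.
"""
from dataclasses import dataclass
import hmac


@dataclass(frozen=True)
class Phase:
    encryption: str     # e.g. "blowfish", "3des", "aes"
    hash_alg: str       # e.g. "sha1", "md5"
    dh_group: int       # DH group for phase 1, PFS group for phase 2
    lifetime_sec: int   # SA lifetime in seconds


@dataclass(frozen=True)
class TunnelEnd:
    name: str
    mode: str           # "main" or "aggressive"
    phase1: Phase
    phase2: Phase
    psk: str


def _compare_phase(label, left, right, findings):
    """Both peers must offer matching proposals or IKE negotiation fails."""
    for field in ("encryption", "hash_alg", "dh_group"):
        lv, rv = getattr(left, field), getattr(right, field)
        if lv != rv:
            findings.append(("error", f"{label} {field} differs: {lv!r} vs {rv!r}"))
    if left.lifetime_sec != right.lifetime_sec:
        # A lifetime mismatch is negotiated rather than fatal, but it is a
        # classic cause of one side expiring an SA the other still uses.
        findings.append(("warning",
                         f"{label} lifetime differs: "
                         f"{left.lifetime_sec}s vs {right.lifetime_sec}s"))


def check_tunnel(a: TunnelEnd, b: TunnelEnd):
    """Return a list of (severity, message) findings for one tunnel's two ends."""
    findings = []
    if a.mode != b.mode:
        findings.append(("error", f"negotiation mode differs: {a.mode} vs {b.mode}"))
    # Constant-time comparison so the checker itself does not leak key timing.
    if not hmac.compare_digest(a.psk.encode(), b.psk.encode()):
        findings.append(("error", "pre-shared keys do not match"))
    _compare_phase("phase 1", a.phase1, b.phase1, findings)
    _compare_phase("phase 2", a.phase2, b.phase2, findings)
    for end in (a, b):
        # Convention used by this example: the IPsec SA (phase 2) should not
        # outlive the IKE SA (phase 1) that is needed to rekey it.
        if end.phase2.lifetime_sec > end.phase1.lifetime_sec:
            findings.append(("warning",
                             f"{end.name}: phase 2 lifetime ({end.phase2.lifetime_sec}s) "
                             f"exceeds phase 1 lifetime ({end.phase1.lifetime_sec}s)"))
        if end.mode == "aggressive":
            findings.append(("info",
                             f"{end.name}: aggressive mode sends the identity "
                             "unencrypted and exposes the PSK-derived hash to "
                             "offline guessing; main mode is preferable when "
                             "both addresses are static"))
    return findings


# Constructed sample: the two ends of one tunnel, following the field list above.
SITE_A = TunnelEnd("site-a", "aggressive",
                   Phase("blowfish", "sha1", 2, 86400),
                   Phase("blowfish", "sha1", 2, 86400),
                   psk="example-psk-not-real")
SITE_B = TunnelEnd("site-b", "aggressive",
                   Phase("blowfish", "sha1", 2, 86400),
                   Phase("blowfish", "sha1", 2, 28800),   # drifted phase 2 lifetime
                   psk="example-psk-not-real")

if __name__ == "__main__":
    for severity, message in check_tunnel(SITE_A, SITE_B):
        print(f"[{severity}] {message}")
```

Run against the constructed pair, it reports the phase 2 lifetime drift as a warning and flags aggressive mode on both ends as informational; a cipher, hash, DH group, mode or PSK mismatch is reported as an error because the peers would never complete negotiation. The hmac.compare_digest call is the standard constant-time comparison from the Python library, used so that a tool handling pre-shared keys does not itself become a timing side channel.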