 From:  "C. Andrew Zook" <andrewzook at pdqlocks dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  IPSec Phase Negotiation bringing me down (literally!!)
 Date:  Wed, 12 Apr 2006 07:09:25 -0400

I have been monitoring Smokeping graphs of the ping times to Tunnels at 
my 5 remote locations, and I have noticed that my Phase 2 key 
negotiations correspond to times on the Smokeping graph where I have had 
high latency and dropped packets (for periods of up to 15 minutes!!).

When I try to use my connection during one of these times, I find that 
it is completely unusable! Either the connection is completely drowned 
out, or the CPU usage is too much for my poor little WRAP board. I can't 
seem to get a handle on what is happening!

When I look in the logs, the Phase 2 negotiation takes up at least 3/4 
of the log page for one negotiation, and it seems rather repetitive, but 
it does not list any errors.

I have done the obvious thing for now and set the Phase 2 lifetime much 
higher (it was at 4 hours, now matches the Phase 1 lifetime at 24 hours).

As background, I have one central location with a static IP. All of 
the other locations have a dynamic IP and are set up as mobile clients.

I am using aggressive mode for negotiation.

Thanks for any tips!