On 27.08.2008, at 21:30, Angus MacGyver wrote:
> The VPN to another site "drops" - I am not sure what is the
> initiator of
> the drop - the remote site's Internet connection dying - or something
> "my" end.
The next time this happens, and before you restart it by hitting the
apply button, go to /status.php on both m0n0walls (if possible), get
the SPD/SAD output and post it here. It might help figuring out what's
> To this end - I have seen the Dead Peer Detection setting - and it was
> blank before - and just now put that to 60 seconds (what the hell -
> worth a try whilst I fire this email off)
> Question is - and it ain't in the docs - just what does this do ?
It's an IPsec feature described in RFC 3706 (http://www.ietf.org/rfc/rfc3706.txt)
that prevents "dead" SAs (security associations) by exchanging hello
messages (a kind of ping) via IKE when there is no other IPsec
traffic. If no reply is received from the remote end, the SAs are
deleted (so that newer SAs, e.g. for a different remote IP address,
can take over).
m0n0wall prefers new SAs over old ones by default, but DPD is still
worth a try (just make sure to enable it on both sides).
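As an added illustration of the DPD mechanism described in the reply above (the idle timer, the R-U-THERE/R-U-THERE-ACK exchange over IKE, and deletion of the SAs once the peer stops answering), here is a small timing simulation. It is constructed example code, not m0n0wall's or racoon's implementation; the 60-second idle interval matches the setting mentioned in the thread, while the 5-second retransmit interval and the three-probe limit are assumed values.

```python
"""Simulation of Dead Peer Detection (RFC 3706) timing for one IKE peer.

Constructed example; times are plain seconds so the behaviour can be
stepped through deterministically.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DpdMonitor:
    delay: float = 60.0          # idle seconds before the first R-U-THERE (the m0n0wall setting)
    retry_interval: float = 5.0  # assumed: seconds between retransmitted probes
    max_probes: int = 3          # assumed: unanswered probes before the peer is declared dead
    last_inbound: float = 0.0    # time of the last packet received from the peer
    next_seq: int = 1            # sequence number for the next fresh R-U-THERE
    pending_seq: Optional[int] = None   # probe awaiting an R-U-THERE-ACK
    probes_sent: int = 0
    next_probe_at: float = 0.0
    dead: bool = False
    actions: List[str] = field(default_factory=list)

    def on_inbound(self, now: float) -> None:
        """Any traffic from the peer (ESP or IKE) proves liveness: reset the idle clock."""
        self.last_inbound = now

    def on_ack(self, seq: int, now: float) -> None:
        """R-U-THERE-ACK: only the outstanding sequence number clears the probe state."""
        self.on_inbound(now)
        if seq == self.pending_seq:
            self.pending_seq = None
            self.probes_sent = 0

    def _send_probe(self, now: float) -> str:
        if self.pending_seq is None:
            self.pending_seq = self.next_seq
            self.next_seq += 1
        self.probes_sent += 1
        self.next_probe_at = now + self.retry_interval
        msg = f"t={now:g}: send R-U-THERE seq={self.pending_seq} (attempt {self.probes_sent})"
        self.actions.append(msg)
        return msg

    def tick(self, now: float) -> List[str]:
        """Run the timer logic; returns what the IKE daemon would do at this instant."""
        if self.dead:
            return []
        if self.pending_seq is None:
            # Probe only when the tunnel has been silent for `delay` seconds.
            if now - self.last_inbound >= self.delay:
                return [self._send_probe(now)]
            return []
        if now < self.next_probe_at:
            return []
        if self.probes_sent >= self.max_probes:
            self.dead = True
            msg = f"t={now:g}: peer dead, delete IKE SA and its IPsec SAs"
            self.actions.append(msg)
            return [msg]
        # Retransmit; this example reuses the same sequence number for the retry.
        return [self._send_probe(now)]


def simulate(traffic_until: float, alive_until: float, horizon: float = 300.0) -> DpdMonitor:
    """Drive a monitor against a scripted peer.

    Constructed ESP traffic arrives every 10 s until `traffic_until`; the peer
    answers probes only while `now < alive_until`.
    """
    m = DpdMonitor(delay=60.0, retry_interval=5.0, max_probes=3)
    for t in range(int(horizon) + 1):
        now = float(t)
        if now < traffic_until and t % 10 == 0:
            m.on_inbound(now)
        for act in m.tick(now):
            if "R-U-THERE seq" in act and now < alive_until:
                m.on_ack(m.pending_seq, now)  # a live peer answers promptly
    return m


if __name__ == "__main__":
    for label, m in [("remote dropped off the net", simulate(100, 100)),
                     ("idle but alive", simulate(100, float("inf")))]:
        print(label)
        for line in m.actions:
            print("  " + line)
```

Running it shows the two cases the thread cares about: when the remote site's connection dies at t=100, the last ESP packet was seen at t=90, the first probe goes out at t=150, two retransmits follow, and the SAs are torn down at t=165; when the tunnel is merely idle, each probe is acknowledged and the SAs survive. This is also why DPD has to be enabled on both ends: a peer that does not implement it never sends the ACK.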