On 27.08.2008, at 21:30, Angus MacGyver wrote:

> The VPN to another site "drops" - I am not sure what is the
> initiator of the drop - the remote site's Internet connection dying - or something
> "my" end.

The next time this happens, and before you restart it by hitting the apply button, go to /status.php on both m0n0walls (if possible), get the SPD/SAD output and post it here. It might help figuring out what's going on...

> To this end - I have seen the Dead Peer Detection setting - and it was
> blank before - and just now put that to 60 seconds (what the hell -
> worth a try whilst I fire this email off)
>
> Question is - and it ain't in the docs - just what does this do ?

It's an IPsec feature described in RFC 3706 (http://www.ietf.org/rfc/rfc3706.txt) that prevents "dead" SAs (security associations) by exchanging hello messages (a kind of ping) via IKE when there is no other IPsec traffic. If no reply is received from the remote end, the SAs are deleted (so that newer SAs, e.g. for a different remote IP address, can take over). m0n0wall prefers new SAs over old ones by default, but DPD is still worth a try (just make sure to enable it on both sides).

- Manuel
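Added illustration (not part of the thread, and not m0n0wall or racoon code): a simplified model of the DPD liveness logic Manuel describes, with the 60-second idle interval from the question and an assumed retry interval and retry count, driven over two constructed timelines.

```python
# Hypothetical, simplified model of IPsec Dead Peer Detection (RFC 3706).
# Written for this page; not m0n0wall, racoon or any real IKE daemon.
# interval/retry_interval/max_retries are assumed knobs, not m0n0wall settings.
from dataclasses import dataclass


@dataclass
class DpdMonitor:
    interval: int = 60        # IPsec idle time before the first hello (R-U-THERE)
    retry_interval: int = 5   # how long to wait for an ACK before re-sending
    max_retries: int = 3      # unanswered hellos tolerated before the SAs go
    last_traffic: int = 0     # last time any IPsec/IKE packet came from the peer
    last_probe: int = -10**9  # last time a hello was sent
    unanswered: int = 0       # hellos sent since the peer last proved it is alive
    sa_alive: bool = True

    def peer_traffic(self, now: int) -> None:
        """Any ESP/IKE packet from the peer, incl. R-U-THERE-ACK, proves liveness."""
        self.last_traffic = now
        self.unanswered = 0

    def tick(self, now: int):
        """Called once per simulated second; returns the action to take, if any."""
        if not self.sa_alive:
            return None
        if now - self.last_traffic < self.interval:
            return None                 # real traffic is flowing, no hello needed
        if now - self.last_probe < self.retry_interval:
            return None                 # still waiting for an ACK to the last hello
        if self.unanswered >= self.max_retries:
            self.sa_alive = False       # peer is dead: delete the SAs so a fresh
            return "DELETE_SA"          # negotiation (maybe from a new IP) can replace them
        self.unanswered += 1
        self.last_probe = now
        return "R-U-THERE"


def run_scenario(events: dict, end_time: int, **kw):
    """Simulate one monitor; events maps time -> True when the peer sends something."""
    mon = DpdMonitor(**kw)
    actions = []
    for now in range(end_time + 1):
        if events.get(now):
            mon.peer_traffic(now)
        act = mon.tick(now)
        if act:
            actions.append((now, act))
    return actions, mon.sa_alive


if __name__ == "__main__":
    # Constructed timelines: a silent peer, and one that answers the first hello.
    print(run_scenario({}, 100))
    print(run_scenario({30: True, 91: True}, 120))
```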