 From:  Manuel Kasper <mk at neon1 dot net>
 To:  Angus MacGyver <macgyver at calibre dash solutions dot co dot uk>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Dead Peer - not for shooting...
 Date:  Wed, 27 Aug 2008 21:41:39 +0200
On 27.08.2008, at 21:30, Angus MacGyver wrote:

> The VPN to another site "drops" - I am not sure what is the initiator of
> the drop - the remote site's Internet connection dying - or something
> "my" end.

The next time this happens, and before you restart it by hitting the  
apply button, go to /status.php on both m0n0walls (if possible), get  
the SPD/SAD output and post it here. It might help figuring out what's  
going on...

> To this end - I have seen the Dead Peer Detection setting - and it was
> blank before - and just now put that to 60 seconds (what the hell -
> worth a try whilst I fire this email off)
>
> Question is - and it ain't in the docs - just what does this do ?

It's an IPsec feature described in RFC 3706 (http://www.ietf.org/rfc/rfc3706.txt)
that prevents "dead" SAs (security associations) by exchanging hello
messages (a kind of ping) via IKE when there is no other IPsec  
traffic. If no reply is received from the remote end, the SAs are  
deleted (so that newer SAs, e.g. for a different remote IP address,  
can take over).

m0n0wall prefers new SAs over old ones by default, but DPD is still  
worth a try (just make sure to enable it on both sides).

- Manuel
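
The DPD exchange described in the message above, as an added example that is not part of the original e-mail and is not m0n0wall's or racoon's code: it builds the RFC 3706 R-U-THERE / R-U-THERE-ACK notify payloads and runs the idle, retry and give-up logic against a clock the caller supplies. The names `DpdMonitor`, `build_notify` and `parse_notify`, the retry and maxfail values and the starting sequence number are assumptions; the 60-second interval is the value from the thread.

```python
import struct
R_U_THERE, R_U_THERE_ACK = 36136, 36137  # Notify message types from RFC 3706

def build_notify(msg_type, cookies, seq):
    """ISAKMP Notify payload carrying a DPD message (DOI 1, protocol 1 = ISAKMP)."""
    # SPI field holds both IKE cookies; notification data is a 32-bit sequence number.
    body = struct.pack("!IBBH", 1, 1, len(cookies), msg_type) + cookies + struct.pack("!I", seq)
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body

def parse_notify(payload):
    _, _, length, _, _, spi_size, msg_type = struct.unpack("!BBHIBBH", payload[:12])
    if length != len(payload) or length != 12 + spi_size + 4:
        raise ValueError("malformed DPD notify")
    (seq,) = struct.unpack("!I", payload[12 + spi_size:])
    return msg_type, payload[12:12 + spi_size], seq

class DpdMonitor:
    """Liveness state for one peer; retry and maxfail values are assumptions."""
    def __init__(self, cookies, interval=60, retry=5, maxfail=5, seq=1000):
        self.cookies, self.interval, self.retry, self.maxfail = cookies, interval, retry, maxfail
        self.seq, self.pending, self.failures = seq, None, 0
        self.last_seen, self.sent_at, self.alive = 0, 0, True

    def saw_traffic(self, now):  # traffic from the peer proves liveness
        self.last_seen, self.pending, self.failures = now, None, 0

    def tick(self, now):
        """Return an R-U-THERE payload to send now, or None."""
        if not self.alive:
            return None
        if self.pending is None:
            if now - self.last_seen < self.interval:
                return None  # tunnel not idle long enough, no probe needed
        elif now - self.sent_at < self.retry:
            return None  # still waiting for the ACK
        else:
            self.failures += 1
            if self.failures >= self.maxfail:
                self.alive = False  # caller deletes the IKE and IPsec SAs here
                return None
        self.seq += 1
        self.pending, self.sent_at = self.seq, now
        return build_notify(R_U_THERE, self.cookies, self.seq)

    def handle_ack(self, payload, now):
        msg_type, cookies, seq = parse_notify(payload)
        if (msg_type, cookies, seq) != (R_U_THERE_ACK, self.cookies, self.pending):
            return False  # wrong type, wrong SA, or stale sequence number
        self.saw_traffic(now)
        return True
```

Rejecting an ACK whose cookies or sequence number do not match the outstanding probe keeps a replayed or stale reply from holding a dead SA open.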