 From:  Angus MacGyver <macgyver at calibre dash solutions dot co dot uk>
 To:  Manuel Kasper <mk at neon1 dot net>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Dead Peer - not for shooting...
 Date:  Wed, 27 Aug 2008 20:59:04 +0100
On Wed, 2008-08-27 at 21:41 +0200, Manuel Kasper wrote:
> On 27.08.2008, at 21:30, Angus MacGyver wrote:
> > The VPN to another site "drops" - I am not sure what is the initiator of
> > the drop - the remote site's Internet connection dying - or something "my" end.
> The next time this happens, and before you restart it by hitting the  
> apply button, go to /status.php on both m0n0walls (if possible), get  
> the SPD/SAD output and post it here. It might help figuring out what's  
> going on...

Ah - sorry - one end isn't a m0n0wall (remote end)
Thanks for giving me details where to look for more details.

> > To this end - I have seen the Dead Peer Detection setting - and it was
> > blank before - and just now put that to 60 seconds (what the hell -
> > worth a try whilst I fire this email off)
> >
> > Question is - and it ain't in the docs - just what does this do ?
> It's an IPsec feature described in RFC 3706 (http://www.ietf.org/rfc/rfc3706.txt)
> that prevents "dead" SAs (security associations) by exchanging hello
> messages (a kind of ping) via IKE when there is no other IPsec
> traffic. If no reply is received from the remote end, the SAs are
> deleted (so that newer SAs, e.g. for a different remote IP address,
> can take over).

Aha - cheers.

> m0n0wall prefers new SAs over old ones by default, but DPD is still  
> worth a try (just make sure to enable it on both sides).

Well - as both aren't m0n0wall - might be in territory that doesn't work
- perhaps I will have to bite the bullet and get a m0n0 at this site - it
just means another plug and piece of kit to manage - and a router to
persuade to be an adsl modem rather than a router :-/
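The DPD exchange Manuel describes above, modelled as an added example (this is not m0n0wall's code and not from the original thread): two peers, the R-U-THERE / R-U-THERE-ACK notifies of RFC 3706 with their sequence numbers, a retry limit after which the local side deletes its SAs, and the case where the remote end does not do DPD at all, which is why it has to be enabled on both sides. The peer names, the 60-second idle timeout, the 3-probe retry limit, the tick timing and the "wire" are all assumptions made for the example; only the two notify type numbers are the RFC's.

```python
"""Simplified model of IKEv1 Dead Peer Detection (RFC 3706).

Constructed teaching example, not m0n0wall code and not a real IKE stack.
Two peers exchange R-U-THERE / R-U-THERE-ACK notifies once an SA has been
idle; unanswered probes are counted and the SAs are torn down after a
retry limit.  Notify type numbers are the RFC 3706 values; peers, timings
and the "wire" are made up for the example.
"""
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple

R_U_THERE = 36136      # RFC 3706 notify message types
R_U_THERE_ACK = 36137


@dataclass
class Notify:
    kind: int
    seq: int           # 32-bit sequence number carried in the notify


class Peer:
    def __init__(self, name: str, dpd_enabled: bool = True,
                 idle_timeout: float = 60.0, max_failures: int = 3):
        self.name = name
        self.dpd_enabled = dpd_enabled       # local DPD setting (assumed: the "60 seconds" box)
        self.idle_timeout = idle_timeout     # seconds of silence before probing
        self.max_failures = max_failures     # unanswered probes before SAs are dropped
        self.sas = {"ISAKMP SA", "IPsec SA"}  # constructed: pretend both phases are up
        self.last_traffic = 0.0
        # RFC 3706: sequence numbers start at a random value and only increase
        self.seq = random.randrange(1, 2 ** 31)
        self.outstanding: Optional[int] = None   # seq of the probe awaiting an ACK
        self.failures = 0
        self.last_seen_seq = 0                   # replay check on received probes
        self.peer_supports_dpd = False           # learned from the DPD vendor ID in phase 1

    def saw_traffic(self, now: float) -> None:
        """Any authenticated traffic from the peer resets the idle clock."""
        self.last_traffic = now
        self.failures = 0

    def poll(self, now: float) -> Optional[Notify]:
        """Periodic timer.  Returns an R-U-THERE to transmit, or None."""
        # DPD only runs if both sides negotiated it and there are SAs to protect
        if not (self.dpd_enabled and self.peer_supports_dpd) or not self.sas:
            return None
        if now - self.last_traffic < self.idle_timeout:
            return None                      # real traffic is proof of liveness
        if self.outstanding is not None:
            self.failures += 1               # previous probe went unanswered
            if self.failures >= self.max_failures:
                self.sas.clear()             # peer declared dead: tear down SAs
                self.outstanding = None
                return None
        self.seq += 1
        self.outstanding = self.seq
        return Notify(R_U_THERE, self.seq)

    def receive(self, msg: Notify, now: float) -> Optional[Notify]:
        """Handle an incoming DPD notify; returns an ACK to send back, if any."""
        if msg.kind == R_U_THERE:
            if msg.seq <= self.last_seen_seq:
                return None                  # replayed or stale probe: ignore
            self.last_seen_seq = msg.seq
            self.saw_traffic(now)
            return Notify(R_U_THERE_ACK, msg.seq)   # ACK echoes the sequence number
        if msg.kind == R_U_THERE_ACK:
            if msg.seq != self.outstanding:
                return None                  # ACK for a probe we did not send: ignore
            self.outstanding = None
            self.saw_traffic(now)
        return None


def simulate(remote_dpd: bool, remote_dies_at: Optional[float],
             ticks: int = 10, step: float = 30.0) -> Tuple[Peer, List[str]]:
    """Run the local peer's DPD timer against a remote that may go silent."""
    local = Peer("local", dpd_enabled=True)
    remote = Peer("remote", dpd_enabled=remote_dpd)
    # Phase 1 vendor ID exchange (simplified): each side learns if the other does DPD
    local.peer_supports_dpd = remote.dpd_enabled
    remote.peer_supports_dpd = local.dpd_enabled
    log: List[str] = []
    for i in range(ticks):
        now = i * step
        remote_alive = remote_dies_at is None or now < remote_dies_at
        probe = local.poll(now)
        if probe is None:
            continue
        log.append(f"t={now:.0f} -> R-U-THERE seq={probe.seq}")
        if remote_alive:
            ack = remote.receive(probe, now)
            if ack is not None:
                local.receive(ack, now)
                log.append(f"t={now:.0f} <- R-U-THERE-ACK seq={ack.seq}")
        else:
            log.append(f"t={now:.0f}    (no answer)")
    if not local.sas:
        log.append("local: SAs deleted, peer declared dead")
    return local, log


if __name__ == "__main__":
    for dpd, dies in [(True, None), (True, 0.0), (False, 0.0)]:
        print(f"--- remote DPD={dpd}, remote goes silent at {dies}")
        print("\n".join(simulate(dpd, dies)[1]) or "(no probes sent)")
```

With the remote alive, a probe goes out every 60 seconds of silence and each ACK resets the idle clock. With the remote silent, three unanswered probes delete the local SAs, which is the point of the feature: a fresh negotiation can then replace them. With DPD off at the remote end nothing is ever sent, so the dead peer is never noticed, which is why Manuel says to enable it on both sides. The two sequence-number checks (a probe that does not advance the counter, an ACK that does not match the outstanding probe) are the RFC's guard against replayed liveness proofs.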