On Wed, 2008-08-27 at 21:41 +0200, Manuel Kasper wrote:
> On 27.08.2008, at 21:30, Angus MacGyver wrote:
>
> > The VPN to another site "drops" - I am not sure what is the
> > initiator of
> > the drop - the remote site's Internet connection dying - or something
> > "my" end.
>
> The next time this happens, and before you restart it by hitting the
> apply button, go to /status.php on both m0n0walls (if possible), get
> the SPD/SAD output and post it here. It might help figuring out what's
> going on...

Ah - sorry - one end isn't a m0n0wall ( remote end )

Thanks for giving me details where to look for more details.

> > To this end - I have seen the Dead Peer Detection setting - and it was
> > blank before - and just now put that to 60 seconds (what the hell -
> > worth a try whilst I fire this email off)
> >
> > Question is - and it ain't in the docs - just what does this do ?
>
> It's an IPsec feature described in RFC 3706 (http://www.ietf.org/rfc/rfc3706.txt
> ) that prevents "dead" SAs (security associations) by exchanging hello
> messages (a kind of ping) via IKE when there is no other IPsec
> traffic. If no reply is received from the remote end, the SAs are
> deleted (so that newer SAs, e.g. for a different remote IP address,
> can take over)

Aha - cheers.

> m0n0wall prefers new SAs over old ones by default, but DPD is still
> worth a try (just make sure to enable it on both sides).

Well - as both aren't m0n0wall - might be in territory that doesn't work - perhaps I will have to bite bullet and get a m0n0 at this site - it just means another plug and piece of kit to manage - and a router to persuade to be an adsl modem rather than a router :-/

Cheers

AM
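The DPD behaviour described in the quoted reply, modelled as an added example (not m0n0wall or racoon code): a peer monitor that sends an IKE R-U-THERE hello only once IPsec traffic has been idle for the configured delay, resends while no R-U-THERE-ACK arrives, and deletes the peer's SAs after repeated silence so newer SAs can take over. The 60-second delay matches the setting mentioned in the thread; the retry interval, retry count and SA identifiers are assumed values.

```python
from dataclasses import dataclass, field


@dataclass
class DpdMonitor:
    """Liveness tracker for one IPsec peer, following the RFC 3706 idea."""
    dpd_delay: int = 60       # seconds of IPsec silence before the first hello (thread's 60 s)
    retry_interval: int = 5   # assumed: seconds between unanswered hellos
    max_retries: int = 3      # assumed: unanswered hellos before the peer is declared dead
    last_traffic: int = 0     # time of the last ESP/AH packet or ACK from the peer
    last_hello: int = 0
    pending: int = 0          # R-U-THERE messages still awaiting an ACK
    sequence: int = 0
    sas: list = field(default_factory=lambda: ["spi-0x1"])  # constructed SA ids
    log: list = field(default_factory=list)

    def traffic_received(self, now):
        """Any IPsec traffic proves the peer is alive, so no hello is needed."""
        self.last_traffic = now
        self.pending = 0

    def ack_received(self, now):
        """An R-U-THERE-ACK counts as proof of life too."""
        self.ack_time = now
        self.traffic_received(now)

    def _send_hello(self, now):
        self.sequence += 1
        self.pending += 1
        self.last_hello = now
        return f"R-U-THERE seq={self.sequence}"

    def tick(self, now):
        """Called periodically; returns the DPD message to send, if any."""
        if not self.sas:
            return None                       # nothing left to protect
        if self.pending == 0:
            if now - self.last_traffic >= self.dpd_delay:
                return self._send_hello(now)  # link idle: ask the peer
            return None
        if now - self.last_hello < self.retry_interval:
            return None                       # still waiting for an ACK
        if self.pending >= self.max_retries:
            # Peer considered dead: drop its SAs so a fresh negotiation can replace them.
            self.log.append(f"{now}: peer dead, deleting SAs {self.sas}")
            self.sas = []
            return None
        return self._send_hello(now)          # retransmit the hello


def run(monitor, timeline):
    """Drive the monitor with (time, event) pairs; event is 'traffic', 'ack' or 'tick'."""
    sent = []
    for t, event in timeline:
        if event == "traffic":
            monitor.traffic_received(t)
        elif event == "ack":
            monitor.ack_received(t)
        msg = monitor.tick(t)
        if msg:
            sent.append((t, msg))
    return sent
```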