On Wed, 2008-08-27 at 21:41 +0200, Manuel Kasper wrote:
> On 27.08.2008, at 21:30, Angus MacGyver wrote:
> > The VPN to another site "drops" - I am not sure what is the
> > initiator of the drop - the remote site's Internet connection dying - or
> > something at "my" end.
> The next time this happens, and before you restart it by hitting the
> apply button, go to /status.php on both m0n0walls (if possible), get
> the SPD/SAD output and post it here. It might help figuring out what's
> going on...
Ah - sorry - one end isn't a m0n0wall (the remote end).
Thanks for giving me details where to look for more details.
> > To this end - I have seen the Dead Peer Detection setting - and it was
> > blank before - and just now put that to 60 seconds (what the hell -
> > worth a try whilst I fire this email off)
> > Question is - and it ain't in the docs - just what does this do ?
> It's an IPsec feature described in RFC 3706
> (http://www.ietf.org/rfc/rfc3706.txt) that prevents "dead" SAs (security
> associations) by exchanging hello
> messages (a kind of ping) via IKE when there is no other IPsec
> traffic. If no reply is received from the remote end, the SAs are
> deleted (so that newer SAs, e.g. for a different remote IP address,
> can take over).
Aha - cheers.
> m0n0wall prefers new SAs over old ones by default, but DPD is still
> worth a try (just make sure to enable it on both sides).
Well - as both aren't m0n0wall - might be in territory that doesn't work
- perhaps I will have to bite the bullet and get a m0n0 at this site - it
just means another plug and piece of kit to manage - and a router to
persuade to be an ADSL modem rather than a router :-/
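The DPD behaviour Manuel describes above (probe only when the tunnel is idle, tear the SAs down when the peer stops answering) is easy to misjudge from a single "60 seconds" knob, so here is a small simulation of the RFC 3706 liveness logic. This is an added example, not code from the thread, from m0n0wall or from racoon; the idle interval, retry interval and failure count are this example's own defaults, and the one-second tick and the scripted peer are constructed inputs. It also shows why DPD has to be supported on both sides: a peer that never sends R-U-THERE-ACK looks exactly like a dead one.

```python
"""Simulation of IPsec Dead Peer Detection (RFC 3706) timing.

Added example, not m0n0wall or racoon code. RFC 3706 sends an IKE
R-U-THERE notify only when nothing has been heard from the peer for a
while; the peer answers with R-U-THERE-ACK echoing the sequence number.
Unanswered probes are retried a few times, then the SAs are deleted.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DpdMonitor:
    """Liveness state for one IKE peer.

    Defaults are assumptions for this example, not m0n0wall's settings:
    60 s idle before the first probe, 5 s between retries, three
    unanswered probes before the SAs are declared dead.
    """
    idle_interval: float = 60.0
    retry_interval: float = 5.0
    max_failures: int = 3
    last_rx: float = 0.0              # last time anything arrived from peer
    seq: int = 0                      # R-U-THERE sequence number
    outstanding: Optional[int] = None # seq of the probe awaiting an ACK
    last_probe: float = 0.0
    failures: int = 0                 # probes sent without an ACK
    sa_alive: bool = True

    def on_inbound(self, now: float) -> None:
        """Any inbound IPsec/IKE traffic proves the peer is alive."""
        self.last_rx = now
        self.outstanding = None
        self.failures = 0

    def on_ack(self, seq: int, now: float) -> bool:
        """R-U-THERE-ACK counts only if it echoes the outstanding seq,
        so a stale or replayed ACK cannot keep a dead SA alive."""
        if self.outstanding is not None and seq == self.outstanding:
            self.on_inbound(now)
            return True
        return False

    def tick(self, now: float) -> str:
        """Run once per timer tick; returns the action taken."""
        if not self.sa_alive:
            return "dead"
        if self.outstanding is None:
            if now - self.last_rx < self.idle_interval:
                return "idle"            # real traffic seen recently: no probe
            return self._probe(now)
        if now - self.last_probe < self.retry_interval:
            return "waiting"
        if self.failures >= self.max_failures:
            self.sa_alive = False        # newer SAs may now take over
            return "delete-sa"
        return self._probe(now)

    def _probe(self, now: float) -> str:
        self.seq += 1
        self.outstanding = self.seq
        self.last_probe = now
        self.failures += 1
        return f"R-U-THERE seq={self.seq}"


def simulate(peer_answers: bool, end: float = 200.0
             ) -> Tuple[DpdMonitor, List[Tuple[float, str]]]:
    """Constructed scenario: the peer sends real traffic until t=10 s, then
    goes quiet. If peer_answers it ACKs each probe one second later (DPD on
    both sides); otherwise it ignores probes (DPD off, or peer down)."""
    mon = DpdMonitor()
    events: List[Tuple[float, str]] = []
    pending_ack: Optional[Tuple[int, float]] = None
    t = 0.0
    while t <= end:
        if t <= 10:
            mon.on_inbound(t)
        if pending_ack and peer_answers and t >= pending_ack[1]:
            mon.on_ack(pending_ack[0], t)
            events.append((t, f"ack seq={pending_ack[0]}"))
            pending_ack = None
        action = mon.tick(t)
        if action.startswith("R-U-THERE"):
            events.append((t, action))
            pending_ack = (mon.seq, t + 1.0)
        elif action == "delete-sa":
            events.append((t, action))
            break
        t += 1.0
    return mon, events


if __name__ == "__main__":
    for answers in (True, False):
        mon, ev = simulate(answers)
        print(f"peer answers={answers}: sa_alive={mon.sa_alive}")
        for when, what in ev:
            print(f"  t={when:5.0f}s  {what}")
```

With a silent peer the first probe goes out 60 s after the last real packet, two retries follow at 5 s spacing, and the SAs are deleted 75 s after the tunnel went quiet; with an answering peer the same probes are ACKed and the tunnel is simply re-probed every idle interval. RFC 3706 also has peers advertise DPD support with a Vendor ID payload in IKE phase 1, so a conforming implementation probes only a peer that announced support, which is why the setting needs to be on at both ends.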