 From:  Odette Nsaka <odette dot nsaka at libero dot it>
 To:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] IPsec Tunnel DPD does not work
 Date:  Tue, 22 Feb 2011 17:33:05 +0100
I have the same issue with PfSense and maybe the problem you are
discussing is the same. So I'm going to write about PfSense hoping that
this will be helpful. 

Maybe the problem in PfSense is related to the configuration file
racoon.conf, where "remote" is specified as the IP address even though in
the web configuration panel I only use the DynDNS FQDN.

Also in psk.txt the pre-shared key is associated with the IP and not with the
FQDN. This means that every time the dynamic IP changes, the racoon
configuration is wrong. If you re-save the IPSec configuration via the
web interface, the configuration files are updated to the new IP, racoon
is restarted and everything works fine until the next IP change.

Is it possible that DPD does not force:
- a new DNS resolution of the FQDN remote gateway of the tunnel
- the update of racoon.conf and psk.txt with the new IP
- racoon restart with the new configuration?


On Tue, 22/02/2011 at 22.36 +0800, Heinz Teichmann wrote:

> ________________________________________
> From: René Moser [mail at renemoser dot net]
> Sent: Tuesday, 22 February 2011 9:38 PM
> To: m0n0wall at lists dot m0n0 dot ch
> Subject: [m0n0wall] IPsec Tunnel DPD does not work
> Hi
> I am using 2 m0n0walls behind 2 dyn IPs (WAN). I am using DynDNS on both
> systems. Both systems receive a new IP every ~24h. (DynDNS default TTL
> of CNAME is 60s)
> I configured an IPsec tunnel on both systems, running fine. But after the IP
> change, the tunnel is dead. My IPsec config has a DPD of 60s (default).
> When I restart racoon (disable/enable IPSec), the tunnel is up again
> immediately.
> I am expecting m0n0wall to detect the dead peer and restart the tunnel.
> Am I wrong? Or what does DPD (Dead Peer Detection) stand for?
> --
> René Moser
> Hi,
> I mentioned this a couple of times but there are arguments about whether there is a problem or
> not. I think unless somebody implements a timer to restart racoon or a new version of racoon there
> is no fix for it. I tried a lot and gave up in the end. Others reported that they got it working but
> I had Monowall behind three Dynamic DNS sites and it never worked. I always had the problem you
> mentioned above. Cable sites are different since they usually get the same IP again after the
> reconnect. So the Tunnel can be up for a couple of weeks. Not reliable though because as soon as you
> get a new IP you have the same problem there.
> If you need the functionality of Monowall but don't want to spend money for checkpoint or
> something like that you can still enable external ssl access and fix the tunnels if required. It's a
> pain in the ass though. I changed all sites to a different product and kept the monowalls for
> further testing.
> Cheers
> Heinz
> www.thewest.com.au

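The re-resolve, rewrite and restart cycle Odette describes (the "timer to restart racoon" that Heinz says nobody has implemented), as an added example that is not m0n0wall or pfSense code and was not posted by anyone in the thread. It is a POSIX sh script meant to run from cron on the firewall. Everything about the environment is an assumption made for the example: that racoon.conf carries a `remote <ip> {` block and psk.txt an `<ip><tab><key>` line keyed by the peer address as the message describes, the file paths under /var/etc, the availability of host(1) for resolution, and `racoonctl reload-config` as the restart command. The sample configuration files are constructed, not taken from a real install.

```sh
#!/bin/sh
# Added example, not m0n0wall/pfSense code: re-resolve the tunnel peer's
# DynDNS name and, if its address changed, rewrite racoon.conf and psk.txt
# and restart racoon. Paths, file layout and the restart command are
# assumptions made for the example; override them via the environment.

RACOON_CONF="${RACOON_CONF:-/var/etc/racoon.conf}"
PSK_FILE="${PSK_FILE:-/var/etc/psk.txt}"
RESTART_CMD="${RESTART_CMD:-racoonctl reload-config}"

# First A record of NAME via host(1) (assumed present); FAKE_RESOLVE
# short-circuits DNS so the script can be exercised offline.
resolve_fqdn() {
    if [ -n "$FAKE_RESOLVE" ]; then
        printf '%s\n' "$FAKE_RESOLVE"
        return 0
    fi
    host -t A "$1" | awk '/has address/ { print $4; exit }'
}

# The address in the "remote <ip> {" block of racoon.conf (assumed layout).
current_remote_ip() {
    awk '$1 == "remote" && $2 != "anonymous" { print $2; exit }' "$RACOON_CONF"
}

# Only a dotted quad may be written into the config files.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Replace every whitespace-delimited token equal to OLD with NEW in both
# files. The rewritten files get mode 0600: racoon refuses a psk.txt that
# is group- or world-readable.
rewrite_ip() {
    old=$1; new=$2
    for f in "$RACOON_CONF" "$PSK_FILE"; do
        tmp="$f.tmp.$$"
        ( umask 077
          awk -v old="$old" -v new="$new" \
              '{ for (i = 1; i <= NF; i++) if ($i == old) $i = new; print }' \
              "$f" > "$tmp" ) && mv "$tmp" "$f"
    done
}

# check_and_update FQDN: returns 0 when the config was rewritten and racoon
# restarted, 1 when the address is unchanged, 2 when resolution failed or
# the current config could not be parsed (nothing is touched in that case).
check_and_update() {
    fqdn=$1
    old=$(current_remote_ip)
    new=$(resolve_fqdn "$fqdn")
    if ! is_ipv4 "$old" || ! is_ipv4 "$new"; then
        echo "cannot update: current='$old' resolved='$new'" >&2
        return 2
    fi
    [ "$old" = "$new" ] && return 1
    rewrite_ip "$old" "$new"
    $RESTART_CMD
}

# Constructed sample files in DIR, shaped like the racoon.conf/psk.txt the
# message describes (not copied from a real pfSense install).
make_sample_config() {
    dir=$1
    cat > "$dir/racoon.conf" <<'EOF'
path pre_shared_key "/var/etc/psk.txt";
remote 203.0.113.10 {
        exchange_mode main;
        proposal_check obey;
}
EOF
    printf '203.0.113.10\tconstructed-sample-key\n' > "$dir/psk.txt"
}
```

A cron entry such as `* * * * * /root/ipsec-dyn.sh peer.example.dyndns.org` (hypothetical path and name) runs the check once a minute, matching the 60 s TTL René mentions. It only fixes the local side: the remote peer sees this firewall's new address the same way, so both ends need the same treatment, and the script handles a single IPv4 `remote` block only. Tokens are compared whole, so an address that happens to be a prefix of another is never partially rewritten, and the config is left untouched whenever resolution returns anything that is not a dotted quad.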