 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  RE: [m0n0wall] netstat and vpn
 Date:  Thu, 19 Aug 2004 14:58:57 -0700 (PDT)
On Wed, 18 Aug 2004, sietze wrote:

>  > My current opinion is that almost all problems with traffic not
>  > passing in spite of good SAs are caused by "orphaned" send SAs whose
>  > twins have disappeared from the receiving end.  Depending on the SA
>  > selection priority at the sender, these can be problematic even when
>  > properly paired SAs are also available.
> How would one be able to find these "orphaned" send SAs? In the gui under
> "diagnostics/IPsec/SAD"?

Yes, but you have to look at both ends.  An SA doesn't know that its twin
is missing.  If it did, there wouldn't be a problem. :-)

> In any case, rebooting the m0n0's on each end of the tunnel should get rid
> of any orphaned stuff.

Or even just restarting IPsec.  But that's not always convenient,
especially if one is at a remote location.

					Fred Wright
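The check Fred describes, comparing the SAD on both ends of the tunnel to spot send SAs with no twin, as an added example (not code from the thread or from m0n0wall). It assumes a constructed, flat one-line-per-SA export (`src=… dst=… spi=…`) rather than the real layout of m0n0wall's Diagnostics/IPsec/SAD page, and the addresses and SPIs below are made-up sample data.

```python
"""Find "orphaned" IPsec send SAs: SAs present at the sending end whose
matching entry has disappeared from the receiving end's SAD.

Assumed input format (constructed for this example, not m0n0wall's own):
one SA per line, whitespace-separated key=value fields, '#' comments.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SA:
    src: str   # outer source address of the tunnel endpoint
    dst: str   # outer destination address
    spi: int   # Security Parameter Index, unique per (dst, proto)


def parse_sad(text: str) -> set[SA]:
    """Parse the constructed SAD export into a set of SA records."""
    sas = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = dict(f.split("=", 1) for f in line.split())
        sas.add(SA(fields["src"], fields["dst"], int(fields["spi"], 16)))
    return sas


def orphaned_send_sas(local_addr: str, local_sad: set[SA],
                      remote_sad: set[SA]) -> list[SA]:
    """Send SAs (src == local end) that the remote end no longer holds.

    An SA cannot know its twin is gone, so the only way to detect the
    condition is to compare both SADs side by side.
    """
    return sorted(
        (sa for sa in local_sad
         if sa.src == local_addr and sa not in remote_sad),
        key=lambda sa: sa.spi,
    )


def check_tunnel(a_addr: str, a_sad_text: str,
                 b_addr: str, b_sad_text: str) -> dict[str, list[SA]]:
    """Report orphaned send SAs for each end of an A<->B tunnel."""
    a_sad = parse_sad(a_sad_text)
    b_sad = parse_sad(b_sad_text)
    return {
        a_addr: orphaned_send_sas(a_addr, a_sad, b_sad),
        b_addr: orphaned_send_sas(b_addr, b_sad, a_sad),
    }


# Constructed sample SADs for two endpoints A and B.  SPI 0x1001/0x2001
# are a properly paired set; A still holds send SA 0x1002 after B lost it.
END_A = "203.0.113.1"
END_B = "198.51.100.1"

SAD_A = """
# SAD as seen on end A
src=203.0.113.1 dst=198.51.100.1 spi=0x1001
src=198.51.100.1 dst=203.0.113.1 spi=0x2001
src=203.0.113.1 dst=198.51.100.1 spi=0x1002
"""

SAD_B = """
# SAD as seen on end B
src=203.0.113.1 dst=198.51.100.1 spi=0x1001
src=198.51.100.1 dst=203.0.113.1 spi=0x2001
"""


if __name__ == "__main__":
    for end, orphans in check_tunnel(END_A, SAD_A, END_B, SAD_B).items():
        for sa in orphans:
            print(f"{end}: orphaned send SA spi=0x{sa.spi:x} -> {sa.dst}")
```

If a send SA shows up in this report, the sender may still pick it for outbound traffic depending on its SA selection order, which is exactly the "good SAs but no traffic" symptom described above; restarting IPsec on the affected end clears the stale entry.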