On Wed, 18 Aug 2004, sietze wrote:

> > My current opinion is that almost all problems with traffic not
> > passing in spite of good SAs are caused by "orphaned" send SAs whose
> > twins have disappeared from the receiving end. Depending on the SA
> > selection priority at the sender, these can be problematic even when
> > properly paired SAs are also available.
>
> How would one be able to find these "orphaned" send SAs? In the gui under
> "diagnostics/IPsec/SAD"?

Yes, but you have to look at both ends. An SA doesn't know that its twin
is missing. If it did, there wouldn't be a problem. :-)

> In any case, rebooting the m0n0's on each end of the tunnel should get rid
> of any orphaned stuff.

Or even just restarting IPsec. But that's not always convenient,
especially if one is at a remote location.

Fred Wright
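
Added example, not part of the original message: a sketch of the "look at both ends" check, listing send SAs on one gateway whose twin is absent from the peer's SAD. It assumes each end's SAD has been saved as text in the layout that `setkey -D` prints (the message itself only mentions the GUI SAD page); the addresses and SPIs are constructed.

```python
import re

# One SAD entry starts with an unindented "<src> <dst>" line, followed by an
# indented line carrying the protocol and "spi=<dec>(0x<hex>)".
_HDR = re.compile(r"^(\S+)\s+(\S+)\s*$")
_SPI = re.compile(r"^\s+(esp|ah)\s.*\bspi=\d+\(0x([0-9a-fA-F]+)\)")

def parse_sad(dump):
    """Return the set of (src, dst, proto, spi) tuples in one SAD dump."""
    sas, pair = set(), None
    for line in dump.splitlines():
        m = _SPI.match(line)
        if m and pair:
            sas.add((pair[0], pair[1], m.group(1), int(m.group(2), 16)))
            pair = None
        elif _HDR.match(line):
            pair = tuple(line.split())
    return sas

def orphaned_send_sas(local_ip, local_dump, peer_dump):
    """Send SAs held locally (src == local_ip) whose twin is missing at the peer."""
    peer = parse_sad(peer_dump)
    return sorted(sa for sa in parse_sad(local_dump)
                  if sa[0] == local_ip and sa not in peer)

# Constructed sample dumps (documentation addresses, made-up SPIs).
# Gateway A still holds an old send SA (0x0a1b2c3d) that B no longer has.
SAD_A = """\
192.0.2.1 198.51.100.1
\tesp mode=tunnel spi=169552957(0x0a1b2c3d) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.1 198.51.100.1
\tesp mode=tunnel spi=241134203(0x0e5f6a7b) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.1 192.0.2.1
\tesp mode=tunnel spi=16909060(0x01020304) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
"""
SAD_B = """\
192.0.2.1 198.51.100.1
\tesp mode=tunnel spi=241134203(0x0e5f6a7b) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.1 192.0.2.1
\tesp mode=tunnel spi=16909060(0x01020304) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

if __name__ == "__main__":
    for src, dst, proto, spi in orphaned_send_sas("192.0.2.1", SAD_A, SAD_B):
        print(f"orphaned send SA: {src} -> {dst} {proto} spi=0x{spi:08x}")
```

The check has to be run in each direction, since an orphan can exist on either gateway.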