stability problem with VPN between SuSE 8.1 and Cisco PIX515
Hello all,

we successfully set up a VPN between two sites with a SuSE 8.1 system on one end and a Cisco PIX 515 on the other. I take care of the SuSE system ... I use FreeS/WAN 1.98b; we had to use preshared keys because of the policy on the main site. We have a dial-up on our (remote) site, with a fixed IP and a callback setup via ISDN; we do BOD (2x64k) with ibod. The main site has a leased line with 2 MBit and a subnet with 16 "real" IP addresses behind the router.

The problem: IPSec is talking perfectly to the other site on the first startup. The tunnel is built up and we can use the systems on the other site perfectly. But: we have a timeout, so if the line is idle for more than 90 seconds, we take the dial-up link down. If we take it up now again, the tunnel is not renegotiated properly, that is, my logs show that freeswan tries, but does not get the right responses in time. The other site swears that they are doing this correctly; I doubt this.

As a workaround, I tried to include the "rcipsec restart" command in the IP-UP and "rcipsec stop" command in the IP-DOWN scripts of the ISDN link. But I don't think this is very elegant; I somehow miss a possibility to control the ISDN link from within FreeS/WAN. Has anybody tried something similar and can advise?

Thank you in advance,
Philipp Rusch

* Philipp Rusch wrote on Tue, Feb 11, 2003 at 00:10 +0100:
> does not get the right responses in time. The other site swears that they are doing this correctly; I doubt this. As a workaround, I tried to include the "rcipsec restart" command in the IP-UP and "rcipsec stop" command in the IP-DOWN scripts of the ISDN link. But I don't think this is very elegant,

Yeah, I think so, too. I had a similar idea when fiddling around with dynamic IPs and can at least tell that this "hack" is stable :)

> I somehow miss a possibility to control the ISDN link from within FreeS/WAN.

What do you mean with this? Please double check that SuSE is not doing ifconfig ippp0 down ; ifconfig ippp0 up (or its modern replacements) in ip-up since I think this destroys the ipsec device also, when trying to remove that restart.

And drop me a mail when solved, please :)

oki,
Steffen

--
This letter was generated by machine and therefore bears neither signature nor seal.

participants (2): Philipp Rusch, Steffen Dettmer