Mailinglist Archive: opensuse-security (224 mails)

stability problem with VPN between SuSE 8.1 and Cisco PIX515
  • From: Philipp Rusch <Philipp.Rusch@xxxxxxxxxxxx>
  • Date: Tue, 11 Feb 2003 00:10:48 +0100
  • Message-id: <3E483178.67DDAFC@xxxxxxxxxxxx>
Hello all,

we successfully set up a VPN between two sites with a SuSE 8.1
system on one end and a Cisco PIX 515 on the other.
I take care of the SuSE system ... I use FreeS/WAN 1.98b, we
had to use preshared keys because of the policy on the main site,
we have a dial-up on our (remote) site, with a fixed IP and a callback
setup via ISDN, we do BOD (2x64k) with ibod. Main site is having
a leased line with 2 MBit and a subnet with 16 "real" IP addresses behind
the router.
The problem: IPSec is talking perfectly to the other site on the first startup.
Tunnel is built up and we can use the systems on the other site perfectly.
But: we have a timeout, so if the line is idle for more than 90 seconds,
we take the dial-up link down. If we take it up now again, the tunnel
is not renegotiated properly, that is, my logs show that freeswan tries, but
does not get the right responses in time. The other site swears that they
are doing this correctly, I doubt this. As a workaround, I tried to include
the "rcipsec restart" command in the IP-UP and "rcipsec stop" command
in the IP-DOWN scripts of the ISDN link. But I don't think this is very
elegant, I somehow miss a possibility to control the ISDN link from within
FreeS/WAN.

Has anybody tried something similar and can advise?

Thank you in advance, Philipp Rusch

