Invigo Support

Reputation: 25

Openswan IPSec connection (to a cisco asa) disconnects every 18 hours

We have a CentOS 5.5 (vm) with Linux Openswan U2.6.32 installed. On it, we have an IPSec tunnel with a peer that is a cisco asa. The tunnel disconnects every 18 hours (we need the tunnel to stay up all the time).

We have tested many setups at the openswan but currently we have the following configuration:

    auto=start
    type=tunnel
    keyexchange=ike
    authby=secret
    rightrsasigkey=%cert
    leftrsasigkey=%cert
    compress=no
    esp=aes256-sha1
    ike=aes256-sha1-modp1536
    pfs=no
    ikelifetime=24h
    keylife=1h
    dpddelay=2
    dpdtimeout=1000
    dpdaction=restart
    rekey=yes

We do not have access to the peer device.

Has anyone faced this issue before?

Upvotes: 0

Views: 1909

Answers (1)

Amir

Reputation: 54

There is a chance you have some misalignment with the Cisco ASA around one of the tunnel metrics. For example, a common misalignment is around the IPsec session timeout (not the IKE session, which you configured for 24h); in this case the missing property from your config is salifetime=18h.

Once both sides are aligned, rekey will happen properly.

Other suggestions:

a) reduce the dpdtimeout to something much lower than 1000 secs (the common setups are between 30 sec and 3 min). If this doesn't help, you might want to recheck how the ASA is configured, making sure it's not set to drop the tunnel every n Kb or when the tunnel is idle.

b) change the dpdaction from restart to restart_by_peer

Upvotes: 0
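As an added example (not code from the question, the answer or the Openswan project), a small Python linter that reads the conn block from the question, folds `keylife` into `salifetime` (in Openswan `keylife` is the older name for the IPsec SA lifetime), and reports where the local lifetimes differ from the values assumed for the ASA peer and where `dpdtimeout` is outside the usual range. The peer lifetimes passed in are hypothetical, since the question has no access to the ASA; the default fallbacks are Openswan's documented defaults as assumed here.

```python
# Added example (not from the question, the answer or Openswan): lint a conn block's lifetime/DPD settings.
import re

# Constructed sample: the relevant lines from the conn block in the question.
SAMPLE_CONF = """
    ikelifetime=24h
    keylife=1h
    dpddelay=2
    dpdtimeout=1000
    dpdaction=restart
"""
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_duration(value):
    """Openswan time value: integer with optional s/m/h/d suffix; bare = seconds."""
    m = re.fullmatch(r"\s*(\d+)([smhd]?)\s*", value)
    if not m:
        raise ValueError("bad duration: %r" % value)
    return int(m.group(1)) * UNIT_SECONDS[m.group(2) or "s"]

def parse_conn(text):
    """Conn parameters as a dict; keylife (older name) is folded into salifetime."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = [s.strip() for s in line.partition("=")]
        params["salifetime" if key == "keylife" else key] = val
    return params

def lint(params, peer_sa_lifetime_s, peer_ike_lifetime_s):
    """Compare local lifetimes with the peer's (given by hand) and sanity-check DPD."""
    findings = []
    # Fallbacks are Openswan's documented defaults (assumed): salifetime 8h, ikelifetime 1h.
    sa = parse_duration(params.get("salifetime", "8h"))
    ike = parse_duration(params.get("ikelifetime", "1h"))
    if sa != peer_sa_lifetime_s:
        findings.append("IPsec SA lifetime %ds != peer %ds" % (sa, peer_sa_lifetime_s))
    if ike != peer_ike_lifetime_s:
        findings.append("IKE lifetime %ds != peer %ds" % (ike, peer_ike_lifetime_s))
    timeout = parse_duration(params.get("dpdtimeout", "0"))
    if timeout > 180:
        findings.append("dpdtimeout %ds is above the usual 30-180s range" % timeout)
    return findings

if __name__ == "__main__":
    # Peer values are assumptions: an ASA with an 18h IPsec SA and a 24h IKE SA.
    for finding in lint(parse_conn(SAMPLE_CONF), 18 * 3600, 24 * 3600):
        print(finding)
```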
