Koozali.org: home of the SME Server
Legacy Forums => General Discussion (Legacy) => Topic started by: roballen on April 14, 2004, 05:07:41 PM
-
Hi
I am currently running two 5.6 servers. Both are fully patched, and have the freeswan IPSEC software installed.
They both seem to work well, and I operate a tunnel between the two boxes to link two remote offices together.
When in use it all works fine, however if the link is left unused for approx 20 minutes the tunnel seems to drop!
Drop is perhaps misleading, as the routes and ipsec eroute show everything is correct; however, I have to run a ping across the tunnel to 'liven' it up. Any telnet sessions running at the time time out.
Quite confusing. I have not noticed anything odd in any logs. Wondered if anyone else has had this problem, or should I start googling?
Thanks for any help
Rob
-
Had the same problem.
One or maybe both of your 5.6 is probably behind a firewall or natting router, is it not?
After 20 minutes it is not the tunnels that are dropped (ipsec eroute is ok), but the traffic that is stopped by the firewall. Packets just don't arrive.
Test: If you keep a ping going:
ping -I internalipmyserver -i 300 internalipotherserver
This will ping the other net every 5 minutes. If that keeps the traffic going, then you have a firewall in the way.
Another test: if the traffic is blocked, try pinging each other at the same time (from both nets). This should open new connections and get the traffic flowing again. There is nothing wrong with your tunnels...
The problem is connection-tracking. The firewall allows incoming traffic if it's for a registered established connection. If that times out (20 minutes or so of inactivity), new packets are blocked.
Solution: get rid of the firewall
Hope this helps,
Richard
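As an added illustration (not code from this thread or from SME Server), the connection-tracking behaviour Richard describes, modelled in Python: an outbound packet creates an entry, any packet in either direction refreshes it, and an inbound packet with no live entry is dropped. The addresses, the 20-minute idle timeout and the 5-minute keepalive interval are assumed values taken from the discussion.

```python
"""Model of a stateful firewall's connection tracking as seen from office A's
side of the tunnel. Added example; not SME Server or freeswan code."""

IDLE_TIMEOUT = 20 * 60      # assumed: "20 minutes or so of inactivity"
OFFICE_A = "10.0.1.5"       # constructed: host on the local LAN
OFFICE_B = "10.0.2.7"       # constructed: host on the remote LAN


class StatefulFirewall:
    """Keeps one entry per flow and forgets it after idle_timeout seconds."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.table = {}     # (inside, outside) flow -> time of last packet seen

    def _expire(self, now):
        # Entries idle for longer than the timeout are dropped from the table.
        for flow, last_seen in list(self.table.items()):
            if now - last_seen > self.idle_timeout:
                del self.table[flow]

    def packet(self, now, src, dst, outbound):
        """Return True if the packet is passed, False if the firewall blocks it."""
        self._expire(now)
        flow = (src, dst) if outbound else (dst, src)   # normalise to inside->outside
        if outbound:
            self.table[flow] = now      # outbound traffic always creates/refreshes an entry
            return True
        if flow in self.table:
            self.table[flow] = now      # inbound packet matches a tracked flow
            return True
        return False                    # no tracked flow: the packet "just doesn't arrive"


def reply_arrives(outbound_times, reply_time, idle_timeout=IDLE_TIMEOUT):
    """Send A->B packets at the given times, then check whether a B->A packet
    sent at reply_time gets through the firewall."""
    fw = StatefulFirewall(idle_timeout)
    for t in sorted(outbound_times):
        fw.packet(t, OFFICE_A, OFFICE_B, outbound=True)
    return fw.packet(reply_time, OFFICE_B, OFFICE_A, outbound=False)


def keepalive_times(duration, interval=300):
    """Times at which a periodic ping fires over `duration` seconds (every 5 min by default)."""
    return list(range(0, duration + 1, interval))
```

With no keepalive, a reply after 25 minutes of silence is blocked; with a ping every 5 minutes the entry never expires and replies keep flowing.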
-
Hey Richard.
Thanks for the reply. I came to a similar solution, added a cron job to run a ping every five minutes.
The only firewall is the one within SME itself.
Unsure why it has only suddenly started, but the pings have sorted it.
Rob
-
Not a very nice solution.
It gets the job done, though...
Are you sure there is no dsl-modem, router or other firewall?
The ipsec-contrib of devinfo will open udp 500, so there is no timeout possible on that one.
grz,
Richard