Using OpenSwan (on DevilLinux), I've had the problem that, although the ipsec0 interface was still up and pluto looked ok in /var/log/messages:
The packets were routed correctly through ipsec0 (checked with tcpdump), but nothing came back, and according to pluto's logs nothing was broken and the key was still valid for another 2760 seconds (= 46 min.):
Aug 24 16:24:06 src@noawall pluto[2685]: |
Aug 24 16:24:06 src@noawall pluto[2685]: | *time to handle event
Aug 24 16:24:06 src@noawall pluto[2685]: | event after this is EVENT_REINIT_SECRET in 2760 seconds
Aug 24 16:24:06 src@noawall pluto[2685]: | inserting event EVENT_SHUNT_SCAN, timeout in 120 seconds
Aug 24 16:24:06 src@noawall pluto[2685]: | scanning for shunt eroutes
Aug 24 16:24:06 src@noawall pluto[2685]: | next event EVENT_SHUNT_SCAN in 120 seconds
Even stranger: After some time the tunnel seemed to be working again...
[SOLUTION]
I had rekeying turned on and configured (/etc/ipsec.conf):
rekey=yes
keylife=8h
rekeyfuzz = 50%
rekeymargin = 9m
I then wrote a small script that constantly pinged a target host on the other side and wrote its output (including a timestamp for each ping) into a logfile.
After letting that run over the weekend, I immediately saw what went wrong:
The other side had their keylife time set to 1h! And we were cut off after exactly that time, because we re-negotiated the key after 8 hours.
So, after making our settings compatible with the other side's, the tunnel stayed up:
rekey=yes
keylife=1h
rekeyfuzz = 50%
rekeymargin = 5m
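The two ipsec.conf fragments above can be checked on paper: with rekey=yes, Openswan tries to rekey `rekeymargin` before its own `keylife` runs out (the margin is randomly enlarged by up to `rekeyfuzz` percent), so a tunnel only survives if one peer rekeys before the *shorter* of the two lifetimes expires. The script below is an added example, not the poster's ping script or Openswan code; it parses both fragments from the post and predicts the gap. The remote side's settings are an assumption: the post only tells us keylife=1h, and rekey=no is assumed there because that reproduces the "cut off after exactly one hour" behaviour.

```python
"""Predict the outage caused by an IPsec keylife mismatch between two peers.

Added example for the post above; not the poster's script and not Openswan code.
Timing model follows ipsec.conf(5): a peer with rekey=yes attempts to rekey
`rekeymargin` (enlarged by up to `rekeyfuzz` percent) before its own `keylife`
ends; a peer with rekey=no simply drops the SA when its keylife expires.
"""
import re

# Our side before the fix, copied from the post.
OUR_CONFIG_BEFORE = """\
rekey=yes
keylife=8h
rekeyfuzz = 50%
rekeymargin = 9m
"""

# Our side after the fix, copied from the post.
OUR_CONFIG_AFTER = """\
rekey=yes
keylife=1h
rekeyfuzz = 50%
rekeymargin = 5m
"""

# Remote side: keylife=1h is from the post; rekey=no is an ASSUMPTION that
# reproduces the observed "cut off after exactly one hour".
THEIR_CONFIG = """\
rekey=no
keylife=1h
"""


def parse_duration(value: str) -> int:
    """Convert an ipsec.conf time value such as '8h', '9m', '2760s' or '3600' to seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * units[m.group(2) or "s"]


def parse_settings(text: str) -> dict:
    """Parse 'key=value' lines (spaces around '=' allowed, as in the post) into a dict."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        settings[key.strip()] = val.strip()
    return settings


class Peer:
    """One end of the tunnel with its rekey-related settings (Openswan defaults when absent)."""

    def __init__(self, name: str, settings: dict):
        self.name = name
        self.keylife = parse_duration(settings.get("keylife", "8h"))
        self.rekey = settings.get("rekey", "yes").lower() == "yes"
        self.rekeymargin = parse_duration(settings.get("rekeymargin", "9m"))
        self.rekeyfuzz = int(settings.get("rekeyfuzz", "100%").rstrip("%"))

    def rekey_attempt(self, fuzz_fraction: float = 0.0):
        """Seconds after SA setup at which this peer tries to rekey, or None if rekey=no.

        fuzz_fraction in [0, 1] is the share of rekeyfuzz the random draw applied;
        0.0 gives the latest (worst-case) attempt, 1.0 the earliest.
        """
        if not self.rekey:
            return None
        margin = self.rekeymargin * (1 + fuzz_fraction * self.rekeyfuzz / 100)
        return self.keylife - margin


def predict_outage(ours: Peer, theirs: Peer, fuzz_fraction: float = 0.0):
    """Return (start, end) in seconds after SA setup of the predicted gap, or None.

    Both SAs start at t=0. The tunnel stays up if some peer rekeys before the
    earliest keylife expiry; otherwise it breaks at that expiry and is assumed to
    recover at the next rekey attempt (or, if nobody rekeys, when both SAs are gone).
    """
    expiry = min(ours.keylife, theirs.keylife)
    attempts = [t for t in (ours.rekey_attempt(fuzz_fraction),
                            theirs.rekey_attempt(fuzz_fraction)) if t is not None]
    if any(t < expiry for t in attempts):
        return None
    later = [t for t in attempts if t >= expiry]
    end = min(later) if later else max(ours.keylife, theirs.keylife)
    return expiry, end


if __name__ == "__main__":
    theirs = Peer("theirs", parse_settings(THEIR_CONFIG))
    for label, cfg in (("before", OUR_CONFIG_BEFORE), ("after", OUR_CONFIG_AFTER)):
        ours = Peer("ours", parse_settings(cfg))
        gap = predict_outage(ours, theirs)
        if gap:
            print(f"{label}: tunnel down from {gap[0] / 60:.0f} min to {gap[1] / 60:.0f} min after setup")
        else:
            print(f"{label}: rekey at {ours.rekey_attempt() / 60:.0f} min beats expiry; tunnel stays up")
```

With the original settings our side would not try to rekey until 8h minus 9m, long after the remote SA is gone at 60 minutes, which is the gap the timestamped ping log revealed; with keylife=1h and rekeymargin=5m the attempt lands at 55 minutes (earlier still with fuzz), before either side expires. The same check applies whenever you only control one end of a tunnel: make sure the shorter of the two lifetimes minus your margin is still positive, and that your rekey attempt precedes the peer's expiry.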