Cowles, Steve
2002-Apr-06 13:30 UTC
[Shorewall-users] Need help with IPSEC, net view and shorewall
> -----Original Message-----
> From: Alois Schneider [mailto:alois@sillian.com]
> Sent: Saturday, April 06, 2002 3:22 AM
> To: Tom Eastep
> Cc: shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] Need help with IPSEC, net view and
> shorewall
>
<SNIP>
>
> Ok, I added the rules *) but the problem still exists. After
> some time of inactivity I cannot ping across the tunnel and
> get the following errors:
>
<SNIP>
>
> Shorewall:all2all:REJECT:IN= OUT=ipsec0 SRC=x.x.x.x DST=y.y.y.y LEN=328
> TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=308
> Pluto[15685]: "Alois" y.y.y.y #3: responding to Quick Mode
> Pluto[15685]: ERROR; "Alois" y.y.y.y #3: sendto y.y.y.y:500 failed in
> STATE_QUICK_R0. Errno1: Operation not permitted
> Pluto[15685]: "Alois" y.y.y.y #3: ERROR: asynchronous network
> error report on eth0 for message to y.y.y.y port 500, complainant x.x.x.x:
> Connection refused
> Pluto[15685]: "Alois" y.y.y.y #3: discarding duplicate
> packet; allready STATE_QUICK_R1
>

Have you tried decreasing the "keylife" parameter for your connection
profile? i.e., something like:

keylife=5m

BTW: There are many other relevant (key/rekey) parameters that might help
resolve the problem you have described.

Steve Cowles
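The log excerpt above is a useful pattern to recognise: a Shorewall REJECT on OUT=ipsec0 for UDP 500 (IKE) followed by Pluto's "sendto ... Operation not permitted" for the same peer usually means the rekey traffic is being blocked by the local firewall rather than by the remote side. The following script is an added example, not code from the thread or from the Shorewall or FreeS/WAN projects; it parses Shorewall's netfilter log prefix and Pluto's sendto error lines and pairs them by peer address. The sample log lines are constructed for the example (RFC 5737 documentation addresses stand in for x.x.x.x and y.y.y.y), and the "Pluto[...]: ERROR:" wording is assumed from the quoted output.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample log, modelled on the lines quoted in the thread.
# Addresses are RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOG = """\
Shorewall:all2all:REJECT:IN= OUT=ipsec0 SRC=192.0.2.10 DST=198.51.100.20 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=308
Pluto[15685]: "Alois" 198.51.100.20 #3: responding to Quick Mode
Pluto[15685]: ERROR: "Alois" 198.51.100.20 #3: sendto 198.51.100.20:500 failed in STATE_QUICK_R0. Errno 1: Operation not permitted
Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=40000 DPT=22
"""

# Shorewall log prefix: "Shorewall:<chain>:<disposition>:" followed by the
# kernel's netfilter key=value fields.
SHOREWALL_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Pluto's report of a failed IKE send. "Operation not permitted" (errno 1)
# is what a local firewall REJECT of the outgoing packet looks like to it.
# The exact line format is assumed from the output quoted in the thread.
PLUTO_SENDTO_RE = re.compile(
    r'Pluto\[\d+\]: ERROR: "(?P<conn>[^"]+)" (?P<peer>\S+) #\d+: '
    r"sendto (?P<dst>[^:]+):(?P<port>\d+) failed in (?P<state>[A-Z0-9_]+)"
)

IKE_PORTS = {"500", "4500"}  # ISAKMP and NAT-T


def parse_shorewall(line: str) -> Optional[Dict[str, str]]:
    """Return chain, disposition and netfilter fields, or None for other lines."""
    m = SHOREWALL_RE.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "disp": m.group("disp")}
    for key, value in FIELD_RE.findall(m.group("rest")):
        # LEN appears twice (IP total length, then UDP length); keep the first.
        fields.setdefault(key, value)
    return fields


def ike_rejects(log: str) -> List[Dict[str, str]]:
    """Shorewall REJECT/DROP entries for UDP traffic to the IKE ports."""
    hits = []
    for line in log.splitlines():
        f = parse_shorewall(line)
        if f is None or f["disp"] not in ("REJECT", "DROP"):
            continue
        if f.get("PROTO") == "UDP" and f.get("DPT") in IKE_PORTS:
            hits.append({
                "chain": f["chain"],
                "disp": f["disp"],
                "in": f.get("IN", ""),
                "out": f.get("OUT", ""),
                "src": f.get("SRC", ""),
                "dst": f.get("DST", ""),
            })
    return hits


def correlate(log: str) -> List[Tuple[str, str, str]]:
    """Pair each Pluto sendto failure with a firewall reject to the same peer.

    Returns (connection name, peer address, Shorewall chain) triples; an empty
    list means the firewall log does not explain the Pluto error.
    """
    rejected_by_dst = {r["dst"]: r for r in ike_rejects(log)}
    matches = []
    for line in log.splitlines():
        m = PLUTO_SENDTO_RE.search(line)
        if m and m.group("dst") in rejected_by_dst:
            chain = rejected_by_dst[m.group("dst")]["chain"]
            matches.append((m.group("conn"), m.group("dst"), chain))
    return matches


if __name__ == "__main__":
    for conn, peer, chain in correlate(SAMPLE_LOG):
        print(f"IKE traffic to {peer} for conn '{conn}' was rejected in Shorewall chain {chain}")
```

Run it against a combined syslog extract (kernel and Pluto messages in one file); a non-empty result from correlate() points at the firewall policy for the named chain, whereas Pluto errors with no matching Shorewall entry suggest the rekey is failing elsewhere, which is where tuning keylife and the other rekey parameters comes in.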