search for: ikelifetim

...elieve it's traffic related), certain (and sometimes all) routes will drop. They usually recover after a few minutes, but it's still long enough for our monitoring to detect downtime. The configuration we have on each device is: conn site-a keyingtries=0 keylife=1h ikelifetime=8h left=1.1.1.1 right=2.2.2.2 leftsubnets={x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24} rightsubnets={x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24} pfs=yes auto=start authby=secret dpddelay=30 dpdt...

Centos 5 is also a bit old os. Is it possible to use newer version? (like centos 7 or centos 6?) Eero 2016-02-09 19:52 GMT+02:00 Gordon Messmer <gordon.messmer at gmail.com>: > On 02/09/2016 07:04 AM, John Cenile wrote: > >> does anyone have any suggestions on what the problem might be? >> > > Not off the top of my head, but if I were you, I'd enable debugging

https://bugzilla.netfilter.org/show_bug.cgi?id=1082 Bug ID: 1082 Summary: Hard lockup when inserting nft rules (esp. ct rule) Product: nftables Version: unspecified Hardware: x86_64 OS: Debian GNU/Linux Status: NEW Severity: blocker Priority: P5 Component: kernel Assignee:

...5 is really near of it's end of life. There is not much updates to kernel or openswan. You should at least try latest openswan version. Your issue looks like a bit network problem. -- Eero 2016-02-10 8:34 GMT+02:00 John Cenile <jcenile1983 at gmail.com>: > So lowering the keylife / ikelifetime didn't solve the problem. I've > enabled debugging and I'll see what it says. > > Unfortunately we can't (easily) upgrade CentOS, do you believe that would > make a huge difference though? Are the newer versions of OpenSwan *that > *much > more reliable? > >...

...'ve posted this on the VyOS forums, but haven't had many helpful responses, so I thought I would ask here. http://forum.vyos.net/showthread.php?tid=26504&pid=29703#pid29703 Basically our Openswan configuration is as follows: conn VYOS keyingtries=0 keylife=20m ikelifetime=2h left=<VYOS IP> right=<OPENSWAN IP> leftsubnets={ 10.1.1.0/24,10.1.2.0/24,10.1.3.0/24,10.1.4.0/24,10.1.5.0/24} rightsubnets={10.2.1.0/24,10.2.2.0/24,10.2.3.0/24,10.2.4.0/24} auto=start authby=secret dpddelay=30 dpdtimeou...

So lowering the keylife / ikelifetime didn't solve the problem. I've enabled debugging and I'll see what it says. Unfortunately we can't (easily) upgrade CentOS, do you believe that would make a huge difference though? Are the newer versions of OpenSwan *that *much more reliable? On 10 February 2016 at 04:58, Eero Vo...

...and sometimes all) routes will drop. They usually > recover after a few minutes, but it's still long enough for our monitoring > to detect downtime. > > The configuration we have on each device is: > > conn site-a > keyingtries=0 > keylife=1h > ikelifetime=8h > left=1.1.1.1 > right=2.2.2.2 > > > leftsubnets={x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24} > > > rightsubnets={x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24} > pfs=yes > auto=start >...

...not much > updates to kernel or openswan. You should at least try latest openswan > version. > > Your issue looks like a bit network problem. > > -- > Eero > > 2016-02-10 8:34 GMT+02:00 John Cenile <jcenile1983 at gmail.com>: > > > So lowering the keylife / ikelifetime didn't solve the problem. I've > > enabled debugging and I'll see what it says. > > > > Unfortunately we can't (easily) upgrade CentOS, do you believe that would > > make a huge difference though? Are the newer versions of OpenSwan *that > > *much >...