search for: keyingtri

https://bugzilla.netfilter.org/show_bug.cgi?id=1082 Bug ID: 1082 Summary: Hard lockup when inserting nft rules (esp. ct rule) Product: nftables Version: unspecified Hardware: x86_64 OS: Debian GNU/Linux Status: NEW Severity: blocker Priority: P5 Component: kernel Assignee:

...the middle of the night (so I don't believe it's traffic related), certain (and sometimes all) routes will drop. They usually recover after a few minutes, but it's still long enough for our monitoring to detect downtime. The configuration we have on each device is: conn site-a keyingtries=0 keylife=1h ikelifetime=8h left=1.1.1.1 right=2.2.2.2 leftsubnets={x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24} rightsubnets={x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24} pfs=yes auto=start auth...

...an server with a Vyos server via IPSec. I've posted this on the VyOS forums, but haven't had many helpful responses, so I thought I would ask here. http://forum.vyos.net/showthread.php?tid=26504&pid=29703#pid29703 Basically our Openswan configuration is as follows: conn VYOS keyingtries=0 keylife=20m ikelifetime=2h left=<VYOS IP> right=<OPENSWAN IP> leftsubnets={ 10.1.1.0/24,10.1.2.0/24,10.1.3.0/24,10.1.4.0/24,10.1.5.0/24} rightsubnets={10.2.1.0/24,10.2.2.0/24,10.2.3.0/24,10.2.4.0/24} auto=start authby=s...

...p would be to create a tunnel > between the linux box and the FW-1 server. (freeswan / ipsec) I think this would be easier than to tunnel ipsec through from a windows client behind your firewall. Add these config options to your ipsec.conf if you want to connect vom linux to checkpoint: keyingtries=0 pfs=no Currently I try exactly this, migrating from manuall configured iptables/ipsec to shorewall. Your experiences may help me. > I''m fairly new to the linux firewalling and ipsec etc so any > help would > be greatly appreciated. Hope this helps, Frerk Meyer Sy...

...t believe it's traffic > related), certain (and sometimes all) routes will drop. They usually > recover after a few minutes, but it's still long enough for our monitoring > to detect downtime. > > The configuration we have on each device is: > > conn site-a > keyingtries=0 > keylife=1h > ikelifetime=8h > left=1.1.1.1 > right=2.2.2.2 > > > leftsubnets={x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24} > > > rightsubnets={x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24,x.x.x.x/24}...

...ltroute leftsourceip=192.168.1.97 leftid=@rx1000test leftsubnet=192.168.1.96/28 ike=aes128-md5-modp1024 esp=aes128-md5 right=160.96.97.248 rightsubnet=192.168.1.0/28 rightsourceip=192.168.1.1 type=tunnel pfs=yes keyingtries=0 #Disable Opportunistic Encryption include /etc/ipsec.d/examples/no_oe.conf The IPsec works fine except for the following caveats: 1. Spoke routers cannot ping each other, 2. The cisco has no interfaces for the scope routers so no qos can be done. Linux GRE setup: modprobe ip_gre ip...

Is there a "cookbook" for setting this up? There are examples for setting up a tunnel between two fixed-address networks (e.g. a remote LAN that needs to be "integrated" with a central LAN over IPSec but I can't find anything addressing the other situation -- remote user(s) where the connecting IPs are not known in advance, such as a person with a laptop or smartphone in a