Topic: any suggestions to improve tunnel stability?  (Read 1974 times)
« on: January 16, 2008, 23:20:50 »
jcims *
Posts: 2

Hi folks.

I had been running m0n0 1.21 at our main firewall and 1.22 on WRAP for remote offices.  The WRAP firewalls were on cable or DSL, so I'm using the mobile client configuration for the tunnels.  While I was on 1.21 and 1.22, the tunnels were slightly unstable, but usually rebooting both firewalls would bring things back online.

Now I've upgraded the clients to 1.3bx and have had 1.21, 1.3bx and now pfSense on the main firewall (pc-cdrom), and the tunnels are nearly unusable.  I can reboot both firewalls and sometimes the tunnel will come up, other times it won't.  I can clear the SAD/SPDs on both sides, and sometimes things will work, sometimes they won't.  It's becoming incredibly frustrating, and I haven't changed anything with the config.

I'm not really asking for specific configs, just some ideas:

1 - Is it possible to determine exactly why a packet doesn't make it through the tunnel?  Some kind of debug setup?

2 - Are there specific tunnel settings that lend to (or create problems with) stability (negotiation mode, lifetimes, ciphers, etc.)?

I know this isn't a specific question... I'm just looking for some ideas.

Thanks!
« Reply #1 on: January 17, 2008, 02:35:08 »
ChainSaw
Guest

I would give 1.3b9 a try as it supports IP addresses or Host Names for the IPSec remote gateway.

This config works great for me:

      <tunnel>
         <disabled/>
         <interface>wan</interface>
         <local-subnet>
            <network>lan</network>
         </local-subnet>
         <remote-subnet>192.168.9.0/24</remote-subnet>
         <remote-gateway>64.233.167.104</remote-gateway>
         <p1>
            <mode>aggressive</mode>
            <myident>
               <myaddress/>
            </myident>
            <encryption-algorithm>aes</encryption-algorithm>
            <hash-algorithm>sha1</hash-algorithm>
            <dhgroup>2</dhgroup>
            <lifetime>172800</lifetime>
            <pre-shared-key>A-Strong-Password-Goes-Here</pre-shared-key>
            <private-key/>
            <cert/>
            <peercert/>
            <authentication_method>pre_shared_key</authentication_method>
         </p1>
         <p2>
            <protocol>esp</protocol>
            <encryption-algorithm-option>rijndael</encryption-algorithm-option>
            <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
            <pfsgroup>2</pfsgroup>
            <lifetime>86400</lifetime>
         </p2>
         <descr>IPSEC template</descr>
      </tunnel>

Good Luck!  CS...
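The reply above gives a working tunnel template but no way to check one. As an added example (written for this thread, not code from either poster or from m0n0wall/pfSense), the script below parses a `<tunnel>` block in the same XML shape and reports the settings most likely to matter for the two questions asked: whether the tunnel is even enabled, whether the phase 1 and phase 2 lifetimes are in a sane order, and which negotiation choices (aggressive mode with a PSK, DH group 2, SHA-1) weaken the tunnel. The embedded sample is a constructed copy of the posted template with the pre-shared key replaced by a placeholder; the finding codes and thresholds are the example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the tunnel posted above; the PSK is a placeholder.
SAMPLE_TUNNEL = """<tunnel>
  <disabled/>
  <interface>wan</interface>
  <local-subnet><network>lan</network></local-subnet>
  <remote-subnet>192.168.9.0/24</remote-subnet>
  <remote-gateway>64.233.167.104</remote-gateway>
  <p1>
    <mode>aggressive</mode>
    <myident><myaddress/></myident>
    <encryption-algorithm>aes</encryption-algorithm>
    <hash-algorithm>sha1</hash-algorithm>
    <dhgroup>2</dhgroup>
    <lifetime>172800</lifetime>
    <pre-shared-key>PLACEHOLDER-PSK</pre-shared-key>
    <authentication_method>pre_shared_key</authentication_method>
  </p1>
  <p2>
    <protocol>esp</protocol>
    <encryption-algorithm-option>rijndael</encryption-algorithm-option>
    <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
    <pfsgroup>2</pfsgroup>
    <lifetime>86400</lifetime>
  </p2>
  <descr>IPSEC template</descr>
</tunnel>"""

WEAK_DH_GROUPS = {"1", "2"}      # 768-bit and 1024-bit MODP groups
WEAK_HASHES = {"md5", "sha1"}    # compared after stripping any "hmac_" prefix


def parse_tunnel(xml_text):
    """Pull the stability- and security-relevant fields out of one <tunnel> block."""
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path)
        return (el.text or "").strip().lower() if el is not None else ""

    return {
        "disabled": root.find("disabled") is not None,   # <disabled/> is a bare flag
        "remote_gateway": text("remote-gateway"),
        "p1_mode": text("p1/mode"),
        "p1_auth": text("p1/authentication_method"),
        "p1_hash": text("p1/hash-algorithm"),
        "p1_dhgroup": text("p1/dhgroup"),
        "p1_lifetime": int(text("p1/lifetime") or 0),
        "p2_hash": text("p2/hash-algorithm-option").replace("hmac_", ""),
        "p2_pfsgroup": text("p2/pfsgroup"),
        "p2_lifetime": int(text("p2/lifetime") or 0),
    }


def review_tunnel(cfg):
    """Return (code, message) findings; an empty list means nothing was flagged."""
    findings = []
    if cfg["disabled"]:
        findings.append(("disabled",
                         "tunnel carries <disabled/>; nothing negotiates until it is removed"))
    if cfg["p1_mode"] == "aggressive" and cfg["p1_auth"] == "pre_shared_key":
        findings.append(("aggressive-psk",
                         "aggressive mode with a PSK sends the identity and PSK-derived hash "
                         "before encryption is up; the PSK must be long and random, or use "
                         "certificates/main mode where the peer has a fixed address"))
    if cfg["p1_dhgroup"] in WEAK_DH_GROUPS:
        findings.append(("weak-dh",
                         f"phase 1 DH group {cfg['p1_dhgroup']} is 1024-bit or smaller"))
    if cfg["p1_hash"] in WEAK_HASHES:
        findings.append(("weak-hash-p1", f"phase 1 hash {cfg['p1_hash']} is deprecated"))
    if cfg["p2_hash"] in WEAK_HASHES:
        findings.append(("weak-hash-p2", f"phase 2 hash {cfg['p2_hash']} is deprecated"))
    if cfg["p2_lifetime"] > cfg["p1_lifetime"]:
        findings.append(("lifetime-order",
                         "phase 2 lifetime exceeds phase 1 lifetime; child SAs can outlive "
                         "the IKE SA that created them, which complicates rekeying"))
    if cfg["p2_pfsgroup"] and cfg["p2_pfsgroup"] != cfg["p1_dhgroup"]:
        findings.append(("pfs-mismatch",
                         "PFS group differs from the phase 1 DH group; confirm the remote "
                         "side proposes the same PFS group or phase 2 will not complete"))
    return findings


def finding_codes(xml_text):
    """Convenience wrapper: just the finding codes for a tunnel block."""
    return {code for code, _ in review_tunnel(parse_tunnel(xml_text))}


if __name__ == "__main__":
    for code, msg in review_tunnel(parse_tunnel(SAMPLE_TUNNEL)):
        print(f"[{code}] {msg}")
```

Run against the posted template it flags the `<disabled/>` element first, which is the kind of silent cause that survives reboots and SAD/SPD flushes. The remaining findings are about negotiation choices, not outright errors: the poster's mobile clients sit on dynamic cable/DSL addresses, where aggressive mode with a PSK is the usual pairing, so the practical mitigation is a long random PSK rather than a mode change. Both peers must agree on every phase 1 and phase 2 parameter, so comparing the output for the two ends of an unstable tunnel is a quick way to spot a proposal mismatch.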