[KLUG Members] PIX/FreeS/WAN problems.

[Adam Bultman]

Good morning everybody.  

I have some questions here.  Does anyone else here have some setups for 
VPN tunnels inbetween linux machines and Cisco PIX machines?

I have some customers who have PIXes and the VPNs keep dropping.  

So far, I've been able to whittle down some of the possibilities into a 
couple of.. whatever: 

1. connectivity issues. Maybe their connection is dying and coming back
up, and the tunnel is suffering as a result. 
2.  IKE/tunnel lifetimes.  
FreeS/WAN has a maximum (and current) lifetime of 8 hours while the PIX
has a (max, and current) lifetime of 24 hours.


#1 seems fairly plausible, but I dont' know if it would make the tunnels 
die (and they die a few times a day)
#2.. unproven. We have another customer with a PIX, and when we changed 
the lifetime on our end (their PIX lifetime is 1 hr... wierd) to match 
that of the PIX, things got better. Not *perfect*, but better.


These problems have only arisen in the past few weeks, and I'm wondering 
if there's anything else going on (IOS upgrades?  Attacks?) but I can't 
prove it, since the customer doesn't always know.  I can't just chalk it 
up to 'well, that's the way things go', since I don't like bouncing VPN 
tunnels a few times a day (and no, I will NOT make cron jobs.  
although...)  So does anyone else have this configuration, and if so, do 
you have the same problems? I've googled for a bit, but haven't found 
much.  

Adam


-- 
adamb@glaven.org
[ www.glaven.org ]