We have a PIX 515e running OS 7 at the hub, and a Cisco 2801 on one spoke that's been working reliably.
I just added two SOHO spokes -- one with a Netgear FVX538 VPN router and one with a generic Linux box running CentOS4 using IPSEC Tools (setkey and racoon) to configure the kernel IPSEC support.
Both of the new SOHO spokes work when I first bring them up, but then at some point they will independently stop working.
The Netgear has a gui to monitor the vpn(s). Even though there is only one tunnel to the PIX (IKE policy), I had to configure 5 different VPN policies, one for each subnet in our system. A typical scenario will be that one VPN policy will stop working but the gui presents it as connected. Other VPN policies, using the same IKE tunnel will continue working. Disconnecting the bad VPN policy and then reconnecting it makes it work again.
I think this is the lack of both ends supporting (or being configured for) keepalives for a resilient connection. I read somewhere in a Cisco doc that its keepalive mechanism generally only works between two Cisco boxes. Is this true? And what is the IPSEC standard way to detect when a link is broken so it can be rebuilt?
Also, what can cause an IPSEC tunnel to go down in the first place? It happens too often to be real connection failures. It will last for 30 minutes to a couple hours.
--BobG
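On the racoon side, the standards-based liveness check is Dead Peer Detection (RFC 3706). Below is an added example, not BobG's configuration, of a racoon.conf "remote" block that enables DPD; the peer address and the proposal are assumed placeholders, and the PIX must also advertise DPD support (its ISAKMP keepalive) for the two ends to negotiate it.

```conf
# Added example (not from the post): racoon.conf remote block for the CentOS spoke
# with Dead Peer Detection enabled. 192.0.2.1 is a placeholder for the PIX outside
# address; the proposal below is an assumption, not the poster's actual settings.
remote 192.0.2.1 {
        exchange_mode main;
        nat_traversal on;       # harmless without NAT; required if the SOHO box sits behind one
        dpd_delay 20;           # send an R-U-THERE probe after 20 s without traffic from the peer
        dpd_retry 5;            # wait 5 s for R-U-THERE-ACK before resending the probe
        dpd_maxfail 5;          # after 5 unanswered probes, drop the SAs so they can be renegotiated
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
```

With DPD on both peers, a tunnel whose remote end has silently gone away is torn down within roughly dpd_delay + dpd_retry * dpd_maxfail seconds instead of lingering until the SA lifetime expires.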