Openswan IPSec connection (to a cisco asa) disconnects every 18 hours - cisco

We have a CentOS 5.5 (vm) with Linux Openswan U2.6.32 installed. On it, we have an IPSec tunnel with a peer that is a cisco asa. The tunnel disconnects every 18 hours (we need the tunnel to stay up all the time).
We have tested many setups at the openswan but currently we have the following configuration:
auto=start
type=tunnel
keyexchange=ike
authby=secret
rightrsasigkey=%cert
leftrsasigkey=%cert
compress=no
esp=aes256-sha1
ike=aes256-sha1-modp1536
pfs=no
ikelifetime=24h
keylife=1h
dpddelay=2
dpdtimeout=1000
dpdaction=restart
rekey=yes
We do not have access to the peer device.
Has anyone faced this issue before?

There is a chance you have some misalignment with the Cisco ASA around one of the tunnel metrics. For example, a common misalignment is around the IPsec session timeout (not the IKE session, which you configured for 24h).
in this case the missing property from your config is
salifetime=18h
Once both sides are aligned rekey will happen properly
Other suggestions:
a) reduce the dpdtimeout to something much lower than 1000 secs (the common setups are between 30 sec and 3 min)
if this doesn't help, you might want to recheck how the ASA is configured, making sure it's not set to drop the tunnel every n Kb or when the tunnel is idle
b) change the dpdaction from restart to restart_by_peer
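A small checker for the mismatch this answer describes, added here as an example and not taken from the thread: it parses the asker's lifetime and DPD settings, compares them with the peer's lifetimes (assumed values, since the ASA is not accessible) and flags DPD timing outside the range given above.

```python
"""Check an Openswan conn block against the peer's lifetimes and DPD timing."""
import re
# The asker's lifetime and DPD settings; the rest of the conn is not needed here.
CONN = """
ikelifetime=24h
keylife=1h
dpddelay=2
dpdtimeout=1000
dpdaction=restart
"""

# Assumed peer values in seconds (constructed, not read from a real ASA):
# IKE at 24h and an IPsec SA lifetime of 18h, as the answer above suggests.
PEER = {"ike_lifetime": 86400, "ipsec_lifetime": 64800}

_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_duration(value: str) -> int:
    """ipsec.conf durations: bare seconds or a number with an s/m/h/d suffix."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]

def parse_conn(text: str) -> dict:
    """key=value lines of a conn section into a dict; comments and blanks skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, val = line.split("=", 1)
            conf[key.strip()] = val.strip()
    return conf

def check_tunnel(conf: dict, peer: dict) -> list:
    """Return findings as strings; an empty list means both sides agree."""
    findings = []
    ike = parse_duration(conf.get("ikelifetime", "1h"))          # Openswan default 1h
    # this checker reads salifetime if present, else keylife (Openswan default 8h)
    sa = parse_duration(conf.get("salifetime", conf.get("keylife", "8h")))
    if ike != peer["ike_lifetime"]:
        findings.append(f"ikelifetime {ike}s != peer IKE lifetime {peer['ike_lifetime']}s")
    if sa != peer["ipsec_lifetime"]:
        findings.append(f"IPsec SA lifetime {sa}s != peer IPsec lifetime {peer['ipsec_lifetime']}s")
    delay = parse_duration(conf.get("dpddelay", "30"))
    timeout = parse_duration(conf.get("dpdtimeout", "120"))
    if timeout <= delay:
        findings.append("dpdtimeout must be larger than dpddelay")
    elif not 30 <= timeout <= 180:
        findings.append(f"dpdtimeout {timeout}s is outside the usual 30-180s range")
    return findings
```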

Related

SSH - Connection reset by peer - Linux Host

I have a hosting account with Linux shared hosting account with GoDaddy, recently my ssh access stopped working, this is the error:
Toms-MacBook-Pro:production tom$ ssh tomheather50#192.186.452.73
ssh_exchange_identification: read: Connection reset by peer
This happens on my wifi connection however if I create a mobile phone hotspot and connect through my phone's 3g network I can successfully connect with no errors....
I have contacted GoDaddy support various times over the past 2 days and they have not been much help at all, simply put they have said I should just connect through the mobile network!!
After sending a traceroute to them I got this response.
We are tracking instances of connections dropping and being
intermittent through Level 3 and their IP 4.34.191.254. I noticed
that your connection that is having difficulty is being routed through
this path while the connection that did work is not routing through.
We are reaching out to Level 3 Communications to see if they can
identify and fix this situation. We are seeing more cases like yours
pop up from both Europe and the US. In the meantime I would recommend
using a connection that does not trace through Level 3 if at all
possible.
I'm not sure what that means, and it staggers me that GoDaddy cannot ensure I can connect through my wifi connection!
Any advice, explanation and of course help would be great please guys.
The message indicates an internet connection issue in the Level3 network (i.e. somewhere in between your wifi network/internet provider and the godaddy site). Nothing that either you or godaddy can do to fix it, only Level3 can.
The suggestion is to use an alternate path, which happens when you use the 3G network provider (instead of your internet provider). By chance, I might add - the path between some 3G providers and godaddy can still go through Level3's affected network.
Eventually Level3 will fix the issue (large providers usually do that pretty fast) and things will come back to normal.
It's always a good idea to have an alternate provider, your 3G one helped.
BTW: traceroute is the tool to check which path packets go through between your machine and the server you want to reach: https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man8/traceroute.8.html
ssh_exchange_identification: read: Connection reset by peer
After a lot of struggle, I fixed the ssh connection refused by simply running the following command.
sudo dhclient

Ubuntu DHCP central server

I have very little experience on this, so I am asking to see if this is even possible. I have 4 different ADSL connections, each one connected to one access point, so I have 4 different LANs in total. I provide a free hotspot on each access point (same SSID) and the users roam from one access point to the other as they move through the area. (The area is a long road and the distance between each AP is about 100m).
Anyway, I saw on the modems the option for DHCP relay, so I am asking this.
Can I build a central server (internet accessible) with Ubuntu and a DHCP server on it and set up the modems to use this as the DHCP server? So the user keeps the same IP as it moves from one AP to the other. All ADSL modems will have the same IP, so the gateway will remain the same for all networks. I don't know if this is good, so I am asking this question just to tell me what is the best way: to build a central server or to leave each modem acting as a DHCP server?
Because my English is not very good, I hope you understand my question.
Thanks a lot!
This can be done, but I don't know if it will provide any benefit to you:
User comes online from AP1, DHCP discover is received by the modem and relayed to the DHCP server, response is sent back and the user receives and binds to IP.
User crosses the threshold and changes to AP2. Because the media has changed, the user will re-discover and perform the DHCP process again. They will most likely be allocated the same address again (presuming the lease hasn't expired or been administratively removed), but you're still re-binding the IP. Because you are re-binding the IP on the User, any open TCP connections would likely be severed.
I think that this is what you're trying to avoid by allocating the same address across all devices, but please do correct me if I'm wrong.

Vidalia and Tor: Controlling when the identity changes

I'm performing some latency measurements over the Tor network. To avoid congesting the relays, each run of my test lasts about 15 to 20 minutes, consuming an average bandwidth of 2 kbps.
Because of the way the relay works, my measurements get disrupted because the identity automatically changes every few minutes. I wonder if someone knows how to do these:
Specify the time interval between identity changes. Alternatively, disabling the automatic identity change and allowing me to use vidalia's control panel to change identities manually
Specify an IP address as an exit relay. I edited torrc, setting ExitNodes to an ipaddress, and StrictNode to 1, but after an initial connection to that specific exit relay and 1 http connection to the outside world, no subsequent traffic is routed out of tor.
I unfortunately can't seem to find an answer to my dilemma looking at previous questions. :-/ My setup consists of ubuntu 12.04 lts, installing vidalia and tor using apt-get and firefox connecting to tor using socks via localhost:9050
1) Specify the time interval between identity changes.
Hi Nina, thanks for being careful about the load you put on the network! By default Tor cycles your circuits every ten minutes. You can customize this with the MaxCircuitDirtiness option in your torrc.
2) Specify an IP address as an exit relay.
Tor does not make this particularly easy. Probably the best option would be to extend one of your existing circuits to the desired endpoint. You can do this via stem using the extend_circuit() method.
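The two steps above, added here as an example that is not from the answer or from stem: it speaks the Tor control protocol directly, sending the same SETCONF and EXTENDCIRCUIT commands that stem's set_conf() and extend_circuit() wrap. It assumes ControlPort 9051 with no authentication, and the exit fingerprint is a constructed placeholder.

```python
"""Pin Tor's circuit lifetime and extend a built circuit over the control port
(the commands stem's set_conf() and extend_circuit() send). Assumes ControlPort 9051, no auth."""
import re
import socket

CONTROL = ("127.0.0.1", 9051)
EXIT_FP = "$" + "A" * 40      # constructed placeholder, not a real relay fingerprint

def status_of(reply: str) -> tuple:
    """(code, text) of the reply's final line; raises unless the code is 250."""
    last = reply.rstrip("\r\n").splitlines()[-1]
    code, text = last[:3], last[4:]
    if code != "250":
        raise RuntimeError(f"control port returned {code}: {text}")
    return code, text

def setconf_dirtiness(seconds: int) -> str:
    """Command replacing the ten-minute default before a circuit is retired."""
    if seconds <= 0:
        raise ValueError("MaxCircuitDirtiness must be a positive number of seconds")
    return f"SETCONF MaxCircuitDirtiness={seconds}"

def built_circuits(circuit_status: str) -> list:
    """IDs of circuits in BUILT state from a GETINFO circuit-status reply."""
    return re.findall(r"(?:^|=)(\d+) BUILT ", circuit_status, re.M)

def extend_command(circuit_id: str, fingerprint: str) -> str:
    """EXTENDCIRCUIT <id> $<fp> appends the relay as the circuit's last hop."""
    fp = fingerprint.lstrip("$").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fp):
        raise ValueError("relay fingerprint must be 40 hex digits")
    return f"EXTENDCIRCUIT {circuit_id} ${fp}"

def extended_id(reply: str) -> str:
    """Circuit ID from a '250 EXTENDED <id>' reply."""
    m = re.fullmatch(r"EXTENDED (\d+)", status_of(reply)[1])
    if not m:
        raise RuntimeError("unexpected EXTENDCIRCUIT reply: " + reply.strip())
    return m.group(1)

def run(dirtiness: int = 1200, exit_fp: str = EXIT_FP) -> str:
    """Live session: authenticate, set the lifetime, extend the first BUILT circuit."""
    with socket.create_connection(CONTROL, timeout=5) as s:
        def ask(cmd: str) -> str:           # one recv suffices for these short replies
            s.sendall((cmd + "\r\n").encode())
            return s.recv(65536).decode()
        status_of(ask("AUTHENTICATE"))
        status_of(ask(setconf_dirtiness(dirtiness)))
        circuits = built_circuits(ask("GETINFO circuit-status"))
        return extended_id(ask(extend_command(circuits[0], exit_fp)))
```

Streams still have to be attached to the extended circuit (ATTACHSTREAM, or stem's attach_stream()) for traffic to leave through that relay.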

Multiple VPN connections behind NAT

I have the following problem:
I have a Windows 2003 RAS VPN server configured with a single NIC (let's call it LAN1) behind a firewall (let's call its public address WAN1). PPTP & L2TP ports are forwarded to the server.
When a client (Windows or LINUX) in a remote network behind a firewall (LAN2) tries to connect to a PPTP VPN on the WAN1 everything goes fine.
When a second client in the same LAN2 tries to connect to the same VPN on the same WAN1 I get an error 629.
It's independent of which machine gets the first connection.
Apparently the problem is also independent of the router/firewall hardware of LAN2 (we have tested it from at least five different types of remote small router/firewalls - Linksys, Huawei, D-Link, etc.)
The firewall WAN1 listens to two internet connections. The problem is independent of which external address the clients are pointing to (even if two different workstations point to different IP addresses to attempt to establish a VPN).
Inside LAN1, there is no such limitation and multiple workstations connect just fine.
There's also no limitation from different remote LANs.
Is this a limitation of PPTP protocol?
Thanx in advance.
From your description it sounds like the issue is at the remote end. You mention that when a second user from LAN2 attempts to reach the same VPN server at WAN1 you receive an error.
Depending on the firewall mechanism in use there can be a "limitation" that exists with regard to PPTP connection tracking and multiple VPN connections to the same server address.
Google: pptp multiple connections to same ip
Due to the way in which NAT tracks PPTP connections, specific modules need to be loaded in order to handle multiple connections to a single server.
If it's netfilter based, make sure 'nf_conntrack_pptp' and 'nf_nat_pptp' are loaded.

SYN packets dropped occasionally on Linux

We're running Debian with a 2.6.16 kernel, with iptables enabled. The system is running a custom-made HTTP proxy, which is subjected to a mild load (it works fine with the same load on other sites). The system comprises 4 servers that are preceded by a load balancer with a virtual IP, which is preceded by an array of 4 ISA 2004 machines, so the basic topology is:
Client -> ISA [1-4] -> Load Balancer -> Our Proxy [1-4] -> The Internet
Occasionally, the ISA will send us a SYN packet, to which no SYN-ACK is being sent. It will try again after 3 seconds, and a third time after another 6 seconds, after which it will report the proxy down, and switch to direct connection. During this time, meaning before, in between and after those 3 SYNs, other SYNs from the same ISA come and are successfully answered to.
A very similar problem is being reported by others (with no solution, however):
All coming from a flavor of Linux called CentOS. Its peculiarity is in having iptables enabled by default.
http://www.linuxhelpforum.com/showthread.php?t=931912&mode=linear
http://www.centos.org/modules/newbb/viewtopic.php?topic_id=16147
Almost the same: but a bit different:
http://www.linuxquestions.org/questions/linux-networking-3/tcp-handshake-fails-synack-ignored-by-system.-637171/
Also seems to be relevant:
http://groups.google.com/group/comp.os.linux.networking/browse_thread/thread/b1c000e2d65e0034
I suspect iptables to be a culprit, but any additional feedback will be welcome.
Look at the second parameter to the listen call, as mentioned in the first link you posted. It's the maximum number of pending (not accepted yet) connections. According to the listen(2) man page, if the protocol supports retransmission (TCP does), the connection request will be dropped when the queue is full (expecting a later retransmission which will create the connection if there is enough space in the queue again).
Indeed, iptables turned out to be the culprit, with the rule that dropped INVALID packets. We still do not know for sure what made iptables think those SYNs were invalid (no TIME_WAIT for sure, since we did not have any traffic with the same source ports for at least 30 mins prior to the drops).
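One way to confirm that the INVALID rule is what eats the SYNs, added here as an example that is not from the thread: insert a LOG rule ahead of the DROP, then group the logged SYNs by connection 4-tuple so the 0 s / +3 s / +6 s retransmission pattern of a client that never got a SYN-ACK stands out. The log lines below are constructed samples in netfilter's LOG format.

```python
"""Group SYNs that the iptables INVALID rule dropped, from kernel LOG lines.

Assumes a logging rule was inserted ahead of the DROP rule, for example
  iptables -I INPUT -m state --state INVALID -p tcp --syn -j LOG --log-prefix "INVALID-SYN: "
so each dropped SYN is written to the kernel log with its addresses and ports.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in netfilter's LOG format (not a real capture): one client
# port retries its SYN after 3 s and again 6 s later, matching the ISA behaviour.
SAMPLE_LOG = """\
Mar  3 10:15:01 proxy1 kernel: INVALID-SYN: IN=eth0 OUT= SRC=10.1.1.20 DST=10.1.2.5 LEN=48 PROTO=TCP SPT=3155 DPT=8080 WINDOW=65535 SYN URGP=0
Mar  3 10:15:02 proxy1 kernel: INVALID-SYN: IN=eth0 OUT= SRC=10.1.1.21 DST=10.1.2.5 LEN=48 PROTO=TCP SPT=4001 DPT=8080 WINDOW=65535 SYN URGP=0
Mar  3 10:15:04 proxy1 kernel: INVALID-SYN: IN=eth0 OUT= SRC=10.1.1.20 DST=10.1.2.5 LEN=48 PROTO=TCP SPT=3155 DPT=8080 WINDOW=65535 SYN URGP=0
Mar  3 10:15:10 proxy1 kernel: INVALID-SYN: IN=eth0 OUT= SRC=10.1.1.20 DST=10.1.2.5 LEN=48 PROTO=TCP SPT=3155 DPT=8080 WINDOW=65535 SYN URGP=0
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: INVALID-SYN: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
    r"(?P<rest>.*)$")

def parse_line(line: str):
    """(timestamp, (src, spt, dst, dpt)) for a logged TCP SYN, else None."""
    m = LINE.match(line)
    if not m or " SYN" not in m.group("rest"):
        return None      # non-SYN hits (from a broader LOG rule) are not handshakes
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, (m.group("src"), m.group("spt"), m.group("dst"), m.group("dpt"))

def dropped_syn_bursts(log_text: str, min_syns: int = 3) -> dict:
    """4-tuple -> offsets (s) of each dropped SYN, for flows with min_syns or more."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            flows[parsed[1]].append(parsed[0])
    return {k: [int((t - v[0]).total_seconds()) for t in v]
            for k, v in flows.items() if len(v) >= min_syns}
```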