[Shorewall-users] Need help with IPSEC, net view and shorewall

Cowles, Steve Steve@SteveCowles.com
Sat, 6 Apr 2002 07:30:38 -0600


> -----Original Message-----
> From: Alois Schneider [mailto:alois@sillian.com]
> Sent: Saturday, April 06, 2002 3:22 AM
> To: Tom Eastep
> Cc: shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] Need help with IPSEC, net view and
> shorewall
>

<SNIP>
 
> Ok, I added the rules *) but the problem still exists. After 
> some time of inactivity I cannot ping across the tunnel and
> get the following errors:
>
 
<SNIP>

> 
> Shorewall:all2all:REJECT:IN= OUT=ipsec0 SRC=x.x.x.x DST=y.y.y.y LEN=328 
> TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=308
> Pluto[15685]: "Alois" y.y.y.y #3: responding to Quick Mode
> Pluto[15685]: ERROR; "Alois" y.y.y.y #3: sendto y.y.y.y:500 failed in 
> STATE_QUICK_R0. Errno1: Operation not permitted
> Pluto[15685]: "Alois" y.y.y.y #3: ERROR: asynchronous network 
> error report on eth0 for message to y.y.y.y port 500, complainant x.x.x.x:
> Connection refused
> Pluto[15685]: "Alois" y.y.y.y #3: discarding duplicate 
> packet; allready STATE_QUICK_R1
> 

Have you tried decreasing the "keylife" parameter for your connection
profile? i.e. something like:

keylife=5m

BTW: There are many other relevant (key/rekey) parameters that might help
resolve the problem you have described.

Steve Cowles
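As an added example (not part of the thread, and not Shorewall's or FreeS/WAN's own code), a small Python script that parses the "Shorewall:<chain>:<disposition>:" log prefix and the kernel's key=value fields from the line quoted above, and flags IKE (UDP/500) rekeying traffic that was rejected while leaving via an ipsec interface, which is what the quoted log shows. The first sample line is the post's own (rejoined onto one line); the second is a constructed contrast line.

```python
import re

# Shorewall log prefix "Shorewall:<chain>:<disposition>:" followed by the
# kernel's netfilter key=value fields (IN= OUT= SRC= DST= PROTO= SPT= DPT= ...).
SHOREWALL_LOG = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):(?P<fields>.*)")
# A field is KEY=VALUE; VALUE may be empty ("IN=" on locally generated packets).
# Bare flags such as "DF" or "SYN" carry no "=" and are ignored.
FIELD = re.compile(r"([A-Z]+)=(\S*)")

IKE_PORT = "500"  # ISAKMP/IKE, the port Pluto sends rekeying traffic to

def parse_shorewall_log(line):
    """Return a dict of chain, disposition and netfilter fields, or None if not Shorewall."""
    m = SHOREWALL_LOG.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for key, value in FIELD.findall(m.group("fields")):
        # LEN appears twice (IP total length, then UDP length); keep the first (IP) one.
        rec.setdefault(key, value)
    return rec

def is_ike_blocked_on_tunnel(rec):
    """True when IKE (UDP/500) was rejected or dropped on its way out of an ipsecN device.

    An empty IN= means the packet was generated locally (here by Pluto); OUT=ipsec0
    rather than eth0 means the IKE packet was routed into the tunnel interface."""
    if rec is None or rec["disposition"] not in ("REJECT", "DROP"):
        return False
    return (rec.get("PROTO") == "UDP" and rec.get("DPT") == IKE_PORT
            and rec.get("OUT", "").startswith("ipsec"))

def diagnose(line):
    """One-line verdict for a log line, for use in a log-review loop."""
    rec = parse_shorewall_log(line)
    if rec is None:
        return "not a Shorewall log line"
    if is_ike_blocked_on_tunnel(rec):
        return (f"IKE rekey {rec['disposition']}ed in chain {rec['chain']}: "
                f"{rec['SRC']} -> {rec['DST']} via {rec['OUT']}")
    return f"{rec['disposition']} in {rec['chain']} ({rec.get('PROTO')} to port {rec.get('DPT')})"

# Line quoted in the post (rejoined onto one line, placeholders kept as-is).
POST_LINE = ("Shorewall:all2all:REJECT:IN= OUT=ipsec0 SRC=x.x.x.x DST=y.y.y.y LEN=328 "
             "TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=308")
# Constructed contrast line: an ordinary inbound TCP drop, unrelated to IKE.
OTHER_LINE = ("Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 "
              "TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=40000 DPT=22 SYN")

if __name__ == "__main__":
    for line in (POST_LINE, OTHER_LINE):
        print(diagnose(line))
```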