Bug - IPsec KeepAlive

eureka · Oct 22, 2008, 9:58 PM

Hi everyone!
Im using this version:

1.3-ALPHA-ALPHA
built on Mon Oct 6 20:23:59 EDT 2008
FreeBSD 7.0-RELEASE-p5

Setting IP address in IPsec tunnel appears to not ping host.

From looking around the only thing i can figure out is that this is attempting to ping from the WAN interface. If this is the case trying to ping my "internal" address to keep my IPsec up wont work as the wan interface doesn't know how to get to the internal address.

Is there a way to set the interface used to ping?
My current workaround is to setup a cronjob on the pfbox to ping every 10 sec from the internal interface.

i.e. ping -S ping.from.lan.inf to.int.vpn.ip

Please let me know if im just setting this up wrong!

Thanks all.

-Eureka

cmb · Oct 22, 2008, 9:58 PM

what does /var/db/ipsecpinghosts contain?

nocer · Oct 23, 2008, 12:01 AM

Hi

How about you try something more recent build? Many glitches have been addressed in the recent build.

cheers,

eureka · Oct 23, 2008, 9:55 PM

Hi,
Ill upgrade to the latest snapshot asap.
This is what i found in the file you suggested.

|ip.to.ping.here|

e.x.

(ip address that if pinged should initiate the VPN connection.
|10.10.8.77|

-E

@cmb:

what does /var/db/ipsecpinghosts contain?

eureka · Oct 23, 2008, 11:37 PM

Hi All,
I have not yet had a chance to test this again but after doing to update i now see this in /var/db/ipsecpinghosts

|10.10.8.1|3

cmb · Oct 26, 2008, 11:03 PM

That's the problem, the new IPsec doesn't put the source IP in there and hence it isn't used. Will report to the author of the new IPsec code.

eureka · Oct 27, 2008, 8:12 AM

Thanks!
If you want to send me a PM or repost here after any changes are made to this i would be happy to test it for you!

-E

@cmb:

That's the problem, the new IPsec doesn't put the source IP in there and hence it isn't used. Will report to the author of the new IPsec code.