[Openswan Users] Routing Issue

David McCullough david_mccullough at mcafee.com
Tue Jun 5 21:09:50 EDT 2012


Jivin Luis Nagaki lays it down ...
> I do get DPD=NONE in the secure log, but I don't think that is the same
> as dpdaction, right?

That means DPD is not active IIRC.

> On Tue, Jun 5, 2012 at 7:43 PM, Luis Nagaki <luis.nagaki at gmail.com> wrote:
> > I actually found a site that had a howto for an iPhone setup, which is
> > not what I want, but I followed it and still nothing works.
> >
> > I have dpdaction=restart_by_peer in my vpnclient.conf file on the client
> > and server side, because I have auto=start.


Ok, just in case I have missed something, also add:

	dpddelay = 15
	dpdtimeout = 30

and see how that goes.

> > When I reboot or restart the service on the client side, the routes
> > are gone. It's not until I reboot the service on the server that the
> > routes come back =|.. I'm ALMOST there.. just need to fix this one
> > thing.

Sounds like you need to get DPD enabled, and for some reason it isn't.
Check the Openswan logs for the SA established lines and see what is
negotiated.

Cheers,
Davidm



> >
> > On Tue, Jun 5, 2012 at 7:18 PM, David McCullough
> > <david_mccullough at mcafee.com> wrote:
> >> Jivin Luis Nagaki lays it down ...
> >>> How do I turn it on? I've looked around for this option with no luck :/
> >>
> >> You need to set "dpdaction" to restart_by_peer for any end-points
> >> with "auto = start", and set it to "clear" for any with "auto = add".
> >>
> >> The basic idea is that if the end point you are configuring knows the IP
> >> address of the remote end point, then you want restart_by_peer, otherwise
> >> you want clear.
> >>
> >> You can change the timeouts for DPD if you want but I would just go with
> >> the defaults for now, see here:
> >>
> >>         http://linux.die.net/man/5/ipsec.conf
> >>
> >> Look for dpddelay, dpdtimeout and dpdaction.
> >>
> >> Cheers,
> >> Davidm
> >>
> >>>
> >>>
> >>>
> >>> On Jun 5, 2012, at 6:54 PM, David McCullough
> >>> <david_mccullough at mcafee.com> wrote:
> >>>
> >>> >
> >>> > Jivin Luis Nagaki lays it down ...
> >>> >> Ok everything is working..
> >>> >>
> >>> >> But.. final thing..
> >>> >>
> >>> >> IF i have the clients connected, and i reboot a client... once it
> >>> >> comes back online the tunnel is created, i can ping the VPN Server
> >>> >> internally. BUT i can not ping the client UNLESS i restart the ipsec
> >>> >> service. I dont want to do this everytime i lose a connection etc.
> >>> >
> >>> > Do you have dead peer detection enabled? If not, that should solve it for
> >>> > you.
> >>> >
> >>> > Cheers,
> >>> > Davidm
> >>> >
> >>> > --
> >>> > David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
> >>> > McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
> >>>
> >>>
> >>
> 
> 

-- 
David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
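The two-ended DPD setup the reply describes, written out as an added example (it is not the original poster's configuration, and the conn name, IDs, subnet and the 203.0.113.10 server address are assumptions). The two conn blocks belong in separate ipsec.conf files, one per host; dpddelay and dpdtimeout are set explicitly on both ends, as the reply suggests, since Openswan only arms DPD when they are present:

```ini
# --- /etc/ipsec.conf on the VPN server (assumed example, not from the thread) ---
# The server does not know the roaming client's address in advance, so the
# conn is loaded with auto=add and waits for the client to initiate.
# dpdaction=clear tears down the SA and its routes when the client stops
# answering, leaving the client to re-initiate when it comes back.
conn roadwarrior
        left=%defaultroute            # server's public interface
        leftsubnet=10.0.0.0/24        # assumed LAN behind the server
        leftid=@vpnserver.example.org # assumed ID
        right=%any                    # client address unknown until it connects
        rightid=@client1.example.org  # assumed ID
        authby=secret
        auto=add
        dpddelay=15
        dpdtimeout=30
        dpdaction=clear

# --- /etc/ipsec.conf on the client (assumed example, not from the thread) ---
# The client knows the server's address, so it initiates with auto=start.
# dpdaction=restart_by_peer renegotiates every SA to that peer once DPD
# declares it dead, which is what restores the routes after a reboot on
# either side without a manual ipsec restart.
conn roadwarrior
        left=%defaultroute
        leftid=@client1.example.org   # assumed ID
        right=203.0.113.10            # assumed server public address
        rightid=@vpnserver.example.org
        rightsubnet=10.0.0.0/24       # reach the server's LAN through the tunnel
        authby=secret
        auto=start
        dpddelay=15
        dpdtimeout=30
        dpdaction=restart_by_peer
```

After reloading on both hosts, `ipsec auto --status` should list the dpd action, delay and timeout for the conn, and the SA established lines in the log should no longer show DPD as none; if they still do, one side has not actually picked up the new conn settings.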