Hi there,

I post this message to get some advice on an issue we have with a setup we implemented.

|Oswan + Radius Srv|----(icmp/radius)----|Pix|----|Radius Server|

We successfully built a tunnel to a Cisco box; we allow on this tunnel only ICMP and RADIUS traffic thanks to the right/leftprotoport= statements.
So we have one phase 1 (ISAKMP) SA and 5 phase 2 (IPsec) SAs established.

The next step is to implement DPD, so after digging on the web, mailing list archives... we found a configuration that works pretty fine in most of the failure cases... except one :(

If we switch off the Pix, or if we unplug the network cable from the Pix for a while and then restart/plug the cable back in, DPD does its job, detecting the failure, removing the SAs and trying to renegotiate the lost SAs.
The problem we have then is that only one SA (random) is renegotiated and brought up automatically.
We need to have all the SAs renegotiated and up, even after a network failure.
Even if we try to send some traffic into the tunnel, the SAs are not renegotiated.

What I can't understand is why only one SA of the 5 SAs is brought back up; same for the eroutes, only one is up, the others are in hold or trap status...

The renegotiation does not fail, it is simply not initiated :/

I have seen in a recent post that we can adapt the _updown script to add "ipsec auto --replace conn" and "ipsec auto --up conn" but I did not succeed in finding the correct way to achieve this :(

Any ideas are welcome.
Thanks for your help!

ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan 2.4.7 (klips)
Checking for IPsec support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]


Here are the conf files in use:
========================
/etc/ipsec.conf
========================
...
include /etc/ipsec.d/ipsec.*.conf

conn common
	authby=secret
	type=tunnel
	auto=add #We use a script to bring up the SAs in // @ startup
	compress=yes
	dpddelay=30
	dpdtimeout=10
	dpdaction=restart
	# Left security gateway, subnet behind it, next hop toward right.
	left=10.0.1.124
	leftsubnet=10.0.1.123/32
	leftnexthop=10.0.1.254

========================
Conn specific configuration file
========================
conn cisco_SP_AUTH
	also=common
	pfs=no
	keyexchange=ike
	ike="3des-sha-modp1024"
	ikelifetime=28800
	esp="3des-md5"
	keylife=3600s
	# Left security gateway, subnet behind it, next hop toward right.
	leftprotoport="17/1814"
	# Right security gateway, subnet behind it, next hop toward left.
	right=X.Y.Z.52
	rightsubnet=X.Y.Z.57/32
	rightprotoport="17/1812"

conn cisco_SP_ACCT
	also=common
	pfs=no
	keyexchange=ike
	ike="3des-sha-modp1024"
	ikelifetime=28800
	esp="3des-md5"
	keylife=3600s
	# Left security gateway, subnet behind it, next hop toward right.
	leftprotoport="17/1814"
	# Right security gateway, subnet behind it, next hop toward left.
	right=X.Y.Z.52
	rightsubnet=X.Y.Z.57/32
	rightprotoport="17/1813"

conn cisco_NO_AUTH
	also=common
	pfs=no
	keyexchange=ike
	ike="3des-sha-modp1024"
	ikelifetime=28800
	esp="3des-md5"
	keylife=3600s
	# Left security gateway, subnet behind it, next hop toward right.
	leftprotoport="17/1812"
	# Right security gateway, subnet behind it, next hop toward left.
	right=X.Y.Z.52
	rightsubnet=X.Y.Z.57/32
	rightprotoport="17/0"

conn cisco_NO_ACCT
	also=common
	pfs=no
	keyexchange=ike
	ike="3des-sha-modp1024"
	ikelifetime=28800
	esp="3des-md5"
	keylife=3600s
	# Left security gateway, subnet behind it, next hop toward right.
	leftprotoport="17/1813"
	# Right security gateway, subnet behind it, next hop toward left.
	right=X.Y.Z.52
	rightsubnet=X.Y.Z.57/32
	rightprotoport="17/0"

conn cisco_ICMP
	also=common
	pfs=no
	keyexchange=ike
	ike="3des-sha-modp1024"
	ikelifetime=28800
	esp="3des-md5"
	keylife=3600s
	# Left security gateway, subnet behind it, next hop toward right.
	leftprotoport="1/0"
	# Right security gateway, subnet behind it, next hop toward left.
	right=X.Y.Z.52
	rightsubnet=X.Y.Z.57/32
	rightprotoport="1/0"
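As an added example (not the poster's script and not part of Openswan's stock _updown), here is one way to do what the post describes: a wrapper referenced from "conn common" as leftupdown= that delegates to the stock _updown and, when pluto tears down one of the five cisco conns, queues "ipsec auto --replace" and "ipsec auto --up" for the whole group so that all five SAs come back rather than one. PLUTO_VERB and PLUTO_CONNECTION are the environment variables pluto passes to the stock _updown; the wrapper path, the stock script location, the lock directory and the IPSEC_CMD override are assumptions, as is the choice of down-client/down-host as the verbs seen during a DPD teardown.

```shell
#!/bin/sh
# Hypothetical wrapper around the stock _updown (example, not from the post).
# Reference it from "conn common" as, e.g.:
#   leftupdown=/usr/local/libexec/ipsec/_updown-cisco      (assumed path)
# Pluto invokes it with the same arguments and environment as the stock script.

STOCK_UPDOWN=${STOCK_UPDOWN:-/usr/lib/ipsec/_updown}   # assumed stock script location
IPSEC_CMD=${IPSEC_CMD:-ipsec}                          # overridable for a dry run
LOCKDIR=${LOCKDIR:-/var/run/ipsec-cisco-restart.lock}  # assumed; one restart at a time

# The five conns from the posted configuration that must come back together.
GROUP="cisco_SP_AUTH cisco_SP_ACCT cisco_NO_AUTH cisco_NO_ACCT cisco_ICMP"

# is_group_member NAME: returns 0 if NAME is one of the grouped conns, 1 otherwise.
is_group_member() {
    for c in $GROUP; do
        [ "$c" = "$1" ] && return 0
    done
    return 1
}

# should_restart VERB NAME: returns 0 only when pluto is tearing down a grouped
# conn; up-* and route/unroute verbs never trigger a restart.
should_restart() {
    case "$1" in
        down-client|down-host) is_group_member "$2" ;;
        *) return 1 ;;
    esac
}

# restart_commands: prints, one per line, the whack commands that reload and
# bring up every conn of the group. --replace comes first so pluto re-reads the
# conn definition instead of reusing the torn-down state.
restart_commands() {
    for c in $GROUP; do
        echo "$IPSEC_CMD auto --replace $c"
        echo "$IPSEC_CMD auto --up $c"
    done
}

# Entry point, taken only when pluto invoked us (PLUTO_VERB is set).
if [ -n "$PLUTO_VERB" ]; then
    "$STOCK_UPDOWN" "$@"      # keep the stock route/firewall handling
    rc=$?
    if should_restart "$PLUTO_VERB" "$PLUTO_CONNECTION"; then
        # Pluto blocks until this script exits, and whack in turn waits for
        # pluto, so the restart has to run detached after the teardown settles.
        # The lock directory collapses five down-client calls into one restart.
        if mkdir "$LOCKDIR" 2>/dev/null; then
            ( sleep 10; restart_commands | sh; rmdir "$LOCKDIR" ) >/dev/null 2>&1 &
        fi
    fi
    exit $rc
fi
```

Before trusting the verb filter, log "$PLUTO_VERB $PLUTO_CONNECTION" to syslog from the wrapper during one forced Pix outage and confirm that the DPD teardown really arrives as down-client; if it arrives as unroute-client on this release, extend the case list accordingly. Running the restart through a lock and a delay is what keeps the five teardowns from each firing their own batch of --replace/--up commands against a pluto that is still deleting states.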