<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
<title></title>
<meta http-equiv="content-type" content="text/html;charset=utf-8"/>
<meta http-equiv="Content-Style-Type" content="text/css"/>
</head>
<body>
<div align="left">
<font face="Arial" size="2">
<span style=" font-size:10pt">
I am encountering a perplexing problem with my IPSec connection. I have 4 Bering uClibc
routers with openswan patches and configuration. Three of the routers are connected to the
central router in a hub and spoke configuration. The idea is to allow VPN access from the
LAN behind the spoke routers to the LAN behind the hub router. All the IPSec
configurations are essentially the same on all the routers except for the IP addresses in
ipsec.conf (of course) and the X509 certificates. </span></font>
</div>
<div align="left">
<font face="Arial" size="2">
<span style=" font-size:10pt">
<br />
</span>
</font>
</div>
<div align="left">
<font face="Arial" size="2">
<span style=" font-size:10pt">
On one of the routers, the VPN drops after a while. Sometimes the period between drops is
a few hours and sometimes it is as much as 2 days. The only way to re-establish the VPN is
to restart IPSec on the spoke router. I managed to capture barf output (which was difficult
since this router is in production and the users have learned to just restart the router in order
to restart IPSec when things don't work). I found it interesting that when the ipsec0 link fails,
ipsec_tncfg shows that the MTU for the underlying physical interface (eth0) is 0, as well as
the effective MTU! You will also note that I have tried to limit the MTU using overridemtu to
1400 since I originally suspected MTU issues. </span></font>
</div>
<div align="left">
<font face="Arial" size="2">
<span style=" font-size:10pt">
<br />
</span>
</font>
</div>
<div align="left">
<font face="Arial" size="2">
<span style=" font-size:10pt">
The interesting thing is that users are reporting that they can still access the internet through
eth0 (e.g. they can still surf the web).</span></font>
</div>
<div align="left">
<font face="Arial" size="2">
<span style=" font-size:10pt">
<br />
</span>
</font>
</div>
<div align="left">
<font face="Arial" size="2">
<span style=" font-size:10pt">
I also noticed that when this happens, there is a large packet loss (> 20%) on the link
between the routers. </span></font>
</div>
<div align="left">
<font face="Arial" size="2">
<span style=" font-size:10pt">
<br />
</span>
</font>
</div>
<div align="left">
<font face="Arial" size="2">
<span style=" font-size:10pt">
So, my question is: does anybody know what is going on? Could this be caused by dropped
packets in the network?</span></font>
</div>
<div align="left">
<font face="Arial" size="2">
<span style=" font-size:10pt">
<br />
</span>
</font>
</div>
<div align="left">
<font face="Arial" size="2">
<span style=" font-size:10pt">
Here is the extract from ipsec barf showing the tncfg output:</span></font>
</div>
<div align="left">
<font face="Arial" size="2">
<span style=" font-size:10pt">
<br />
</span>
</font>
</div>
<div align="left">
<font face="Courier New" size="2">
<span style=" font-size:10pt">
+ _________________________ proc/net/ipsec_tncfg</span></font>
</div>
<div align="left">
<font face="Courier New" size="2">
<span style=" font-size:10pt">
+ </span></font>
</div>
<div align="left">
<font face="Courier New" size="2">
<span style=" font-size:10pt">
+ cat /proc/net/ipsec_tncfg</span></font>
</div>
<div align="left">
<font face="Courier New" size="2">
<span style=" font-size:10pt">
ipsec0 -> NULL mtu=1400(0) -> 0</span></font>
</div>
<div align="left">
<font face="Courier New" size="2">
<span style=" font-size:10pt">
ipsec1 -> NULL mtu=0(0) -> 0</span></font>
</div>
<div align="left">
<font face="Courier New" size="2">
<span style=" font-size:10pt">
ipsec2 -> NULL mtu=0(0) -> 0</span></font>
</div>
<div align="left">
<font face="Courier New" size="2">
<span style=" font-size:10pt">
ipsec3 -> NULL mtu=0(0) -> 0</span></font>
</div>
<div align="left">
<font face="Arial" size="2">
<span style=" font-size:10pt">
<br />
</span>
</font>
</div>
<div align="left">
</div>
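<div align="left">
<font face="Arial" size="2">
<span style=" font-size:10pt">
An added monitoring check, not part of the original message: a POSIX shell function that parses /proc/net/ipsec_tncfg lines in the format shown above and flags the expected ipsecN interfaces that are detached (pointing at NULL) or report an effective MTU of 0, so a drop like this one can be caught from a cron job instead of waiting for users to notice. The interface names passed to it and the sample lines are assumptions; the bad sample reproduces the output from the barf extract.</span></font>
</div>

```sh
#!/bin/sh
# Added example, not the original poster's code. Assumed line format (from the
# post): "ipsecN -> physdev mtu=VIRT(PHYS) -> EFFECTIVE".
#
# check_tncfg IFACE...  reads tncfg text on stdin and prints one line per
# problem for each named interface. Exit status 0 = all named interfaces are
# attached with a non-zero effective MTU, 1 = at least one is detached,
# has effective MTU 0, or is missing from the output altogether.
check_tncfg() {
    awk -v want="$*" '
    BEGIN { n = split(want, w, " "); while (n > 0) { expect[w[n]] = 1; n-- } }
    ($1 in expect) {
        if ($2 != "->") next
        seen[$1] = 1
        eff = $6 + 0                      # effective MTU after the second arrow
        if ($3 == "NULL") {
            # virtual interface is not bound to any physical device any more
            printf "%s: detached (-> NULL), effective mtu %d\n", $1, eff
            bad = 1
        } else if (eff == 0) {
            # bound, but the kernel reports no usable MTU (e.g. mtu=1400(0))
            printf "%s: attached to %s but effective mtu is 0 (%s)\n", $1, $3, $4
            bad = 1
        }
    }
    END {
        for (v in expect) if (!(v in seen)) {
            printf "%s: missing from tncfg output\n", v; bad = 1
        }
        exit bad ? 1 : 0
    }'
}

# Constructed samples: the first mirrors the failing router in the post
# (ipsec0 should sit on eth0 with overridemtu=1400 but is detached), the
# second is what a healthy binding with overridemtu=1400 would look like.
SAMPLE_BAD='ipsec0 -> NULL mtu=1400(0) -> 0
ipsec1 -> NULL mtu=0(0) -> 0'
SAMPLE_OK='ipsec0 -> eth0 mtu=1400(1500) -> 1400'

# Demonstration; on a router replace the printf with: cat /proc/net/ipsec_tncfg
printf '%s\n' "$SAMPLE_BAD" | check_tncfg ipsec0 || echo "ALERT: ipsec0 tunnel interface is down"
```

Only the interfaces named on the command line are checked, so the unused ipsec1 to ipsec3 lines (which are NULL even on a healthy router with one connection) do not raise false alarms.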
</body>
</html>