<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Problems still persist - if I lose the other node, restart_by_peer
doesn't take down the policies so I still have the DNS problem I'm
trying to avoid. The tunnel does come up, though. Still, the reason
the DNS problem is a big one is that if it gets "locked" (because of
the presence of the policies but the absence of the tunnel) then
general internet access will also be affected b/c the DNS is unable to
resolve names.<br>
<br>
I'll try restart, though I don't expect there to be an improvement.
Hopefully, I'm wrong about that!<br>
<br>
Any tips?<br>
<br>
David McCullough wrote:
<blockquote cite="mid:20091007231256.GA9796@securecomputing.com"
type="cite">
<pre wrap="">Jivin Diego Rivera lays it down ...
</pre>
<blockquote type="cite">
<pre wrap="">Ok... so what you're saying is that restart_by_peer should have done the job, then? If so - then can you shed some more light into what the potential source of the problem is?
</pre>
</blockquote>
<pre wrap=""><!---->
The most likely cause is version 2.6.22. I have included the changelog
below from 2.6.22 to 2.6.23; there were quite a few "tunnels won't
come up/restart" bugs fixed.
It would be best if you can try 2.6.23 so that any problems you see are
new ones ;-)
Cheers,
Davidm
* Support for dropping unneeded capabilities using libcap-ng [Avesh]
(Changed using USE_LIBCAP_NG= in Makefile.inc)
* Additional ASN.1 parser checks by David McCullough [David]
* PSK support with USE_LIBNSS [Avesh Agarwal]
* Allow multiple different PSK road warriors with Aggressive Mode [David]
* Additional KLIPS debugging can be enabled in /proc/net/ipsec_saraw [David]
* Extended fipschecks [Avesh Agarwal]
* auto=route tunnels could fail due to an Opportunistic Encryption bug [David]
* passthrough routes on NETKEY were missing a policy [Michael H. Warfield]
* The init script was mistakenly installed twice, once as 'setup' [Paul/Harald]
* LSB compliance error in initscript (debian bug#537335) [Petter Reinholdtsen]
* Fix for old style nat-t patch on newstyle 2.6.23+ kernel [Paul]
* ipsec verify now returns non-zero when an error is encountered [Paul]
* Fix for ipsec whack --crash &lt;IP&gt; crasher [David]
* Partial fix for #1004. We no longer drop the port from protoport= [dhr/Paul]
transport mode L2TP now works again for the non-NAT'ed case
* Fix for size (XXX) differs from size specified in ISAKMP HDR (YYY) [David]
* Removed old USE_SMARTCARD code. Smartcards are now supported via NSS [Paul]
(not all code was properly #ifdef'ed, so a few changes outside #ifdef
SMARTCARD were needed)
* Prevent aggressive mode tunnels losing phase2 [David]
* Various fixes to eroutes [David]
* Bugtracker bugs fixed:
#1044: openswan.spec file builds an RPM that is missing lwdnsq [Joe Steele]
</pre>
<blockquote type="cite">
<pre wrap="">Cheers.
Paul Wouters wrote:
        On Wed, 7 Oct 2009, Diego Rivera wrote:
        
        
                I was using restart_by_peer but from what Paul says, that option means wait for the other side to
                re-establish the tunnel. Thus, nobody tries to re-establish (since both sides are configured identically,
                for easy maintenance).
                
        I was wrong. David was right :)
        
        Paul
        
--
Diego Rivera
Director / System Operations
Roundbox Global : enterprise : technology : genius
------------------------------------------------------------------------------------------------------------------
Avenida 11 y Calle 7-9, Barrio Amón, San José, Costa Rica
tel: +1 (404) 567-5000 ext. 2147 | cel: +(506) 8393-0772 | fax: +(506) 2258-3695
email: <a class="moz-txt-link-abbreviated" href="mailto:diego.rivera@rbxglobal.com">diego.rivera@rbxglobal.com</a> | <a class="moz-txt-link-abbreviated" href="http://www.rbxglobal.com">www.rbxglobal.com</a>
------------------------------------------------------------------------------------------------------------------
</pre>
</blockquote>
<pre wrap=""><!---->
</pre>
<blockquote type="cite">
<pre wrap="">Content-Type: multipart/signed; micalg=pgp-sha1;
        protocol="application/pgp-signature";
        boundary="------------enigAA960B031FE487E074E8895C"
--------------enigAA960B031FE487E074E8895C
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content=3D"text/html;charset=3DISO-8859-1" http-equiv=3D"Content-=
Type">
</head>
<body bgcolor=3D"#ffffff" text=3D"#000000">
Ok... so what you're saying is that restart_by_peer should have done
the job, then?&nbsp; If so - then can you shed some more light into what =
the
potential source of the problem is?<br>
<br>
Cheers.<br>
<br>
Paul Wouters wrote:
<blockquote
cite=3D<a class="moz-txt-link-rfc2396E" href="mailto:mid:alpine.LFD.1.10.0910071852200.12140@newtla.xelerance.com">"mid:alpine.LFD.1.10.0910071852200.12140@newtla.xelerance.com"</a>
type=3D"cite">On Wed, 7 Oct 2009, Diego Rivera wrote:
<br>
<br>
<blockquote type=3D"cite">I was using restart_by_peer but from what
Paul says, that option means wait for the other side to
<br>
re-establish the tunnel.&nbsp; Thus, nobody tries to re-establish (since
both sides are configured identically,
<br>
for easy maintenance).
<br>
</blockquote>
<br>
I was wrong. David was right :)
<br>
<br>
Paul
<br>
</blockquote>
<br>
<div class=3D"moz-signature">-- <br>
<style type=3D"text/css">
                        p { margin: 0; }
                </style>
<div style=3D"font-family: Arial; font-size: 10pt; color: rgb(0, 0, 0);">=
<font size=3D"1"> Diego Rivera<br>
Director / System Operations<br>
Roundbox Global : <span
style=3D"font-style: italic; color: rgb(102, 102, 102);">enterprise :
technology : genius</span><br>
-------------------------------------------------------------------------=
-----------------------------------------<br>
Avenida 11 y Calle 7-9, Barrio Am&oacute;n, San Jos&eacute;, Costa Rica<b=
r>
tel: +1 (404) 567-5000 ext. 2147 | cel: +(506) 8393-0772 | fax: +(506)
2258-3695<br>
email: <a href=3D<a class="moz-txt-link-rfc2396E" href="mailto:diego.rivera@rbxglobal.com">"mailto:diego.rivera@rbxglobal.com"</a>>diego.rivera@rbxglob=
al.com</a>
| <a href=3D<a class="moz-txt-link-rfc2396E" href="http://www.rbxglobal.com">"http://www.rbxglobal.com"</a>><a class="moz-txt-link-abbreviated" href="http://www.rbxglobal.com">www.rbxglobal.com</a></a><br>
-------------------------------------------------------------------------=
-----------------------------------------<br>
</font> </div>
</div>
</body>
</html>
--------------enigAA960B031FE487E074E8895C
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.12 (Darwin)
Comment: Using GnuPG with Mozilla - <a class="moz-txt-link-freetext" href="http://enigmail.mozdev.org/">http://enigmail.mozdev.org/</a>
iEYEARECAAYFAkrNHG4ACgkQCNJ6MS9YngWAMwCbBt8lUPHDUZ0guPfnCDf6ZLjH
/UwAni4UumFFXJ/U6iIuNtvzxnGCzjnZ
=YpwI
-----END PGP SIGNATURE-----
--------------enigAA960B031FE487E074E8895C--
</pre>
</blockquote>
<pre wrap=""><!---->
</pre>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<style type="text/css">
                        p { margin: 0; }
                </style>
<div style="font-family: Arial; font-size: 10pt; color: rgb(0, 0, 0);">
<font size="1"> Diego Rivera<br>
Director / System Operations<br>
Roundbox Global : <span
style="font-style: italic; color: rgb(102, 102, 102);">enterprise :
technology : genius</span><br>
------------------------------------------------------------------------------------------------------------------<br>
Avenida 11 y Calle 7-9, Barrio Amón, San José, Costa Rica<br>
tel: +1 (404) 567-5000 ext. 2147 | cel: +(506) 8393-0772 | fax: +(506)
2258-3695<br>
email: <a href="mailto:diego.rivera@rbxglobal.com">diego.rivera@rbxglobal.com</a>
| <a href="http://www.rbxglobal.com">www.rbxglobal.com</a><br>
------------------------------------------------------------------------------------------------------------------<br>
</font> </div>
</div>
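<br>
Added example (editor's illustration, not part of this thread and not Openswan code): a check for the "policies present, tunnel absent" condition described at the top of this message. It assumes the NETKEY (Linux XFRM) stack, so that the installed policies and SAs are visible through <code>ip xfrm policy</code> and <code>ip xfrm state</code>; the two outputs it parses are constructed sample text, not captures from the poster's hosts, and every address, reqid and the resolver 10.2.0.53 are invented for the illustration. For each policy whose template points at a tunnel it looks for an SA with the same endpoints and reqid; an "out" policy with no SA is one the kernel will hold or drop traffic for, and if the site's resolver sits behind such a policy that is the locked-DNS symptom.<br>
<br>
```python
"""Spot IPsec policies that have outlived their SAs on a NETKEY (Linux XFRM) host.

Added example, not Openswan code.  The two SAMPLE strings are constructed to look
like `ip xfrm policy` / `ip xfrm state` output; every address and reqid is invented.
"""
import ipaddress
import re
from collections import namedtuple

Policy = namedtuple("Policy", "src dst dir tmpl_src tmpl_dst reqid")
SA = namedtuple("SA", "src dst reqid")

# Constructed sample: the conn with reqid 16385 (peer 198.51.100.1) still has its
# policies installed although its SAs are gone; the conn with reqid 16389
# (peer 203.0.113.7) is healthy.  fwd policies are left out for brevity; the
# parser treats them like any other policy that carries a tmpl line.
POLICY_SAMPLE = """\
src 10.1.0.0/24 dst 10.2.0.0/24
    dir out priority 2344
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 16385 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
    dir in priority 2344
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 16385 mode tunnel
src 10.1.0.0/24 dst 10.3.0.0/24
    dir out priority 2344
    tmpl src 192.0.2.1 dst 203.0.113.7
        proto esp reqid 16389 mode tunnel
src 10.3.0.0/24 dst 10.1.0.0/24
    dir in priority 2344
    tmpl src 203.0.113.7 dst 192.0.2.1
        proto esp reqid 16389 mode tunnel
"""

STATE_SAMPLE = """\
src 192.0.2.1 dst 203.0.113.7
    proto esp spi 0x0c5e3f11 reqid 16389 mode tunnel
    auth-trunc hmac(sha1) 0x1111111111111111111111111111111111111111 96
    enc cbc(aes) 0x22222222222222222222222222222222
src 203.0.113.7 dst 192.0.2.1
    proto esp spi 0x7a9b2c44 reqid 16389 mode tunnel
    auth-trunc hmac(sha1) 0x3333333333333333333333333333333333333333 96
    enc cbc(aes) 0x44444444444444444444444444444444
"""

_HEAD = re.compile(r"^src (\S+) dst (\S+)")      # first line of a policy or an SA
_DIR = re.compile(r"^dir (\S+)")                  # out|in|fwd; socket policies have none
_TMPL = re.compile(r"^tmpl src (\S+) dst (\S+)")  # tunnel endpoints the policy selects
_REQID = re.compile(r"\breqid (\d+)")


def parse_policies(text):
    """Parse `ip xfrm policy` output into Policy tuples (one per selector+direction)."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _HEAD.match(line):  # a "tmpl src ..." line starts with "tmpl", so it never matches here
            cur = dict(src=m[1], dst=m[2], dir=None, tmpl_src=None, tmpl_dst=None, reqid=None)
            policies.append(cur)
        elif cur is None:
            continue
        elif m := _DIR.match(line):
            cur["dir"] = m[1]
        elif m := _TMPL.match(line):
            cur["tmpl_src"], cur["tmpl_dst"] = m[1], m[2]
        elif (m := _REQID.search(line)) and cur["reqid"] is None:
            cur["reqid"] = int(m[1])
    return [Policy(**p) for p in policies]


def parse_states(text):
    """Parse `ip xfrm state` output into SA tuples keyed by endpoints and reqid."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _HEAD.match(line):
            cur = dict(src=m[1], dst=m[2], reqid=None)
            sas.append(cur)
        elif cur is not None and (m := _REQID.search(line)) and cur["reqid"] is None:
            cur["reqid"] = int(m[1])
    return [SA(**s) for s in sas]


def orphaned_policies(policies, sas):
    """Policies whose tunnel template has no SA with the same endpoints and reqid."""
    present = {(sa.src, sa.dst, sa.reqid) for sa in sas}
    return [p for p in policies
            if p.tmpl_src is not None and (p.tmpl_src, p.tmpl_dst, p.reqid) not in present]


def blackholed_destinations(policies, sas):
    """Destination prefixes whose outbound traffic the kernel will hold or drop:
    an 'out' policy demands IPsec, but there is no SA to encrypt with."""
    return sorted({p.dst for p in orphaned_policies(policies, sas) if p.dir == "out"})


def resolver_blocked(resolver_ip, policies, sas):
    """True if the given DNS server address falls inside a black-holed prefix."""
    ip = ipaddress.ip_address(resolver_ip)
    return any(ip in ipaddress.ip_network(prefix, strict=False)
               for prefix in blackholed_destinations(policies, sas))


if __name__ == "__main__":
    # On a live host, replace the samples with the output of
    #   subprocess.check_output(["ip", "xfrm", "policy"], text=True) and
    #   subprocess.check_output(["ip", "xfrm", "state"], text=True).
    pols, sas = parse_policies(POLICY_SAMPLE), parse_states(STATE_SAMPLE)
    for p in orphaned_policies(pols, sas):
        print(f"orphaned {p.dir:3} policy {p.src} -> {p.dst} "
              f"(tmpl {p.tmpl_src} -> {p.tmpl_dst}, reqid {p.reqid})")
    print("black-holed destinations:", blackholed_destinations(pols, sas))
    print("resolver 10.2.0.53 blocked:", resolver_blocked("10.2.0.53", pols, sas))
```
<br>
On a live host, feed it the real <code>ip xfrm policy</code> and <code>ip xfrm state</code> output (both normally need root); a non-empty result from blackholed_destinations() is the condition to act on, for instance by running <code>ipsec auto --down</code> and <code>ipsec auto --unroute</code> on the affected conn, or by restarting the daemon, before the resolver sitting behind that prefix takes general internet access down with it.<br>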
</body>
</html>