[Openswan dev] [Openswan Users] Unstable behavior with 2 tunnels connecting the same sites

Paul Wouters paul at xelerance.com
Wed Jul 14 12:10:42 EDT 2010


On Wed, 14 Jul 2010, Greg Scott wrote:

> Something unhealthy is going on with configs that have multiple tunnels connecting the same sites. 

> Every once-in-a-while, one or more of these tunnels decides to go out to lunch.  This is usually when there’s a telcom interruption.  IPSEC is
> supposed to hook both sites back up after the telecom comes back online, but this doesn’t always work here.  The only solution is to manually
> restart ipsec on one side or the other. 

> When the problem is happening, I see lots of messages coming into /var/log/secure.  Here is a sample:

> Jul 14 08:00:00 localhost pluto[23465]: initiate on demand from 175.10.0.1:8 to 175.9.1.35:0 proto=1 state: fos_start be

This is the netkey bug I posted about to dev at openswan.org yesterday. This bug appeared when David applied
some KLIPS rekey patches a month ago :(

We have not been able to address it. It is related to NETKEY sending an endless stream of %acquire messages.

The quick fix is to use KLIPS. If you don't need NAT-T, which it seems you don't, it should be a relatively
straightforward compile.

export KERNELSRC=/usr/src/kernels/linux-2.6.xxxx/
make module module_install

and set protostack=klips in ipsec.conf

Paul
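A log-side check for the symptom described in this thread, added here as an example (it is not code from the thread or from Openswan): it parses Pluto's "initiate on demand" lines as they appear in /var/log/secure and flags peer pairs that re-initiate more than a threshold number of times inside a sliding window, which is what an endless stream of %acquire messages looks like from the log. The sample lines, the 192.0.2.7 peer and the sshd line are constructed; the 60-second window and threshold of 10 are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the Pluto line quoted in the thread; ports and state suffix vary.
ACQUIRE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: "
    r"initiate on demand from (?P<src>[\d.]+):\d+ to (?P<dst>[\d.]+):\d+ "
    r"proto=(?P<proto>\d+)"
)

def parse_acquires(lines, year=2010):
    """Yield (timestamp, src, dst) for each on-demand initiate Pluto logged.
    syslog lines carry no year, so the caller supplies it."""
    for line in lines:
        m = ACQUIRE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], m["dst"]

def find_acquire_storms(lines, window_s=60, threshold=10):
    """Return {(src, dst): peak_count} for host pairs whose on-demand
    initiates reached `threshold` within any `window_s`-second window.
    A healthy tunnel initiates once and stays up; repeated initiates for
    the same pair mean the acquire is never being satisfied."""
    per_pair = defaultdict(list)
    for ts, src, dst in parse_acquires(lines):
        per_pair[(src, dst)].append(ts)
    storms = {}
    for pair, stamps in per_pair.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):          # sliding window
            while (ts - stamps[start]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold:
                storms[pair] = max(storms.get(pair, 0), count)
    return storms

# Constructed sample of /var/log/secure: 12 initiates in 33 s for the pair
# from the thread (a storm), 2 sporadic ones for another peer, one sshd line.
SAMPLE_LOG = [
    f"Jul 14 08:00:{s:02d} localhost pluto[23465]: initiate on demand from "
    f"175.10.0.1:8 to 175.9.1.35:0 proto=1 state: fos_start be"
    for s in range(0, 36, 3)
] + [
    "Jul 14 08:00:05 localhost pluto[23465]: initiate on demand from "
    "175.10.0.1:8 to 192.0.2.7:0 proto=1 state: fos_start be",
    "Jul 14 08:07:05 localhost pluto[23465]: initiate on demand from "
    "175.10.0.1:8 to 192.0.2.7:0 proto=1 state: fos_start be",
    "Jul 14 08:00:07 localhost sshd[1234]: Accepted publickey for admin "
    "from 10.0.0.5 port 51234 ssh2",
]

if __name__ == "__main__":
    for (src, dst), n in find_acquire_storms(SAMPLE_LOG).items():
        print(f"acquire storm: {src} -> {dst}, {n} initiates in 60s")
```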

