[Openswan Users] what happens during /etc/init.d/ipsec stop ?

albert agusti aagusti at serialnet.net
Wed Dec 1 10:51:12 CET 2004


On Wed, 2004-12-01 at 00:50, Paul Wouters wrote:

> On Tue, 30 Nov 2004, Albert Agusti wrote:
> 
> > I'm using openswan-2.2.0 (build from source) with last NAT-T patch on
> > kernel 2.6 family.
> 
> The nat-t patch as supplied by us (or obtained by 'make nattpatch') is only
> for use with KLIPS, not for use with the 2.6 NETKEY stack.


I used a patch provided after asking about a rekey problem on this list,
and the fact is that it solved the rekey problem perfectly.

> 
> > I've two Linux boxes behind a NAT DSL router acting as tunnel ends. One
> > is configured as initiator of the tunnel (auto=start) and the other as
> > responder (auto=add). The problem is that EVERY TIME one of the systems
> > (tunnel ends) reboots or issues stop/start of ipsec process, the tunnel
> > negotiation blocks at Main mode in "no connection has been authorized"
> > and !! THE ONLY way I find to solve this is to stop ipsec at both ends,
> > start the responder and start the initiator !!
> 
> If you stop one end, a Notify/Delete message is sent by that end. Do
> you receive that on the remote? Is it ignored?

It's received and the SA information is removed from the host. If I do an
ipsec auto --status, the perception of the IPsec gateway is clean (no
ISAKMP SA or IPsec SA is shown). The status of the route is
"prospective erouted" and it shows the eroute pointing to #n. Not sure if this
is what it should be.

> 
> Can you try 2.3.0dr4 and see if the problem remains?


I'll do that and report back to you, but do you think it is possibly solved
because some modifications in sensible code have been done?
  

> 
> Paul