[Openswan Users] Ping through tunnel suddenly stops
Sybille Ebert
sybille.ebert at gmx.net
Tue Jun 15 03:08:10 CEST 2004
Did anyone have any luck setting up a tunnel between two Fedora Core 2
machines? After a month, I still can't figure out why the tunnel
stops working after some time.
I guess I am not the only one using a 2.6 kernel... or am I missing
something?
S
>>I have a tunnel between two machines without a default route. After a
>>minute or two of successful pinging, the tunnel stops and the following is
>>logged:
>
>
> Are you sure those first few pings are crypted? You cannot run tcpdump and
> check from the sending machine because of the linux packet pie. Instead,
> run tcpdump on the receiving host (or better, use a hub and a third host)
> to double check.
>
>
>>ERROR: netlink response for Add SA ... included errno 17: File exists
>>max number of retransmissions (2) reached STATE_QUICK_R1
>
>
> It seems one side is trying to add an already existing tunnel into the kernel.
>
>
>>ESP packets are still being sent by first gateway, but seem to be
>>dropped by the other. Last line of ipsec auto --status prints:
>>
>>000 192.168.1.16/32:0 -1-> 192.168.1.17/32:0 => %hold 0 %acquire-netlink
>
>
> I've never seen %acquire-netlink before. I assume this is a problem of pluto
> trying to talk (via netlink) to the kernel.
>
>
>>The problem only occurs when ipsec is first started. If I do "ipsec
>>restart", the problem disappears.
>
>
> Can you try manually modprobing the af_key and esp4 modules before your first
> start and then start to see if the problem goes away. If it does, can you then
> edit _startklips and add a 'sleep 5' after modprobing those modules and see if
> that fixes your problem? The netlink and ipsec kernel modules might be taking a
> little bit of time to load or initiate, causing some messages to get lost, or at
> least pluto thinks they are lost, and tries to push them into the netlink device
> again at a later time.
>
> Paul
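A small helper for the check Paul describes, as an added example that is not part of the thread or of Openswan itself: it preloads af_key and esp4 with a pause before ipsec is started, and flags eroutes still sitting in %hold in `ipsec auto --status` output. The sample status text is constructed from the line quoted above; the function names and the 5-second default are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: preload the IPsec kernel modules
# Paul mentions, give them time to settle, then report any eroute that is
# still stuck in %hold after pluto has negotiated.
# Assumes modprobe, /proc/modules and an "ipsec" binary on PATH;
# the module names af_key and esp4 come from the thread.

# Load each module only if /proc/modules does not already list it.
# $1 = seconds to wait afterwards (defaults to Paul's 'sleep 5').
preload_ipsec_modules() {
    wait_secs="${1:-5}"
    for mod in af_key esp4; do
        if ! grep -q "^${mod} " /proc/modules 2>/dev/null; then
            modprobe "$mod" || return 1
        fi
    done
    # Give the PF_KEY/netlink side time to initialise before pluto talks to it.
    sleep "$wait_secs"
}

# Read "ipsec auto --status" output on stdin and print only the eroute
# lines whose state is %hold (trap caught packets, but no SA was installed).
hold_eroutes() {
    grep -E '^000 .*=> %hold' || true
}

# Number of %hold eroutes in the given status text; 0 means healthy.
count_hold_eroutes() {
    printf '%s\n' "$1" | hold_eroutes | grep -c . || true
}

# Constructed sample: the stuck line quoted in the thread plus one
# healthy eroute with an installed tunnel.
SAMPLE_STATUS='000 192.168.1.16/32:0 -1-> 192.168.1.17/32:0 => %hold 0 %acquire-netlink
000 192.168.1.16/32:0 -1-> 192.168.1.18/32:0 => tun0x1002@192.168.1.18 esp0x1234@192.168.1.18'

# Run with --check on a live gateway to inspect the real status output.
if [ "${1:-}" = "--check" ]; then
    n=$(count_hold_eroutes "$(ipsec auto --status)")
    [ "$n" -eq 0 ] || echo "warning: $n eroute(s) in %hold; try preloading af_key/esp4 before starting ipsec"
fi
```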