[Openswan Users] Ping through tunnel suddenly stops

[MarekGreško]

> I have a tunnel between two machines without a default route. After a
> minute or two of successful pinging, tunnel stops and the following is
> logged:
>
> ERROR: netlink response for Add SA ... included errno 17: File exists
> max number of retransmissions (2) reached STATE_QUICK_R1
>
> ESP packets are still being sent by first gateway, but seem to be
> dropped by the other. Last line of ipsec auto --status prints:
>
> 000 192.168.1.16/32:0 -1-> 192.168.1.17/32:0 => %hold 0    %acquire-netlink
>
> The problem only occurs when ipsec is first started. If I do "ipsec
> restart", the problem disappears.
>
> Why does this happen? I've stumbled upon this while trying to create a
> tunnel that would come up whenever the dial-out interface would come up.
> Is there a better way to do it besides putting "ipsec start" to ip-up
> script?

Hello,

I found this happens only when there is some traffic to oposite side before 
starting tunnel.

Imagine situation. Let have to gateways S and D and network s and d behind 
them. Let the machine sm be on the network s and dm on the network d.

If I run ping dm from sm and restart ipsec on S, tunnel stops working after 2 
minutes. If I do not run ping and restart ipsec on S, everything is working 
properly. Now you can ping dm from sm.

Is it a problem of linux native ipsec implementation?

I have also proposal on how to workaround this, but I do not know the right 
way. I want to disable forwarding to dm at S by firewall and enable after 
pluto starts, but my script prepluto is never run or never deletes the 
firewall rule. Is it a permission problem?

Thanks

Marek