[Openswan Users] Ping through tunnel suddenly stops
Ken Bantoft
ken at xelerance.com
Thu May 27 17:55:50 CEST 2004
On Thu, 27 May 2004, Marek Greško wrote:
> > I have a tunnel between two machines without a default route. After a
> > minute or two of successful pinging, tunnel stops and the following is
> > logged:
> >
> > ERROR: netlink response for Add SA ... included errno 17: File exists
> > max number of retransmissions (2) reached STATE_QUICK_R1
> >
> > ESP packets are still being sent by first gateway, but seem to be
> > dropped by the other. Last line of ipsec auto --status prints:
> >
> > 000 192.168.1.16/32:0 -1-> 192.168.1.17/32:0 => %hold 0 %acquire-netlink
> >
> > The problem only occurs when ipsec is first started. If I do "ipsec
> > restart", the problem disappears.
> >
> > Why does this happen? I've stumbled upon this while trying to create a
> > tunnel that would come up whenever the dial-out interface would come up.
> > Is there a better way to do it besides putting "ipsec start" to ip-up
> > script?
>
> Hello,
>
> I found this happens only when there is some traffic to the opposite side before
> starting the tunnel.
>
> Imagine a situation. Let there be two gateways S and D and networks s and d behind
> them. Let the machine sm be on network s and dm on network d.
>
> If I run ping dm from sm and restart ipsec on S, the tunnel stops working after 2
> minutes. If I do not run ping and restart ipsec on S, everything works
> properly. Now you can ping dm from sm.
>
> Is it a problem of linux native ipsec implementation?
AFAIK, yes. I've run into similar issues in my testing on a Fedora Core 2
box, with 2.6.5 + Openswan.
An established connection between host dm and sm will not get 'routed'
over the tunnel after the tunnel comes up - it will continue in the clear.
It seems when the SA is established, the 2.6 Kernel implementation doesn't
'take over' the traffic as you would expect.
> I also have a proposal on how to work around this, but I do not know the right
> way. I want to disable forwarding to dm at S by firewall and enable it after
> pluto starts, but my script prepluto is never run or never deletes the
> firewall rule. Is it a permission problem?
This is an ugly kludge/hack. The proper fix is for the Kernel developers
to fix 2.6 properly.
--
Ken Bantoft VP Business Development
ken at xelerance.com Xelerance Corporation
sip://toronto.xelerance.com http://www.xelerance.com
The future is here. It's just not evenly distributed yet.
-- William Gibson