[Openswan Users] Ping through tunnel suddenly stops

Ken Bantoft ken at xelerance.com
Thu May 27 17:55:50 CEST 2004 

On Thu, 27 May 2004, Marek [iso-8859-2] Gre¹ko wrote:

> > I have a tunnel between two machines without a default route. After a
> > minute or two of successful pinging, tunnel stops and the following is
> > logged:
> >
> > ERROR: netlink response for Add SA ... included errno 17: File exists
> > max number of retransmissions (2) reached STATE_QUICK_R1
> >
> > ESP packets are still being sent by first gateway, but seem to be
> > dropped by the other. Last line of ipsec auto --status prints:
> >
> > 000 192.168.1.16/32:0 -1-> 192.168.1.17/32:0 => %hold 0    %acquire-netlink
> >
> > The problem only occurs when ipsec is first started. If I do "ipsec
> > restart", the problem disappears.
> >
> > Why does this happen? I've stumbled upon this while trying to create a
> > tunnel that would come up whenever the dial-out interface would come up.
> > Is there a better way to do it besides putting "ipsec start" to ip-up
> > script?
> 
> Hello,
> 
> I found this happens only when there is some traffic to oposite side before 
> starting tunnel.
> 
> Imagine situation. Let have to gateways S and D and network s and d behind 
> them. Let the machine sm be on the network s and dm on the network d.
> 
> If I run ping dm from sm and restart ipsec on S, tunnel stops working after 2 
> minutes. If I do not run ping and restart ipsec on S, everything is working 
> properly. Now you can ping dm from sm.
> 
> Is it a problem of linux native ipsec implementation?

AFAIK, Yes.  I've run into similar issues in my testing on Fedora Core 2 
box, with 2.6.5 + Openswan.

An established connection between host dm and sm will not get 'routed'
over the tunnel after the tunnel comes up - it will continue in the clear.  
It seems when the SA is established, the 2.6 Kernel implementation doesn't 
'take over' the traffic as you would expect.


> I have also proposal on how to workaround this, but I do not know the right 
> way. I want to disable forwarding to dm at S by firewall and enable after 
> pluto starts, but my script prepluto is never run or never deletes the 
> firewall rule. Is it a permission problem?

This is an ugly kludge/hack.  The proper fix is for the Kernel developers 
to fix 2.6 properly.



-- 
Ken Bantoft			VP Business Development
ken at xelerance.com		Xelerance Corporation
sip://toronto.xelerance.com	http://www.xelerance.com

The future is here. It's just not evenly distributed yet. 
        -- William Gibson

More information about the Users mailing list