[Openswan Users] Ping through tunnel suddenly stops
MarekGreško
gresko at thr.sk
Fri May 28 18:02:32 CEST 2004
> Greetings.
>
> I have a tunnel between two machines without a default route. After a
> minute or two of successful pinging, tunnel stops and the following is
> logged:
>
> ERROR: netlink response for Add SA ... included errno 17: File exists
> max number of retransmissions (2) reached STATE_QUICK_R1
>
> ESP packets are still being sent by first gateway, but seem to be
> dropped by the other. Last line of ipsec auto --status prints:
>
> 000 192.168.1.16/32:0 -1-> 192.168.1.17/32:0 => %hold 0 %acquire-netlink
>
> The problem only occurs when ipsec is first started. If I do "ipsec
> restart", the problem disappears.
>
> Why does this happen? I've stumbled upon this while trying to create a
> tunnel that would come up whenever the dial-out interface would come up.
> Is there a better way to do it besides putting "ipsec start" to ip-up
> script?
The cause I have described before.
A workaround for you could be this:
Use the firewall to DNAT addresses behind the tunnel to some intranet address space
not used locally nor behind the tunnel. The packet going behind the tunnel
will cause the dial-out. The up-client portion of the _updown script will then
delete the DNAT for those addresses. The first packet will get lost and the
second retry will go behind the tunnel. You should also enable the DNAT in the
down-client portion of the _updown script.
Marek
--
Marek Greško
THR Systems, a. s.
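The workaround above, as an added example that is not part of Marek's post or of Openswan's own `_updown` script: a small hook that adds the redirection rule on down-client and removes it on up-client, keyed on the PLUTO_VERB and PLUTO_PEER_CLIENT variables that pluto passes to the updown script. Everything else is assumed for illustration: the "parking" range 10.255.0.0/24, the use of the NETMAP target to rewrite a whole subnet rather than a single DNAT address, and the sample remote subnet 192.168.1.0/24. In practice these calls would be added to the up-client and down-client cases of the existing `_updown` script, which also handles routes.

```shell
#!/bin/sh
# Added example of the DNAT-to-unused-range workaround; not Openswan's _updown.
# Assumed (not from the post): parking range 10.255.0.0/24, NETMAP for a whole
# subnet, remote subnet used in tests.  PLUTO_VERB (up-client, down-client, ...)
# and PLUTO_PEER_CLIENT (the subnet behind the tunnel) are the variables
# pluto exports to the updown script.

PARK_NET="${PARK_NET:-10.255.0.0/24}"   # assumed: unused locally and behind the tunnel
IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-0}"                 # 1 = print the rule instead of applying it

# Compose the nat-table rule that rewrites locally generated packets for the
# remote subnet ($2) into the parking range.  $1 is -A (add) or -D (delete).
# While the rule is present, a packet for the remote subnet is redirected to
# the unused range and triggers the dial-out; once the tunnel is up the rule
# is removed so the retry goes through the tunnel.
park_rule() {
    printf '%s -t nat %s OUTPUT -d %s -j NETMAP --to %s' "$IPTABLES" "$1" "$2" "$PARK_NET"
}

# Map the verb pluto passes to the action the post describes:
#   up-client   -> delete the redirection, traffic now goes through the tunnel
#   down-client -> re-add it, so the next packet triggers the dial-out again
# Prints the command that applies; returns 1 for verbs that need no rule.
park_action() {
    verb="$1"
    client="$2"
    case "$verb" in
        up-client)   park_rule -D "$client" ;;
        down-client) park_rule -A "$client" ;;
        *)           return 1 ;;
    esac
}

# Entry point when installed via leftupdown= / rightupdown= in ipsec.conf.
run_hook() {
    cmd=$(park_action "${PLUTO_VERB:-}" "${PLUTO_PEER_CLIENT:-}") || return 0
    if [ "$DRY_RUN" = 1 ]; then
        echo "$cmd"
    else
        $cmd    # word-splitting intended: run the composed iptables command
    fi
}

# Act only when invoked by pluto; sourcing the file for testing does nothing.
if [ -n "${PLUTO_VERB:-}" ]; then
    run_hook
fi
```

Running with `DRY_RUN=1 PLUTO_VERB=up-client PLUTO_PEER_CLIENT=192.168.1.0/24` prints the delete rule without touching the firewall, which is a convenient way to check what the hook would do before wiring it into `_updown`.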