[Openswan Users] what happens during /etc/init.d/ipsec stop ?

Albert Agusti aagusti at serialnet.net
Tue Nov 30 22:53:31 CET 2004


Hello, 

I'm using openswan-2.2.0 (build from source) with last NAT-T patch on
kernel 2.6 family.

I'm trying to find the solution to a problem I reported some e-mails
above. It's critical to find a stable and clean solution, and for the
moment I have to make do with workarounds. I'm able to send you any log
you need, but I'm not pasting the info here, to keep the problem simple to read.

I have two Linux boxes behind a NAT DSL router acting as tunnel ends. One
is configured as initiator of the tunnel (auto=start) and the other as
responder (auto=add). The problem is that EVERY TIME one of the systems
(tunnel ends) reboots or issues a stop/start of the ipsec process, the tunnel
negotiation blocks at Main mode in "no connection has been authorized"
and !! THE ONLY way I can find to solve this is to stop ipsec at both ends,
start the responder and then start the initiator !!

DPD DOES NOT solve the situation. It works PERFECTLY when the tunnel peers
lose the connection (for example the network is down) and recover later,
but has no effect if a stop is issued at one of the ends.

I'm sure that the root of the problem is the position of openswan
behind NAT. Something with the mappings table? Or payloads?
The fact is that it only works once (the first time). Something remains
there, or is removed when ipsec stops, that kills NAT-T. It's CRITICAL for
me to solve this behaviour but I can't deal with the pluto code. What
happens in ipsec stop?
Do you think any patch released could affect or solve this as a
secondary effect?


Thanks in advance
Albert Agustí


