[Openswan Users] more info on my little war with NAT-T

Albert Agusti aagusti at serialnet.net
Tue Oct 26 22:07:33 CEST 2004


I've manually modified the file affected by the patch referred to in some
messages above. IT SEEMS TO WORK

I've patched the R (Responder) and now ISAKMP rekey works perfectly when
the tunnel gets initiated by the remote end. I'm happy, very happy:
after keylife expires, the tunnel is still up and running.
I feel happy, very happy BUT :-(

Problem: If I simulate a reboot/crash/ipsec restart of the remote
(Initiator) side, the fuc... messages rise again saying fuc.. the same

So the tunnel is not strong enough to support the remote (initiator) restart.
But I can do down/up without problems as many times as I want.
Is this normal? I suppose it isn't, having to restart Tunnel server ipsec
when a client dies.

But one thing about ipsec I/R roles is still unclear to me:

When you have two sides of a tunnel and you want to raise the secure
connection, what is RECOMMENDED?

- Do "auto up" at both sides?
- Decide who acts as a responder (server) and issue "auto up" only at the
client (Initiator) side?

What is the difference between the two cases and how does it affect things? I
suspect in the second case there are two different tunnels, but are both
used?


Thanks
Albert



