[Openswan Users] NAT-T incorrect behaviours
Paul Wouters
paul at xelerance.com
Fri Oct 29 01:33:53 CEST 2004
On Fri, 29 Oct 2004, Albert Agusti wrote:
> In my scenario, the two ipsec gateways are behind nat DSL router. None
> of the routers is doing ipsec passthrough, but both forward incoming
> packets on the outbound interfaces directed to udp 500 and udp 4500 to
> the Linux ipsec gateway that is behind them.
>
> Linux1------DSL 1--------Internet-----------DSL 1------Linux2
>
> The idea is that any of the Linux ipsec sees remote end on valid IP
> address of remote DSL router.
>
> Both can act as Initiator or responder and it works. And now without
> rekey problems (Andreas Steffen patch)
>
> The problem arises when the side that initiated goes down and tries to
> reconnect. Remote (Responder) does not act as the first successful
> attempt, and until ipsec is restarted at his side (ipsec) does not
> authorize the connection. (problem 2)
Okay, in that case, just enable Dead Peer Detection (DPD). Add to your
connection definition on both sides:
dpdannounce=yes
dpddelay=30
dpdtimeout=120
dpdaction=clear
> Is there a newer patch from Andreas ? or is the one that solved
> rekeying?
That's the one.
Paul
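To show where the DPD settings from this reply go in a full connection definition for the scenario Albert describes (both gateways behind NAT, UDP 500/4500 forwarded), here is an added example ipsec.conf in Openswan 2.x syntax. It is not taken from the thread or from the Openswan documentation; the connection name, the name-based IDs (@linux1, @linux2), the subnets and the remote address 203.0.113.20 are constructed placeholders.

```ini
# ipsec.conf (Openswan 2.x syntax) - added example, not from the thread.
# All addresses, subnets and names below are constructed placeholders.
config setup
        # Both gateways sit behind NAT: enable UDP encapsulation (NAT-T).
        nat_traversal=yes
        # Private ranges that may legitimately appear behind a NAT'ed peer.
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16

conn linux1-linux2
        # Local gateway's own (private) address, taken from the default route.
        left=%defaultroute
        # Constructed LAN behind Linux1.
        leftsubnet=192.168.1.0/24
        # Name-based IDs: the source IPs are rewritten by the DSL routers,
        # so IP-based IDs would not match what the peer sees.
        leftid=@linux1
        # Remote end as seen from here: the public address of the remote
        # DSL router that forwards UDP 500/4500 to Linux2 (constructed).
        right=203.0.113.20
        # Constructed LAN behind Linux2.
        rightsubnet=192.168.2.0/24
        rightid=@linux2
        authby=secret
        # Keep retrying so a gateway that went down re-establishes the tunnel.
        keyingtries=%forever
        # Dead Peer Detection settings from the reply above; put them on both sides.
        dpdannounce=yes
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        auto=start
```

The mirror gateway uses the same conn with left/right values swapped (Openswan treats left and right symmetrically and works out which side is local), with right= pointing at the other DSL router's public address. The point of dpdaction=clear here is the failure mode in the thread: when the initiator goes down and stops answering DPD probes, the responder clears the stale SA after dpdtimeout, so the reconnect attempt is negotiated fresh instead of being refused against old state that otherwise survives until ipsec is restarted.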