[Openswan Users] Does openswan gw need to reboot after creating vpn tunnel?

John Lai john_lai at ezhi.com
Tue Sep 14 11:57:14 CEST 2004

Hi Paul & everybody:


I am very surely the problem was on new subnet side(GW1), because
tcpdump tell me all ESP packet enter the GW1 and no decrypt to LAN1 . 

I have used iptables LOG function to log forward chain and no thing else
in there. It seems to be ate by kernel or openswan(klip).

Every time when I create an new tunnel or change exist one with an new
subnet(ex from 10.x.x.x/8 to 172.16.x.x/16), 

I need to reboot openswan gw in new subnet side for new tunnel to take


Scenario 1(Ping from F to A):


           No thing in this way<--------(FORWARD chain )---(INPUT chain
dev eth0)<-----ESP(xxxx)--------------------------------iptables(OUTPUT
chain dev eth0)-----(FORWARD chain)<----icmp echo request


My situation is as following:

                                                     Hostname: host101
hostname: host103

LAN 1  (10.x.x.x/8)------( GW 1( ----
( ---- (
GW2( 2 (192.168.50.x/24)

LeftSubnet                               Left
Nexthop                          Nexthop                           Right

Point    A                                               B
C                                        D                             E

Packages :   RH 7.3 with 2.4.20 kernel with klip 2.1.5 patch,  Openswan



I have checked the routing table(ipsecX route has be added), ipsec
eroute table, ipsec look, ipsec tncfg list and ipsec whack -status. Then
I don't decover any illegal status.

I have tried re-attach ipsec tncfg and no thing else changed escept
reboot the machine. Maybe system hold some cache(like routing or klip
info) and need to wait for rebooting to clear, 

but I am not surely. Does everbody have any suggestion to this strange
situation? Any opinion are very welcome, 3q.




On Mon, 13 Sep 2004, John Lai wrote:


> After finished all check, I reboot GW1 and GW2 , and then ping is 

> success. It is so strange, why openswan(freeswan) need to reboot after

> creating an new tunnel,


> especially new subnet.  Does anybody have problem like me ? Do you 

> have any solution to prevent requirement  of reboot? 3q ahead.


You should never need to reboor. Perhaps the problem was on the other
end which you also rebooted?


Openswan never needs a reboot for anything. At most you might need to
restart the service, when you change some setup or default tunnel




-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20040914/9c6db286/attachment.htm

More information about the Users mailing list