[Openswan Users] Does openswan gw need to reboot after creating vpn tunnel?

Paul Wouters paul at xelerance.com
Tue Sep 14 09:52:10 CEST 2004

On Tue, 14 Sep 2004, John Lai wrote:

> I am very sure the problem was on the new subnet side (GW1), because
> tcpdump tells me all ESP packets enter GW1 and none are decrypted to LAN1.

> I have used the iptables LOG function to log the FORWARD chain and there is
> nothing else in there. It seems to be eaten by the kernel or openswan (KLIPS).
> Every time I create a new tunnel or change an existing one to a new
> subnet (e.g. from 10.x.x.x/8 to 172.16.x.x/16),

Are you sure you are not just changing one side (while the tunnel is
established) and then running tcpdump to see the other one still sending
packets for the old configuration?

In short:

- Are you sure you are not just editing ipsec.conf without doing --delete,
   --add and --up on the tunnel? On BOTH ends?

> I need to reboot the openswan gw on the new subnet side for the new tunnel to
> take effect.

So even restarting the ipsec subsystem fails for you? Again, it seems very
unlikely. You could run an 'ipsec barf' when you're stuck at the point
where you normally reboot.

> Nothing comes this way <---(FORWARD chain)---(INPUT chain dev eth0) <---ESP(xxxx)---
>   iptables(OUTPUT chain dev eth0)---(FORWARD chain) <--- icmp echo request

> Packages: RH 7.3 with 2.4.20 kernel with KLIPS 2.1.5 patch, Openswan 2.1.5

You do realise that the decrypted ESP packets come in on the ipsec0 device,
and not on the eth0 device? Sniffing just eth0 will give you only encrypted
packets, since you are using klips.

> I have tried re-attaching with ipsec tncfg

That's only needed on devices that can go away (e.g. ppp0).
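The checks suggested in the reply (reload the conn on both ends, log the FORWARD chain on the KLIPS device, sniff ipsec0 rather than eth0, and fall back to `ipsec barf`) collected into one shell helper. This is an added example, not code from the thread or from Openswan; the connection name `lan1-to-lan2` and the device names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Openswan 2.x with KLIPS, where
# decrypted traffic appears on the virtual ipsec0 device, not on eth0.
# CONN is an assumed connection name; OUTER/INNER are the assumed device names.
CONN="${CONN:-lan1-to-lan2}"
OUTER="${OUTER:-eth0}"
INNER="${INNER:-ipsec0}"

# Step 1: reload the conn the way the reply describes. Editing ipsec.conf alone
# does nothing to an established tunnel; this has to be run on BOTH gateways.
reload_conn() {
    ipsec auto --delete "$CONN" &&
    ipsec auto --add "$CONN" &&
    ipsec auto --up "$CONN"
}

# Step 2: log what the FORWARD chain sees arriving from the KLIPS device. A
# rule matching eth0 never sees decrypted traffic, so match on ipsec0 instead.
log_decrypted_forward() {
    iptables -I FORWARD 1 -i "$INNER" -j LOG --log-prefix "fwd-from-$INNER: "
}

# Step 3: capture on both devices at once for a few seconds. Outer shows only
# ESP; inner shows the plaintext (e.g. ICMP echo requests) if decryption works.
capture_both() {
    secs="${1:-10}"
    tcpdump -ni "$OUTER" esp >"/tmp/cap-$OUTER.txt" 2>/dev/null & outer_pid=$!
    tcpdump -ni "$INNER"     >"/tmp/cap-$INNER.txt" 2>/dev/null & inner_pid=$!
    sleep "$secs"
    kill "$outer_pid" "$inner_pid" 2>/dev/null
    wait
    return 0
}

# Step 4: tally a 'tcpdump -n' text capture read from stdin, printing
# "esp=N icmp=M" so the two views can be compared at a glance.
summarize_capture() {
    awk '/ESP\(/ { esp++ } /[Ii][Cc][Mm][Pp]/ { icmp++ }
         END { printf "esp=%d icmp=%d\n", esp + 0, icmp + 0 }'
}

# Step 5: if the tunnel is still stuck, collect 'ipsec barf' instead of rebooting.
collect_barf() {
    ipsec barf >"/tmp/ipsec-barf.$(date +%s).txt" 2>&1
}

# Usage on the gateway (as root):
#   reload_conn && log_decrypted_forward && capture_both 10
#   summarize_capture </tmp/cap-eth0.txt; summarize_capture </tmp/cap-ipsec0.txt
```

If the eth0 summary shows ESP but the ipsec0 summary stays at zero after the reload on both ends, the packets are reaching the gateway but KLIPS is not decrypting them, which is the state to collect `ipsec barf` in.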
