[Openswan Users] IPsec + (GRE/BGP) undetermined routing issues

[Kevin Clark]

Hey all,

I have a question regarding the stability of Openswan 2.3.1, although
just a surface question at this time.  We are currently using Openswan
as the IPsec transport between remote offices, using GRE+BGP inside to
route multiple networks (thanks Paul! ;D).  There appears to be a
scenario where *sometimes*, during the rekey process ... "something"
goes awry, and by this I mean that traffic traversing the tunnel stops
functioning even though everything seems to be established properly.

Without pasting a full debug log to this list (I've scoured it for hours
and hours, finding nothing out of the ordinary that I can identify--both
phase 1 and phase 2 function properly and establish their respective
SAs, it just sometimes.. it stops allowing traffic through), I was
wondering if this is a known issue that has occurred for anyone else in
the past?

If not, I will proceed to gather up all the various data I have from my
latest tunnel failure and proceed to bug everyone some more.

The strange thing is that if I change the keylife to 600 and the
rekeyfuzz to 10% (essentially creating a phase 2 SA every 60s), the
problem seems to resolve itself once the next SA is brought up.  (wtf?!)

In a production environment, I'm sure you can understand that having
this type of configuration isn't exactly desired.  

So anyway yeah, this is just a poke to the list to see if anyone has
seen this behavior before.  :)

Thanks in advance,

K