[Openswan Users] IPsec + (GRE/BGP) undetermined routing issues
Kevin Clark
kevin.clark at ubisoft.com
Wed Aug 17 19:28:25 CEST 2005

Hey all,

I have a question regarding the stability of Openswan 2.3.1, although
just a surface question at this time. We are currently using Openswan
as the IPsec transport between remote offices, using GRE+BGP inside to
route multiple networks (thanks Paul! ;D). There appears to be a
scenario where *sometimes*, during the rekey process ... "something"
goes awry, and by this I mean that traffic traversing the tunnel stops
functioning even though everything seems to be established properly.

Without pasting a full debug log to this list (I've scoured it for hours
and hours, finding nothing out of the ordinary that I can identify--both
phase 1 and phase 2 function properly and establish their respective
SAs, it just sometimes... stops allowing traffic through), I was
wondering if this is a known issue that has occurred for anyone else in
the past?

If not, I will proceed to gather up all the various data I have from my
latest tunnel failure and proceed to bug everyone some more.

The strange thing is that if I change the keylife to 600 and the
rekeyfuzz to 10% (essentially creating a phase 2 SA every 60s), the
problem seems to resolve itself once the next SA is brought up. (wtf?!)
In a production environment, I'm sure you can understand that having
this type of configuration isn't exactly desired.

So anyway yeah, this is just a poke to the list to see if anyone has
seen this behavior before. :)

Thanks in advance,
K