[Openswan Users] IPsec + (GRE/BGP) undetermined routing issues
Ted Kaczmarek
tedkaz at optonline.net
Thu Aug 18 10:03:08 CEST 2005
On Wed, 2005-08-17 at 18:28 -0400, Kevin Clark wrote:
> Hey all,
>
> I have a question regarding the stability of Openswan 2.3.1, although
> just a surface question at this time. We are currently using Openswan
> as the IPsec transport between remote offices, using GRE+BGP inside to
> route multiple networks (thanks Paul! ;D). There appears to be a
> scenario where *sometimes*, during the rekey process ... "something"
> goes awry, and by this I mean that traffic traversing the tunnel stops
> functioning even though everything seems to be established properly.
>
> Without pasting a full debug log to this list (I've scoured it for hours
> and hours, finding nothing out of the ordinary that I can identify--both
> phase 1 and phase 2 function properly and establish their respective
> SAs, it just sometimes stops allowing traffic through), I was
> wondering if this is a known issue that has occurred for anyone else in
> the past?
>
> If not, I will proceed to gather up all the various data I have from my
> latest tunnel failure and proceed to bug everyone some more.
>
> The strange thing is that if I change the keylife to 600 and the
> rekeyfuzz to 10% (essentially creating a phase 2 SA every 60s), the
> problem seems to resolve itself once the next SA is brought up. (wtf?!)
>
> In a production environment, I'm sure you can understand that having
> this type of configuration isn't exactly desired.
>
> So anyway yeah, this is just a poke to the list to see if anyone has
> seen this behavior before. :)
>
> Thanks in advance,
>
> K
>
I had a test setup doing the same exact thing without the bgp peering
between a pair of Centos 4.1 boxes using 2.3.1 and it was solid for 5
days without a hiccup. Not too many flows, the traffic was mostly an
OpenNMS box polling a few services and the daily scans and some ssh
packets.
Also have 2.3.1 Centos 4 going to a 2.1.5 FC1 that has been rock solid
from the day I set it up.
Ted
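To make the arithmetic behind the keylife=600 / rekeyfuzz=10% workaround in the quoted message explicit, here is an added example (not from this thread or from Openswan itself) that models how pluto schedules a Phase 2 rekey from the ipsec.conf keylife, rekeymargin and rekeyfuzz settings: renegotiation starts rekeymargin before keylife expires, with the margin randomly enlarged by up to rekeyfuzz percent. The function names are mine; the defaults (8h, 9m, 100%) are the ones documented in ipsec.conf(5).

```python
import random
import re

# Defaults documented in ipsec.conf(5) for keylife, rekeymargin and rekeyfuzz.
DEFAULT_KEYLIFE = "8h"
DEFAULT_REKEYMARGIN = "9m"
DEFAULT_REKEYFUZZ = "100%"

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_time(value: str) -> int:
    """Parse an ipsec.conf duration such as '600', '9m' or '8h' into seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", value)
    if not m:
        raise ValueError(f"bad duration: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def parse_percent(value: str) -> float:
    """Parse a rekeyfuzz value such as '10%' into a fraction (0.10)."""
    m = re.fullmatch(r"\s*(\d+)\s*%\s*", value)
    if not m:
        raise ValueError(f"bad percentage: {value!r}")
    return int(m.group(1)) / 100.0


def rekey_window(keylife=DEFAULT_KEYLIFE, rekeymargin=DEFAULT_REKEYMARGIN,
                 rekeyfuzz=DEFAULT_REKEYFUZZ):
    """Return (earliest, latest) seconds after SA establishment at which the
    Phase 2 rekey may begin: keylife minus a margin that the fuzz randomly
    stretches from rekeymargin up to rekeymargin*(1+rekeyfuzz)."""
    life = parse_time(keylife)
    margin = parse_time(rekeymargin)
    fuzz = parse_percent(rekeyfuzz)
    latest = life - margin
    earliest = life - margin * (1.0 + fuzz)
    # Sanity check (mine, not pluto's): a margin that swallows the whole
    # lifetime would mean rekeying before the SA is even usable.
    if earliest <= 0:
        raise ValueError("rekeymargin*(1+rekeyfuzz) must be smaller than keylife")
    return earliest, latest


def sample_rekey_time(keylife=DEFAULT_KEYLIFE, rekeymargin=DEFAULT_REKEYMARGIN,
                      rekeyfuzz=DEFAULT_REKEYFUZZ, rng=random):
    """Draw one concrete rekey time uniformly from the fuzzed window."""
    earliest, latest = rekey_window(keylife, rekeymargin, rekeyfuzz)
    return rng.uniform(earliest, latest)


if __name__ == "__main__":
    # The poster's setting with the default 9m margin: a new SA every 6..60 s.
    print(rekey_window("600", "9m", "10%"))   # (6.0, 60.0)
    print(rekey_window())                      # (27720.0, 28260.0) with defaults
```

With the default 8h keylife the window is 27720..28260 s, which is why a hang that only clears at the next rekey can persist for hours under the production settings but for at most a minute under the workaround.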