[Openswan Users] IPsec + (GRE/BGP) undetermined routing issues

Ted Kaczmarek tedkaz at optonline.net
Thu Aug 18 10:03:08 CEST 2005


On Wed, 2005-08-17 at 18:28 -0400, Kevin Clark wrote:
> Hey all,
> 
> I have a question regarding the stability of Openswan 2.3.1, although
> just a surface question at this time.  We are currently using Openswan
> as the IPsec transport between remote offices, using GRE+BGP inside to
> route multiple networks (thanks Paul! ;D).  There appears to be a
> scenario where *sometimes*, during the rekey process ... "something"
> goes awry, and by this I mean that traffic traversing the tunnel stops
> functioning even though everything seems to be established properly.
> 
> Without pasting a full debug log to this list (I've scoured it for hours
> and hours, finding nothing out of the ordinary that I can identify--both
> phase 1 and phase 2 function properly and establish their respective
> SAs, it just sometimes.. it stops allowing traffic through), I was
> wondering if this is a known issue that has occurred for anyone else in
> the past?
> 
> If not, I will proceed to gather up all the various data I have from my
> latest tunnel failure and proceed to bug everyone some more.
> 
> The strange thing is that if I change the keylife to 600 and the
> rekeyfuzz to 10% (essentially creating a phase 2 SA every 60s), the
> problem seems to resolve itself once the next SA is brought up.  (wtf?!)
> 
> In a production environment, I'm sure you can understand that having
> this type of configuration isn't exactly desired.  
> 
> So anyway yeah, this is just a poke to the list to see if anyone has
> seen this behavior before.  :)
> 
> Thanks in advance,
> 
> K
> 
I had a test setup doing the same exact thing without the bgp peering
between a pair of Centos 4.1 boxes using 2.3.1 and it was solid for 5
days without a hiccup. Not too many flows, the traffic was mostly an
OpenNMS box polling a few services and the daily scans and some ssh
packets.

Also have 2.3.1 Centos 4 going to a 2.1.5 FC1 that has been rock solid
from the day I set it up.

Ted
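Kevin's workaround above (keylife 600 with rekeyfuzz 10%, giving a new phase 2 SA roughly every minute) follows from how pluto schedules rekeys. The short script below is an added illustration, not code from this thread or from Openswan; it models the scheduling as the ipsec.conf(5) man page describes it (replacement negotiation starts rekeymargin before expiry, with the margin randomly increased by up to rekeyfuzz percent, default rekeymargin 9m and rekeyfuzz 100%). It assumes pluto applies exactly that formula and clamps at zero; the real daemon works in whole seconds, so treat the outputs as approximate.

```python
# Added example (not from the thread or Openswan): model pluto's phase 2
# rekey timing from keylife / rekeymargin / rekeyfuzz as documented in
# ipsec.conf(5), to show why keylife=600 + rekeyfuzz=10% rekeys about
# every minute. Semantics assumed from the man page, not from pluto source.
import random

DEFAULT_REKEYMARGIN = 9 * 60   # ipsec.conf default "9m", in seconds
DEFAULT_REKEYFUZZ = 100        # ipsec.conf default "100%"


def rekey_delay(keylife, rekeymargin=DEFAULT_REKEYMARGIN,
                rekeyfuzz=DEFAULT_REKEYFUZZ, fuzz_draw=None):
    """Seconds after an SA comes up at which the replacement negotiation starts.

    rekeyfuzz is a percentage: the margin is increased by a random fraction
    (0..rekeyfuzz %) of itself. fuzz_draw in [0, 1] pins that random draw so
    the result is reproducible; None means draw it here.
    """
    if fuzz_draw is None:
        fuzz_draw = random.random()
    margin = rekeymargin + rekeymargin * rekeyfuzz * fuzz_draw / 100.0
    # A margin larger than keylife clamps to 0: rekey immediately.
    return max(keylife - margin, 0.0)


def rekey_window(keylife, rekeymargin=DEFAULT_REKEYMARGIN,
                 rekeyfuzz=DEFAULT_REKEYFUZZ):
    """(earliest, latest) rekey start over all possible fuzz draws."""
    earliest = rekey_delay(keylife, rekeymargin, rekeyfuzz, fuzz_draw=1.0)
    latest = rekey_delay(keylife, rekeymargin, rekeyfuzz, fuzz_draw=0.0)
    return (earliest, latest)


def rekeys_immediately(keylife, rekeymargin=DEFAULT_REKEYMARGIN,
                       rekeyfuzz=DEFAULT_REKEYFUZZ):
    """True when even the smallest possible margin already exceeds keylife,
    i.e. the SA would be renegotiated as soon as it is established."""
    return rekey_window(keylife, rekeymargin, rekeyfuzz)[1] == 0.0


if __name__ == "__main__":
    # Kevin's setting: keylife=600, rekeyfuzz=10%, default rekeymargin=9m.
    lo, hi = rekey_window(600, rekeyfuzz=10)
    print("keylife=600 rekeyfuzz=10%%: rekey starts %.0f..%.0f s after SA up" % (lo, hi))
    # Default keylife of 8h with default fuzz for comparison.
    lo, hi = rekey_window(8 * 3600)
    print("keylife=8h defaults: rekey starts %.0f..%.0f s after SA up" % (lo, hi))
    print("keylife=300 with defaults rekeys immediately:", rekeys_immediately(300))
```

Run stand-alone it prints the rekey window for Kevin's setting (6 to 60 seconds after each SA comes up, so a fresh phase 2 SA about every minute) next to the 8h default; the last line shows the clamping edge case, where a keylife shorter than the margin makes pluto renegotiate continuously.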


