[Openswan Users] IPsec + (GRE/BGP) undetermined routing issues

Kevin Clark kevin.clark at ubisoft.com
Thu Aug 18 14:48:18 CEST 2005


That definitely seems to be very similar to what I see, although the
only difference on my end is that the IPsec connection is utilized
constantly.  

Just before writing this email we experienced the issue again.  For us,
the easiest way to restore connectivity is to --down the connection on
one side and let the other side reestablish.  

A quick view of the --status output before and after the problem was
corrected shows a lack of a STATE_MAIN_R3 (sent MR3, ISAKMP SA
established) entry for that specific connection, although I don't know
if this is irregular or not.

It does appear that in the log, Pluto is sent a delete SA request, and
then proceeds to delete each SA entry sequentially.  Then the log shows
a re-establishment of the IPsec SAs and everything looks fine.

... Except of course, no traffic is passing through :(

This doesn't make a ton of sense to me, what would cause the tunnel to
establish properly without bitching, but not allow traffic to pass
through?--while another rekey attempt solves said issue.

It makes me sad, I want my mommy.

K



-----Original Message-----
From: Ferdinand O. Tempel [mailto:ftempel at linuxops.net] 
Sent: Thursday, August 18, 2005 1:19 PM
To: Kevin Clark
Cc: users at openswan.org
Subject: Re: [Openswan Users] IPsec + (GRE/BGP) undetermined routing
issues

On Wed, 2005-08-17 at 21:28, Kevin Clark wrote:
> Hey all,
> 
> I have a question regarding the stability of Openswan 2.3.1, although
> just a surface question at this time.  We are currently using Openswan
> as the IPsec transport between remote offices, using GRE+BGP inside to
> route multiple networks (thanks Paul! ;D).  There appears to be a
> scenario where *sometimes*, during the rekey process ... "something"
> goes awry, and by this I mean that traffic traversing the tunnel stops
> functioning even though everything seems to be established properly.

Does it look anything like the following bug report:
http://bugs.xelerance.com/view.php?id=264

If so, then yes, I've seen it too. Which reminds me to give feedback on
it. Sorry to be so unresponsive, guys.

Nice setup you have there. I know, we use it too :)

Regards,

Ferdinand O. Tempel

