[Openswan Users] Virtual interfaces
cottin at free.fr
Tue Jul 19 15:51:09 CEST 2005
Dear OpenSwan gurus,
I'm currently having issues with OpenSWAN on RHEL3 using the RH IPSEC stack.
My setup is as follows:
I run 2 servers configured as 1 HA cluster using heartbeat (active/passive).
Openswan is configured to bind on eth0:0, which is the virtual interface managed by heartbeat.
Both the virtual and the underlying physical interfaces are on the same subnet.
Each "IPSEC Client" has 2 connections defined: one in tunnel and the other one
in transport mode.
This setup worked like a charm using RH7.3 based VPN routers and super freeswan
1.99. However, since I migrated them to RHEL3/Openswan2.3.1 a few days ago,
IPSEC is often "not" crashing but in a really bad state; I have to manually
restart some connections very often.
From what I've seen till now, it seems that the error comes from pluto not being
able to properly handle virtual IPs like eth0:0.
When starting IPSEC connections I get error messages like:
"XXXX": unroute-host output: /usr/lib/ipsec/_updown: doroute `ip route delete
x.x.x.x/32 via x.x.x.x dev eth0:0 ' failed (Cannot find device "eth0:0")
And when manually restarting the connections I get:
# ipsec auto --down XX
003 "XX" #22: ERROR: netlink response for Del SA esp.xxxxxxxx at local_IP included
errno 3: No such process
where local_IP is the virtual IP
I hope this is only a few lines of shell code to change in
/usr/lib/ipsec/_updown but before doing so I'd like to know if some of you ran
into the same issues before and if there's not something else to change.
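The `ip route delete ... dev eth0:0` call in the error quoted above is rejected because `eth0:0` is an address label on `eth0`, not a device name that `ip` accepts after `dev`. The following is an added example, not part of the original post and not Openswan's `_updown` code: it rewrites only the word after `dev` in a route command line. The function names `base_dev` and `normalize_route_cmd` are hypothetical and the addresses are constructed.

```shell
#!/bin/sh
# Added example, not Openswan's _updown; addresses below are constructed.

# "eth0:0" is an address label on eth0, not a device of its own, so the
# argument after "dev" has to be the part before the colon.
base_dev() {
    printf '%s\n' "${1%%:*}"
}

# Rewrite every "dev <name>" pair in a route command line so alias labels
# become base device names. All other words pass through unchanged, which
# matters for IPv6 addresses that contain colons themselves.
normalize_route_cmd() (
    set -f                          # do not glob while word-splitting
    out=""
    prev=""
    for word in $1; do
        if [ "$prev" = "dev" ]; then
            word=$(base_dev "$word")
        fi
        out="${out:+$out }$word"
        prev=$word
    done
    printf '%s\n' "$out"
)

# Dry run on a constructed command of the same shape as the failing one;
# the rewritten command is printed, not executed.
failing='ip route delete 192.0.2.10/32 via 192.0.2.1 dev eth0:0 '
printf 'before: %s\n' "$failing"
printf 'after:  %s\n' "$(normalize_route_cmd "$failing")"
```

This covers the route command only; it says nothing about the netlink `Del SA` error shown for `ipsec auto --down`.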