[Openswan Users] ipsec vpn fallback

Ming-Ching Tiew mingching.tiew at redtone.com
Fri Jun 3 12:26:46 CEST 2005


From: "Ming-Ching Tiew" <mingching.tiew at redtone.com>

> I don't get much error, even though I change klipdebug=all,
> 
> #ipsec auto --down link1
> #ipsec auto --up link2
> 104 "link2" #3: STATE_MAIN_I1: initiate
> 010 "link2" #3: STATE_MAIN_I1: retransmission; will wait 20s for response
> 010 "link2" #3: STATE_MAIN_I1: retransmission; will wait 40s for response
> 
> It just goes on and on, it will never complete the negotiation. If I did what I mentioned
> ( ie change the interfaces so that ipsec0=ethx, where ethx = the active link ),
> the vpn will be set up very quickly but the 'ipsec setup restart' is very slow, it is not
> ideal either.
> 


OK my problem is fixed. The reason was that, since I have two internet links,
the IKE negotiation could be sent via the wrong interface, and was thereby unable
to complete negotiation.

What I did then was to force the UDP port 500 IKE to go through the "surviving"
network interface card, and the IKE negotiation will complete very quickly.

Thank you for your attention, I now have a fully redundant IPSEC VPN
which is capable of automatic failover, and I don't have to restart ipsec to do this.

Regards.
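
One way to force UDP port 500 through the surviving interface, as an added example that is not part of the original message and not necessarily the method the poster used: mark locally generated IKE packets and policy-route the mark. The interface names, gateway addresses, mark value, table number and the IKE_PIN_* variables are constructed placeholders, and it assumes the connection's local address belongs to the surviving interface.

```shell
#!/bin/sh
# Added example: pin locally generated IKE (UDP 500) to the surviving uplink.
# Interface names, gateways, mark and table number are constructed placeholders.
IKE_MARK=0x500   # fwmark for IKE packets (assumed not used elsewhere)
IKE_TABLE=150    # routing table number (assumed unused)

# Liveness check for one uplink: $1 = interface, $2 = its gateway.
probe() { ping -c 2 -W 2 -I "$1" "$2" >/dev/null 2>&1; }

# Print "dev gw" for the first uplink (given as dev:gw) whose gateway answers.
pick_uplink() {
    for link in "$@"; do
        dev=${link%%:*}; gw=${link#*:}
        if probe "$dev" "$gw"; then echo "$dev $gw"; return 0; fi
    done
    return 1
}

# Print the commands that route marked IKE packets out of $1 via gateway $2.
ike_pin_cmds() {
    # Drop state left over from the previous uplink (errors are harmless).
    echo "ip rule del fwmark $IKE_MARK table $IKE_TABLE"
    echo "ip route flush table $IKE_TABLE"
    echo "iptables -t mangle -D OUTPUT -p udp --dport 500 -j MARK --set-mark $IKE_MARK"
    # Mark IKE from this host, then give marked packets their own default route.
    echo "iptables -t mangle -A OUTPUT -p udp --dport 500 -j MARK --set-mark $IKE_MARK"
    echo "ip route add default via $2 dev $1 table $IKE_TABLE"
    echo "ip rule add fwmark $IKE_MARK table $IKE_TABLE"
}

# Dry run by default; set IKE_PIN_APPLY=1 (as root) to execute the commands.
if [ -n "${IKE_PIN_LINKS:-}" ]; then
    if up=$(pick_uplink $IKE_PIN_LINKS); then
        if [ "${IKE_PIN_APPLY:-0}" = 1 ]; then ike_pin_cmds $up | sh -x
        else ike_pin_cmds $up; fi
    else
        echo "no uplink reachable" >&2
    fi
fi
```

Run with IKE_PIN_LINKS="eth0:192.0.2.1 eth1:198.51.100.1" to see the commands for the first reachable uplink, then bring the tunnel up with 'ipsec auto --up' as in the message above.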




