[Openswan Users] Openswan, Windows XP/2000 and disconnects

Paul Wouters paul at xelerance.com
Tue Nov 29 21:37:06 CET 2005


On Tue, 29 Nov 2005, Andrej Trobentar wrote:

[ I will leave the scenario intact for reference, answer is below ]

> Hello all,
>
> Problem :
> After internet connection loss on a roadwarrior client he can connect to
> the VPN server again, but can't ping the external IP of the VPN server
> if he hasn't established a VPN connection.
>
> Here's what I did on a Windows 2000 (all updates) machine connected
> directly to the internet (NO NAT) with ras-pppoe for Windows 2000 :
>
> 1. test
> - connect to my ISP with ras-pppoe *OK*
> - connect to my VPN server with l2tp under Windows *OK*
> - ping to the internal network behind VPN server *OK*
> - disconnect from VPN by clicking on the disconnect button on Windows VPN
> icon *OK*
> - ping the external IP of the VPN server and received a reply *OK*
> - reconnect to my VPN server *OK*
>
> RESULT : everything OK
>
> -----------------------------------------------------------------------
>
> 2. test
> - connect to my ISP with ras-pppoe *OK*
> - connect to my VPN server with l2tp under Windows *OK*
> - ping to the internal network behind VPN server *OK*
> - disconnect my ISP connection by clicking on the disconnect button on
> Windows PPPoE icon -> after this the VPN icon disappeared as expected *OK*
> - reconnect to my ISP with ras-pppoe *OK*
> - ping the external IP of the VPN server and *didn't* receive a reply
> *FAILED*
> - reconnect to my VPN server with l2tp under Windows *OK*
> - ping to the internal network behind VPN server *OK*
> - disconnect from VPN by clicking on the disconnect button on Windows VPN
> icon *OK*
> - ping the external IP of the VPN server and didn't receive a reply
> *FAILED*
>
> RESULT : if you disconnect the pppoe connection you CAN reconnect to VPN
> server with l2tp under Windows, but CAN'T ping the VPN server if you're
> not connected to the VPN
>
> -------------------------------------------------------------------------
>
> After you do a "ipsec auto --down roadwarior-l2tpd" on the VPN server
> you can ping the external IP of the VPN server again. Is this normal?

Unfortunately that is how IPsec works. It cannot allow plaintext packets
from a host it has a security association with. Any plaintext traffic has
to be dropped, since it could be spoofed.

Disconnecting properly is the only solution. You can also set a shorter
keylife to mitigate the problem. The openswan server will expire the
security association more quickly. But since it should be using rekey=no,
since it cannot initiate to the roadwarrior, even for rekeying, it does
need to trigger the Windows client into rekeying. I am not sure if this
would result in some brief connection disruption.

Though I don't think this should be much of a problem. You should not be
talking plaintext to your VPN server if you have an IPsec/l2tp connection
defined for it.

Paul

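As an added illustration (not part of Paul's reply or of the Openswan project's own documentation), this is how the shorter keylife and rekey=no settings he mentions would sit in an Openswan ipsec.conf conn for the IPsec/L2TP roadwarrior setup; the server address and the lifetime values are placeholders chosen for the example.

```ini
# Added example: Openswan ipsec.conf conn for IPsec/L2TP roadwarriors.
# 203.0.113.1 is a documentation-range placeholder for the VPN server's
# external IP; the lifetimes below are illustrative, not the defaults.
conn roadwarrior-l2tpd
    left=203.0.113.1           # server's external IP (placeholder)
    leftprotoport=17/1701      # L2TP on UDP 1701 at the server
    right=%any                 # any roadwarrior address may initiate
    rightprotoport=17/%any     # Windows client source port varies
    type=transport
    authby=secret
    pfs=no                     # Windows L2TP/IPsec client does not do PFS
    rekey=no                   # server never initiates to the roadwarrior,
                               # so it must not try to rekey either
    keylife=20m                # shorter IPsec SA life: a stale SA left by
                               # a dropped PPPoE session expires sooner,
                               # so plaintext from that peer is blocked
                               # for at most this long (see the thread)
    ikelifetime=1h             # ISAKMP SA lifetime
    auto=add                   # load only; the roadwarrior initiates
```

Until the SA expires (or is removed with "ipsec auto --down"), plaintext from the peer's address is still dropped, exactly as Paul describes; the shorter keylife only bounds how long that lasts.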
