[Openswan Users] Openswan, Windows XP/2000 and disconnects

Paul Wouters paul at xelerance.com
Wed Nov 30 16:35:04 CET 2005


On Wed, 30 Nov 2005, Andrej Trobentar wrote:

> Well, you see, in test #2 I have first disconnected "improperly", but
> the next time I reconnected, I disconnected "properly"! And I still
> couldn't ping the host. So your statement here isn't true. Or am I wrong?

I thought in scenario #2 you did not reconnect to the vpn?

> I would expect this scenario to work :

[ you are allowed plaintext traffic to the vpn ]

> - - connect to VPN

[ only crypted allowed now ]

> - - disconnect pppoe (VPN disconnect "improperly")

[ still the vpn only allows crypted from the ip you used ]
> - - connect pppoe

[ assuming you got the same ip, only crypted traffic allowed ]

> - - ping VPN server -> no reply

[ which is why the plaintext ping fails ]

> - - connect to VPN

[ this is the sneaky part. even though setting up the vpn starts
  with unencrypted traffic, the vpn has a special policy that
  allows only vpn negotiation to take place even if it would only
  expect/allow crypted traffic. This we call the 'udp 500/4500 hole'.
  so while connecting, vpn traffic is allowed. on success (or failure)
  only crypted traffic is allowed ]

> - - disconnect VPN properly

[ plaintext traffic is allowed ]

> - - ping VPN server -> got a reply

So that should work. One scenario where this might not work is if the
con server would use "auto=start", since that would mean it immediately
initiates the connection again, which, if you do not reply, causes it
to block unencrypted traffic until the vpn is back up.

You can look at 'ipsec eroute' on klips, or ip xfrm state and ip xfrm
policy on netkey to see what will be allowed or not from your ip.

> This VPN server is an imaps, http, smtp, ssh server too, so I must be
> able to connect to it even if I'm not in VPN.

That will be tricky. Really, your best bet is a separate IP address for
the VPN. All other ways will just be patch work. Try setting a short
keylife=. Dead Peer Detection would work well here, in combination with
dpdaction=clear, but unfortunately Windows does not support DPD.

Paul
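As an added example, not part of the original thread and not Openswan's own code, here is a small shell helper that reads an `ip xfrm policy` dump (the netkey check mentioned above) and reports whether plaintext from a given client address is still accepted by the server, which is the question behind the "ping -> no reply" step. The policy dump, the addresses and the function name `plaintext_state` are constructed for illustration; on a live netkey host you would pipe the real `ip xfrm policy` output into it. `ipsec eroute` output on klips has a different format and is not handled here.

```shell
#!/bin/sh
# Added example (not from the list post): decide from an `ip xfrm policy`
# dump whether plaintext from a given peer IP is still accepted by this host.
# Live use on a netkey Openswan box:  ip xfrm policy | plaintext_state <peer-ip>
# The dump below is constructed sample output, not captured from any real server.

SAMPLE_POLICY='src 192.0.2.10/32 dst 198.51.100.5/32
        dir in priority 2080 ptype main
        tmpl src 192.0.2.10 dst 198.51.100.5
                proto esp reqid 16385 mode tunnel
src 198.51.100.5/32 dst 192.0.2.10/32
        dir out priority 2080 ptype main
        tmpl src 198.51.100.5 dst 192.0.2.10
                proto esp reqid 16385 mode tunnel
src 192.0.2.10/32 dst 198.51.100.5/32
        dir fwd priority 2080 ptype main
        tmpl src 192.0.2.10 dst 198.51.100.5
                proto esp reqid 16385 mode tunnel'

# plaintext_state <peer-ip>   (policy dump on stdin)
# Prints "blocked" when an inbound (dir in) policy whose source selector covers
# the peer carries an ESP template, i.e. the kernel drops unprotected packets
# from that address until an SA exists; prints "allowed" otherwise.
plaintext_state() {
    awk -v peer="$1" '
        # Only exact /32 selectors and the any-host selector are recognised.
        function covers(cidr, ip,    p) {
            split(cidr, p, "/")
            return (p[1] == ip && p[2] == "32") || cidr == "0.0.0.0/0"
        }
        # Each policy record starts with a "src ... dst ..." line; evaluate the
        # previous record whenever a new one begins and once more at EOF.
        function flush() {
            if (src != "" && dir == "in" && esp && covers(src, peer)) hit = 1
            src = ""; dir = ""; esp = 0
        }
        /^src /     { flush(); src = $2 }
        $1 == "dir" { dir = $2 }
        /proto esp/ { esp = 1 }
        END         { flush(); print (hit ? "blocked" : "allowed") }
    '
}

# Demonstration on the constructed dump: the VPN client 192.0.2.10 is covered
# by an inbound ESP policy, so its plaintext ping is dropped; an unrelated
# host 203.0.113.7 is not covered and its plaintext is still accepted.
printf '%s\n' "$SAMPLE_POLICY" | plaintext_state 192.0.2.10    # blocked
printf '%s\n' "$SAMPLE_POLICY" | plaintext_state 203.0.113.7   # allowed
```

The "blocked" result is exactly the state the client sits in after the improper pppoe disconnect: the inbound policy for its old address still requires ESP, so nothing it sends in the clear reaches the imaps/http/ssh daemons until either the tunnel is re-established or the policy is removed by a proper disconnect (or, if `auto=start` is in use, not at all until the server's own reconnect succeeds).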
