[Openswan Users] Openswan, Windows XP/2000 and disconects

Andrej Trobentar andrej.trobentar at rikom.si
Wed Nov 30 17:04:09 CET 2005 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Paul Wouters wrote:
>
> I thought in scenario #2 you did not reconnect to the vpn?

Yes I have reconnected to VPN. First connected, then disconected
UNproperly, then connected again and at the end disconnected properly.

> 
>>I would expect this scenario to work :

Notice the word EXPECT. In real life this situation DOESN'T work.

> 
> [ you are allowed plaintext traffic to the vpn ]
> 
> 
>>- - connect to VPN

OK

> [ only crypted allowed now ]
> 
> 
>>- - disconnect pppoe (VPN disconnect "unproperly")

OK

> [ still the vpn only allows crypted from the ip you used
>  ]
> 
>>- - connect pppoe
> 
> 
> [ assuming you got the same ip, only crypted traffic allowed ]
> 

Yes, I got the SAME IP.

>>- - ping VPN server -> no reply
> 
> 
> [ which is why the plaintext ping fails ]

OK

>>- - connect to VPN
> 
> 
> [ this is the sneaky part. even though setting up the vpn starts
>   with unencrypted traffic, the vpn has a special policy that
>   allows only vpn negotiatin to take place even if it would only
>   expect/allow crypted traffic. This we call the 'udp 500/4500 hole'.
>   so while connecting, vpn traffic is allowed. on success (or failure)
>   only crypted traffic is allowed ]

OK

>>- - disconnect VPN properly
> 
> 
> [ plaintext traffic is allowed ]
> 
> 
>>- - ping VPN server -> got a replay
> 
> 
> So that should work. 

I thought so too, but it doesn't work. I don't get a reply although I
have disconnected properly from VPN the second time.

> One scenario where this might not work, is if the
> con server would use "auto=start"

I don't use "auto=start", I use "auto=add".

> You can look at 'ipsec eroute' on klips, or ip xfrm state and ip xfrm
> policy on netkey to see what will be allowed or not from your ip.
> 
> 
> That will be tricky. really your best bet is a seperate IP address for
> the VPN. All other ways will just be patch work.

I can't use any other IP or server, so I'm stuck with this :(

> Dead Peer Detection would work well here, in combination with
> dpdaction=clear, but unfortunately Windows does not support DPD.

I have figured this out in some previous posts :) Fcking Windows!!!

Any other ideas? I still think that, if I disconnect properly the second
time, the ping should/must work.


- --
Greetings from Slovenia,

	Andrej.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFDjc15Vd/NU2yFfAoRAiUKAKCasoOIkM24hmm6n03Ew6fMgRuvtQCg0oqV
6PH8x9/Y0dAB7AzUiH+7J94=
=O9kq
-----END PGP SIGNATURE-----

More information about the Users mailing list