[Openswan Users] Persistent connections over openswan tunnel

Paul Wouters paul at xelerance.com
Wed Sep 28 17:05:53 CEST 2005


On Wed, 28 Sep 2005, Chris Picton wrote:

> I have two gateway servers running openvpn, with separate networks
> behind them being routed through the tunnel.  The servers do not have
> static IP addresses, and the IP can be changed (by my ISP) at any time.
> This causes the openvpn tunnel to drop and be re-established.
>
> The routing through the tunnel does not drop, however.  If I am
> connected from a client on network A via ssh to a machine on network B,
> when the server's IP changes, the connection hangs for a few seconds,
> but when the tunnel is brought back up, the connection continues - it
> does not drop.
>
> As far as I can tell, this is because the openvpn tun device does not go
> down, and it keeps the same ip range for the tunnel.
>
> Is this scenario possible with ipsec?

Yes, for two reasons:
1) Changing the gateway IP address on a subnet-subnet never influences that
    subnet-subnet connection. It is the equivalent of 'packet loss' when the
    tunnel re-establishes.
2) KLIPS does some packet caching, so effects from tunnels in %hold while
    they re-establish might be minimal, though this might not help in this
    scenario, since you need to 'ipsec auto --replace' the tunnels when
    the IP addresses of the endpoints change.

Paul
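
As an added illustration (not part of the original message and not Openswan's own tooling), a small watcher that runs the `ipsec auto --replace` step mentioned above when the peer's dynamic-DNS name starts resolving to a new address. The connection name, hostname and state-file path are assumptions, as is a conn whose `right=` is set to that hostname.

```shell
#!/bin/sh
# Added example: reload an Openswan conn when the peer's address changes.
# All names below are hypothetical; adjust them to your ipsec.conf.
CONN="${CONN:-net-a-to-net-b}"               # assumed conn name
PEER_HOST="${PEER_HOST:-gw-b.example.net}"   # assumed dynamic-DNS name used in right=
STATE_FILE="${STATE_FILE:-/var/run/ipsec-peer.addr}"
INTERVAL="${INTERVAL:-60}"                   # seconds between checks
IPSEC="${IPSEC:-ipsec}"

# Print the first address the peer hostname currently resolves to.
resolve_peer() {
    getent hosts "$1" | awk '{ print $1; exit }'
}

# Return 0 and record the address when $1 differs from the one saved in file $2.
# An empty $1 (failed lookup) is never treated as a change, so a DNS outage
# does not tear down a working tunnel.
address_changed() {
    new=$1
    file=$2
    [ -n "$new" ] || return 1
    old=$(cat "$file" 2>/dev/null || true)
    if [ "$new" = "$old" ]; then
        return 1
    fi
    printf '%s\n' "$new" > "$file"
    return 0
}

# Re-read the conn definition (re-resolving the hostname), then bring it up.
refresh_conn() {
    "$IPSEC" auto --replace "$CONN" && "$IPSEC" auto --up "$CONN"
}

# One polling step; the first run records the address and reloads once.
check_once() {
    addr=$(resolve_peer "$PEER_HOST")
    if address_changed "$addr" "$STATE_FILE"; then
        refresh_conn
    fi
}

# Loop only when asked to, so the functions can be sourced and tested.
if [ "${1:-}" = "--watch" ]; then
    while :; do
        check_once
        sleep "$INTERVAL"
    done
fi
```

Run it as root with `--watch` on each gateway; established sessions across the tunnel see the reload as a short period of packet loss, as described above.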

