[Openswan Users] VPN always up, but one way after a while
Gavin Henry
ghenry at suretecsystems.com
Mon Nov 20 18:05:37 EST 2006
Hi All,
Just a quick one to try and confirm where I should be looking.
VPN is fine from a remote public IP into our network.
Public IP -- Gateway for that IP -- Internet -- Vigor 2600 -- Private LAN
Vigor 2600 and Openswan 2.4.7.
Traffic passes fine from the public machine into the private LAN all the
time. The VPN is always up, but after a while you can't ping or get to
anything on the public IP machine, but the public IP machine can always
get to anything inside the private LAN.
I tend to think this is a Vigor issue, as a VPN restart makes everything
work again. Could this be re-keying issues? Or fixing the settings in the
below "ipsec verify"?
"ipsec verify" on the public machine:
ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.7/K2.6.9-42.0.2.ELsmp (netkey)
Checking for IPsec support in kernel [OK]
Testing against enforced SElinux mode [OK]
Hardware RNG detected, testing if used properly [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Checking for RSA private key (/etc/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
ipsec.conf:
version 2.0
config setup
        plutodebug="control"
        nhelpers=0
conn net-to-lan
        auto=start
        authby=secret
        keyexchange=ike
        auth=esp
        compress=no
        left=86.xx.xx.xx
        leftnexthop=%defaultroute
        right=217.xx.xx.xx
        rightsubnet=192.168.xx.xx/24
        rightnexthop=%defaultroute
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
Thanks,
Gavin.
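As an added example (not part of Gavin's post and not Openswan's own code), a POSIX shell script that audits the two NETKEY ICMP redirect checks that "ipsec verify" reported as [FAILED] above and prints the sysctl.conf lines that clear them. The directory argument and the --live switch are assumptions of this script so it can be run against a constructed tree as well as the real /proc/sys/net/ipv4/conf.

```shell
#!/bin/sh
# Added example: audit the per-interface send_redirects / accept_redirects
# knobs that "ipsec verify" tests for NETKEY, and emit the persistent fix.
# CONF_DIR is a hypothetical parameter standing in for /proc/sys/net/ipv4/conf.

# Print "<iface> <knob>" for every interface whose send_redirects or
# accept_redirects is still enabled (value 1). Returns 1 if any were found,
# 0 if the tree is clean (the state ipsec verify reports as [OK]).
check_redirects() {
    conf_dir="$1"
    found=0
    for knob in send_redirects accept_redirects; do
        for f in "$conf_dir"/*/"$knob"; do
            [ -r "$f" ] || continue            # unmatched glob: skip
            if [ "$(cat "$f")" = "1" ]; then
                printf '%s %s\n' "$(basename "$(dirname "$f")")" "$knob"
                found=1
            fi
        done
    done
    return $found
}

# Emit the settings for /etc/sysctl.conf that disable redirects on current
# ("all") and future ("default") interfaces; both scopes are needed because
# ipsec verify reads every per-interface value, not just "all".
redirect_sysctl_lines() {
    for scope in all default; do
        for knob in send_redirects accept_redirects; do
            printf 'net.ipv4.conf.%s.%s = 0\n' "$scope" "$knob"
        done
    done
}

# Stand-alone use against the live kernel tree: report offenders, then the fix.
if [ "${1:-}" = "--live" ]; then
    check_redirects /proc/sys/net/ipv4/conf || redirect_sysctl_lines
fi
```

After appending the printed lines to /etc/sysctl.conf and loading them with "sysctl -p", the two NETKEY checks in "ipsec verify" should report [OK].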