[Openswan Users] vpn connection after internet reconnect

Axel Thimm Axel.Thimm at ATrpms.net
Sat Nov 25 09:21:55 EST 2006


Hi,

On Sun, Jan 15, 2006 at 11:51:54PM +0100, Paul Wouters wrote:
> On Sun, 15 Jan 2006, Andreas Lüdtke wrote:
> 
> > My internet provider is dropping my dsl line every 24 hours. After such a dsl reconnect,
> > the vpn connection can only be re-established by stopping/starting Openswan.
> > These are the error messages I get:
> >
> > Jan 15 05:57:16 (none) kern.warn pluto[6220]: "COMPANY" #25: ISAKMP SA expired (LATEST!)
> > Jan 15 05:59:10 (none) kern.warn pluto[6220]: "COMPANY" #26: max number of retransmissions
> > (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE
> > message
> > Jan 15 05:59:10 (none) kern.warn pluto[6220]: "COMPANY" #26: starting keying attempt 2 of
> > an unlimited number
> > Jan 15 05:59:10 (none) kern.warn pluto[6220]: "COMPANY" #27: initiating Main Mode to
> > replace #26
> >
> > I help myself by running a cron job that will stop ipsec before the dsl line disconnects,
> > and that starts ipsec after the dsl is back online.
> >
> > Is there a better way of doing this (without stopping/starting ipsec)?
> 
> Use a custom _updown script using leftupdown=/path/to/your/script
> 
> See /usr/lib/ipsec/_updown as a reference to build on.

What if the firewall connecting to DSL and the endpoint of the ipsec
connection are not the same (and therefore there is no triggering event
from pppoe to reconnect)? I currently connect with a host within the
network and when the firewall changes its IP (due to DSL reconnect),
the internal host never reconnects w/o manually restarting ipsec. Until
I find out all TCP connections through ipsec have timed out and have
been torn down :(

Is there a way to force reconnects when there is a given timeout? Or
should I better move the ipsec endpoint to the firewall, so that I
have a triggering event to reconnect? I'd prefer to keep it on the
roadwarrior laptop, though.

Thanks.
-- 
Axel.Thimm at ATrpms.net
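
The stalled state shown in the quoted pluto log can be detected from the log itself when no pppoe event is available on the IPsec endpoint. The sketch below is an added example, not part of either poster's message and not Openswan code; the function names, the `TAIL_LINES` variable and the second connection "BRANCH" are assumptions, and the recovery command is whatever the caller passes in.

```shell
#!/bin/sh
# Added example (not Openswan code): spot a stalled IKE initiator in pluto logs.

# Constructed sample, modelled on the log lines quoted in the thread.
# "BRANCH" is a made-up second connection that recovers on its own.
SAMPLE='Jan 15 05:57:16 (none) kern.warn pluto[6220]: "COMPANY" #25: ISAKMP SA expired (LATEST!)
Jan 15 05:59:10 (none) kern.warn pluto[6220]: "COMPANY" #26: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Jan 15 05:59:10 (none) kern.warn pluto[6220]: "COMPANY" #26: starting keying attempt 2 of an unlimited number
Jan 15 06:10:02 (none) kern.warn pluto[6220]: "BRANCH" #31: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Jan 15 06:11:40 (none) kern.warn pluto[6220]: "BRANCH" #32: STATE_MAIN_I4: ISAKMP SA established'

# stalled_conns: read pluto log lines on stdin and print, sorted, each
# connection whose latest relevant event is the retransmission limit in
# STATE_MAIN_I1. A later "ISAKMP SA established" for that name clears it.
stalled_conns() {
    awk '
    /pluto\[[0-9]+\]: "/ {
        rest = $0
        sub(/^.*pluto\[[0-9]+\]: "/, "", rest)   # drop the syslog prefix
        name = rest
        sub(/".*$/, "", name)                    # text before the closing quote
        if (rest ~ /max number of retransmissions \([0-9]+\) reached STATE_MAIN_I1/)
            stalled[name] = 1
        else if (rest ~ /ISAKMP SA established/)
            stalled[name] = 0
    }
    END { for (n in stalled) if (stalled[n]) print n }
    ' | sort
}

# recover_stalled LOGFILE [CMD...]: run "CMD <connection>" once for every
# stalled connection found in the last TAIL_LINES lines of LOGFILE.
# With no CMD given it only reports what it would act on (dry run).
recover_stalled() {
    log=$1
    shift
    [ $# -gt 0 ] || set -- echo would-recover
    tail -n "${TAIL_LINES:-200}" "$log" | stalled_conns |
    while read -r conn; do
        "$@" "$conn" </dev/null
    done
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE" | stalled_conns
```

Run from cron against the file syslog writes pluto messages to, with the command you currently use by hand as CMD; only the window covered by `TAIL_LINES` is considered, so an old failure does not trigger a restart forever.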