[Openswan Users] vpn connection after internet reconnect

Axel Thimm Axel.Thimm at ATrpms.net
Sat Nov 25 11:52:45 EST 2006

On Sat, Nov 25, 2006 at 05:23:09PM +0100, Paul Wouters wrote:
> On Sat, 25 Nov 2006, Axel Thimm wrote:
> > What if the firewall connecting to DSL and the endpoint of the ipsec
> > connection are not the same (and therfore there is no triggering event
> > from pppoe to reconnect)? I currently connect with a host within the
> > network and when the firewall changes its IP (due to DSL reconnect),
> > the internal host never reconnects w/o manually restaring ipsec. Until
> > I find out all TCP connections through ipsec have timed out and have
> > been torn down :(
> >
> > Is there a way to force reconnects when there is a given timeout? Or
> If both ends support it, you can enable Dead Peer Detection. It will
> cause the tunnel to recover faster.

I'll try that, I thought that was already enabled (by the comments on
the manpage the values for dpddelay/dpdtimeout already have non-zero
default). But I should change dpdaction to clear and perhaps lower the
dpdtimeout, or are 120+ seconds OK for keeping up the TCP connections
over that tunnel?

> But if your IP changes, then currently you will need to reload your
> connection. You can do this using a custom updown script using
> leftupdown=/some/script.sh

The IP of the laptop does not change, the IP of the natting firewall
in front of it does.

> > should I better move the ipsec endpoint to the firewall, so that I
> > have a triggering event to reconnect? I'd prefer to keep it on the
> > roadwarrier laptop, though.
> I am not sure if I understand your setup. You can have an ipsec
> endpoint on your firewall, your laptop, or both.

It's like

=======================     =========================================
|laptop|-----| nat box (dynamic dsl IP)|--- Outside
=======================     =========================================

The changing IP is the one of the nat box, e.g. the right hand side
sees the natted packages suddenly coming from another IP. The laptop
never registers that the natting IP has changed.
Axel.Thimm at ATrpms.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20061125/27100acf/attachment.bin 

More information about the Users mailing list