[Openswan Users] vpn connection after internet reconnect

Axel Thimm Axel.Thimm at ATrpms.net
Sat Nov 25 12:32:54 EST 2006


On Sat, Nov 25, 2006 at 05:52:45PM +0100, Axel Thimm wrote:
> On Sat, Nov 25, 2006 at 05:23:09PM +0100, Paul Wouters wrote:
> > On Sat, 25 Nov 2006, Axel Thimm wrote:
> > 
> > > What if the firewall connecting to DSL and the endpoint of the ipsec
> > > connection are not the same (and therefore there is no triggering event
> > > from pppoe to reconnect)? I currently connect with a host within the
> > > network and when the firewall changes its IP (due to DSL reconnect),
> > > the internal host never reconnects w/o manually restarting ipsec. Until
> > > I find out all TCP connections through ipsec have timed out and have
> > > been torn down :(
> > >
> > > Is there a way to force reconnects when there is a given timeout? Or
> > 
> > If both ends support it, you can enable Dead Peer Detection. It will
> > cause the tunnel to recover faster.
> 
> I'll try that, I thought that was already enabled (by the comments on
> the manpage the values for dpddelay/dpdtimeout already have non-zero
> default). But I should change dpdaction to clear and perhaps lower the
> dpdtimeout, or are 120+ seconds OK for keeping up the TCP connections
> over that tunnel?

I tried this and the detection seems to have worked, e.g. after 120
sec. the peer is declared dead:

Nov 25 18:20:34 neu pluto[27564]: ERROR: asynchronous network error report on ath0 (sport=4500) for message to 67.95.107.117 port 4500, complainant 192.168.42.111: Network is unreachable [errno 101, origin ICMP type 3 code 0 (not authenticated)]
Nov 25 18:22:34 neu pluto[27564]: "tww" #6: DPD: No response from peer - declaring peer dead
Nov 25 18:22:34 neu pluto[27564]: "tww" #6: DPD: Clearing Connection
Nov 25 18:22:34 neu pluto[27564]: "tww" #7: deleting state (STATE_QUICK_I2)
Nov 25 18:22:34 neu pluto[27564]: "tww" #6: deleting state (STATE_MAIN_I4)

But now nothing happens anymore. I had been sniffing the traffic over
the nat box and there is no attempt to reconnect.

> > But if your IP changes, then currently you will need to reload your
> > connection. You can do this using a custom updown script using
> > leftupdown=/some/script.sh
> 
> The IP of the laptop does not change, the IP of the natting firewall
> in front of it does.
> 
> > > should I better move the ipsec endpoint to the firewall, so that I
> > > have a triggering event to reconnect? I'd prefer to keep it on the
> > > roadwarrior laptop, though.
> > 
> > I am not sure if I understand your setup. You can have an ipsec
> > endpoint on your firewall, your laptop, or both.
> 
> It's like
> 
> =======================     =========================================
> |laptop 192.168.42.201|-----|192.168.42.111 nat box (dynamic dsl IP)|--- Outside
> =======================     =========================================
> 
> The changing IP is the one of the nat box, e.g. the right hand side
> sees the natted packets suddenly coming from another IP. The laptop
> never registers that the natting IP has changed.

-- 
Axel.Thimm at ATrpms.net
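An added configuration example for the DPD settings discussed in this thread (it is not from the thread or from the Openswan project's own documentation). The connection name "tww", the laptop address 192.168.42.201 and the remote gateway 67.95.107.117 are taken from the log above; the IDs and the authentication method are placeholders and are assumptions:

```conf
# Added example, not from the original thread. Assumed: conn name "tww" and
# addresses as in the pluto log; leftid/rightid/authby are placeholders.
config setup
	nat_traversal=yes            # the log shows UDP/4500, i.e. NAT-T is in use

conn tww
	left=192.168.42.201          # laptop, private address behind the NAT box
	leftid=@laptop.example       # assumed placeholder
	right=67.95.107.117          # remote gateway from the log
	rightid=@gw.example          # assumed placeholder
	authby=rsasig                # assumed
	# DPD: send a keepalive every 30 s; with no answer for 120 s the peer is
	# declared dead (matches the 18:20:34 -> 18:22:34 gap in the log above).
	dpddelay=30
	dpdtimeout=120
	# dpdaction=clear, as used in the thread, tears the SAs down and does not
	# start a new negotiation, which is why nothing happened afterwards.
	# restart tears them down and re-initiates the connection.
	dpdaction=restart
	keyingtries=%forever         # keep retrying until the new NAT address works
	auto=start
```

Both ends must support DPD for this to help, as noted earlier in the thread, and lowering dpddelay/dpdtimeout detects the dead peer sooner at the cost of more keepalive traffic. On the gateway side the roadwarrior's apparent source address changes with every DSL reconnect, so the gateway's conn has to accept that end as %any rather than a fixed address.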