[Openswan Users] vpn connection after internet reconnect

Paul Wouters paul at xelerance.com
Sat Nov 25 18:02:31 EST 2006


On Sat, 25 Nov 2006, Axel Thimm wrote:

> > If both ends support it, you can enable Dead Peer Detection. It will
> > cause the tunnel to recover faster.
>
> I'll try that, I thought that was already enabled (by the comments on
> the manpage the values for dpddelay/dpdtimeout already have non-zero
> default). But I should change dpdaction to clear and perhaps lower the
> dpdtimeout, or are 120+ seconds OK for keeping up the TCP connections
> over that tunnel?

I don't think dpdaction=restart will work if your ip address changed,
so you probably should use dpdaction=clear and have the updown script
do an ipsec auto --replace conn and ipsec auto --up conn.

> > But if your IP changes, then currently you will need to reload your
> > connection. You can do this using a custom updown script using
> > leftupdown=/some/script.sh
>
> The IP of the laptop does not change, the IP of the natting firewall
> in front of it does.

> =======================     =========================================
> |laptop 192.168.42.201|-----|192.168.42.111 nat box (dynamic dsl IP)|--- Outside
> =======================     =========================================
>
> The changing IP is the one of the nat box, e.g. the right hand side
> sees the natted packages suddenly coming from another IP. The laptop
> never registers that the natting IP has changed.

So what tunnel(s) do you have? I am still confused. You don't have a
tunnel from your laptop to the outside, but only from the natbox, but
I'm not sure what range it is then tunneling for.

Perhaps you want/need two tunnels. One on the natbox and one on the laptop?
Or perhaps just only one on the laptop with l2tp getting an IP address from
some remote location?

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
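The suggestion above (dpdaction=clear plus a custom updown script that does
ipsec auto --replace and ipsec auto --up) as a worked example. This is an
added illustration, not a script from the thread or from Openswan itself;
the connection name, the script path, the location of the stock _updown
script and the 2-second delay are assumptions. The one caveat a practitioner
wants here: pluto runs the updown script synchronously and waits for it, so
issuing whack commands inline from the script would block against pluto;
the reload is therefore detached into the background and only fires on the
down-client/down-host verbs that a cleared connection produces.

```shell
#!/bin/sh
# dpd-updown.sh: hypothetical leftupdown wrapper for Openswan (added example).
#
# Assumed ipsec.conf settings for the connection this script serves:
#   conn laptop-to-office
#       dpddelay=30
#       dpdtimeout=120
#       dpdaction=clear
#       leftupdown=/usr/local/sbin/dpd-updown.sh
#
# pluto exports PLUTO_VERB (up-host, down-host, up-client, down-client, ...)
# and PLUTO_CONNECTION (the conn name) when it invokes the updown script.

UPDOWN=${UPDOWN:-/usr/lib/ipsec/_updown}   # stock script, path assumed
IPSEC=${IPSEC:-ipsec}                       # overridable for testing
RELOAD_DELAY=${RELOAD_DELAY:-2}             # seconds to wait before reload
LOG_TAG=dpd-updown

# Only the "down" verbs mean the peer was declared dead (or the tunnel was
# torn down); "up" verbs must never trigger a reload or we would loop.
needs_reload() {
    case "$1" in
        down-client|down-host) return 0 ;;
        *) return 1 ;;
    esac
}

# Re-read the conn from ipsec.conf and re-initiate it. Both whack commands
# are detached: pluto is blocked waiting for this script to exit and cannot
# service whack until we return, so they are queued to run after that.
# Returns 0 once the background job has been spawned.
reload_conn() {
    conn=$1
    if command -v logger >/dev/null 2>&1; then
        logger -t "$LOG_TAG" "peer for $conn gone, scheduling replace + up"
    fi
    (
        sleep "$RELOAD_DELAY"
        "$IPSEC" auto --replace "$conn" && "$IPSEC" auto --up "$conn"
    ) >/dev/null 2>&1 &
    return 0
}

# Delegate to the stock _updown first so routes and firewall rules are still
# handled, then decide whether this verb calls for a reload.
main() {
    rc=0
    if [ -x "$UPDOWN" ]; then
        "$UPDOWN" "$@" || rc=$?
    fi
    if needs_reload "$PLUTO_VERB" && [ -n "$PLUTO_CONNECTION" ]; then
        reload_conn "$PLUTO_CONNECTION"
    fi
    return $rc
}

# pluto always sets PLUTO_VERB; when it is absent we are being sourced or
# inspected rather than called from pluto, so do not dispatch.
if [ -n "$PLUTO_VERB" ]; then
    main "$@"
fi
```

Install it executable at the path named in leftupdown= and restart the
connection so pluto picks up the new script. Note that this only helps the
end that notices the dead peer; the natbox side's address change is what the
--replace is meant to pick up, which assumes the conn refers to that peer by
a name that resolves again or by %any.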