[Openswan Users] vpn connection after internet reconnect

Axel Thimm Axel.Thimm at ATrpms.net
Sat Nov 25 18:09:06 EST 2006

On Sun, Nov 26, 2006 at 12:02:31AM +0100, Paul Wouters wrote:
> On Sat, 25 Nov 2006, Axel Thimm wrote:
> > > If both ends support it, you can enable Dead Peer Detection. It will
> > > cause the tunnel to recover faster.
> >
> > I'll try that, I thought that was already enabled (by the comments on
> > the manpage the values for dpddelay/dpdtimeout already have non-zero
> > default). But I should change dpdaction to clear and perhaps lower the
> > dpdtimeout, or are 120+ seconds OK for keeping up the TCP connections
> > over that tunnel?
> I don't think dpdaction=restart will work if your ip address changed,
> so you probably should use dpdaction=clear and have the updown script
> do an ipsec auto --replace conn and ipsec auto --up conn.

Until now I wasn't ware of the restart option, I found it about half
an hour ago by grepping through my archives. Makeing the laptop
"restart" seems to restablish the connection in the logs, but I still
can't pass a package through the tunnel. I then found out that 2.4.4
has a bug (452) causing this. I continued digging and found that I
need at least 2.4.6 to tyr this, so I'm currently packaging up 2.4.7.

I hope that 2.4.7 will do the right thing.

> > > But if your IP changes, then currently you will need to reload your
> > > connection. You can do this using a custom updown script using
> > > leftupdown=/some/script.sh
> >
> > The IP of the laptop does not change, the IP of the natting firewall
> > in front of it does.
> > =======================     =========================================
> > |laptop|-----| nat box (dynamic dsl IP)|--- Outside
> > =======================     =========================================
> >
> > The changing IP is the one of the nat box, e.g. the right hand side
> > sees the natted packages suddenly coming from another IP. The laptop
> > never registers that the natting IP has changed.
> So what tunnel(s) do you have? I am still confused. You don't have a
> tunnel from your laptop to the outside, but only from the natbox,

No, the nat box knows nothing about ipsec, it's the laptop that
connects through the nat box to the outside.

> but I'm not sure what range is it then tunneling for?

It's a host-to subnet, e.g.


> Perhaps you want/need to tunnels. One on the natbox and one on the laptop?
> Or perhaps just only one on the laptop with l2tp getting an IP address from
> some remote location?

No, just the laptop and no l2tp. It all works until the natbox changes
its external IP. then the "right" hosts sees the packages coming from
a wrong IP and drops them. The DPD code works properly on the laptop
and the connections is condered dead after the given amount of
time. It just doesn't want to restart on the laptop, and I guess
that's bug 452 on 2.4.6. So hopefully, once 2.4.7 is running I'll just
confirm that it was this bug. :)
Axel.Thimm at ATrpms.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20061126/9b412a0d/attachment.bin 

More information about the Users mailing list