[Openswan Users] vpn connection after internet reconnect

Axel Thimm Axel.Thimm at ATrpms.net
Sun Nov 26 13:35:23 EST 2006


On Sun, Nov 26, 2006 at 12:09:06AM +0100, Axel Thimm wrote:
> On Sun, Nov 26, 2006 at 12:02:31AM +0100, Paul Wouters wrote:
> > On Sat, 25 Nov 2006, Axel Thimm wrote:
> > 
> > > > If both ends support it, you can enable Dead Peer Detection. It will
> > > > cause the tunnel to recover faster.
> > >
> > > I'll try that, I thought that was already enabled (by the comments on
> > > the manpage the values for dpddelay/dpdtimeout already have non-zero
> > > default). But I should change dpdaction to clear and perhaps lower the
> > > dpdtimeout, or are 120+ seconds OK for keeping up the TCP connections
> > > over that tunnel?
> > 
> > I don't think dpdaction=restart will work if your ip address changed,
> > so you probably should use dpdaction=clear and have the updown script
> > do an ipsec auto --replace conn and ipsec auto --up conn.
> 
> Until now I wasn't aware of the restart option, I found it about half
> an hour ago by grepping through my archives. Making the laptop
> "restart" seems to reestablish the connection in the logs, but I still
> can't pass a package through the tunnel. I then found out that 2.4.4
> has a bug (452) causing this. I continued digging and found that I
> need at least 2.4.6 to try this, so I'm currently packaging up 2.4.7.
> 
> I hope that 2.4.7 will do the right thing.

It looks much better now. It has some issues reconnecting immediately,
but the next try always succeeds and with

  dpddelay=10
  dpdtimeout=30
 
everything happens in under 2 minutes, so no TCP connections are torn
down. :)

Here is the first failing attempt to reconnect for reference:

Nov 26 19:24:38 neu pluto[28763]: "tww" #7: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Nov 26 19:24:38 neu pluto[28763]: "tww" #7: STATE_MAIN_I3: sent MI3, expecting MR3
Nov 26 19:24:45 neu pluto[28763]: "tww" #7: discarding duplicate packet; already STATE_MAIN_I3
Nov 26 19:25:05 neu last message repeated 2 times
Nov 26 19:25:48 neu pluto[28763]: "tww" #7: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
Nov 26 19:25:48 neu pluto[28763]: "tww" #7: starting keying attempt 2 of an unlimited number, but releasing whack
Nov 26 19:25:48 neu pluto[28763]: "tww" #8: initiating Main Mode to replace #7

-- 
Axel.Thimm at ATrpms.net
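
An added example, not part of the original message and not Openswan code: a small Python parser run over the pluto log excerpt quoted above. It reports each keying attempt that ran out of retransmissions, how long it was stuck, how many duplicate packets were discarded (including syslog's "last message repeated" folding), and which SA replaced it. The function name, the record fields and the year default (2006, from the post date) are assumptions.

```python
import re
from datetime import datetime

# Log excerpt copied from the message above. Syslog omits the year, so the
# year (2006, from the post date) is passed in as a parameter.
SAMPLE_LOG = """\
Nov 26 19:24:38 neu pluto[28763]: "tww" #7: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Nov 26 19:24:38 neu pluto[28763]: "tww" #7: STATE_MAIN_I3: sent MI3, expecting MR3
Nov 26 19:24:45 neu pluto[28763]: "tww" #7: discarding duplicate packet; already STATE_MAIN_I3
Nov 26 19:25:05 neu last message repeated 2 times
Nov 26 19:25:48 neu pluto[28763]: "tww" #7: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
Nov 26 19:25:48 neu pluto[28763]: "tww" #7: starting keying attempt 2 of an unlimited number, but releasing whack
Nov 26 19:25:48 neu pluto[28763]: "tww" #8: initiating Main Mode to replace #7
"""

LINE_RE = re.compile(r'^(?P<ts>\w{3} [ \d]\d [\d:]{8}) \S+ pluto\[\d+\]: '
                     r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
REPEAT_RE = re.compile(r'last message repeated (\d+) times?$')
RETX_RE = re.compile(r'max number of retransmissions \((\d+)\) reached (STATE_\w+)')
REPLACE_RE = re.compile(r'initiating Main Mode to replace #(\d+)')

def failed_attempts(log, year=2006):
    """One record per keying attempt that ran out of retransmissions."""
    first_seen, dups, failures, last_dup = {}, {}, {}, None
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            rep = REPEAT_RE.search(line)
            if rep and last_dup:  # syslog folded repeats of a duplicate-packet line
                dups[last_dup] += int(rep[1])
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key, msg = (m["conn"], int(m["sa"])), m["msg"]
        first_seen.setdefault(key, ts)
        last_dup = key if "discarding duplicate packet" in msg else None
        if last_dup:
            dups[key] = dups.get(key, 0) + 1
        retx = RETX_RE.search(msg)
        if retx:  # seconds counts from the first line seen for this SA
            failures[key] = {"conn": key[0], "sa": key[1], "stuck_in": retx[2],
                             "retransmit_limit": int(retx[1]), "duplicates": dups.get(key, 0),
                             "seconds": int((ts - first_seen[key]).total_seconds()),
                             "replaced_by": None}
        old = REPLACE_RE.search(msg)
        if old and (key[0], int(old[1])) in failures:
            failures[(key[0], int(old[1]))]["replaced_by"] = key[1]
    return list(failures.values())

if __name__ == "__main__":
    print(failed_attempts(SAMPLE_LOG))
```

The reported duration is measured from the first line present for that SA, so on a truncated excerpt like this one it is a lower bound on how long the attempt actually ran.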