[Openswan Users] DPD / Multiple SA

GODARD Jean-Charles jcgodard at yahoo.fr
Mon Nov 27 17:08:51 EST 2006


Hi there,

I am posting this message to get some advice on an issue we have with a setup we implemented.

|Oswan + Radius Srv|----(icmp/radius)----|Pix|----|Radius Server|

We successfully built a tunnel to the Cisco box; on this tunnel we allow only ICMP and RADIUS traffic thanks to the right/leftprotoport= statements.
So we have one phase1 (isakmp) SA and 5 phase 2 (ipsec) SA established.

The next step is to implement DPD, so after digging through the web, mailing list archives, etc., we found a configuration that works pretty well in most failure cases... except one :(

If we switch off the PIX, or unplug the network cable from the PIX for a while and then restart it / plug the cable back in, DPD does its job: it detects the failure, removes the SAs and tries to renegotiate the lost SAs.
The problem we then have is that only one SA (a random one) is renegotiated and brought up automatically.
We need to have all the SAs renegotiated and up, even after a network failure.
Even if we try to send some traffic into the tunnel, the SAs are not renegotiated.

What I can't understand is why only one of the 5 SAs is brought back up; the same goes for the eroutes: only one is up, the others are in hold or trap status...

The renegotiation does not fail, it is simply not initiated :/

I have seen in a recent post that we can adapt the _updown script to add "ipsec auto --replace conn" and "ipsec auto --up conn", but I did not succeed in finding the correct way to achieve this :(

Any ideas are welcome.
Thanks for your help!

ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan 2.4.7 (klips)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]


Here are the conf files in use:
========================
/etc/ipsec.conf
========================
...
include /etc/ipsec.d/ipsec.*.conf

conn common
        authby=secret
        type=tunnel
        auto=add  # We use a script to bring up the SAs in parallel at startup
        compress=yes
        dpddelay=30
        dpdtimeout=10
        dpdaction=restart
        # Left security gateway, subnet behind it, next hop toward right.
        left=10.0.1.124
        leftsubnet=10.0.1.123/32
        leftnexthop=10.0.1.254

========================
Conn Specific configuration file
========================
conn cisco_SP_AUTH
        also=common
        pfs=no
        keyexchange=ike
        ike="3des-sha-modp1024"
        ikelifetime=28800
        esp="3des-md5"
        keylife=3600s
        # Left security gateway, subnet behind it, next hop toward right.
        leftprotoport="17/1814"
        # Right security gateway, subnet behind it, next hop toward left.
        right=X.Y.Z.52
        rightsubnet=X.Y.Z.57/32
        rightprotoport="17/1812"

conn cisco_SP_ACCT
        also=common
        pfs=no
        keyexchange=ike
        ike="3des-sha-modp1024"
        ikelifetime=28800
        esp="3des-md5"
        keylife=3600s
        # Left security gateway, subnet behind it, next hop toward right.
        leftprotoport="17/1814"
        # Right security gateway, subnet behind it, next hop toward left.
        right=X.Y.Z.52
        rightsubnet=X.Y.Z.57/32
        rightprotoport="17/1813"

conn cisco_NO_AUTH
        also=common
        pfs=no
        keyexchange=ike
        ike="3des-sha-modp1024"
        ikelifetime=28800
        esp="3des-md5"
        keylife=3600s
        # Left security gateway, subnet behind it, next hop toward right.
        leftprotoport="17/1812"
        # Right security gateway, subnet behind it, next hop toward left.
        right=X.Y.Z.52
        rightsubnet=X.Y.Z.57/32
        rightprotoport="17/0"

conn cisco_NO_ACCT
        also=common
        pfs=no
        keyexchange=ike
        ike="3des-sha-modp1024"
        ikelifetime=28800
        esp="3des-md5"
        keylife=3600s
        # Left security gateway, subnet behind it, next hop toward right.
        leftprotoport="17/1813"
        # Right security gateway, subnet behind it, next hop toward left.
        right=X.Y.Z.52
        rightsubnet=X.Y.Z.57/32
        rightprotoport="17/0"

conn cisco_ICMP
        also=common
        pfs=no
        keyexchange=ike
        ike="3des-sha-modp1024"
        ikelifetime=28800
        esp="3des-md5"
        keylife=3600s
        # Left security gateway, subnet behind it, next hop toward right.
        leftprotoport="1/0"
        # Right security gateway, subnet behind it, next hop toward left.
        right=X.Y.Z.52
        rightsubnet=X.Y.Z.57/32
        rightprotoport="1/0"

