[Openswan Users] DPD / Multiple SA

Paul Wouters paul at xelerance.com
Tue Nov 28 00:15:17 EST 2006


On Mon, 27 Nov 2006, GODARD Jean-Charles wrote:

>
> I post this message to get some advice on an issue we have with a setup we implemented.
>
> |Oswan + Radius Srv|----(icmp/radius)----|Pix|----|Radius Server|
>
> We successfully built a tunnel to the Cisco box; we allow only ICMP and RADIUS traffic on this tunnel thanks to the right/leftprotoport= statements.
> So we have one phase1 (isakmp) SA and 5 phase 2 (ipsec) SA established.
>
> The next step is to implement DPD, so after digging on the web, mailing list archives... we found a configuration that works pretty well in most of the failure cases... except one :(
>
> If we switch off the Pix or unplug the network cable from the Pix for a while and then restart it / plug the cable back in, DPD does its job, detecting the failure, removing the SAs and trying to renegotiate the lost SAs.
> The problem we have then, is that only one SA (random) is renegotiated and brought up automatically.
> We need to have all the SA renegotiated and up, even after a network failure.
> Even if we try to send some traffic into the tunnel, the SAs are not renegotiated.
>
> What I can't understand is why only one SA out of the 5 SAs is brought back up; same for the eroutes, only one is up, the others are in hold or trap status...
>
> The renegotiation does not fail, it is simply not initiated :/
>
> I have seen in a recent post that we can adapt the _updown script to add "ipsec auto --replace conn" and "ipsec auto --up conn", but I did not succeed in finding the correct way to achieve this :(

I thought we recently added a fix for this. Perhaps it did not make it in 2.4.7.
I'll get back to you on this one.

Paul

> Any ideas are welcome.
> Thanks for your help!
>
> ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan 2.4.7 (klips)
> Checking for IPsec support in kernel                            [OK]
> Checking for RSA private key (/etc/ipsec.secrets)               [OK]
> Checking that pluto is running                                  [OK]
> Two or more interfaces found, checking IP forwarding            [OK]
> Checking NAT and MASQUERADEing                                  [OK]
> Checking for 'ip' command                                       [OK]
> Checking for 'iptables' command                                 [OK]
> Opportunistic Encryption Support                                [DISABLED]
>
>
> Here are the conf files in use:
> ========================
> /etc/ipsec.conf
> ========================
> ...
> include /etc/ipsec.d/ipsec.*.conf
>
> conn common
>         authby=secret
>         type=tunnel
>         auto=add  #We use a script to bring up the SAs in // @ startup
>         compress=yes
>         dpddelay=30
>         dpdtimeout=10
>         dpdaction=restart
>         # Left security gateway, subnet behind it, next hop toward right.
>         left=10.0.1.124
>         leftsubnet=10.0.1.123/32
>         leftnexthop=10.0.1.254
>
> ========================
> Conn Specific configuration file
> ========================
> conn cisco_SP_AUTH
>         also=common
>         pfs=no
>         keyexchange=ike
>         ike="3des-sha-modp1024"
>         ikelifetime=28800
>         esp="3des-md5"
>         keylife=3600s
>         # Left security gateway, subnet behind it, next hop toward right.
>         leftprotoport="17/1814"
>         # Right security gateway, subnet behind it, next hop toward left.
>         right=X.Y.Z.52
>         rightsubnet=X.Y.Z.57/32
>         rightprotoport="17/1812"
>
> conn cisco_SP_ACCT
>         also=common
>         pfs=no
>         keyexchange=ike
>         ike="3des-sha-modp1024"
>         ikelifetime=28800
>         esp="3des-md5"
>         keylife=3600s
>         # Left security gateway, subnet behind it, next hop toward right.
>         leftprotoport="17/1814"
>         # Right security gateway, subnet behind it, next hop toward left.
>         right=X.Y.Z.52
>         rightsubnet=X.Y.Z.57/32
>         rightprotoport="17/1813"
>
> conn cisco_NO_AUTH
>         also=common
>         pfs=no
>         keyexchange=ike
>         ike="3des-sha-modp1024"
>         ikelifetime=28800
>         esp="3des-md5"
>         keylife=3600s
>         # Left security gateway, subnet behind it, next hop toward right.
>         leftprotoport="17/1812"
>         # Right security gateway, subnet behind it, next hop toward left.
>         right=X.Y.Z.52
>         rightsubnet=X.Y.Z.57/32
>         rightprotoport="17/0"
>
> conn cisco_NO_ACCT
>         also=common
>         pfs=no
>         keyexchange=ike
>         ike="3des-sha-modp1024"
>         ikelifetime=28800
>         esp="3des-md5"
>         keylife=3600s
>         # Left security gateway, subnet behind it, next hop toward right.
>         leftprotoport="17/1813"
>         # Right security gateway, subnet behind it, next hop toward left.
>         right=X.Y.Z.52
>         rightsubnet=X.Y.Z.57/32
>         rightprotoport="17/0"
>
> conn cisco_ICMP
>         also=common
>         pfs=no
>         keyexchange=ike
>         ike="3des-sha-modp1024"
>         ikelifetime=28800
>         esp="3des-md5"
>         keylife=3600s
>         # Left security gateway, subnet behind it, next hop toward right.
>         leftprotoport="1/0"
>         # Right security gateway, subnet behind it, next hop toward left.
>         right=X.Y.Z.52
>         rightsubnet=X.Y.Z.57/32
>         rightprotoport="1/0"
>

-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
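An added example, not from this thread and not part of Openswan's own _updown script, illustrating the approach the original poster mentions: re-establishing every conn that shares the phase-1 SA once DPD has torn them down, rather than relying on the single conn that happened to trigger the restart. It is written for POSIX sh, parses ipsec.conf-style stanzas with awk, and skips template stanzas (such as the poster's `conn common`) that other conns pull in with `also=`, since those carry no peer and must not be brought up on their own. The `ipsec auto --replace` / `ipsec auto --up` commands are the ones the poster quotes; the `PLUTO_VERB` / `PLUTO_CONNECTION` environment variables and the `down-client` / `down-host` verbs are assumed to be what pluto passes to _updown, and the sample configuration embedded below is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): list the tunnel conns in an
# ipsec.conf-style text and re-establish all of them after a DPD restart.
#
# Assumed (not confirmed by the thread): pluto exports PLUTO_VERB and
# PLUTO_CONNECTION to the _updown script, and "down-client"/"down-host"
# are the verbs seen when a tunnel goes away.

# Constructed sample mirroring the poster's layout: one template stanza that
# is only included via also=, plus three real tunnel stanzas.
SAMPLE_CONF='conn common
        authby=secret
        auto=add
        dpdaction=restart

conn cisco_SP_AUTH
        also=common
        leftprotoport="17/1814"
        rightprotoport="17/1812"

conn cisco_SP_ACCT
        also=common
        rightprotoport="17/1813"

conn cisco_ICMP
        also=common
        leftprotoport="1/0"
'

# list_conns CONF_TEXT
# Prints one conn name per line, in file order, excluding any stanza that
# another stanza references with also= (those are templates, not tunnels).
list_conns() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*conn[ \t]+/ { defined[++n] = $2; next }
        /^[ \t]*also=/ {
            t = $0
            sub(/^[ \t]*also=/, "", t)
            sub(/[ \t]*$/, "", t)
            template[t] = 1
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(defined[i] in template))
                    print defined[i]
        }'
}

# commands_for CONF_TEXT
# Emits the commands that would re-establish each tunnel conn, one per line,
# without executing anything, so the plan can be reviewed or tested offline.
commands_for() {
    list_conns "$1" | while IFS= read -r c; do
        printf 'ipsec auto --replace %s && ipsec auto --up %s\n' "$c" "$c"
    done
}

# bring_up_all CONF_TEXT
# Executes the plan. Each --up runs in the background so one peer that is
# still unreachable does not block the remaining conns; wait stays inside
# the same subshell as the loop so it really waits for those children.
bring_up_all() {
    list_conns "$1" | {
        while IFS= read -r c; do
            ipsec auto --replace "$c" && ipsec auto --up "$c" &
        done
        wait
    }
}

# updown_hook: what an adapted _updown could call. The --replace above makes
# pluto fire further down events, so a lock directory prevents the hook
# from re-entering itself while a bring-up is already in progress.
updown_hook() {
    lock=/var/run/ipsec-reup.lock
    case "${PLUTO_VERB:-}" in
        down-client|down-host)
            if mkdir "$lock" 2>/dev/null; then
                bring_up_all "$(cat /etc/ipsec.conf)"
                rmdir "$lock"
            fi
            ;;
    esac
}

# Stand-alone usage against the constructed sample: "list" or "show".
case "${1:-}" in
    list) list_conns "$SAMPLE_CONF" ;;
    show) commands_for "$SAMPLE_CONF" ;;
esac
```

Running `sh reup.sh show` prints the three replace/up command pairs for the constructed sample without touching pluto; `bring_up_all` is the only function that actually calls `ipsec`. Note that `ipsec auto --replace` removes and re-adds a conn, so if a hook like `updown_hook` is wired into _updown it has to be guarded against recursion, as the lock directory here does.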