[Openswan Users] constantly increasing number of tunnels, stopping ipsec

Stefan Günther s.guenther at in-put.de
Tue Aug 21 13:33:22 EDT 2007


Hello,

We are running openswan-2.4.6-25 on SuSE 10.2 configured for 8 tunnels; 
the other end of the tunnel is always a Draytek Vigor router.

According to /var/log/messages, openswan starts without a problem and all 
routers are able to connect.

When I monitor the status of the tunnels with

watch /etc/init.d/ipsec status

the output starts with 6 tunnels, then jumps to 9, adding another 
tunnel every 15 seconds!

After a while we have to restart ipsec, because the routers can't connect.

We have another openswan installation running with 11 tunnels and 
openswan on both sides. Since the configuration for these two 
installations is nearly the same, I fear that at least one of the 
Drayteks is running wild.

Here is the openswan configuration:

version 2.0
config setup
         interfaces="ipsec0=dsl0"
         klipsdebug=none
         plutodebug=none
         uniqueids=yes
         forwardcontrol=yes

conn %default
         pfs=yes
         left=xx.xx.xx.xx
         leftnexthop=yy.yy.yy.yy
         leftsubnet=192.168.8.0/24
         authby=secret
         auto=add
         rekey=yes
         compress=yes
         disablearrivalcheck=no
         type=tunnel
         right=%any

conn verbindung0
         rightsubnet=192.168.0.0/24

conn verbindung2
         rightsubnet=192.168.2.0/24

conn verbindung3
         rightsubnet=192.168.3.0/24

conn verbindung1
         rightsubnet=192.168.1.0/24

conn verbindung33
         rightsubnet=192.168.33.0/24

conn verbindung9
         rightsubnet=192.168.9.0/24

conn verbindung4
         rightsubnet=192.168.4.0/24

conn verbindung5
         rightsubnet=192.168.5.0/24

include /etc/ipsec.d/examples/no_oe.conf

Any hints or comments are appreciated.

Thanks in advance,

Stefan
-- 

********************************************
in-put GbR - Das Linux-Systemhaus
Stefan-Michael Guenther
Moltkestrasse 49     D-76133 Karlsruhe
Tel./Fax : +49 (0)721 / 83044 - 98/93
http://www.in-put.de
********************************************
      Training  Installations
          Consulting   Support
       Voice-over-IP solutions
********************************************


