[Openswan Users] Need to restart service when internet link fails
Paul Wouters
paul at xelerance.com
Fri Aug 24 15:56:30 EDT 2007
On Fri, 24 Aug 2007, Matias Gut wrote:
> I installed a VPN between Openswan and a Cisco PIX. Everything works fine.
> The only trouble I need to solve is that when the internet link fails (even
> if it's a very short failure) the tunnel does not establish again when
> the internet connection returns.
> In those cases I need to restart the service: /etc/init.d/ipsec restart
> and then the tunnel is established.
> Does anybody know what I could do? Below is my config of the Openswan
Yes, when using klips, you will need to restart it. An alternative is to
just re-attach the virtual device to the physical (ppp0?) device again in
the appropriate ip-up script, e.g.:
#!/bin/sh
# Run from the ppp ip-up hook: if pluto is running, move the KLIPS virtual
# device ipsec0 from the old ppp0 instance to the freshly created one.
if [ -f /var/run/pluto.pid ]
then
    echo "IPsec is running, fixing ipsec over ppp"
    echo "Detaching ipsec0 from previous ppp0 device"
    # The detach may complain if nothing is attached; its output is discarded.
    ipsec tncfg --detach --virtual ipsec0 > /dev/null 2> /dev/null
    echo "Attaching ipsec0 to new ppp0"
    ipsec tncfg --attach --virtual ipsec0 --physical ppp0
fi
Note that between the two tncfg commands, you can in theory leak packets onto
the net that are normally encrypted or blocked. If that is a concern, you
should probably add some firewall ruling around those commands, or just
run a 'service ipsec restart' which does not suffer from this issue.
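The "firewall ruling around those commands" suggested above, as an added example that is not part of the original post: the same detach/attach sequence, but with DROP rules on the physical device inserted before the window and removed after it, so nothing leaves ppp0 in the clear while ipsec0 is detached. The interface names, the pluto pid path and the IPTABLES/IPSEC command variables are assumptions; the variables exist so the ordering can be exercised with shims instead of the real tools.

```shell
#!/bin/sh
# Added example (not from the original post): re-attach KLIPS ipsec0 to ppp0
# from an ip-up script while temporarily dropping everything that would leave
# the physical device unencrypted during the detach/attach window.
# Interface names, the pluto pid path and the IPTABLES/IPSEC hooks are
# assumptions; the hooks let the logic be exercised without root.

PHYS="${PHYS:-ppp0}"                      # physical (ppp) device
VIRT="${VIRT:-ipsec0}"                    # KLIPS virtual device
PLUTO_PID="${PLUTO_PID:-/var/run/pluto.pid}"
IPTABLES="${IPTABLES:-iptables}"          # override with a shim for testing
IPSEC="${IPSEC:-ipsec}"

# Put DROP rules at the head of OUTPUT and FORWARD for the physical device so
# that neither local nor forwarded (LAN) traffic can escape unencrypted.
block_phys() {
    "$IPTABLES" -I OUTPUT 1 -o "$PHYS" -j DROP &&
    "$IPTABLES" -I FORWARD 1 -o "$PHYS" -j DROP
}

# Remove exactly the rules block_phys inserted.
unblock_phys() {
    "$IPTABLES" -D OUTPUT -o "$PHYS" -j DROP
    "$IPTABLES" -D FORWARD -o "$PHYS" -j DROP
}

# Detach and re-attach the virtual device with the firewall closed around it.
# Returns 0 on success, 1 if the attach failed; the rules are removed either way.
reattach_ipsec() {
    [ -f "$PLUTO_PID" ] || return 0       # pluto not running: nothing to do
    # If only the first rule went in, -D on the missing one just errors.
    block_phys || { unblock_phys 2>/dev/null; return 1; }
    trap unblock_phys EXIT                # also clean up if the script dies
    # The detach may fail if the device was never attached; that is harmless.
    "$IPSEC" tncfg --detach --virtual "$VIRT" >/dev/null 2>&1 || true
    if "$IPSEC" tncfg --attach --virtual "$VIRT" --physical "$PHYS"; then
        rc=0
    else
        rc=1
    fi
    unblock_phys
    trap - EXIT
    return $rc
}
```

Install it as the ip-up hook in place of the script above; with the real iptables and ipsec binaries it needs root, like the original.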