[Openswan Users] VPN stops working after a week

Bas Rijniersce bas at brijn.nu
Tue Feb 27 15:15:44 EST 2007


Hello,

> > This seems to be an ICMP error: 3, code 4. That would be
> > (http://www.iana.org/assignments/icmp-parameters):
> > 	3     Destination Unreachable
> > 		4  Fragmentation Needed and Don't Fragment was Set
> >
> > My large ping test is not a good test it seems? Any idea why this
> > problem only triggers after about a week, and why it's then for ALL
> > packets and not just large ones.
 
> I would say that routing between the two endpoints changed. 
> Eg your ISP went from peering to transit, or some transit 
> provider was unavailable or something.

I forgot one important piece of information. When I reboot the firewall it
works OK again. Just a restart of the ipsec service is not enough. If there
is a routing problem, shouldn't a restart of the ipsec service be enough?
The tunnel is rebuilt and the packets follow the new route? Since the
VPN is OK after a reboot, it seems there is no persistent routing problem?
 
Just did some more testing; pinging from the Windows box on the inside was
not a good test. I just did the same from the Linux box and then my pings
failed just short of 1500. I now set overridemtu=1400. My pings go through now
independent of the ping size.

I have no idea if that would explain a weekly problem that only goes away
with a reboot. But it's at least a good thing.

From another mail to the list I saw the ipsec verify command. When I run
this I get:
-------------------------
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan 2.CVSHEAD (klips)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing
Checking tun0x1004 at 66.119.179.10 from 192.168.70.0/24 to 172.16.7.13/32
[FAILED]
LOG from 192.168.70.0/24 to 0.0.0.0/0 kills tunnel 192.168.70.0/24 ->
172.16.7.13/32
        [FAILED]
MASQUERADE from 192.168.70.0/24 to 0.0.0.0/0 kills tunnel 192.168.70.0/24 ->
172.16.7.13/32
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
-------------------------

In my firewall software I changed MASQ so that it only masquerades traffic going
out over eth0, not ipsec0. The error is still there; I would expect packets to
172.16.7.13 only to go through the ipsec0 interface (inside the tunnel).

What does "LOG kills tunnel" mean exactly? LOG seems innocent :)
 
> Paul
> --
> Building and integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> 

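As an added example (not code from the thread or from Openswan), a small Python decoder for the ICMP type 3 code 4 message discussed above: it pulls the Next-Hop MTU field (RFC 1191) and the header of the dropped packet, so you can confirm from a capture that it was your own ESP traffic with DF set that the path could not carry, and derive a starting point for overridemtu. The router and peer addresses, the 1452-byte hop and the ESP overhead figure are constructed assumptions.

```python
import struct

ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, IPPROTO_ICMP, IPPROTO_ESP = 3, 4, 1, 50
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst

def ipv4_header(src, dst, proto, total_len, df):
    """Build a minimal 20-byte IPv4 header (checksum left zero; for the constructed sample only)."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack(IPV4_HDR, 0x45, 0, total_len, 0x1234, 0x4000 if df else 0,
                       64, proto, 0, addr(src), addr(dst))

def parse_ipv4_header(buf):
    """Return the fields of an IPv4 header that matter for PMTU diagnosis."""
    ver_ihl, _tos, total_len, _id, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HDR, buf[:20])
    return {"ihl": (ver_ihl & 0x0F) * 4, "total_len": total_len,
            "df": bool(flags_frag & 0x4000), "proto": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}

def parse_frag_needed(packet):
    """Decode an IPv4 packet carrying ICMP type 3 code 4 (RFC 1191).
    Returns the reporting router, the Next-Hop MTU it advertises and the header
    of the dropped packet, or None if the packet is something else."""
    outer = parse_ipv4_header(packet)
    if outer["proto"] != IPPROTO_ICMP:
        return None
    icmp = packet[outer["ihl"]:]
    itype, code, _csum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if (itype, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        return None
    dropped = parse_ipv4_header(icmp[8:28])  # ICMP quotes the original IP header + 8 bytes
    return {"reporter": outer["src"], "next_hop_mtu": next_hop_mtu, "dropped": dropped}

def suggest_overridemtu(next_hop_mtu, esp_overhead=73):
    """Inner-side MTU that keeps ESP packets under the reported path MTU.
    esp_overhead is an assumed worst case for ESP-CBC with HMAC in tunnel mode
    (20 outer IP + 8 ESP + 16 IV + 15 pad + 2 trailer + 12 ICV); adjust to your transforms."""
    return next_hop_mtu - esp_overhead

# Constructed sample: a router at 198.51.100.1 (documentation address) tells the tunnel
# endpoint 66.119.179.10 that its 1500-byte DF ESP packet to peer 192.0.2.1 exceeds a 1452-byte hop.
DROPPED = ipv4_header("66.119.179.10", "192.0.2.1", IPPROTO_ESP, 1500, df=True) + bytes(8)
ICMP = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, 1452) + DROPPED
SAMPLE = ipv4_header("198.51.100.1", "66.119.179.10", IPPROTO_ICMP, 20 + len(ICMP), df=False) + ICMP

if __name__ == "__main__":
    info = parse_frag_needed(SAMPLE)
    print(info)
    print("suggested overridemtu =", suggest_overridemtu(info["next_hop_mtu"]))
```

If the dropped packet shown is your ESP (protocol 50) with DF set, the problem is path MTU on the outer path, not routing; if the reporter never changes but the tunnel still breaks, look at what else a reboot resets.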