[Openswan Users] VPN stops working after a week

Paul Wouters paul at xelerance.com
Tue Feb 27 16:13:21 EST 2007


On Tue, 27 Feb 2007, Bas Rijniersce wrote:

> I forgot one important piece of information. When I reboot the firewall it
> works OK again. Just a restart of the ipsec service is not enough.

Odd. You can try doing "ipsec barf" before and after the problem and compare
the two (after cutting off the logs/timestamps).

> Just did some more testing, pinging from the Windows box on the inside was
> not a good test. I just did the same from the Linux box and then my pings
> failed just short of 1500. I now set overridemtu=1400. My pings go through now
> independent of the ping size.

Good.

> Checking NAT and MASQUERADEing
> Checking tun0x1004 at 66.119.179.10 from 192.168.70.0/24 to 172.16.7.13/32
> [FAILED]
> LOG from 192.168.70.0/24 to 0.0.0.0/0 kills tunnel 192.168.70.0/24 ->
> 172.16.7.13/32
>         [FAILED]
> MASQUERADE from 192.168.70.0/24 to 0.0.0.0/0 kills tunnel 192.168.70.0/24 ->
> 172.16.7.13/32
> Checking for 'ip' command                                       [OK]
> Checking for 'iptables' command                                 [OK]
> Opportunistic Encryption Support                                [DISABLED]
> -------------------------
>
> In my firewall software I changed MASQ so that it only masq's stuff going
> out over eth0, not ipsec0. Error still there, I would expect packets to
> 172.16.7.13 only to go through the ipsec0 interface (inside the tunnel).
>
> What does the LOG kills tunnel mean exactly, LOG seems innocent :)

Yes, the code to test this in ipsec verify isn't perfect. I just logged two
bug entries for this. Thanks :)

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
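The check that "ipsec verify" is trying to do in the output quoted above, re-implemented as an added example (this is my own code, not Openswan's, and not what ipsec verify actually runs): it walks the nat POSTROUTING chain in the form `iptables -t nat -S POSTROUTING` prints it, and reports only the rules that would rewrite the source address of traffic from the tunnel's left subnet to its right subnet before IPsec gets to see it. LOG never rewrites anything, so it is never reported. The sample chain is constructed for this example (the LOG and MASQUERADE rules mirror the ones in the thread; 66.119.179.10 is the gateway address quoted there). The `plaintext_iface` argument encodes an assumption about the stack: with KLIPS the still-unencrypted packet is routed out of ipsec0, so a MASQUERADE restricted to `-o eth0` never touches it, while with NETKEY there is no ipsec0 and the plaintext packet leaves via the real uplink, so the same `-o eth0` rule does hit it.

```python
import ipaddress
import shlex

# Constructed sample in the format `iptables -t nat -S POSTROUTING` prints.
# Not taken from the original message; the LOG and MASQUERADE rules mirror
# the two that ipsec verify complained about in the thread.
SAMPLE_POSTROUTING = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.70.0/24 -j LOG --log-prefix "nat-out "
-A POSTROUTING -s 192.168.70.0/24 -d 10.0.0.0/8 -j SNAT --to-source 66.119.179.10
-A POSTROUTING -s 192.168.70.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.70.0/24 -j MASQUERADE
"""

# Targets that rewrite the source address. After the rewrite the packet no
# longer matches the tunnel's traffic selector, so it leaves in the clear.
SOURCE_NAT_TARGETS = {"MASQUERADE", "SNAT", "NETMAP"}

ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_rule(line):
    """Parse one `-A CHAIN ...` line into a dict; None for non-append lines."""
    tokens = shlex.split(line)
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    rule = {"chain": tokens[1], "src": ANY, "dst": ANY, "out_if": None,
            "target": None, "negated": False, "text": line.strip()}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            # A negated match needs inverted set logic; mark it for manual review.
            rule["negated"] = True
            i += 1
        elif tok in ("-s", "--source") and i + 1 < len(tokens):
            rule["src"] = ipaddress.ip_network(tokens[i + 1], strict=False)
            i += 2
        elif tok in ("-d", "--destination") and i + 1 < len(tokens):
            rule["dst"] = ipaddress.ip_network(tokens[i + 1], strict=False)
            i += 2
        elif tok in ("-o", "--out-interface") and i + 1 < len(tokens):
            rule["out_if"] = tokens[i + 1]
            i += 2
        elif tok in ("-j", "--jump") and i + 1 < len(tokens):
            rule["target"] = tokens[i + 1]
            i += 2
        else:
            i += 1  # other matches and target options do not matter here
    return rule


def nat_rules_hitting_tunnel(rules_text, left, right, plaintext_iface):
    """Return the POSTROUTING rules that would source-NAT traffic from `left`
    to `right` before IPsec protects it.

    plaintext_iface (assumption, see lead-in) is the interface the unencrypted
    packet is routed out of: "ipsec0" for KLIPS, the uplink for NETKEY.
    A rule restricted with -o to any other interface never sees that packet.
    """
    left = ipaddress.ip_network(left)
    right = ipaddress.ip_network(right)
    hits = []
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["chain"] != "POSTROUTING":
            continue
        if rule["target"] not in SOURCE_NAT_TARGETS:
            continue  # LOG, ACCEPT, RETURN ... never rewrite addresses
        if rule["negated"]:
            hits.append(rule["text"] + "   # negated match, review by hand")
            continue
        if not rule["src"].overlaps(left) or not rule["dst"].overlaps(right):
            continue
        if rule["out_if"] not in (None, plaintext_iface):
            continue
        hits.append(rule["text"])
    return hits


def exclusion_rule(left, right):
    """iptables command that exempts the tunnel's traffic selector from NAT.
    Inserted at position 1 so it is evaluated before any MASQUERADE/SNAT."""
    return f"iptables -t nat -I POSTROUTING 1 -s {left} -d {right} -j ACCEPT"


if __name__ == "__main__":
    for iface in ("ipsec0", "eth0"):
        print(f"plaintext leg leaves via {iface}:")
        for r in nat_rules_hitting_tunnel(SAMPLE_POSTROUTING, "192.168.70.0/24",
                                          "172.16.7.13/32", iface):
            print("  kills tunnel:", r)
    print("fix:", exclusion_rule("192.168.70.0/24", "172.16.7.13/32"))
```

With the sample chain the unrestricted MASQUERADE is reported for both stacks, the `-o eth0` MASQUERADE only when the plaintext leg leaves via eth0, the SNAT to 10.0.0.0/8 never (its destination does not overlap 172.16.7.13), and the LOG rule never. The generated ACCEPT rule is the usual fix: exempt the tunnel's left-to-right selector from NAT ahead of the MASQUERADE rule.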
