[Openswan Users] "Virtual IP x.x.x.x is already used" - connection cached?

Paul Wouters paul at xelerance.com
Tue Jul 3 17:37:49 EDT 2007


On Tue, 3 Jul 2007, Nels Lindquist wrote:

The SPD entry stays in the kernel until it expires.
For this to properly work, you will need the L2TP Enhancement.

Paul

> Date: Tue, 03 Jul 2007 14:59:39 -0600
> From: Nels Lindquist <nlindq at maei.ca>
> To:  <users at openswan.org>
> Subject: [Openswan Users] "Virtual IP x.x.x.x is already used" - connection cached?
>
> I'm using OpenSWAN 2.4.8, and I'm being stung by the Virtual IP handling
> issue, though not in the way that I understood it.
>
> My impression was that it's not currently possible to have multiple L2TP
> users behind a single NAT firewall simultaneously, but that it was
> possible to do so serially.
>
> However, when User A disconnects their L2TP session, the tunnel is torn
> down and the kernel SAD entry is flushed, but the kernel SPD (Security
> Policy Database) entry remains cached.
>
> When User B attempts to connect, they get an error, and the "Virtual IP
> x.x.x.x is already used" message shows up in the log.
>
> If I do "ipsec auto --replace [l2tpd-connection-definition]" then User B
> can connect, but User A now can't connect after User B disconnects.
>
> On the OpenSWAN side, it's a standard L2TP roadwarrior connection, with
> dpdaction=clear defined.
>
> Is there some other configuration directive I need to convince OpenSWAN
> to remove the SPD entry when the tunnel is torn down?
>
> Thanks very much!
>
> Nels Lindquist

-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
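Paul's answer is that the SPD entry outlives its SAs. As an added example that is not from the original thread, here is a small Python check for exactly the condition Nels describes: policies still in the kernel SPD whose reqid no longer has any SA in the SAD. It assumes the NETKEY stack, where `ip xfrm policy` and `ip xfrm state` list the two tables, and it parses constructed sample output instead of running those commands.

```python
import re

# Constructed sample output (not captured from a real gateway) of `ip xfrm policy`
# and `ip xfrm state` on a NETKEY-based Openswan host after User A's L2TP session
# was torn down: the SAs for reqid 16385 are gone, the policies for it remain.
POLICY_OUTPUT = """\
src 198.51.100.1/32 dst 203.0.113.5/32 proto udp sport 1701
\tdir out priority 2344 ptype main
\ttmpl src 198.51.100.1 dst 203.0.113.5
\t\tproto esp reqid 16385 mode transport
src 203.0.113.5/32 dst 198.51.100.1/32 proto udp dport 1701
\tdir in priority 2344 ptype main
\ttmpl src 203.0.113.5 dst 198.51.100.1
\t\tproto esp reqid 16385 mode transport
src 198.51.100.1/32 dst 203.0.113.7/32 proto udp sport 1701
\tdir out priority 2344 ptype main
\ttmpl src 198.51.100.1 dst 203.0.113.7
\t\tproto esp reqid 16389 mode transport
"""
STATE_OUTPUT = """\
src 198.51.100.1 dst 203.0.113.7
\tproto esp spi 0x0a1b2c3d reqid 16389 mode transport
\treplay-window 32
"""

# One policy entry: a "src ... dst ..." line at column 0, the "dir" line,
# then the template whose reqid ties the policy to its SAs.
POLICY_RE = re.compile(
    r"^src (\S+) dst (\S+)[^\n]*\n\tdir (\w+).*?reqid (\d+)", re.M | re.S)
STATE_RE = re.compile(r"^\s*proto esp spi \S+ reqid (\d+)", re.M)

def parse_policies(text):
    """Return (src, dst, direction, reqid) for each SPD entry."""
    return [(s, d, dr, int(r)) for s, d, dr, r in POLICY_RE.findall(text)]

def live_reqids(text):
    """Return the reqids that still have at least one SA in the SAD."""
    return {int(r) for r in STATE_RE.findall(text)}

def orphaned_policies(policy_text, state_text):
    """SPD entries whose reqid has no SA left, i.e. the stale policies that
    stay cached after the tunnel is torn down."""
    live = live_reqids(state_text)
    return [p for p in parse_policies(policy_text) if p[3] not in live]

if __name__ == "__main__":
    for src, dst, direction, reqid in orphaned_policies(POLICY_OUTPUT, STATE_OUTPUT):
        print(f"stale policy dir={direction} {src} -> {dst} reqid={reqid}")
```

On a live host, replace the two constants with the output of `ip xfrm policy` and `ip xfrm state` to list the policies that survived a disconnect.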