[Openswan Users] Dropping IPSec Connection
muiz at askaritech.com
Tue Mar 27 17:06:30 EDT 2007
Sorry about the HTML posting, I will try and post in text only mode again. My mail client
automatically switched to Rich Text because of something in the barf output.
I am encountering a perplexing problem with my IPSec connection. I have 4 Bering uClibc
routers with openswan patches and configuration. Three of the routers are connected to the
central router in a hub and spoke configuration. The idea is to allow VPN access from the
LAN behind the spoke routers to the LAN behind the hub router. All the IPSEc
configurations are essentially the same on all the routers except for the IP addresses in
ipsec.conf (of course) and the X509 certificates.
On one of the routers, the VPN drops after a while. Sometimes the period between drops is
a few hours and sometimes it is as much as 2 days. The only way to re-establish the VPN is
to restart IPSec on the spoke router. I managed to capture barf output (which was difficult
since this router is in production and the users have learned to just restart the router in order
to restart IPSec when things don't work). I found it interesting that when the ipsec0 link fails,
ipsec_tncfg shows that the MTU for the underlying physical interface (eth0) is 0, as well as
the effective MTU! You will also note that I have tried to limit the MTU using overridemtu to
1400 since I originally suspected MTU issues.
The interesting thing is that users are reporting that they can still access the internet through
eth0 (e.g. they can still surf the web).
I also noticed that when this happens, there is a large packet loss (> 20%) on the link
between the routers.
So, my question is does anybody know what is going on? Could this be caused by dropped
packets in the network?
Here is the extract from ipsec barf showing the tncfg output:
+ _________________________ proc/net/ipsec_tncfg
+ cat /proc/net/ipsec_tncfg
ipsec0 -> NULL mtu=1400(0) -> 0
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
muiz (@) askaritech dot com
More information about the Users