[Openswan Users] Dropping IPSec Connection
Muiz Motani
muiz at askaritech.com
Tue Mar 27 17:06:30 EDT 2007
Sorry about the HTML posting, I will try and post in text only mode again. My mail client
automatically switched to Rich Text because of something in the barf output.
I am encountering a perplexing problem with my IPSec connection. I have 4 Bering uClibc
routers with openswan patches and configuration. Three of the routers are connected to the
central router in a hub and spoke configuration. The idea is to allow VPN access from the
LAN behind the spoke routers to the LAN behind the hub router. All the IPSec
configurations are essentially the same on all the routers except for the IP addresses in
ipsec.conf (of course) and the X509 certificates.
On one of the routers, the VPN drops after a while. Sometimes the period between drops is
a few hours and sometimes it is as much as 2 days. The only way to re-establish the VPN is
to restart IPSec on the spoke router. I managed to capture barf output (which was difficult
since this router is in production and the users have learned to just restart the router in order
to restart IPSec when things don't work). I found it interesting that when the ipsec0 link fails,
ipsec_tncfg shows that the MTU for the underlying physical interface (eth0) is 0, as well as
the effective MTU! You will also note that I have tried to limit the MTU using overridemtu to
1400 since I originally suspected MTU issues.
The interesting thing is that users are reporting that they can still access the internet through
eth0 (e.g. they can still surf the web).
I also noticed that when this happens, there is a large packet loss (> 20%) on the link
between the routers.
So, my question is does anybody know what is going on? Could this be caused by dropped
packets in the network?
Here is the extract from ipsec barf showing the tncfg output:
+ _________________________ proc/net/ipsec_tncfg
+
+ cat /proc/net/ipsec_tncfg
ipsec0 -> NULL mtu=1400(0) -> 0
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0
Muiz Motani
muiz (@) askaritech dot com
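The symptom in the post (a configured ipsec0 whose physical interface shows as NULL with a zero MTU) can be caught by a periodic check rather than waiting for users to notice. The following is an added example, not code from the original post or from Openswan; it assumes the healthy-state tncfg format `ipsecN -> ethN mtu=virtual(physical) -> effective`, and both samples below are constructed.

```shell
#!/bin/sh
# Constructed sample: the failed state quoted in the post (ipsec0 still has
# its overridemtu=1400 but is no longer attached to eth0).
TNCFG_BROKEN='ipsec0 -> NULL mtu=1400(0) -> 0
ipsec1 -> NULL mtu=0(0) -> 0
ipsec2 -> NULL mtu=0(0) -> 0
ipsec3 -> NULL mtu=0(0) -> 0'

# Constructed sample: a healthy state (assumed format, see lead-in); ipsec1
# is simply unused and must not be reported.
TNCFG_OK='ipsec0 -> eth0 mtu=1400(1500) -> 1400
ipsec1 -> NULL mtu=0(0) -> 0'

# detached_ipsec_ifaces: read /proc/net/ipsec_tncfg text on stdin and print
# each ipsecN that is configured (virtual MTU > 0) but has no physical
# interface, a zero physical MTU, or a zero effective MTU.
detached_ipsec_ifaces() {
    awk '
        $2 == "->" && $1 ~ /^ipsec[0-9]+$/ {
            phys = $3
            split($4, m, /[=()]/)        # "mtu=1400(0)" -> m[2]=1400, m[3]=0
            vmtu = m[2] + 0; pmtu = m[3] + 0; eff = $6 + 0
            if (vmtu > 0 && (phys == "NULL" || pmtu == 0 || eff == 0))
                print $1
        }'
}

# check_tncfg FILE: return 1 (and log to stderr) if any configured ipsec
# interface is detached; intended for cron or a watchdog on the spoke router.
check_tncfg() {
    bad=$(detached_ipsec_ifaces < "$1")
    if [ -n "$bad" ]; then
        echo "ipsec_tncfg: detached interface(s): $(echo "$bad" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Stand-alone demonstration against the constructed samples.
echo "broken sample reports: $(printf '%s\n' "$TNCFG_BROKEN" | detached_ipsec_ifaces)"
echo "healthy sample reports: '$(printf '%s\n' "$TNCFG_OK" | detached_ipsec_ifaces)'"
```

On a live router, `check_tncfg /proc/net/ipsec_tncfg` gives a non-zero exit that a cron job can turn into an alert or a controlled `ipsec restart`, so the detached state is logged with a timestamp rather than hidden by a user reboot.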