[Openswan Users] recommended settings for a permanently up connection

[hiren joshi]

Hi All,

I want a net-to-net connection to be permanent.
It should come up across link failures, ipsec service restarts, machine
reboots.

As per 'man ipsec.conf' i tried following parameters:

ipsec gateway-1:

       plutowait=yes (because sometimes some of my tunnels doesn't get
established due to - "*can not start crypto helper: failed to find any
available worker")
*
       auto=add

       rekey=yes
       keyingtries=3
       rekeymargin=120 (seconds)
       rekeyfuzz=10%
       ikelife=3600
       keylife=3600

       dpdaction=restart

ipsec gateway-2:

       plutowait=yes*
*
       auto=start

       rekey=yes
       keyingtries=3
       rekeymargin=120 (seconds)
       rekeyfuzz=10%
       ikelife=3600
       keylife=3600

       dpdaction=restart


I tested this parameters using VMWare setup. But to my surprise it doesn't
work persistently.
My observation is -

after peer is declared dead (from both the sides),

1) sometimes gateway-2 tries to reestablish the connection by initiating
main mode repeatedly. gateway-1 also tries to do this but by initiating the
connection only <keyingtries> times. Eventually when peer becomes available,
connection is reestablished.

2) sometimes both tries to reestablish the connection only <keyingtries>
times. Connection is not reestablished when peer becomes available.

What could be the reason of this uneven behavior?

Thanks in advance.

-hiren
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20080219/e0e91697/attachment.html