[Openswan Users] recommended settings for a permanently up connection

Paul Wouters paul at xelerance.com
Tue Feb 19 05:56:40 EST 2008


On Tue, 19 Feb 2008, hiren joshi wrote:

Don't set keyingtries, so it will try rekey without limitations.
If your link is congested, using DPD might cause more problems
than it solves.

Paul

> Date: Tue, 19 Feb 2008 12:25:32 +0530
> From: hiren joshi <joshihirenn at gmail.com>
> To:  <users at openswan.org>
> Subject: [Openswan Users] recommended settings for a permanently up connection
>
> Hi All,
>
> I want a net-to-net connection to be permanent.
> It should come up across link failures, ipsec service restarts, machine
> reboots.
>
> As per 'man ipsec.conf' i tried following parameters:
>
> ipsec gateway-1:
>
>        plutowait=yes (because sometimes some of my tunnels don't get
> established due to "can not start crypto helper: failed to find any
> available worker")
>
>        auto=add
>
>        rekey=yes
>        keyingtries=3
>        rekeymargin=120 (seconds)
>        rekeyfuzz=10%
>        ikelife=3600
>        keylife=3600
>
>        dpdaction=restart
>
> ipsec gateway-2:
>
>        plutowait=yes
>
>        auto=start
>
>        rekey=yes
>        keyingtries=3
>        rekeymargin=120 (seconds)
>        rekeyfuzz=10%
>        ikelife=3600
>        keylife=3600
>
>        dpdaction=restart
>
>
> I tested these parameters using a VMWare setup. But to my surprise it doesn't
> work persistently.
> My observation is -
>
> after peer is declared dead (from both the sides),
>
> 1) sometimes gateway-2 tries to reestablish the connection by initiating
> main mode repeatedly. gateway-1 also tries to do this but by initiating the
> connection only <keyingtries> times. Eventually when peer becomes available,
> connection is reestablished.
>
> 2) sometimes both try to reestablish the connection only <keyingtries>
> times. The connection is not reestablished when the peer becomes available.
>
> What could be the reason for this uneven behavior?
>
> Thanks in advance.
>
> -hiren
>

-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
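To make the point of the thread checkable, here is a small lint over an ipsec.conf excerpt: it parses the conn sections and flags the settings that keep a tunnel from coming back on its own (a finite keyingtries, a side that never initiates) and notes dpdaction=restart as the congested-link caveat. This is an added example, not Openswan code; the conf text is constructed to mirror the gateway-1 settings above (ikelifetime is the real key name, the post abbreviates it).

```python
# Lint ipsec.conf conn sections for settings that stop a tunnel from
# re-establishing itself. Added example; not Openswan's own code.

# Constructed excerpt mirroring the poster's gateway-1 settings.
SAMPLE_CONF = """\
config setup
        plutowait=yes

conn gw1-to-gw2
        auto=add
        rekey=yes
        keyingtries=3
        rekeymargin=120
        rekeyfuzz=10%
        ikelifetime=3600
        keylife=3600
        dpdaction=restart
"""

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section.
    Section headers sit at column 0 ('conn NAME', 'config setup');
    parameters are indented key=value lines. Comments are ignored."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():                 # section header
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return conns

def check_persistence(conn):
    """Flag parameters that prevent a permanent net-to-net tunnel."""
    findings = []
    tries = conn.get("keyingtries")
    if tries is not None and tries not in ("%forever", "0"):   # 0 = old spelling of %forever
        findings.append(f"keyingtries={tries}: pluto gives up after {tries} attempts; "
                        "leave it unset (default %forever)")
    auto = conn.get("auto", "ignore")                          # Openswan default is ignore
    if auto != "start":
        findings.append(f"auto={auto}: this side never initiates; use auto=start")
    if conn.get("dpdaction") == "restart":
        findings.append("dpdaction=restart: on a congested link DPD may declare a live "
                        "peer dead and restart a working tunnel")
    return findings

if __name__ == "__main__":
    for name, conn in parse_ipsec_conf(SAMPLE_CONF).items():
        for finding in check_persistence(conn):
            print(f"{name}: {finding}")
```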

