[Openswan Users] L2TP/IPSec breaks after 1 hour, no further login possible

Muenz, Michael m.muenz at spam-fetish.org
Thu Jul 10 04:13:45 EDT 2008


I've set up an L2TP/IPSec for a couple of users and it has run
fine for the last months. Since more and more users are using
it, they are reporting that after one hour doing nothing with
the VPN the connection breaks and a relogin isn't possible.

The system is a Debian Etch, OpenSwan 2.4.12 with xl2tp 1.1.12.

In the logs I can see:

"roadwarrior" #113309: initiating Main Mode to replace #XXX
pluto: ERROR: "roadwarrior-" X.X.X.X #XXX: sendto on eth0 to X.X.X.X:500 failed in EVENT_RETRANSMIT. Errno 1: Operation not permitted

iptables temporarily permits anything, SELinux runs only permissive.

My first thought is that the client logs in to the VPN, does nothing,
after one hour the VPN server wants to rekey, sends a packet out,
and the router in front of the client drops the packet because no
connection is known.

I'm wondering if there are no keepalives sent from the client?
Will I have to tweak the Windows roadwarriors to send keepalives?

How about configuring DPD for roadwarriors cleaning up dead
connections after 2 minutes to let the clients relogin again after
that period?
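For reference, an added example (not from the poster's setup) of how the DPD idea described above is expressed in an Openswan ipsec.conf conn; the conn name "roadwarrior" is taken from the post, the timer values are assumptions chosen to match the 2-minute cleanup the poster asks about:

```ini
# Added example: Openswan ipsec.conf fragment for a roadwarrior conn with
# Dead Peer Detection (RFC 3706). Values are assumptions, not the poster's config.
conn roadwarrior
        # ... existing left/right, auth and L2TP settings stay as before ...

        # Do not let the server initiate the rekey towards the client: a
        # roadwarrior behind NAT may no longer be reachable when the SA expires.
        rekey=no

        # Probe the peer every 30 s; after 120 s without a reply (the
        # "2 minutes" from the post) consider it dead.
        dpddelay=30
        dpdtimeout=120

        # clear: tear down the stale SA so the same client can log in again
        # (alternatives: hold = keep a trap policy, restart = re-initiate).
        dpdaction=clear
```

DPD is only negotiated when the peer also advertises support for it (via vendor ID in IKE phase 1), so check the pluto log for the DPD exchange when testing with a Windows client.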
