[Openswan Users] Major problems with multiple tunnels on Fedora 11

Marek Greško gresko at thr.sk
Sat Jun 27 13:24:29 EDT 2009


> > The only issue I am now struggling with is this:
> >
> > I have a USB 3G modem connected with a static public IP address to a Win XP
> > client which uses IPsec without NAT to a static public IP address range.
> > When I disconnect the modem, connect it to my Linux box without IPsec
> > configured and try to connect to the same IP range I get no answer until
> > restart of IPsec on the remote gateway. I understand what is going on.
> > The remote gateway holds the IPsec policy and tries to communicate
> > through previously created IPsec tunnel. But I have DPD (with policy
> > clear) configured and the tunnel never stops. Isn't the DPD intended to
> > be used to put down the tunnel when the opposite side does not use it?
>
> DPD only works if both ends support it. AFAIK, Windows XP does not support
> DPD.
>
> However, if you have uniqueids=yes, then setting up a new connection from a
> different IP should always replace the old connection. There is a specific
> "udp port 500 hole" for this. That is, the "drop all unencrypted" traffic
> excludes unencrypted udp 500 for this exact reason.

Strange. According to the manual, uniqueids is yes by default. I did not change it. When 
I put the Windows machine by NAT behind my Linux box and I restart ipsec on it, 
it works. But my Linux box still cannot reach the protected network until 
restart of ipsec on the remote side.

Marek
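For reference, added here as an illustration and not part of either post above: the ipsec.conf settings the reply refers to, with uniqueids in the setup section and DPD in the conn. Addresses, subnet and conn name are placeholders, and as the reply notes, DPD only has an effect when the peer also implements it.

```conf
config setup
    # Openswan default: a new IKE SA from the same peer identity replaces
    # the earlier one instead of coexisting with it. Only applies when the
    # peer presents the same ID from its new address.
    uniqueids=yes

conn remote-range-example
    left=192.0.2.1                  # gateway public IP (placeholder)
    leftsubnet=198.51.100.0/24      # protected range (placeholder)
    right=%any                      # client address changes between hosts
    # DPD: probe every 30 s, declare the peer dead after 120 s of silence,
    # then remove the tunnel and its policy (dpdaction=clear). Has no effect
    # against a peer that never answers DPD, such as Windows XP per the reply.
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    auto=add
```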
