[Openswan Users] OpenSWAN, KLIPS, and dead tunnels
Paul Wouters
paul at xelerance.com
Wed Oct 7 16:02:11 EDT 2009
On Wed, 7 Oct 2009, Diego Rivera wrote:
> However, if the tunnel is up and one of the nodes disappears - due to an
> outage, machine crash, whatever - then I have a problem that I can't
> really find a solution for: the tunnel is dead, but the KLIPS policies
> still remain in place.
And it prevents plaintext packets from accidentally leaking out.
> The only solution is to manually jump into the box and restart the IPSec
> service, forcing the policies to be taken down, to be re-added when the
> tunnel is back up. This is manageable, but less than ideal.
>
> My perception of how this should really function is that when the peer
> is found to be down (we do have DPD configured on both ends so this
DPD should do the trick.
> However, this isn't happening and I'm not sure if it's due to
> misconfiguration (perhaps I should use dpdaction=clear instead of
> restart_by_peer?), or due to a software defect in OpenSWAN. Any
restart_by_peer means the equivalent of auto=add. You wait on the other
end to connect. Which should work if your other end would be using DPD,
but if both ends use restart_by_peer, neither end will restart the
connection.
Paul
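An ipsec.conf sketch of the asymmetry Paul describes, added here as an illustration and not taken from the thread or from Openswan's documentation: one peer actively re-initiates after DPD declares the other side dead, the other peer only tears down its stale SAs and waits. Addresses, subnets and conn names are placeholders; dpdaction=restart_by_peer on both ends is the combination to avoid, since each side would then wait for the other.

```ini
# Added example; placeholder addresses (RFC 5737 ranges), not a real deployment.
# Peer A: the initiator. On DPD timeout it tears down and restarts the tunnel.
conn site-a-to-b
    left=192.0.2.1
    leftsubnet=10.1.0.0/24
    right=198.51.100.1
    rightsubnet=10.2.0.0/24
    authby=secret
    auto=start
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart

# Peer B: the responder. On DPD timeout it clears the dead SAs and policies
# and waits for A to reconnect (the same waiting behaviour as auto=add).
conn site-b-to-a
    left=198.51.100.1
    leftsubnet=10.2.0.0/24
    right=192.0.2.1
    rightsubnet=10.1.0.0/24
    authby=secret
    auto=add
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
```

With dpdaction=clear the KLIPS policies that kept plaintext from leaking are removed once the peer is declared dead, so traffic for the remote subnet is no longer black-holed; only one side should be the one that restarts.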