[Openswan Users] OpenSWAN, KLIPS, and dead tunnels

David McCullough David_Mccullough at securecomputing.com
Wed Oct 7 17:29:33 EDT 2009

Jivin Paul Wouters lays it down ...
> On Wed, 7 Oct 2009, Diego Rivera wrote:
> > However, if the tunnel is up and one of the nodes disappears - due to an
> > outage, machine crash, whatever - then I have a problem that I can't
> > really find a solution for: the tunnel is dead, but the KLIPS policies
> > still remain in place.
> And it prevents plaintext packets from accidentally leaking out.
> > The only solution is to manually jump into the box and restart the IPSec
> > service, forcing the policies to be taken down, to be re-added when the
> > tunnel is back up.  This is manageable, but less than ideal.
> >
> > My perception of how this should really function is that when the peer
> > is found to be down (we do have DPD configured on both ends so this
> DPD should do the trick.
> > However, this isn't happening and I'm not sure if it's due to
> > misconfiguration (perhaps I should use dpdaction=clear instead of
> > restart_by_peer?), or due to a software defect in OpenSWAN.  Any
> restart_by_peer means the equivalent of auto=add. You wait on the other
> end to connect. Which should work if your other end would be using DPD,
> but if both ends use restart_by_peer, neither end will restart the
> connection.

That wasn't my impression.  It should basically be the same as restart,
except that all tunnels to the same peer will be taken down at the same time
to be restarted.  I am fairly sure there is an "initiate" call in the code
path for when this happens.  If it doesn't do this I am in trouble :-)

Which version of openswan are you running ?


David McCullough,  david_mccullough at securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.com                http://www.uCdot.org
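For readers following the dpdaction discussion above, here is an added illustration (not from either poster, and not a ruling on which of them is right): an Openswan ipsec.conf fragment in which one end initiates and reacts to a dead peer by restarting, while the other end only responds and clears its policies when DPD fires. The connection name, addresses (RFC 5737 ranges) and subnets are constructed for the example; the keywords `dpddelay`, `dpdtimeout`, `dpdaction` and `auto` are real Openswan options.

```conf
# Added example, not from the thread. Initiating side: brings the tunnel
# up itself and re-initiates when the peer stops answering DPD probes.
conn office-to-dc
    left=192.0.2.1              # constructed address, this host
    leftsubnet=10.1.0.0/16      # constructed subnet behind this host
    right=198.51.100.1          # constructed address, the peer
    rightsubnet=10.2.0.0/16     # constructed subnet behind the peer
    authby=secret
    auto=start                  # this end initiates
    dpddelay=30                 # send a DPD R_U_THERE every 30 s of silence
    dpdtimeout=120              # declare the peer dead after 120 s without reply
    dpdaction=restart           # tear down and re-initiate this connection

# Added example, not from the thread. Responding side: never initiates,
# so when the initiator vanishes it removes its own SA and eroute instead
# of waiting with the policy in place.
conn office-to-dc
    left=198.51.100.1           # constructed address, this host
    leftsubnet=10.2.0.0/16
    right=192.0.2.1             # constructed address, the peer
    rightsubnet=10.1.0.0/16
    authby=secret
    auto=add                    # loaded, but waits for the peer to connect
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear             # drop the SA and the KLIPS policy on timeout
```

Whether the responding end should use `clear` or `restart_by_peer` is exactly what the two replies above disagree on; the practical check on a KLIPS box is to let a test peer go silent for longer than `dpdtimeout` and then look at `ipsec eroute` and `ipsec auto --status` to see whether the eroute and the IKE state were actually removed or re-established, rather than assuming from the configuration alone.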