[Openswan Users] OpenSWAN, KLIPS, and dead tunnels

David McCullough David_Mccullough at securecomputing.com
Wed Oct 7 19:12:56 EDT 2009


Jivin Diego Rivera lays it down ...
> Ok... so what you're saying is that restart_by_peer should have done the job, then?  If so - then can you shed some more light into what the potential source of the problem is?

The most likely cause is version 2.6.22. I have included the changelog
below from 2.6.22 to 2.6.23; there were quite a few "tunnels won't
come up/restart" bugs fixed.

It would be best if you can try 2.6.23 so that any problems you see are
new ones ;-)

Cheers,
Davidm

* Support for dropping unneeded capabilities using libcap-ng [Avesh]
  (Changed using USE_LIBCAP_NG= in Makefile.inc)
* Additional ASN.1 parser checks by David McCullough [David]
* PSK support with USE_LIBNSS [Avesh Agarwal]
* Allow multiple different PSK road warriors with Aggressive Mode [David]
* Additional KLIPS debugging can be enabled in /proc/net/ipsec_saraw [David]
* Extended fipschecks [Avesh Agarwal]
* auto=route tunnels could fail due to an Opportunistic Encryption bug [David]
* passthrough routes on NETKEY were missing a policy [Michael H. Warfield]
* The init script was mistakenly installed twice, once as 'setup' [Paul/Harald]
* LSB compliance error in initscript (debian bug#537335) [Petter Reinholdtsen]
* Fix for old style nat-t patch on newstyle 2.6.23+ kernel [Paul]
* ipsec verify now returns non-zero when an error is encountered [Paul]
* Fix for ipsec whack --crash <IP> crasher [David]
* Partial fix for #1004. We no longer drop the port from protoport= [dhr/Paul]
  transport mode L2TP now works again for the non-NAT'ed case
* Fix for size (XXX) differs from size specified in ISAKMP HDR (YYY) [David]
* Removed old USE_SMARTCARD code. Smartcards are now supported via NSS [Paul]
  (not all code was properly #ifdef'ed, so a few changes outside #ifdef
   SMARTCARD were needed)
* Prevent aggressive mode tunnels losing phase2 [David]
* Various fixes to eroutes [David]
* Bugtracker bugs fixed:
   #1044: openswan.spec file builds an RPM that is missing lwdnsq [Joe Steele]


> 
> Cheers.
> 
> Paul Wouters wrote:
> 
> 	On Wed, 7 Oct 2009, Diego Rivera wrote:
> 
> 		I was using restart_by_peer but from what Paul says, that option means wait for the other side to
> 		re-establish the tunnel.  Thus, nobody tries to re-establish (since both sides are configured identically,
> 		for easy maintenance).
> 
> 	I was wrong. David was right :)
> 
> 	Paul
> 
> -- 
> 
> Diego Rivera
> Director / System Operations
> Roundbox Global : enterprise : technology : genius
> ------------------------------------------------------------------------------------------------------------------
> Avenida 11 y Calle 7-9, Barrio Amón, San José, Costa Rica
> tel: +1 (404) 567-5000 ext. 2147 | cel: +(506) 8393-0772 | fax: +(506) 2258-3695
> email: diego.rivera at rbxglobal.com | www.rbxglobal.com
> ------------------------------------------------------------------------------------------------------------------
> 



-- 
David McCullough,  david_mccullough at securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.com                http://www.uCdot.org

