[Openswan Users] OpenSWAN, KLIPS, and dead tunnels
David McCullough
David_Mccullough at securecomputing.com
Wed Oct 7 19:12:56 EDT 2009
Jivin Diego Rivera lays it down ...
> Ok... so what you're saying is that restart_by_peer should have done the job, then? If so - then can you shed some more light into what the potential source of the problem is?
The most likely cause is version 2.6.22, I have included the changelog
below from 2.6.22 to 2.6.23, there were quite a few "tunnels won't
come up/restart" bugs fixed.
It would be best if you can try 2.6.23 so that any problems you see are
new ones ;-)
Cheers,
Davidm
* Support for dropping unneeded capabilities using libcap-ng [Avesh]
(Changed using USE_LIBCAP_NG= in Makefile.inc)
* Additional ASN.1 parser checks by David McCullough [David]
* PSK support with USE_LIBNSS [Avesh Agarwal]
* Allow multiple different PSK road warriors with Aggressive Mode [David]
* Additional KLIPS debugging can be enabled in /proc/net/ipsec_saraw [David]
* Extended fipschecks [Avesh Agarwal]
* auto=route tunnels could fail due to an Opportunstic Encryption bug [David]
* passthrough routes on NETKEY where missing a a policy [Michael H. Warfield]
* The init script was mistakenly installed twice, once as 'setup' [Paul/Harald]
* LSB compliance error in initscript (debian bug#537335) [Petter Reinholdtsen]
* Fix for old style nat-t patch on newstyle 2.6.23+ kernel [Paul]
* ipsec verify now returns non-zero when an error is encountered [Paul]
* Fix for ipsec whack --crash <IP> crasher [David]
* Partial fix for #1004. We no longer drop the port from protoport= [dhr/Paul]
transport mode L2TP now works again for the non-NAT'ed case
* Fix for size (XXX) differs from size specified in ISAKMP HDR (YYY) [David]
* Removed old USE_SMARTCARD code. Smartcards are now supported via NSS [Paul]
(not all code was properly #ifdef'ed, so a few changes outside #ifdef
SMARTCARD were needed)
* Prevent aggressive mode tunnels losing phase2 [David]
* Various fixes to eroutes [David]
* Bugtracker bugs fixed:
#1044: openswan.spec file builds an RPM that is missing lwdnsq [Joe Steele]
>
> Cheers.
>
> Paul Wouters wrote:
>
> On Wed, 7 Oct 2009, Diego Rivera wrote:
>
>
>
> I was using restart_by_peer but from what Paul says, that option means wait for the other side to
> re-establish the tunnel. Thus, nobody tries to re-establish (since both sides are configured identically,
> for easy maintenance).
>
>
>
> I was wrong. David was right :)
>
> Paul
>
>
>
> --
>
> Diego Rivera
> Director / System Operations
> Roundbox Global : enterprise : technology : genius
> ------------------------------------------------------------------------------------------------------------------
> Avenida 11 y Calle 7-9, Barrio Am??n, San Jos??, Costa Rica
> tel: +1 (404) 567-5000 ext. 2147 | cel: +(506) 8393-0772 | fax: +(506) 2258-3695
> email: diego.rivera at rbxglobal.com | www.rbxglobal.com
> ------------------------------------------------------------------------------------------------------------------
>
>
> Content-Type: multipart/signed; micalg=pgp-sha1;
> protocol="application/pgp-signature";
> boundary="------------enigAA960B031FE487E074E8895C"
>
> --------------enigAA960B031FE487E074E8895C
> Content-Type: text/html; charset=ISO-8859-1
> Content-Transfer-Encoding: quoted-printable
>
> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
> <html>
> <head>
> <meta content=3D"text/html;charset=3DISO-8859-1" http-equiv=3D"Content-=
> Type">
> </head>
> <body bgcolor=3D"#ffffff" text=3D"#000000">
> Ok... so what you're saying is that restart_by_peer should have done
> the job, then? If so - then can you shed some more light into what =
> the
> potential source of the problem is?<br>
> <br>
> Cheers.<br>
> <br>
> Paul Wouters wrote:
> <blockquote
> cite=3D"mid:alpine.LFD.1.10.0910071852200.12140 at newtla.xelerance.com"
> type=3D"cite">On Wed, 7 Oct 2009, Diego Rivera wrote:
> <br>
> <br>
> <blockquote type=3D"cite">I was using restart_by_peer but from what
> Paul says, that option means wait for the other side to
> <br>
> re-establish the tunnel. Thus, nobody tries to re-establish (since
> both sides are configured identically,
> <br>
> for easy maintenance).
> <br>
> </blockquote>
> <br>
> I was wrong. David was right :)
> <br>
> <br>
> Paul
> <br>
> </blockquote>
> <br>
> <div class=3D"moz-signature">-- <br>
> <style type=3D"text/css">
> p { margin: 0; }
> </style>
> <div style=3D"font-family: Arial; font-size: 10pt; color: rgb(0, 0, 0);">=
>
> <font size=3D"1"> Diego Rivera<br>
> Director / System Operations<br>
> Roundbox Global : <span
> style=3D"font-style: italic; color: rgb(102, 102, 102);">enterprise :
> technology : genius</span><br>
> -------------------------------------------------------------------------=
> -----------------------------------------<br>
> Avenida 11 y Calle 7-9, Barrio Amón, San José, Costa Rica<b=
> r>
> tel: +1 (404) 567-5000 ext. 2147 | cel: +(506) 8393-0772 | fax: +(506)
> 2258-3695<br>
> email: <a href=3D"mailto:diego.rivera at rbxglobal.com">diego.rivera at rbxglob=
> al.com</a>
> | <a href=3D"http://www.rbxglobal.com">www.rbxglobal.com</a><br>
> -------------------------------------------------------------------------=
> -----------------------------------------<br>
> </font> </div>
> </div>
> </body>
> </html>
>
>
> --------------enigAA960B031FE487E074E8895C
> Content-Type: application/pgp-signature; name="signature.asc"
> Content-Description: OpenPGP digital signature
> Content-Disposition: attachment; filename="signature.asc"
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.12 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkrNHG4ACgkQCNJ6MS9YngWAMwCbBt8lUPHDUZ0guPfnCDf6ZLjH
> /UwAni4UumFFXJ/U6iIuNtvzxnGCzjnZ
> =YpwI
> -----END PGP SIGNATURE-----
>
> --------------enigAA960B031FE487E074E8895C--
--
David McCullough, david_mccullough at securecomputing.com, Ph:+61 734352815
McAfee - SnapGear http://www.snapgear.com http://www.uCdot.org
More information about the Users
mailing list