[Openswan Users] OpenSWAN, KLIPS, and dead tunnels

Benny Amorsen benny+usenet at amorsen.dk
Sat Oct 17 13:06:58 EDT 2009


Paul Wouters <paul at xelerance.com> writes:

> They don't "disappear". If you still have a working ISAKMP SA, the IPsec SA
> can:
>
> - Rekey
> - Expire without rekeying
> - Rekey on receiving a packet for the tunnel
>
> However, with an ISAKMP SA still working, the IPsec SA does not "disappear".
> If your connectivity disappears, so does the ISAKMP SA.

You can say that as much as you want, but this case has been trouble for
all the OpenSWANs I've tried. I lost most interest in it a year ago though,
since the company I work for is getting rid of most road warrior VPNs,
and the rest will be going proprietary.

1) Have a road warrior with more than one tunnel running
2) Lose connectivity
3) DPD discovers it and eventually recovers the ISAKMP SA
4) One or some of the IPsec SAs don't come back up. Traffic from the VPN
server doesn't get the IPsec SAs up. Traffic from the road warrior does
(well, except when it doesn't), but that doesn't help our use case much.

> It works if neither or one end is a roadwarrior. If both are a roadwarrior,
> you're asking for trouble, and should invest in a static ip for one side,
> or deploy a hub-spoke architecture.

Double-roadwarrior naturally doesn't have a chance, and I've never tried
doing it.

> Doing your own kind of "pings" to restart a tunnel, especially on roadwarriors
> which can easily saturate their limited uplink, is likely to do more harm than
> good.

It works, which is an advantage. DPD, at least in my use case, doesn't.

All OpenSWANs involved are 2.4.x, because a bug prevented 2.6.x from
working for our use case a year ago. That bug is likely fixed now, but
in a few months OpenSWAN will be gone, so a major version upgrade isn't
in the cards.

Incidentally, it isn't this DPD issue which is prompting the switch, it
is simply the lack of a decent cheap Linux platform. OpenWRT is just not
good enough, and having to put an actual PC with a more standard Linux
distribution at each site is unattractive.

Doing manual pings works just fine until bugs in OpenWRT run the box out
of memory, and in-field upgrades of OpenWRT are impossible.


/Benny
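The "manual pings" workaround discussed in this thread, written out as an added example (this is not code from the thread or from the Openswan project): a POSIX sh watchdog that probes a host behind each road warrior tunnel and, only after several consecutive misses, bounces that one connection with `ipsec auto --down` / `--up`, then backs off exponentially before trying again. The back-off is the part that answers Paul's objection about saturating a thin uplink. The conn names, probe addresses, STATE_DIR path and thresholds are hypothetical values chosen for the example.

```shell
#!/bin/sh
# Added example: ping-driven tunnel watchdog for an Openswan 2.x road warrior.
# Assumes `ipsec auto` (Openswan's control tool), iputils/BusyBox `ping -W`,
# and `logger`. All conn names, addresses and paths are hypothetical.

STATE_DIR="${STATE_DIR:-/tmp/tunnel-watchdog}"  # hypothetical state location
PROBE_INTERVAL=30     # seconds between probe rounds
FAIL_THRESHOLD=3      # consecutive failed probes before a restart is considered
BASE_BACKOFF=60       # seconds to wait after the first restart of a conn
MAX_BACKOFF=900       # ceiling for the per-conn restart back-off

# "<conn-name> <probe-ip>" per line; constructed sample values.
TUNNELS='hq-lan 10.10.0.1
branch-lan 10.20.0.1'

# Double the back-off, capped at the maximum. Pure function: prints the result.
next_backoff() {
    cur=$1; max=$2
    n=$(( cur * 2 ))
    [ "$n" -gt "$max" ] && n=$max
    echo "$n"
}

# Return 0 when a restart is due: the consecutive-failure count has reached
# the threshold AND the back-off window since the last restart has elapsed.
restart_due() {
    fails=$1; threshold=$2; now=$3; last_restart=$4; backoff=$5
    [ "$fails" -ge "$threshold" ] && [ $(( now - last_restart )) -ge "$backoff" ]
}

# One ICMP echo with a 2 s reply timeout; a miss is treated as "tunnel down".
probe_ok() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# Bounce a single connection rather than the whole daemon, so the other
# tunnels on the box are left alone.
restart_conn() {
    logger -t tunnel-watchdog "restarting conn $1 after repeated probe failures"
    ipsec auto --down "$1" >/dev/null 2>&1
    ipsec auto --up "$1"
}

# Per-conn state lives in small files (POSIX sh has no arrays):
#   state_get <conn> <key> <default>   /   state_set <conn> <key> <value>
state_get() { if [ -f "$STATE_DIR/$1.$2" ]; then cat "$STATE_DIR/$1.$2"; else echo "$3"; fi; }
state_set() { printf '%s\n' "$3" > "$STATE_DIR/$1.$2"; }

# Probe one tunnel and update its failure count / back-off; restart if due.
check_conn() {
    conn=$1; target=$2; now=$(date +%s)
    fails=$(state_get "$conn" fails 0)
    last=$(state_get "$conn" last 0)
    backoff=$(state_get "$conn" backoff "$BASE_BACKOFF")
    if probe_ok "$target"; then
        # Healthy again: reset the counters so the next outage starts fresh.
        state_set "$conn" fails 0
        state_set "$conn" backoff "$BASE_BACKOFF"
        return 0
    fi
    fails=$(( fails + 1 ))
    state_set "$conn" fails "$fails"
    if restart_due "$fails" "$FAIL_THRESHOLD" "$now" "$last" "$backoff"; then
        restart_conn "$conn"
        state_set "$conn" last "$now"
        state_set "$conn" backoff "$(next_backoff "$backoff" "$MAX_BACKOFF")"
    fi
}

main_loop() {
    mkdir -p "$STATE_DIR"
    while :; do
        printf '%s\n' "$TUNNELS" | while read -r conn target; do
            [ -n "$conn" ] && check_conn "$conn" "$target"
        done
        sleep "$PROBE_INTERVAL"
    done
}

# Only start the loop when invoked as `tunnel-watchdog.sh run`, so the
# functions can also be sourced and exercised on their own.
if [ "${1:-}" = "run" ]; then
    main_loop
fi
```

Run it as `sh tunnel-watchdog.sh run` from an init script on the road warrior. Because a restart is attempted only after FAIL_THRESHOLD misses and then no more often than the current back-off (60 s, 120 s, ... up to 900 s), a tunnel whose far end is genuinely unreachable costs one small probe every PROBE_INTERVAL rather than a continuous stream of IKE retries over the saturated uplink; the counters reset as soon as a probe succeeds.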
