[Openswan Users] Hi a problem about disconnection

Spacelee fjctlzy at gmail.com
Tue Dec 28 02:21:44 EST 2010


update to openswan 2.6.32
I found that if the client doesn't send the disconnect signal, openswan
won't stop that ppp correctly.
I added a line in /etc/ppp/ip-down to echo a line to /tmp/ip-down.log, and
a normal exit from the client will echo that line to the ip-down.log file,
which means when openswan stops that connection, it will call ppp to stop,
and then ppp calls the /etc/ppp/ip-down script, which will echo the line I set.
But if I exit the client by just unplugging the ethernet, the server won't know if
the client exists. After several seconds, openswan will kill ppp0 (used by my
client), but won't call ppp, so there is no line written to
/tmp/ip-down.log, which leads to no knowledge in the freeradius...


On Tue, Dec 28, 2010 at 2:16 PM, Spacelee <fjctlzy at gmail.com> wrote:

>
>
> On Tue, Dec 28, 2010 at 12:01 PM, Spacelee <fjctlzy at gmail.com> wrote:
>
>> Sorry, I think I should reply at the bottom...
>>
>> On Tue, Dec 28, 2010 at 10:47 AM, Paul Wouters <paul at xelerance.com>wrote:
>>
>>> On Tue, 28 Dec 2010, Spacelee wrote:
>>>
>>>> This is my version, should I use the newest one?
>>>>
>>>> ipsec --version
>>>> Linux Openswan U2.6.24rc5/K2.6.26-2-xen-amd64 (netkey)
>>>>
>>>
>>> That's an "rc", a "release candidate". Yes you should upgrade to the
>>> latest full release, 2.6.32.
>>>
>>>
>>
>> I already downloaded the newest tar.gz and ran make programs install, but I
>> couldn't connect from the client this time; it seems there is no response from
>> the server (not an iptables problem)
>> xl2tp : 1.25
>> centos 5.3
>> xen virtual machine
>>
>> it's working when I use the openswan 2.6.24 rpm
>>
>>
>> this is the results
>>
>> ipsec verify
>> Checking your system to see if IPsec got installed and started correctly:
>> Version check and ipsec on-path                              [OK]
>> Linux Openswan U2.6.32/K2.6.26-2-xen-amd64 (netkey)
>> Checking for IPsec support in kernel                         [OK]
>>  SAref kernel support                                        [N/A]
>>  NETKEY:  Testing for disabled ICMP send_redirects           [OK]
>> NETKEY detected, testing for disabled ICMP accept_redirects  [OK]
>> Checking that pluto is running                               [OK]
>>  Pluto listening for IKE on udp 500                          [OK]
>>  Pluto listening for NAT-T on udp 4500                       [OK]
>> Checking for 'ip' command                                    [OK]
>> Checking /bin/sh is not /bin/dash                            [OK]
>> Checking for 'iptables' command                              [OK]
>> Opportunistic Encryption Support                             [DISABLED]
>>
>>
>> ipsec.conf
>> version 2.0     # conforms to second version of ipsec.conf specification
>>
>> # basic configuration
>> config setup
>>         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>>         # klipsdebug=none
>>         # plutodebug="control parsing"
>>         # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
>>         protostack=netkey
>>         nat_traversal=yes
>>         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>>         oe=off
>>         # Enable this if you see "failed to find any available worker"
>>         nhelpers=0
>>
>> #You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
>> include /etc/ipsec.d/*.conf
>>
>>
>> conn L2TP-PSK-NAT
>>         overlapip=yes
>>         rightsubnet=vhost:%priv
>>         also=L2TP-PSK-noNAT
>>
>> conn L2TP-PSK-noNAT
>>         authby=secret
>>         pfs=no
>>         auto=add
>> #       keyingtries=3
>>         rekey=no
>>         ikelifetime=8h
>>         keylife=1h
>>         type=transport
>>         left=my server ip
>>         leftprotoport=17/1701
>>         right=%any
>>         rightprotoport=17/%any
>>         dpddelay=20
>>         dpdtimeout=60
>>         dpdaction=clear
>>
>>
>>
>>
>
>
>
> I made it work now; the problem was that there was no newline at the end of the
> configuration.
> But it seems the parameters below still don't work when I unplug the
> ethernet. The server won't tell the radius that the client is no longer
> there.
>
>         dpddelay=20
>         dpdtimeout=60
>         dpdaction=clear
>
>
>>> Paul
>>>
>>
>>
>>
>> --
>> *Space Lee*
>>
>>
>
>
> --
> *Space Lee*
>
>


-- 
*Space Lee*
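Added illustration, not part of this thread or of the Openswan project: a wrapper for openswan's `leftupdown=` hook that records the SA teardowns pluto performs on its own (the `dpdaction=clear` case described above, which never reaches pppd's `/etc/ppp/ip-down`), so the accounting side at least has a record of the vanished peer to act on. The script and log paths, the stock `_updown` location and the `record_teardown` helper are assumptions made for this example; `PLUTO_VERB` and `PLUTO_PEER` are the environment variables pluto passes to updown scripts.

```shell
#!/bin/sh
# Hypothetical leftupdown= wrapper (example only, not shipped with openswan).
# It runs the stock _updown first so routing/policy handling is unchanged,
# then appends a line for every down-* verb, i.e. every SA teardown that pluto
# initiated itself (DPD timeout, rekey failure, manual "ipsec auto --down").
#
# Assumptions: pluto invokes this script with PLUTO_VERB and PLUTO_PEER set,
# and the distribution's stock script lives at /usr/libexec/ipsec/_updown.

STOCK_UPDOWN="${STOCK_UPDOWN:-/usr/libexec/ipsec/_updown}"
EVENT_LOG="${EVENT_LOG:-/var/log/ipsec-teardown.log}"   # assumed path

# record_teardown VERB PEER
#   Appends "<utc-time> verb=<verb> peer=<peer>" to $EVENT_LOG for the
#   down-client / down-host verbs and prints 1; prints 0 for every other verb.
record_teardown() {
    verb="$1"
    peer="$2"
    case "$verb" in
        down-client|down-host)
            printf '%s verb=%s peer=%s\n' \
                "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$verb" "$peer" >> "$EVENT_LOG"
            echo 1
            ;;
        *)
            echo 0
            ;;
    esac
}

# Only act when pluto actually called us (PLUTO_VERB is set); sourcing the
# file for its functions, as a test harness does, must have no side effects.
if [ -n "$PLUTO_VERB" ]; then
    if [ -x "$STOCK_UPDOWN" ]; then
        "$STOCK_UPDOWN" "$@"
    fi
    record_teardown "$PLUTO_VERB" "${PLUTO_PEER:-unknown}" >/dev/null
fi
```

Point `leftupdown=` in the conn section at this file; pluto then runs it with the verb and the peer's address in the environment, and the log line appears exactly in the case the thread describes, where `dpdaction=clear` tears the SA down without pppd ever running `ip-down`. Correlating that line with the peer's PPP session is left to the accounting side.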