[Openswan Users] Unstable behavior with 2 tunnels connecting the same sites
Paul Wouters
paul at xelerance.com
Wed Jul 14 12:10:42 EDT 2010
On Wed, 14 Jul 2010, Greg Scott wrote:
> Something unhealthy is going on with configs that have multiple tunnels connecting the same sites.
> Every once in a while, one or more of these tunnels decides to go out to lunch. This is usually when there’s a telecom interruption. IPSEC is
> supposed to hook both sites back up after the telecom comes back online, but this doesn’t always work here. The only solution is to manually
> restart ipsec on one side or the other.
> When the problem is happening, I see lots of messages coming into /var/log/secure. Here is a sample:
> Jul 14 08:00:00 localhost pluto[23465]: initiate on demand from 175.10.0.1:8 to 175.9.1.35:0 proto=1 state: fos_start be
This is the netkey bug I posted about to dev at openswan.org yesterday. This bug appeared when David applied
some KLIPS rekey patches a month ago :(
We have not been able to address it. It is related to NETKEY sending an endless stream of %acquire messages.
The quick fix is to use KLIPS. If you don't need NAT-T, which it seems you don't, it should be a relatively
straightforward compile.
export KERNELSRC=/usr/src/kernels/linux-2.6.xxxx/
make module module_install
and set protostack=klips in ipsec.conf
Paul
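As an added illustration, not code from the thread or from Openswan, here is a small Python detector that counts the "initiate on demand" messages Greg quotes per source/destination pair, so the endless stream of %acquire requests Paul describes can be spotted in /var/log/secure before a tunnel needs a manual restart. The log lines are constructed to mimic the quoted format; the 60-second window and the threshold of 20 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pluto's on-demand (%acquire driven) initiation line as it appears in /var/log/secure.
ACQUIRE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: "
    r"initiate on demand from (?P<src>[\d.]+):\d+ to (?P<dst>[\d.]+):\d+ proto=(?P<proto>\d+)"
)

# Constructed sample: a 25-line burst for one flow within 25 seconds, plus noise.
SAMPLE_LOG = [
    f"Jul 14 08:00:{s:02d} localhost pluto[23465]: initiate on demand from "
    f"175.10.0.1:8 to 175.9.1.35:0 proto=1 state: fos_start"
    for s in range(25)
] + [
    "Jul 14 08:05:00 localhost pluto[23465]: initiate on demand from "
    "175.10.0.1:8 to 175.9.2.10:0 proto=1 state: fos_start",
    "Jul 14 08:05:01 localhost pluto[23465]: pending Quick Mode with 175.9.1.35",
]


def parse_acquire(line, year=2010):
    """Return (timestamp, src, dst, proto) for an acquire line, else None."""
    m = ACQUIRE_RE.match(line)
    if not m:
        return None
    ts_text = " ".join(m.group("ts").split())  # collapse syslog's padded day
    ts = datetime.strptime(ts_text, "%b %d %H:%M:%S").replace(year=year)
    return ts, m.group("src"), m.group("dst"), int(m.group("proto"))


def acquire_storms(lines, window_s=60, threshold=20):
    """Map (src, dst) -> peak acquire count for flows that exceed the threshold
    within any sliding window of window_s seconds (assumed values)."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_acquire(line)
        if parsed:
            ts, src, dst, _proto = parsed
            events[(src, dst)].append(ts)
    storms = {}
    for flow, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # two-pointer sliding window
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold:
                storms[flow] = max(storms.get(flow, 0), count)
    return storms


if __name__ == "__main__":
    for (src, dst), peak in acquire_storms(SAMPLE_LOG).items():
        print(f"acquire storm {src} -> {dst}: {peak} initiations in 60s")
```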