[Openswan Users] remote disconnection causes local issues
richardgreen1965 at gmail.com
Mon Jun 7 03:44:05 EDT 2010
I have a Debian Linux 5.0 box running an OpenSwan system, with two VPN
connections. One is to an OpenBSD box running ISAKMPD, and the other
connection is to another Linux box running a port of ISAKMPD. This mix isn't
my choice, but I don't think it's relevant to the issue, which is as
When either of the remote ISAKMPD boxes drops the connection to the box
running OpenSwan (a re-boot, for instance), after a few seconds...
Initializing XFRM netlink socket
...appears in the kernel log of the box running OpenSwan, and after that
point it is no longer possible to log in to that box running OpenSwan,
either via an ssh connection or via the console, and some services
become unavailable. No additional errors are logged relating to the
problems with the other affected services.
If there was an existing terminal session to the OpenSwan box (obviously not
over one of the VPN links), that remains usable, and I can recover by
killing (needs KILL, TERM is not enough) all pluto processes, then starting
ipsec connections again (on Debian, that's /etc/init.d/ipsec restart). If
there is not a terminal left open, the only way I have found to regain access
is to reboot the system running OpenSwan.
Now I would expect it should be possible for the remote side of an IPSEC
connection to drop its connection in any way - gracefully or not - without
impacting the ability to log in to the local system (no services critical to
authentication etc. are accessed through the IPSec links).
Well I guess when the connection drops, OpenSwan responds by trying to do
something, and it must hang at this stage. For various reasons I'm having to
work on a live and critical system, so I'm looking to find out a bit more
with minimum disruption.
To start with, has anyone experienced something similar?
Also, what debug options can you suggest for starters which won't cause havoc
on a live system and which might be relevant to an issue such as this?
Here's my config (OpenSwan system is on the 'right'):
# basic configuration
# plutodebug / klipsdebug = "all", "none" or a combination from below:
# "raw crypt parsing emitting control klips pfkey natt x509 private"
# eg: plutodebug="control parsing"
# ONLY enable plutodebug=all or klipsdebug=all if you are a
# NAT-TRAVERSAL support, see README.NAT-Traversal
# enable this if you see "failed to find any available worker"
# Add connections here
# sample VPN connections, see /etc/ipsec.d/examples/
#Disable Opportunistic Encryption
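The post describes a recovery that only works while a terminal is already open: SIGKILL every pluto process, then restart ipsec. The following watchdog is an added example, not code from the original post or from the Openswan project. It counts occurrences of the kernel message the poster ties to the hang, compares that count with the one seen on the previous run, and applies the poster's own recovery when the count has grown and pluto is still present. The kernel log path, the state file path, the init script path and the idea of running it from cron every minute are assumptions; the log lines used by the demo mode are constructed.

```shell
#!/bin/sh
# Added example (not from the original post or from Openswan): a watchdog
# for the "pluto hangs after the peer drops" symptom.  Assumptions: kern.log
# location, state file location, sysvinit ipsec script, cron invocation.

KERN_LOG="${KERN_LOG:-/var/log/kern.log}"            # assumed log path
STATE_FILE="${STATE_FILE:-/var/run/xfrm-watch.count}" # assumed state path
IPSEC_INIT="${IPSEC_INIT:-/etc/init.d/ipsec}"         # from the post (Debian)
DRY_RUN="${DRY_RUN:-0}"                               # 1 = only print actions

# How many times has the kernel logged the XFRM netlink re-initialisation?
# Prints 0 for an unreadable file; grep -c already prints 0 on no match.
count_xfrm_reinit() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c 'Initializing XFRM netlink socket' "$1" || true
}

# Is any process named pluto currently running?  Prints yes or no.
pluto_running() {
    if ps -eo comm 2>/dev/null | grep -qx pluto; then echo yes; else echo no; fi
}

# Given the count from the previous run, the current count and whether
# pluto is up, print exactly one word: ok, restart or unreachable.
decide_action() {
    prev=$1; cur=$2; running=$3
    if [ "$cur" -le "$prev" ]; then
        echo ok                 # no new marker since last run
    elif [ "$running" = yes ]; then
        echo restart            # marker seen and pluto present: poster's fix
    else
        echo unreachable        # marker seen but nothing to kill: needs a human
    fi
}

# The recovery the poster found to work: KILL (TERM was not enough), then
# restart the ipsec init script.
recover_pluto() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "would: kill -KILL all pluto; $IPSEC_INIT restart"
        return 0
    fi
    for pid in $(ps -eo pid,comm 2>/dev/null | awk '$2 == "pluto" { print $1 }'); do
        kill -KILL "$pid" 2>/dev/null || true
    done
    "$IPSEC_INIT" restart
}

# One watchdog pass: compare counts, act, remember the new count.
watch_once() {
    prev=0
    [ -r "$STATE_FILE" ] && prev=$(cat "$STATE_FILE")
    cur=$(count_xfrm_reinit "$KERN_LOG")
    action=$(decide_action "$prev" "$cur" "$(pluto_running)")
    case $action in
        restart)     recover_pluto ;;
        unreachable) echo "xfrm-watch: marker seen but pluto is not running" >&2 ;;
    esac
    echo "$cur" > "$STATE_FILE"
    echo "$action"
}

# Offline demo on constructed log lines (not real log output).
demo() {
    tmp=$(mktemp)
    printf '%s\n' \
        'Jun  7 03:40:01 gw kernel: eth1: link up' \
        'Jun  7 03:41:12 gw kernel: Initializing XFRM netlink socket' > "$tmp"
    cur=$(count_xfrm_reinit "$tmp")
    rm -f "$tmp"
    decide_action 0 "$cur" yes   # prints: restart
}

case "${1:-}" in
    run)  watch_once ;;
    demo) demo ;;
esac
```

Invoke it as `sh xfrm-watch.sh run` from a one-minute cron entry, with `DRY_RUN=1` set in the environment until the printed actions look right; `sh xfrm-watch.sh demo` exercises the decision logic on the constructed lines without touching the system. The counter-based design means a single old occurrence of the message in a rotated log never triggers a restart on its own, only a fresh one does.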