[Openswan Users] Two tunnels between the same hosts; one works, the other works sometimes

Greg Scott GregScott at Infrasupport.com
Thu Jun 10 01:17:28 EDT 2010


Here we go again....

I have two sites named HQ and colo.  HQ is on the right, colo is on the
left.  The HQ site has two LANs: 175.10.0.0/16 and 175.7.0.0/16.  The
colo site also has two LANs, 175.8.0.0/16 and 175.9.0.0/16.  To simplify
the tunnel setup, I supernetted the colo site, so now it's 175.8.0.0/15.

So by my count, I need 2 tunnels:

Colo-hqmain
Colo-hqmirror

Colo-hqmain generally comes up and works reliably.  Colo-hqmirror has
problems.  Sometimes both tunnels will come up, other times one or the
other works.  Sometimes after 10-15 minutes, they will both come up with
each other.

I tested all this in a simulated environment and naturally it worked
well here.  Of course, now it's flaky in production.  The HQ site is
using Openswan 2.6.25 with Fedora 12.  The colo site is older and uses
Openswan 2.4.4 with Fedora Core 5.

Why two tunnels to the same sites?  Well, some Storagetek devices that
mirror each other need NICs in different subnets.

Here are some more bizarre symptoms.  All colo subnets can ping all HQ
subnets.  However, only some subnets from HQ can ping some colo subnets,
and this seems to change with the passage of time.  For example, a few
minutes ago, the 175.10 subnet could ping everything in the colo site.
But when the 175.7 subnet tried to ping anything in the colo site, the
pings returned "Operation not permitted".  Now 175.10 can ping 175.8
and 175.7 can ping 175.9.  But 175.7 cannot ping 175.8 and 175.10
cannot ping 175.9.  That's from the HQ site.  When pings come from the
colo site, all pings work.  Try keeping that straight.

One more complicating factor.  The HQ site has 2 nodes that act together
in an active/standby pair.  Both nodes have identical configurations
right down to the MAC addresses on all the NICs.  I ran through several
failovers in my testing here and all worked fine.  I used the real HQ
nodes and a simulated Internet and simulated colo site.  But now in
production, this flaky behavior shows itself.

I guess maybe I'll try to build an openswan-2.6.25 from the .tar file on
the colo site and maybe it will behave a little better.  Any other
thoughts?

Thanks

-          Greg Scott
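The post describes a two-tunnel layout where each HQ LAN needs its own conn against the supernetted colo range, and the symptom ("Operation not permitted" from one HQ subnet but not the other, changing over time) is what you see on Linux when traffic matches an IPsec policy for which no SA is currently established. A first thing to check in that situation is whether the configured conns actually cover every (left subnet, right subnet) pair that has to be tunnelled. The script below is an added example, not code from the original message or from Openswan; the subnets are taken from the post, while the conn definitions (leftsubnet/rightsubnet per conn) are a hypothetical reconstruction of what the two named tunnels would have to contain. It only checks selector coverage from a config description; it does not inspect live SA state.

```python
import ipaddress

# Subnets as described in the post (constructed from the message, not read from a real config).
HQ_SUBNETS = ["175.10.0.0/16", "175.7.0.0/16"]   # HQ is on the right
COLO_SUBNETS = ["175.8.0.0/16", "175.9.0.0/16"]  # colo is on the left, later supernetted to 175.8.0.0/15

# Hypothetical conn definitions modelled on the two tunnel names in the post.
# These are assumptions, not the poster's actual ipsec.conf.
CONNS = {
    "colo-hqmain":   {"leftsubnet": "175.8.0.0/15", "rightsubnet": "175.10.0.0/16"},
    "colo-hqmirror": {"leftsubnet": "175.8.0.0/15", "rightsubnet": "175.7.0.0/16"},
}


def supernet(nets):
    """Collapse a list of networks into the smallest covering set
    (e.g. 175.8.0.0/16 + 175.9.0.0/16 -> 175.8.0.0/15), as the post did by hand."""
    return [str(n) for n in ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in nets)]


def required_pairs(left_nets, right_nets):
    """Every (left, right) LAN pair must be covered by some tunnel selector,
    otherwise that traffic has no SA and the kernel drops it."""
    return [(ipaddress.ip_network(l), ipaddress.ip_network(r))
            for l in left_nets for r in right_nets]


def covering_conn(conns, left, right):
    """Return the name of the first conn whose selectors contain both subnets, or None."""
    for name, c in conns.items():
        ls = ipaddress.ip_network(c["leftsubnet"])
        rs = ipaddress.ip_network(c["rightsubnet"])
        if left.subnet_of(ls) and right.subnet_of(rs):
            return name
    return None


def coverage_report(conns, left_nets, right_nets):
    """Map each required (left, right) pair to the conn that covers it (None = uncovered)."""
    return {(str(l), str(r)): covering_conn(conns, l, r)
            for l, r in required_pairs(left_nets, right_nets)}


def uncovered(conns, left_nets, right_nets):
    """List the subnet pairs that no conn covers; each one is a pair that can never ping."""
    return [pair for pair, name in coverage_report(conns, left_nets, right_nets).items()
            if name is None]


if __name__ == "__main__":
    print("colo supernet:", supernet(COLO_SUBNETS))
    for pair, name in coverage_report(CONNS, COLO_SUBNETS, HQ_SUBNETS).items():
        print(pair, "->", name)
    # Same check with only the reliable tunnel defined, to show what a missing conn looks like.
    print("uncovered without colo-hqmirror:",
          uncovered({"colo-hqmain": CONNS["colo-hqmain"]}, COLO_SUBNETS, HQ_SUBNETS))
```

With both conns present every pair resolves to a tunnel name, so a static coverage gap is ruled out and the remaining suspects are the things the post already mentions: the SA for one conn not being established at a given moment (the 2.4.4 peer, rekey timing, or the active/standby failover with cloned MAC addresses). A pair that shows up in the uncovered list, by contrast, would fail deterministically rather than "sometimes".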
