[Openswan Users] Connection takes long time

Richard K. Szabo richard.szabo at netsunited.com
Fri Mar 19 08:15:01 EDT 2010


Dear list

We have a setup of one Road Warrior (several 3G connections) and a 
server (100/100Mbit), running:

server: Linux Openswan U2.6.24/K2.6.31.12-ipsec-rks-march-3 (netkey)
client: Linux Openswan U2.6.24/K2.6.27.7-9-pae (netkey)

The issue is that whenever the client switches 3G connection, from g0 to 
g1, the entire ipsec service needs to be restarted and the defined 
connection brought up.

# time /etc/init.d/ipsec restart
= real	0m2.655s
= user	0m0.844s
= sys	0m0.688s

# time ipsec auto --up road-gw
= real	0m3.581s
= user	0m0.068s
= sys	0m0.052s

== 6.236 s

The default route is g0, but may change to g1 or g2.

Connection details:
SERVER

version 2.0
config setup

         nat_traversal=yes
         klipsdebug=none
         plutodebug=none
         virtual_private=%v4:9.9.0.0/24
         oe=off
         protostack=netkey

conn %default
         left=XXX
         leftrsasigkey=%cert
         rightrsasigkey=%cert
         authby=rsasig

conn road-gw
         type=tunnel
         left=XXX
         leftid=@momento
         leftsubnet=9.9.0.0/24
         leftrsasigkey=0sAQPE+....BQzFPxCsc9BH43UmXFDv//
         right=%any
         rightid=@someid
         rightrsasigkey=0sAQO...D/FEYsJyIwbxzOz2hdU2gN
         auto=add




CLIENT
version 2.0
config setup

         nat_traversal=yes
         klipsdebug=none
         plutodebug=none
         virtual_private=%v4:192.168.2.0/24,%v4:9.9.0.0/24
         oe=off
         # which IPsec stack to use. netkey,klips,mast,auto or none
         protostack=netkey

conn %default
         left=%defaultroute
         leftrsasigkey=%cert
         rightrsasigkey=%cert
         authby=rsasig

conn road-gw
         type=tunnel
         left=%defaultroute
         leftid=@someid
         leftrsasigkey=0sAQOSa.../T99n4iQ6x3Ug0oyckuqwuD/FEYsJyIwbxzOz2hdU2gN
         right=XXX
         rightsubnet=9.9.0.0/24
         rightid=@momento
         rightrsasigkey=0sAQP...jm7s0BunctlJp7kSzG/XmbbSBQzFPxCsc9BH43UmXFDv//
         auto=add


I have tried to re-route by switching g0 to g1 and then
# ipsec auto --up road-gw
but it will freeze on

104 "road-gw" #3: STATE_MAIN_I1: initiate
010 "road-gw" #3: STATE_MAIN_I1: retransmission; will wait 20s for response


The log in /var/log/warn says nothing more than "Mar 19 12:58:47 m300 
pluto[28368]: "road-gw" #3: initiating Main Mode"

An idea I had was to utilize the dummy interface ifb0 and have IPsec 
bind to that device, then route all traffic to/from ifb0 out on g0's IP 
address (because adding g0/g1 etc. to the routing table would get me back 
to the first problem). Anyway, I didn't solve that.

I guess my question is whether I can reduce the time it takes to 
re-establish a connection to the IPsec server when the Road Warrior has 
switched default interface.

Thank you



best regards,
RKS
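
The manual sequence described in the message above, automated as an added example (not part of the original post and not Openswan's own tooling): it polls the routing table and repeats the post's restart and `--up` commands when the default route moves to another device. It assumes the active uplink is the lowest-metric default route in `ip -4 route show` output; the function names and the polling interval are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): watch the default route and
# repeat the post's two commands when its device changes.
CONN="road-gw"            # connection name taken from the post
POLL_SECONDS=2            # assumed polling interval

# Read `ip -4 route show` text on stdin and print the device of the default
# route with the lowest metric (a route without "metric" counts as 0).
default_dev() {
    awk '$1 == "default" {
        dev = ""; metric = 0
        for (i = 2; i < NF; i++) {
            if ($i == "dev") dev = $(i + 1)
            if ($i == "metric") metric = $(i + 1) + 0
        }
        if (dev != "" && (best == "" || metric < bestm)) { best = dev; bestm = metric }
    }
    END { if (best != "") print best }'
}

# Compare previous and current device: prints none, wait or reconnect.
route_action() {
    if [ -z "$2" ]; then echo wait          # no default route right now
    elif [ "$1" = "$2" ]; then echo none    # same uplink as before
    else echo reconnect                     # e.g. g0 -> g1
    fi
}

# The restart and --up sequence exactly as timed in the post.
reconnect() {
    /etc/init.d/ipsec restart && ipsec auto --up "$CONN"
}

watch_default_route() {
    prev=$(ip -4 route show | default_dev)
    while sleep "$POLL_SECONDS"; do
        cur=$(ip -4 route show | default_dev)
        if [ "$(route_action "$prev" "$cur")" = "reconnect" ]; then
            logger -t ipsec-watch "default route moved: ${prev:-none} -> $cur"
            reconnect
            prev=$cur
        fi
    done
}

# Start the loop only when called with --watch (needs root).
if [ "${1:-}" = "--watch" ]; then watch_default_route; fi
```

The script only removes the delay of noticing the switch by hand; the restart and negotiation times measured in the post still apply to each reconnect.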

