[Openswan Users] Openswan issue of not able to ping each other once connection is brought down...

Paul Wouters paul at xelerance.com
Tue Nov 23 10:08:12 EST 2010

On Tue, 23 Nov 2010, Somashekar S V (svs) wrote:

> I have a successful PSK IPsec connection between two Linux boxes. When I bring down the connection using
> "ipsec auto --down conn-name" on one box, I see that the SAs get deleted. However, after this I am not able to ping between
> the two machines, i.e. ping fails. However, the two machines can ping each other when I delete the connection using "ipsec auto --delete
> conn-name".

--down brings down the connection, but puts a hold in place for packets until the connection
comes back up. --delete removes the entire connection, including the hold.

> I guess some rules are still active and are preventing the reachability. Is this a known issue?

This is not a bug but a feature to avoid packet leakage when the SA goes down.

This behaviour can be tuned using the failureshunt= option.
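
As an added illustration (not part of the original thread or of the Openswan project's own documentation), the two failureshunt= settings below show the trade-off Paul describes. Addresses, subnets and the conn name are invented placeholders:

```conf
# Variant A: restores ping after "ipsec auto --down", but packets between the
# subnets travel in CLEARTEXT while the tunnel is down. This is the leakage the
# default hold is there to prevent; only use it where plaintext is acceptable.
conn site-a-to-b-passthrough
    left=192.0.2.1
    leftsubnet=10.0.1.0/24
    right=198.51.100.1
    rightsubnet=10.0.2.0/24
    authby=secret
    auto=start
    failureshunt=passthrough

# Variant B: traffic for the protected subnets is dropped whenever no SA is
# up. Ping fails while the tunnel is down, which is the intended safe state.
conn site-a-to-b-drop
    left=192.0.2.1
    leftsubnet=10.0.1.0/24
    right=198.51.100.1
    rightsubnet=10.0.2.0/24
    authby=secret
    auto=start
    failureshunt=drop
```

The shunt that remains after --down is visible as a policy entry rather than as an SA: check it with "ipsec eroute" on a KLIPS stack or "ip xfrm policy" on NETKEY before concluding that the stack has no rule left for the subnet pair. Note that "ipsec auto --delete" removes that policy along with the conn, which is why ping succeeds afterwards: the hosts are then talking to each other unprotected, not through a repaired tunnel.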
