[Openswan Users] Openswan ipsec tunnel reestablishment

Vasanth Ragavendran ragavendra.2007 at gmail.com
Wed Jul 6 22:01:25 EDT 2011


Thank you so much for responding! Found it out! I have another doubt.
I'm using a bridge (brctl) and an L2TP tunnel on top of it. The bridge has two
interfaces, one being the L2TP tunnel interface and the other being the
Ethernet interface which is connected to the PC. Hence when the IPsec restarts
after the keylife, the L2TP tunnel also has to be deleted and then restarted
again so as to have the end PCs up. The scenario is in the attached file.
Hence when the IPsec is about to end I check the expiry time of the old
IPsec using the time left in "STATE_QUICK_R2 (IPsec SA established);
EVENT_SA_EXPIRE" in ipsec auto --status. So when the expiry time reaches 0 I
reestablish the L2TP tunnel; however, at times the IPsec tunnel says
"ignoring Delete SA payload: PROTO_IPSEC_ESP SA() not found (may be expired)"
instead of "received Delete SA() payload".
How do I identify exactly when to restart the L2TP tunnel so that the link
will always be up? Hope I was clear in explaining my situation. Please help!

On Wed, Jul 6, 2011 at 10:35 PM, Paul Wouters <paul at xelerance.com> wrote:

> On Wed, 6 Jul 2011, Vasanth Ragavendran wrote:
>
>> I am using openswan 2.6.29 with the kernel being 2.6.35.9. I've set the
>> keylife and ikelifetime to default values and rekey to yes. So when the
>> IPsec re-establishes the tunnel after the keylife period expires, is there
>> any way to check if the IPsec tunnel is up after the keylife expiry? What I
>> mean to say is, is there any way to indicate a difference between the tunnel
>> which was existing during the previous keylife period and the current keylife
>> period? Is there any variable which will indicate this difference, or does it
>> show up in the "ipsec auto --status" command? Hope I made it clear. Awaiting
>> response. Please help!
>>
>
> Yes, the instance number (the number with the #) will have changed. The SPI
> will also have changed if the phase 2 rekeyed, which can be seen in
> "ipsec eroute" (klips) or "ip xfrm state" (netkey).
>
> Paul
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: scenario.JPG
Type: image/jpeg
Size: 27230 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20110707/822f90bd/attachment-0001.jpe 
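Paul's reply gives two observable signals for a phase 2 rekey: the instance number (the "#N" in "ipsec auto --status") and the ESP SPI in "ip xfrm state" (netkey) or "ipsec eroute" (klips). The poll-until-expiry-hits-zero approach in the post races against Openswan, which with rekey=yes negotiates the replacement SA before the old one expires; the "may be expired" log line is that race losing. The script below, an added example that is neither Openswan code nor the poster's, watches for a *new* instance number (a new SPI is parsed the same way) and only then runs an L2TP restart hook. The connection name "l2tp-tunnel", the hook path /usr/local/sbin/restart-l2tp, and the sample command outputs embedded for offline use are all constructed assumptions; the status and xfrm line formats follow Openswan 2.6 / iproute2 output as I know it, not anything shown on this page. Openswan can also run a per-connection updown script when an SA comes up, which avoids polling altogether; the watcher here is the minimal-change version of what the post is already doing.

```python
#!/usr/bin/env python3
"""Watch Openswan for a phase 2 rekey and restart an L2TP tunnel once it happens.
Added example, not Openswan's own code. Assumes the netkey stack (so `ip xfrm state`
is the SPI source) and a hypothetical restart hook for the L2TP tunnel on the bridge."""
import re
import subprocess
import time

# `ipsec auto --status` line for an established IPsec SA (Openswan 2.6 format):
#   000 #<instance>: "<conn>":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in ...
STATUS_RE = re.compile(r'^000 #(?P<inst>\d+): "(?P<conn>[^"]+)".*STATE_QUICK_R2 \(IPsec SA established\)')
# `ip xfrm state` blocks: an unindented "src A dst B" header, then an indented "proto esp spi 0x..." line.
XFRM_PAIR_RE = re.compile(r'^src (\S+) dst (\S+)')
XFRM_SPI_RE = re.compile(r'^\s+proto esp spi (0x[0-9a-f]+)')

# Constructed sample outputs (fake SPIs/keys) so the parsers can be exercised offline.
STATUS_BEFORE = """\
000 #3: "l2tp-tunnel":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2410s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #3: "l2tp-tunnel" esp.a1b2c3d@198.51.100.1 esp.4e5f6a7b@192.0.2.1 tun.0@198.51.100.1 tun.0@192.0.2.1 ref=0 refhim=4294901761
"""
# After the rekey: #5 is the new SA and eroute owner, #3 lingers until EVENT_SA_EXPIRE fires.
STATUS_AFTER = """\
000 #3: "l2tp-tunnel":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 540s; isakmp#1; idle; import:admin initiate
000 #3: "l2tp-tunnel" esp.a1b2c3d@198.51.100.1 esp.4e5f6a7b@192.0.2.1 tun.0@198.51.100.1 tun.0@192.0.2.1 ref=0 refhim=4294901761
000 #5: "l2tp-tunnel":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3600s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #5: "l2tp-tunnel" esp.9f8e7d6c@198.51.100.1 esp.1a2b3c4d@192.0.2.1 tun.0@198.51.100.1 tun.0@192.0.2.1 ref=0 refhim=4294901761
"""
XFRM_BEFORE = """\
src 192.0.2.1 dst 198.51.100.1
	proto esp spi 0x4e5f6a7b reqid 16385 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0xdeadbeef 96
	enc cbc(aes) 0xdeadbeef
	sel src 0.0.0.0/0 dst 0.0.0.0/0
src 198.51.100.1 dst 192.0.2.1
	proto esp spi 0x0a1b2c3d reqid 16385 mode tunnel
	replay-window 32 flag af-unspec
	sel src 0.0.0.0/0 dst 0.0.0.0/0
"""
XFRM_AFTER = XFRM_BEFORE + """\
src 192.0.2.1 dst 198.51.100.1
	proto esp spi 0x1a2b3c4d reqid 16385 mode tunnel
	sel src 0.0.0.0/0 dst 0.0.0.0/0
src 198.51.100.1 dst 192.0.2.1
	proto esp spi 0x9f8e7d6c reqid 16385 mode tunnel
	sel src 0.0.0.0/0 dst 0.0.0.0/0
"""


def established_instances(status_text):
    """Map conn name -> set of instance numbers currently in STATE_QUICK_R2."""
    result = {}
    for line in status_text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            result.setdefault(m.group("conn"), set()).add(int(m.group("inst")))
    return result


def esp_spis(xfrm_text):
    """Map (src, dst) -> set of ESP SPIs from `ip xfrm state` output."""
    result = {}
    pair = None
    for line in xfrm_text.splitlines():
        m = XFRM_PAIR_RE.match(line)          # unindented header starts a new SA block
        if m:
            pair = (m.group(1), m.group(2))
            continue
        m = XFRM_SPI_RE.match(line)
        if m and pair:
            result.setdefault(pair, set()).add(m.group(1))
    return result


def rekeyed(old, new):
    """Keys (conn names or (src, dst) pairs) that gained an identifier absent from the old
    snapshot. A new instance number or a new SPI is exactly the phase 2 rekey Paul describes;
    the old SA merely disappearing is not, and is ignored."""
    return sorted(k for k, ids in new.items() if ids - old.get(k, set()))


def snapshot():
    """Live snapshot; assumes `ipsec` and `ip` are on PATH and this runs as root."""
    status = subprocess.check_output(["ipsec", "auto", "--status"], text=True)
    xfrm = subprocess.check_output(["ip", "xfrm", "state"], text=True)
    return established_instances(status), esp_spis(xfrm)


def watch(conn, restart_cmd, interval=5):
    """Poll; when `conn` gets a new instance (new SA is already 'eroute owner'), restart L2TP."""
    old_inst, old_spi = snapshot()
    while True:
        time.sleep(interval)
        new_inst, new_spi = snapshot()
        if conn in rekeyed(old_inst, new_inst):
            print("rekey on %s, new SPIs on %s; restarting L2TP" % (conn, rekeyed(old_spi, new_spi)))
            subprocess.call(restart_cmd)   # hypothetical hook: deletes and re-adds the L2TP tunnel
        old_inst, old_spi = new_inst, new_spi


if __name__ == "__main__":
    # Assumed names: the Openswan conn is "l2tp-tunnel" and the hook script is the operator's own.
    watch("l2tp-tunnel", ["/usr/local/sbin/restart-l2tp"])
```

The trigger is the appearance of the new instance rather than the old one's countdown reaching zero: at that point the new SA is already "newest IPSEC; eroute owner", so the re-added L2TP tunnel immediately rides the fresh SA, and the old SA's later EVENT_SA_EXPIRE (or the peer's Delete payload arriving after it is gone, which produces the "may be expired" line) no longer matters to the bridge.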