[Openswan Users] Openswan ipsec tunnel reestablishment

Paul Wouters paul at xelerance.com
Thu Jul 7 10:18:02 EDT 2011


On Thu, 7 Jul 2011, Vasanth Ragavendran wrote:

> Thank you so much for responding! Found it out!

ok.

> I've another doubt! I'm using a bridge (brctl) and an l2tp tunnel on top of it! The bridge has two interfaces, one being the l2tp
> tunnel interface and the other being the ethernet interface which is connected to the PC. Hence when the IPSec restarts after the keylife, the l2tp tunnel also has to be deleted
> and then restarted again so as to have the end PCs up. The scenario is in the attached file. Hence when the IPSec is about to end I check the expiry time of the old IPSec
> using the time left in "STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE" in ipsec auto --status. So when the expiry time reaches 0 I reestablish the l2tp tunnel, however at
> times the IPSec tunnel says

That does not make much sense to me. The l2tp has no separate interface; it starts a pppX interface. You should not need to
bridge it.

When the phase1 is about to expire, your ipsec client should rekey and the phase1 should not go down.

When the phase2 is about to expire, your ipsec client should rekey the IPsec SA and the phase2 will change
but not go down.

It seems you are trying to fix something that needs no fixing.

> "ignoring Delete SA payload: PROTO_IPSEC_ESP SA() not found(may be expired) instead of "received Delete SA() payload"

As the error says, you are trying to delete something that's already no longer there. So it likely got deleted or rekeyed
just before receiving this message.

> How do I identify exactly when to restart the l2tp tunnel so that the link will always be up? Hope I was clear in explaining my situation. Please help!

The l2tp tunnel should stay up even if the ipsec tunnel phase1/phase2 rekeys. No manual intervention should be
needed.

Note the client side should rekey, the server end should have rekey=no (as dynamic clients can appear anywhere, not necessarily
on the same IP as before)

Paul
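The client/server rekey split Paul describes, written out as an Openswan ipsec.conf sketch. This is an added example, not configuration from the thread or from the Openswan project; the connection names, the server address 203.0.113.10, the use of a PSK (authby=secret), pfs=no and the lifetime values are assumptions chosen for illustration. The point it shows is that the roadwarrior end carries rekey=yes (the default) with a rekeymargin so the IKE and IPsec SAs are replaced before they expire, while the server carries rekey=no and simply waits for the client to come back, possibly from a different IP. The pppX interface that xl2tpd/pppd brings up over the transport-mode SA is not touched by either rekey.

```ini
# Added example, not from the original thread: Openswan ipsec.conf
# fragment showing who rekeys in an L2TP/IPsec setup. Names, the
# address 203.0.113.10, PSK auth, pfs=no and lifetimes are assumptions.

config setup
        nat_traversal=yes
        protostack=netkey

# --- Roadwarrior / L2TP client: this end initiates every rekey ---
conn l2tp-client
        type=transport
        authby=secret
        left=%defaultroute
        leftprotoport=17/1701
        right=203.0.113.10          # hypothetical server address
        rightprotoport=17/1701
        pfs=no
        # ikelifetime bounds the phase1 (IKE SA), keylife the phase2
        # (IPsec SA). Renegotiation starts rekeymargin (randomised by
        # rekeyfuzz) before expiry, so the SA is replaced in place and
        # the L2TP/pppX session on top of it never goes down.
        ikelifetime=8h
        keylife=1h
        rekeymargin=9m
        rekeyfuzz=100%
        rekey=yes
        keyingtries=%forever
        auto=start

# --- Server: never initiate a rekey toward a dynamic client ---
conn l2tp-server
        type=transport
        authby=secret
        left=203.0.113.10           # hypothetical server address
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any      # client source port varies behind NAT
        pfs=no
        ikelifetime=8h
        keylife=1h
        # A roadwarrior may reappear from another IP, so the server must
        # not try to renegotiate; it lets the old SA expire and accepts
        # the client's rekey instead.
        rekey=no
        auto=add
```

With this split, the "ignoring Delete SA payload ... not found (may be expired)" line is harmless: it only means the peer's Delete arrived after the SA had already been replaced or aged out, and nothing on the L2TP side needs restarting.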
