[Openswan Users] Tunnel hangs

Paul Wouters paul at xelerance.com
Mon Nov 14 13:33:07 EST 2011


On Mon, 14 Nov 2011, Greg Scott wrote:

> OK . . .  Now to work the original problem first posted on 11/2.  That tunnel has gone offline at least twice that I know of since then.  Plus I have other tunnels running various versions that continue to go offline and the only cure seems to be stop and restart Openswan.

We probably need to see some more logging of such a failure with logs from both ends.

>        rightupdown=/etc/ipsec.d/hq-updown.sh

> The updown script is just a little hack I use to shorten the MTU and make my default source IP the LAN side.
>
> [root at Superior-fw ipsec.d]#  more superior-updown.sh
> #!/bin/sh
> # Wrapper around the stock Openswan _updown script: run the stock script
> # first, then add a LAN-to-LAN xfrm policy and adjust the route/MTU.
>
> LOCALNET=172.21.5.0/24
>
> # Run the stock updown script with the same arguments and environment.
> /usr/local/lib/ipsec/_updown "$@"
>
> # On route-host/route-client, install an xfrm policy covering
> # LAN-to-LAN traffic in both directions.
> if [ "$PLUTO_VERB" = "route-host" ] || [ "$PLUTO_VERB" = "route-client" ]; then
>     for dir in in out; do
>         ip xfrm policy update dir "$dir" src "$LOCALNET" dst "$LOCALNET"
>     done
> fi
>
> # Lower the MTU on the route to the remote networks and make the
> # LAN-side address the default source IP.
> /sbin/ip route change 192.168.0.0/16 dev em1 src 172.21.5.100 mtu 1400

Note that we have mtu= and leftsourceip= options for that. I recommend using those, as there is more logic
in the updown script that you are bypassing now, since you did use the stock updown script as a base for
your own version.

Also note that if your central node is the older openswan, it might not matter what the leaves run for you
to experience old bugs. Please try and replicate this on two modern openswan releases.

You might also want to consider enabling DPD, so there is better detection of a tunnel being down. Perhaps
that will bring to light why things are failing?

Paul
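As an added illustration (not part of this thread, nor Openswan project code), the following ipsec.conf conn fragment uses the options Paul mentions in place of the custom updown wrapper: leftsourceip= and mtu= replace the hand-rolled "ip route change" line, and the dpd* options enable Dead Peer Detection. The subnets and the 172.21.5.100 address are taken from the quoted script; the connection name, the peer address 203.0.113.1, the DPD timings and the dpdaction= choice are assumptions, and authentication settings (authby=, keys or certificates) are omitted.

```ini
# /etc/ipsec.conf (added example; names, peer address and timings are assumed)
conn superior-hq
    # Local side: firewall on the 172.21.5.0/24 LAN (subnet from the quoted script)
    left=%defaultroute
    leftsubnet=172.21.5.0/24
    # Replaces "ip route change ... src 172.21.5.100" in the wrapper script
    leftsourceip=172.21.5.100
    # Remote side: assumed HQ address, remote networks from the quoted script
    right=203.0.113.1
    rightsubnet=192.168.0.0/16
    # Replaces "mtu 1400" in the wrapper script
    mtu=1400
    # Dead Peer Detection (RFC 3706): probe every 30s, declare the peer dead
    # after 120s without an answer, then tear down and renegotiate the tunnel
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start
```

DPD only takes effect when the peer also advertises DPD support; with dpdaction=restart the tunnel is renegotiated automatically after a timeout, which is the "stop and restart Openswan" cure from the original post done per-connection and without operator intervention. Reproduce the failure with DPD enabled and keep the logs from both ends for the list.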

