[Openswan Users] Left side does not detect disconnection

Kevin Keane (subscriptions) subscription at kkeane.com
Mon Nov 21 08:02:56 EST 2011


> -----Original Message-----
> On Behalf Of Hansjörg Pfister
> 
> Hello,
> I have the following problem:
> after a change in the ipsec config-files, vpn-tunnels will not establish any more.
> E.g. when changing a PSK for one VPN all other VPN-tunnels will disconnect and
> will not make any attempt to reconnect. More precisely:
> One left side - several right sides. The left side has made the change and the
> right sides (which should not be affected by the change) do not detect the
> disconnect. The left side assumes that the connection is still alive.

If I understand it correctly, IPSec doesn't have a mechanism to detect disconnections (probably because IP is connectionless to begin with, so the concept of "disconnection" is a poor fit). There are several other mechanisms.

First, in this situation, left should simply initiate a new connection. For that to happen, first, you have to have the connection configured for auto=start, and second, obviously it only works if you have static IPs for all the rights. With a Roadwarrior setup, you are out of luck.

Second, during the next rekeying, right would reestablish the connection.

What I usually do in this situation is simply restart the ipsec daemon on the right sides. That solution doesn't scale well nor would it work with a fully-meshed topology, but it is good enough for me.
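The two conditions named above (auto=start on the connection, and a static address for right) are easy to audit before a config change. The following script is an added example, not code from the original thread or from Openswan: it parses the conn sections of an ipsec.conf and reports, per conn, why left would not re-initiate on its own. The ipsec.conf text is constructed for the example (RFC 5737 documentation addresses), and "also=" inheritance is deliberately not resolved.

```python
# Constructed sample ipsec.conf for the example (not from the original message).
SAMPLE_IPSEC_CONF = """\
config setup
    nat_traversal=yes

conn site-a
    left=192.0.2.1
    right=198.51.100.10
    authby=secret
    auto=start

conn site-b
    left=192.0.2.1
    right=198.51.100.20
    authby=secret
    auto=add

conn roadwarriors
    left=192.0.2.1
    right=%any
    authby=secret
    auto=add
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every 'conn' section.

    Handles only the subset of ipsec.conf syntax needed here: unindented
    'conn NAME' headers followed by indented key=value lines. The
    'config setup' section and '#' comments are skipped; 'also=' is not
    resolved (assumption of this example).
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            parts = line.split()
            if parts[0] == "conn" and len(parts) == 2:
                current = parts[1]
                conns[current] = {}
            else:
                current = None          # e.g. 'config setup'
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        conns[current][key.strip()] = value.strip()
    return conns


def reinitiate_problems(conn):
    """List the reasons this conn will not be re-initiated by left after the
    peer has silently dropped its SA: it must be auto=start, and right must be
    a literal peer address rather than a %-keyword such as %any."""
    reasons = []
    auto = conn.get("auto", "<unset>")
    if auto != "start":
        reasons.append("auto=%s (needs auto=start)" % auto)
    right = conn.get("right", "")
    if not right or right.startswith("%"):
        reasons.append("right=%s is not a static peer address" % (right or "<unset>"))
    return reasons


def reconnect_report(text):
    """Map each conn name to its list of problems (empty list means left will
    re-initiate on its own)."""
    return {name: reinitiate_problems(c) for name, c in parse_ipsec_conf(text).items()}


if __name__ == "__main__":
    for name, problems in reconnect_report(SAMPLE_IPSEC_CONF).items():
        print(name, "->", "ok" if not problems else "; ".join(problems))
```

Run it against the real file with `reconnect_report(open("/etc/ipsec.conf").read())`; any conn listed with a problem is one that will sit idle until the next rekey or a daemon restart on the right, exactly the behaviour described in the question.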
