[Openswan Users] Left side does not detect disconnection
Erich Titl
erich.titl at think.ch
Mon Nov 21 09:27:09 EST 2011
at 21.11.2011 14:02, Kevin Keane (subscriptions) wrote:
>> -----Original Message-----
>> On Behalf Of Hansjörg Pfister
>>
>> Hello,
>> I have the following problem:
>> after a change in the ipsec config files, VPN tunnels will not establish any more.
>> E.g. when changing a PSK for one VPN, all other VPN tunnels will disconnect and
>> will not make any attempt to reconnect. More precisely:
>> One left side - several right sides. The left side has made the change and the
>> right sides (which should not be affected by the change) do not detect the
>> disconnect. The left side assumes that the connection is still alive.
>
> If I understand it correctly, IPSec doesn't have a mechanism to detect disconnections (probably because IP is connectionless to begin with, so the concept of "disconnection" is a poor fit). There are several other mechanisms.
>
> First, in this situation, left should simply initiate a new connection. For that to happen, first, you have to have the connection configured for auto=start, and second, obviously it only works if you have static IPs for all the rights. With a Roadwarrior setup, you are out of luck.
>
> Second, during the next rekeying, right would reestablish the connection.
>
> What I usually do in this situation is simply restart the ipsec daemon on the right sides. That solution doesn't scale well nor would it work with a fully-meshed topology, but it is good enough for me.

You can achieve the same by

responder side

    ipsec auto --replace <connection_name>

initiator side

    ipsec auto --replace <connection_name>
    ipsec auto --up <connection_name>

cheers

Erich