[Openswan Users] Dead Peer Detection restart causes tunnel to be established, but afterwards cannot ping from either side

Tuomo Soini tis at foobar.fi
Tue Oct 4 09:25:27 EDT 2011


On Wed, 5 Oct 2011 00:10:18 +1100
Geekman <the1geekman at gmail.com> wrote:

> Hi All,
> 
> I should add that, long story short, I had originally started using
> dpdaction=restart as I thought I needed it in order to get DPD to try
> and reconnect the tunnel after a drop out. Little did I know then, DPD
> actually wasn't being enabled at all. I ended up reading the DPD
> readme and saw that the default "hold" is recommended for static
> tunnels.
> 
> I switched back to "hold" and DPD seems to much more reliably bring
> back a working tunnel after a dead peer is detected. I have on
> occasion still had to forcibly --replace on a tunnel to get it to
> stop timing out, but it's many times better than it was. I would say
> I've gone from less than 10% success rate to about 90% in most test
> cases.
> 
> I did notice that if I do an /etc/init.d/ipsec restart, that the
> tunnels come back, but _always_ display the issue described
> previously, where neither side can ping even though the tunnel is up.
> This continues until I do a --replace on each tunnel.
> 
> Although it kind of bugs me, not a huge issue. I can't tell if this is
> an entirely separate issue to what I was facing with DPD previously,
> but the symptoms seem the same.

Your openswan version is too old for that to work reliably. Upgrade to
the latest version. 2.6.29 is the minimum version for on-demand tunneling
to work reliably, but after that there are other related fixes.

If this is a package from your distro, please contact the maintainer and
request a package upgrade.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>