[Openswan Users] Dead Peer Detection restart causes tunnel to be established, but afterwards cannot ping from either side

Geekman the1geekman at gmail.com
Wed Oct 5 09:46:34 EDT 2011


Hi Tuomo,

Thanks so much for the quick response. Seems like getting the Ubuntu
maintainers to make a new package available will take some time, but I
may pursue that.

For now, I've stumbled upon the Ubuntu .deb packages on the OpenSwan
FTP site. Going to give what looks to be the 64-bit release of 2.6.33
a try.

ftp://ftp.openswan.org/openswan/binaries/ubuntu/openswan_2.6.33+ocf-1xelerance_amd64.deb

At least this way, I believe I should be able to tweak my
apt-preferences such that if a newer package is eventually made
available on the repository, it will be upgraded for me during apt-get
upgrade.

Given the apparent large lag between the repository version and the
current latest release, I would say that if I ever wanted to upgrade
past 2.6.33, I'd probably end up having to do it myself anyway. So I
see this solution as a good compromise.

Thanks! I'm hopeful this solves the funky behaviour I've been seeing.

On Wed, Oct 5, 2011 at 12:25 AM, Tuomo Soini <tis at foobar.fi> wrote:
> On Wed, 5 Oct 2011 00:10:18 +1100
> Geekman <the1geekman at gmail.com> wrote:
>
>> Hi All,
>>
>> I should add that, long story short, I had originally started using
>> dpdaction=restart as I thought I needed it in order to get DPD to try
>> and reconnect the tunnel after a drop out. Little did I know then, DPD
>> actually wasn't being enabled at all. I ended up reading the DPD
>> readme and saw that the default "hold" is recommended for static
>> tunnels.
>>
>> I switched back to "hold" and DPD seems to much more reliably bring
>> back a working tunnel after a dead peer is detected. I have on
>> occasion still had to forcibly --replace on a tunnel to get it to
>> stop timing out, but it's many times better than it was. I would say
>> I've gone from less than 10% success rate to about 90% in most test
>> cases.
>>
>> I did notice that if I do an /etc/init.d/ipsec restart, that the
>> tunnels come back, but _always_ display the issue described
>> previously, where neither side can ping even though the tunnel is up.
>> This continues until I do a --replace on each tunnel.
>>
>> Although it kind of bugs me, not a huge issue. I can't tell if this is
>> an entirely separate issue to what I was facing with DPD previously,
>> but the symptoms seem the same.
>
> Your openswan version is too old for that to work reliably. Upgrade to
> latest version. 2.6.29 is the minimum version for on-demand tunneling
> to work reliably but after that there are other related fixes.
>
> If this is package from your distro, please contact maintainer and
> request package upgrade.
>
> --
> Tuomo Soini <tis at foobar.fi>
> Foobar Linux services
> +358 40 5240030
> Foobar Oy <http://foobar.fi/>
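An ipsec.conf connection block with Dead Peer Detection enabled and the "hold" action the thread recommends for static tunnels, added here as an illustration and not taken from the original posts; the connection name, addresses and subnets are placeholders.

```ini
# Added example: static site-to-site tunnel with DPD enabled.
# In Openswan, DPD is only active on a conn when both dpddelay and
# dpdtimeout are set; dpdaction on its own does nothing, which matches
# the "DPD wasn't being enabled at all" observation in the thread.
conn site-a-to-site-b
    # placeholder public addresses (RFC 5737 documentation ranges)
    left=192.0.2.1
    leftsubnet=10.0.1.0/24
    right=198.51.100.1
    rightsubnet=10.0.2.0/24
    authby=secret
    # bring the tunnel up when pluto starts
    auto=start
    # send a DPD probe after 30s of silence and declare the peer dead
    # if no reply arrives within 120s
    dpddelay=30
    dpdtimeout=120
    # "hold" (the default) keeps a trap eroute so the tunnel is
    # renegotiated on the next packet; "restart" tears it down and
    # immediately renegotiates, which the thread found less reliable
    dpdaction=hold
```

After loading the conn, `ipsec auto --status` shows whether DPD is active for it.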
