[Openswan Users] Losing VPN after ipsec restart

Willie Gillespie wgillespie+openswan at es2eng.com
Thu Sep 1 14:03:18 EDT 2011


You may try using commands such as:
ipsec auto --add newconnection
or
ipsec auto --replace previousconnection
 
That may keep you from having to restart all the connections.
 
Sorry it doesn't help with your original problem, but it may be a workaround.
 
Willie
 
-----Original Message-----
From: "Roman Serbski" <mefystofel at gmail.com>
Sent: Thursday, September 1, 2011 11:00am
To: users at openswan.org
Subject: [Openswan Users] Losing VPN after ipsec restart



Hi list,

Appreciate your advice with the following issue.

We have ~90 remote offices establishing IPSec tunnel with the server
in HQ (let's call it VPN master).

The VPN master is powered by Ubuntu 8.04.2 with Openswan
U2.4.9/K2.6.24-23-server installed from packages.

Here is the typical entry for the remote site in ipsec.conf:

conn L2TP-PSK-noNAT-remote-site-01
 authby=secret
 pfs=no
 auto=start
 keyingtries=3
 rekey=no
 type=tunnel
 left=public.ip.of.remote.side
 leftsubnet=192.168.100.0/24
 leftsourceip=192.168.100.1
 right=public.ip.of.vpn.master
 rightsubnet=10.0.0.0/8
 rightsourceip=private.ip.of.vpn.master

Remote sites are powered by Ubuntu 9.10 with Openswan
U2.6.22/K2.6.31-22-generic with the following ipsec.conf:

conn L2TP-PSK-noNAT-remote-site-01
 authby=secret
 pfs=no
 auto=start
 type=tunnel
 left=public.ip.of.remote.side
 leftsubnet=192.168.100.0/24
 leftsourceip=192.168.100.1
 right=public.ip.of.vpn.master
 rightsubnet=10.0.0.0/8
 rightsourceip=private.ip.of.vpn.master

Everything works fine with IPSec tunnel establishing alright, however
recently we started experiencing some issues.

When we modify ipsec.conf (to add a new entry) and restart ipsec on
VPN master, some offices are recovered instantly, for some offices it
takes an hour, but some are never recovered.

If I login to the remote site with IPSec tunnel down and restart ipsec
then the tunnel is established immediately.

I was trying to find a pattern but in vain.  Some offices with high
latency and packet loss are recovered immediately and offices with a
relatively good connection might never recover and vice versa. We also
monitor all sites by pinging them so I believe there is always some
traffic traversing the tunnel.

It's probably worth mentioning that we didn't experience this issue
before (with ~30 remote offices)... I guess with 90 sites we reached
some timeout limits.

Any hints would be greatly appreciated.

Thank you for your time.
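The reply above suggests loading only the changed conn with `ipsec auto --add` / `--replace` rather than restarting the whole daemon, which drops all ~90 tunnels at once and, per the original report, leaves some of them down. The script below is an added example, not code from this thread or from the Openswan project: it diffs an old and a new ipsec.conf and prints the minimal set of per-conn `ipsec auto` commands (`--add`, `--replace`, `--delete`, plus `--up` for conns with auto=start, since `--add` alone only loads the definition). The two config samples are constructed, modelled on the entries quoted in the thread; the hostnames and subnets in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): reconcile a running Openswan
# against an edited ipsec.conf with per-conn `ipsec auto` commands
# instead of `ipsec restart`, which tears down every tunnel at once.
# Assumes the --add / --replace / --delete / --up verbs of Openswan's
# `ipsec auto`; the config samples in demo_plan are constructed.

# conn_summary FILE: print "name<TAB>key=value;key=value;..." per conn,
# sorted by name. The "config setup" section is skipped.
conn_summary() {
  awk '
    function flush() { if (name != "") print name "\t" body; name = ""; body = "" }
    /^conn[ \t]+/   { flush(); name = $2; next }
    /^config[ \t]+/ { flush(); next }
    /^[ \t]+[A-Za-z]/ && name != "" {
      line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line); body = body line ";"
    }
    END { flush() }
  ' "$1" | sort
}

# plan_changes OLD NEW: one `ipsec auto` command per line, sorted, that
# brings the daemon from OLD to NEW. Untouched conns get no command, so
# their tunnels stay up. Conns with auto=start also get --up after being
# (re)loaded, because --add/--replace only load the definition.
plan_changes() {
  old=$(mktemp) && new=$(mktemp) || return 1
  conn_summary "$1" > "$old"
  conn_summary "$2" > "$new"
  awk -F'\t' '
    FILENAME == ARGV[1] { before[$1] = $2; next }
    {
      seen[$1] = 1
      if (!($1 in before))       verb = "--add"
      else if (before[$1] != $2) verb = "--replace"
      else                       next
      print "ipsec auto " verb " " $1
      if (index($2, "auto=start;") > 0) print "ipsec auto --up " $1
    }
    END { for (n in before) if (!(n in seen)) print "ipsec auto --delete " n }
  ' "$old" "$new" | sort
  rm -f "$old" "$new"
}

# demo_plan: constructed before/after configs. site-01 gets a changed
# keyingtries, site-02 is new, site-99 has been removed.
demo_plan() {
  dir=$(mktemp -d) || return 1
  cat > "$dir/ipsec.conf.old" <<'EOF'
config setup
 interfaces=%defaultroute

conn L2TP-PSK-noNAT-remote-site-01
 authby=secret
 pfs=no
 auto=start
 keyingtries=3
 rekey=no
 type=tunnel
 left=public.ip.of.remote.side
 leftsubnet=192.168.100.0/24
 right=public.ip.of.vpn.master
 rightsubnet=10.0.0.0/8

conn L2TP-PSK-noNAT-remote-site-99
 authby=secret
 auto=start
 left=public.ip.of.old.site
 right=public.ip.of.vpn.master
EOF
  cat > "$dir/ipsec.conf.new" <<'EOF'
config setup
 interfaces=%defaultroute

conn L2TP-PSK-noNAT-remote-site-01
 authby=secret
 pfs=no
 auto=start
 keyingtries=5
 rekey=no
 type=tunnel
 left=public.ip.of.remote.side
 leftsubnet=192.168.100.0/24
 right=public.ip.of.vpn.master
 rightsubnet=10.0.0.0/8

conn L2TP-PSK-noNAT-remote-site-02
 authby=secret
 pfs=no
 auto=start
 type=tunnel
 left=public.ip.of.new.site
 leftsubnet=192.168.101.0/24
 right=public.ip.of.vpn.master
 rightsubnet=10.0.0.0/8
EOF
  plan_changes "$dir/ipsec.conf.old" "$dir/ipsec.conf.new"
  rm -rf "$dir"
}

demo_plan
```

For the constructed pair the script prints an `--add` and `--up` for site-02, a `--replace` and `--up` for site-01, and a `--delete` for site-99; every other conn is left alone. Note that `--replace` still tears down and re-establishes the SA of the one conn it names, so edit one site at a time, and confirm with `ipsec auto --status` afterwards that the untouched tunnels are still established. As the reply says, this avoids the mass restart but does not explain why some sites fail to recover after one.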
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users