[Openswan Users] Losing VPN after ipsec restart
Paul Wouters
paul at xelerance.com
Thu Sep 1 16:41:18 EDT 2011
On Thu, 1 Sep 2011, Roman Serbski wrote:
> The VPN master is powered by Ubuntu 8.04.2 with Openswan
> U2.4.9/K2.6.24-23-server installed from packages.
I'm not sure if that's 2.4.9 with backported fixes to 2.4.12. If not,
you have a security problem (some DoS issues, so limited impact).
> pfs=no
There is no reason for pfs=no between openswan instances. I think
you copied from the "l2tp" examples, which assume Windows support
is needed that does (did?) not do Perfect Forward Secrecy. I'd set
this to yes everywhere.
> auto=start
> keyingtries=3
> rekey=no
Generally, you have "auto=add" with "rekey=no", and "auto=start"
with "rekey=yes". When clients come in on dynamic ips, you tend
to use rekey=no on the server. If all your offices have static ips
you should have rekey=yes and auto=start on both ends.
> When we modify ipsec.conf (to add a new entry) and restart ipsec on
> VPN master, some offices are recovered instantly, for some offices it
> takes an hour, but some are never recovered.
Use ipsec auto --add newentry and ipsec auto --up newentry to leave
current state and just add the new connection without doing a full
restart.
Paul
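As an added example (not from the thread or the Openswan project), a small shell lint, using awk, that flags the two ipsec.conf combinations Paul calls out (pfs=no, and auto=start paired with rekey=no) over a constructed config resembling the poster's, plus the add/up sequence he suggests wrapped in a function; the conn names and addresses are made up.

```shell
#!/bin/sh
# Constructed sample ipsec.conf resembling the "VPN master" settings in the thread.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
config setup
	nat_traversal=yes

conn office-a
	left=192.0.2.1
	right=198.51.100.1
	pfs=no
	auto=start
	keyingtries=3
	rekey=no

conn office-b
	left=192.0.2.1
	right=198.51.100.2
	pfs=yes
	auto=start
	rekey=yes
EOF

# lint_ipsec_conf FILE: prints one line per finding, returns the number of findings.
# Assumes the plain one-"key=value"-per-line syntax shown in the thread.
lint_ipsec_conf() {
    awk '
    function report(sec) {
        if (sec == "") return
        if (pfs == "no") { print sec ": pfs=no; use pfs=yes between Openswan peers"; n++ }
        if (auto == "start" && rekey == "no") { print sec ": auto=start with rekey=no; static peers want rekey=yes"; n++ }
    }
    /^conn[ \t]/   { report(section); section = $2; pfs = ""; auto = ""; rekey = ""; next }
    /^config[ \t]/ { report(section); section = ""; next }
    {
        sub(/^[ \t]+/, ""); split($0, kv, "=")
        if (kv[1] == "pfs") pfs = kv[2]; else if (kv[1] == "auto") auto = kv[2]; else if (kv[1] == "rekey") rekey = kv[2]
    }
    END { report(section); exit n }
    ' "$1"
}

# Paul's alternative to a full "ipsec restart": load and bring up just the new conn.
# Not run here; it needs a live Openswan with the conn already in ipsec.conf.
load_new_conn() {
    ipsec auto --add "$1" && ipsec auto --up "$1"
}

lint_ipsec_conf "$SAMPLE_CONF" || echo "$? finding(s) in $SAMPLE_CONF"
```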