[Openswan Users] Losing VPN after ipsec restart
paul at xelerance.com
Thu Sep 1 16:41:18 EDT 2011
On Thu, 1 Sep 2011, Roman Serbski wrote:
> The VPN master is powered by Ubuntu 8.04.2 with Openswan
> U2.4.9/K2.6.24-23-server installed from packages.
I'm not sure if that's 2.4.9 with backported fixes to 2.4.12. If not,
you have a security problem (some DoS issues, so limited impact).
There is no reason for pfs=no between openswan instances. I think
you copied from the "l2tp" examples, which assume Windows support
is needed that does (did?) not do Perfect Forward Secrecy. I'd set
this to yes everywhere.
Generally, you have "auto=add" with "rekey=no", and "auto=start"
with "rekey=yes". When clients come in on dynamic ips, you tend
to use rekey=no on the server. If all your offices have static ips
you should have rekey=yes and auto=start on both ends.
> When we modify ipsec.conf (to add a new entry) and restart ipsec on
> VPN master, some offices are recovered instantly, for some offices it
> takes an hour, but some are never recovered.
Use ipsec auto --add newentry and ipsec auto --up newentry to leave
current state and just add the new connection without doing a full
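An ipsec.conf sketch of the pairing described above (static offices with auto=start/rekey=yes, dynamic clients with auto=add/rekey=no, pfs=yes on both), added here as an illustration; it is not taken from the thread or from Roman's real configuration, and every address, subnet and conn name is a made-up placeholder:

```conf
# Added illustration, not from the thread. Addresses, subnets and conn
# names are placeholders, not real values.

# Static-to-static office link: both ends have fixed IPs, so both ends
# initiate (auto=start) and both renegotiate before expiry (rekey=yes).
conn office-a
    left=192.0.2.1               # placeholder: VPN master public IP
    leftsubnet=10.0.0.0/24       # placeholder: HQ LAN
    right=198.51.100.7           # placeholder: office A public IP
    rightsubnet=10.1.0.0/24      # placeholder: office A LAN
    authby=secret
    pfs=yes                      # pfs=no belongs only in the L2TP/Windows examples
    rekey=yes
    auto=start

# Dynamic-IP clients: the server cannot initiate to an unknown address,
# so it only loads the conn (auto=add) and leaves rekeying to the client.
conn roadwarriors
    left=192.0.2.1               # placeholder: VPN master public IP
    leftsubnet=10.0.0.0/24       # placeholder: HQ LAN
    right=%any                   # accept any remote address
    authby=secret
    pfs=yes
    rekey=no
    auto=add
```

After appending a further conn (say office-b) to this file, `ipsec auto --add office-b` followed by `ipsec auto --up office-b` loads and brings up only that tunnel and leaves the established ones untouched.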