[Openswan Users] Losing VPN after ipsec restart

Paul Wouters paul at xelerance.com
Thu Sep 1 16:41:18 EDT 2011

On Thu, 1 Sep 2011, Roman Serbski wrote:

> The VPN master is powered by Ubuntu 8.04.2 with Openswan
> U2.4.9/K2.6.24-23-server installed from packages.

I'm not sure if that's 2.4.9 with backported fixes to 2.4.12. If not,
you have a security problem (some DoS issues, so limited impact)

>        pfs=no

There is no reason for pfs=no between openswan instances. I think
you copied from the "l2tp" examples, which assume Windows support
is needed that does (did?) not do Perfect Forwad Secrecy. I'd set
this to yes everywhere.

>        auto=start
>        keyingtries=3
>        rekey=no

Generally, you have "auto=add" with "rekey=no", and "auto=start"
with "rekey=yes". When clients come in on dynamic ips, you tend
to use rekey=no on the server. If all your offices have static ips
you should have rekey=yes and auto=start on both ends.

> When we modify ipsec.conf (to add a new entry) and restart ipsec on
> VPN master, some offices are recovered instantly, for some offices it
> takes an hour, but some are never recovered.

Use ipsec auto --add newentry and ipsec auto --up newentry to leave
current state and just add the new connection without doing a full


More information about the Users mailing list