[Openswan Users] Routing Issue

Luis Nagaki luis.nagaki at gmail.com
Tue Jun 5 23:08:07 EDT 2012


Well... got DPD=enabled now. I put those settings on both sides, server
and client, and still the routes get removed after a reboot or service
reboot on the client side. Routes ONLY come back up if I restart the
server service. This sucks...

On Tue, Jun 5, 2012 at 9:09 PM, David McCullough
<david_mccullough at mcafee.com> wrote:
>
> Jivin Luis Nagaki lays it down ...
>> I do get DPD=NONE in the secure log, but I don't think that is the same
>> as dpdaction, right?
>
> That means DPD is not active IIRC.
>
>> On Tue, Jun 5, 2012 at 7:43 PM, Luis Nagaki <luis.nagaki at gmail.com> wrote:
>> > I actually found a site that had a howto for an iPhone setup, which is
>> > not what I want, but I followed it and still nothing works.
>> >
>> > I have, in my vpnclient.conf file on the client and server side,
>> > dpdaction=restart_by_peer b/c I have auto=start.
>
>
> Ok, just in case I have missed something, also add:
>
>        dpddelay = 15
>        dpdtimeout = 30
>
> and see how that goes.
>
>> > When I reboot or restart the service on the client side, the routes
>> > are gone. It's not until I reboot the service on the server that the
>> > routes come back =|.. I'm ALMOST there.. just need to fix this one
>> > thing.
>
> Sounds like you need to get DPD enabled, and for some reason it isn't.
> Check the Openswan logs for the SA established lines and see what is
> negotiated.
>
> Cheers,
> Davidm
>
>
>
>> >
>> > On Tue, Jun 5, 2012 at 7:18 PM, David McCullough
>> > <david_mccullough at mcafee.com> wrote:
>> >> Jivin Luis Nagaki lays it down ...
>> >>> How do I turn it on? I've looked around for this option w/ no luck :/
>> >>
>> >> You need to set "dpdaction" to restart_by_peer for any end-points
>> >> with "auto = start", and set it to "clear" for any with "auto = add".
>> >>
>> >> The basic idea is that if the end point you are configuring knows the IP
>> >> address of the remote end point, then you want restart_by_peer, otherwise
>> >> you want clear.
>> >>
>> >> You can change the timeouts for DPD if you want but I would just go with
>> >> the defaults for now, see here:
>> >>
>> >>         http://linux.die.net/man/5/ipsec.conf
>> >>
>> >> Look for dpddelay, dpdtimeout and dpdaction.
>> >>
>> >> Cheers,
>> >> Davidm
>> >>
>> >>>
>> >>>
>> >>>
>> >>> On Jun 5, 2012, at 6:54 PM, David McCullough
>> >>> <david_mccullough at mcafee.com> wrote:
>> >>>
>> >>> >
>> >>> > Jivin Luis Nagaki lays it down ...
>> >>> >> Ok everything is working..
>> >>> >>
>> >>> >> But.. final thing..
>> >>> >>
>> >>> >> IF I have the clients connected, and I reboot a client... once it
>> >>> >> comes back online the tunnel is created, I can ping the VPN Server
>> >>> >> internally. BUT I cannot ping the client UNLESS I restart the ipsec
>> >>> >> service. I don't want to do this every time I lose a connection etc.
>> >>> >
>> >>> > Do you have dead peer detection enabled ? If not that should solve it for
>> >>> > you,
>> >>> >
>> >>> > Cheers,
>> >>> > Davidm
>> >>> >
>> >>> > --
>> >>> > David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
>> >>> > McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
>> >>>
>> >>>
>> >>
>>
>>
>
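Added example for this page (not code from Openswan or from anyone in the thread): a small script that does the two checks David suggests above. It reads an ipsec.conf-style fragment and checks the dpdaction rule given in the thread (restart_by_peer with auto=start, clear with auto=add, and a dpdtimeout larger than dpddelay when both are set), then scans pluto "IPsec SA established" log lines for the DPD= field. The conn sections and log lines are constructed for illustration; the log layout assumes Openswan's pluto format for that line, with DPD=none when DPD was not negotiated (as Luis saw in his secure log) and DPD=enabled when it was.

```python
"""Check Openswan DPD settings against what pluto actually negotiated.

Example written for this page, not the project's own tooling. The config
and log text below are constructed samples.
"""
import re

# Constructed ipsec.conf fragment: a client that dials out (auto=start)
# and a server-side conn that only waits for peers (auto=add).
SAMPLE_CONF = """\
conn vpnclient
    auto=start
    dpdaction=restart_by_peer
    dpddelay=15
    dpdtimeout=30
    left=%defaultroute
    right=203.0.113.10

conn roadwarrior
    auto=add
    left=203.0.113.10
    right=%any
"""

# Constructed pluto log lines, assuming Openswan's "IPsec SA established"
# format with a trailing DPD=none / DPD=enabled field.
SAMPLE_LOG = """\
Jun  5 22:58:11 gw pluto[2345]: "vpnclient" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x0a1b2c3d <0x4e5f6071 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jun  5 22:59:40 gw pluto[2345]: "roadwarrior"[1] 198.51.100.7 #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x1122aabb <0x33cc44dd xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
"""

CONN_RE = re.compile(r"^conn\s+(\S+)\s*$")
KV_RE = re.compile(r"^\s+(\w+)\s*=\s*(\S+)\s*$")
# conn name, optional "[n] peer-ip" instance suffix, state number, DPD field
SA_RE = re.compile(r'"([^"]+)"(?:\[\d+\]\s+\S+)?\s+#\d+:.*IPsec SA established.*\bDPD=(\w+)')

# The dpdaction each auto= mode should use, per the advice in the thread.
EXPECTED_ACTION = {"start": "restart_by_peer", "add": "clear"}


def parse_conf(text):
    """Return {conn_name: {key: value}} for the conn sections in an ipsec.conf."""
    conns, current = {}, None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return conns


def audit_conn(settings):
    """Return a list of findings for one conn; an empty list means DPD looks consistent."""
    findings = []
    auto = settings.get("auto")
    action = settings.get("dpdaction")
    expected = EXPECTED_ACTION.get(auto)
    if expected is None:
        findings.append(f"auto={auto}: no DPD rule for this mode")
    elif action is None:
        findings.append(f"dpdaction not set (auto={auto} needs dpdaction={expected})")
    elif action != expected:
        findings.append(f"dpdaction={action} (auto={auto} needs dpdaction={expected})")
    delay, timeout = settings.get("dpddelay"), settings.get("dpdtimeout")
    if delay is not None and timeout is not None and int(timeout) <= int(delay):
        findings.append(f"dpdtimeout={timeout} should exceed dpddelay={delay}")
    return findings


def audit_conf(text):
    """Audit every conn in the config text."""
    return {name: audit_conn(s) for name, s in parse_conf(text).items()}


def negotiated_dpd(log_text):
    """Map conn name -> DPD field from the most recent 'IPsec SA established' line."""
    status = {}
    for line in log_text.splitlines():
        m = SA_RE.search(line)
        if m:
            status[m.group(1)] = m.group(2)
    return status


def report(conf_text, log_text):
    """One line per conn: config findings plus whether the live SA actually has DPD."""
    lines = []
    audit = audit_conf(conf_text)
    live = negotiated_dpd(log_text)
    for name in sorted(set(audit) | set(live)):
        problems = list(audit.get(name, []))
        if live.get(name) == "none":
            problems.append("log shows DPD=none: DPD not negotiated on the last SA")
        lines.append(f"{name}: {'; '.join(problems) if problems else 'ok'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONF, SAMPLE_LOG)))
```

The point of combining the two views is the situation in the thread: a conn can carry the right dpdaction on one side and still log DPD=none, because DPD is only active if both peers agree to it during the SA negotiation, so the log line is the check that matters.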

