[Openswan Users] Routing Issue

Luis Nagaki luis.nagaki at gmail.com
Tue Jun 5 23:09:39 EDT 2012


The only error I get is this:

vpnclient1" took too long -- replacing phase 1
vpnclient1" #14: initiating Main Mode to replace #12
vpnclient1" #14: ignoring informational payload, type
NO_PROPOSAL_CHOSEN msgid=00000000
vpnclient1" #14: received and ignored informational message

but still ping only works in one direction: client to server.

On Tue, Jun 5, 2012 at 11:08 PM, Luis Nagaki <luis.nagaki at gmail.com> wrote:
> Well... got DPD=enabled now. I put those settings on both sides, server
> and client, and still routes get removed after a reboot or service
> restart on the client side. Routes ONLY come back up if I restart the
> server service. This sucks...
>
> On Tue, Jun 5, 2012 at 9:09 PM, David McCullough
> <david_mccullough at mcafee.com> wrote:
>>
>> Jivin Luis Nagaki lays it down ...
>>> I do get DPD=NONE in the secure log, but I don't think that is the same
>>> as dpdaction, right?
>>
>> That means DPD is not active IIRC.
>>
>>> On Tue, Jun 5, 2012 at 7:43 PM, Luis Nagaki <luis.nagaki at gmail.com> wrote:
>>> > I actually found a site that had a howto for an iPhone setup, which is
>>> > not what I want, but I followed it and still nothing works.
>>> >
>>> > I have in my vpnclient.conf file on the client and server side
>>> > dpdaction=restart_by_peer because I have auto=start.
>>
>>
>> Ok, just in case I have missed something, also add:
>>
>>        dpddelay = 15
>>        dpdtimeout = 30
>>
>> and see how that goes.
>>
>>> > When I reboot or restart the service on the client side, the routes
>>> > are gone. It's not until I restart the service on the server that the
>>> > routes come back =|.. I'm ALMOST there, just need to fix this one
>>> > thing.
>>
>> Sounds like you need to get DPD enabled, and for some reason it isn't.
>> Check the openswan logs for the SA established lines and see what is
>> negotiated.
>>
>> Cheers,
>> Davidm
>>
>>
>>
>>> >
>>> > On Tue, Jun 5, 2012 at 7:18 PM, David McCullough
>>> > <david_mccullough at mcafee.com> wrote:
>>> >> Jivin Luis Nagaki lays it down ...
>>> >>> How do I turn it on? I've looked around for this option with no luck :/
>>> >>
>>> >> You need to set "dpdaction" to restart_by_peer for any end-points
>>> >> with "auto = start", and set it to "clear" for any with "auto = add".
>>> >>
>>> >> The basic idea is that if the end point you are configuring knows the IP
>>> >> address of the remote end point, then you want restart_by_peer, otherwise
>>> >> you want clear.
>>> >>
>>> >> You can change the timeouts for DPD if you want but I would just go with
>>> >> the defaults for now, see here:
>>> >>
>>> >>         http://linux.die.net/man/5/ipsec.conf
>>> >>
>>> >> Look for dpddelay, dpdtimeout and dpdaction.
>>> >>
>>> >> Cheers,
>>> >> Davidm
>>> >>
>>> >>>
>>> >>>
>>> >>>
>>> >>> On Jun 5, 2012, at 6:54 PM, David McCullough
>>> >>> <david_mccullough at mcafee.com> wrote:
>>> >>>
>>> >>> >
>>> >>> > Jivin Luis Nagaki lays it down ...
>>> >>> >> Ok, everything is working..
>>> >>> >>
>>> >>> >> But.. final thing..
>>> >>> >>
>>> >>> >> IF I have the clients connected, and I reboot a client... once it
>>> >>> >> comes back online the tunnel is created, and I can ping the VPN Server
>>> >>> >> internally. BUT I can not ping the client UNLESS I restart the ipsec
>>> >>> >> service. I don't want to do this every time I lose a connection etc.
>>> >>> >
>>> >>> > Do you have dead peer detection enabled? If not, that should solve it for
>>> >>> > you.
>>> >>> >
>>> >>> > Cheers,
>>> >>> > Davidm
>>> >>> >
>>> >>> > --
>>> >>> > David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
>>> >>> > McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
>>> >>>
>>> >>>
>>> >>
>>> >> --
>>> >> David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
>>> >> McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
>>>
>>>
>>
>> --
>> David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
>> McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
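The dpdaction / auto pairing David describes above, written out as ipsec.conf fragments for both ends. This is an added example, not configuration from the thread or from the Openswan project; the connection name, addresses and subnets are hypothetical, and the 15/30 second timers are the values suggested in the thread rather than the defaults.

```ini
# Added example (not from the thread): ipsec.conf fragments for the two ends of
# one tunnel. Connection name, addresses and subnets are hypothetical.

# --- client side: it knows the server's address, so auto=start + restart_by_peer ---
conn vpnclient1
    left=%defaultroute           # the client's own public address
    leftsubnet=192.168.10.0/24   # hypothetical LAN behind the client
    right=203.0.113.10           # hypothetical server address
    rightsubnet=192.168.20.0/24  # hypothetical LAN behind the server
    authby=secret
    auto=start
    dpdaction=restart_by_peer    # when the server goes silent, tear down and re-initiate
    dpddelay=15                  # seconds between R_U_THERE probes
    dpdtimeout=30                # seconds of silence before the peer is declared dead

# --- server side: it does not know the client's address, so auto=add + clear ---
conn vpnclient1
    left=203.0.113.10
    leftsubnet=192.168.20.0/24
    right=%any                   # accept this client from any address
    rightsubnet=192.168.10.0/24
    authby=secret
    auto=add
    dpdaction=clear              # drop the dead SA and its routes; the client reconnects
    dpddelay=15
    dpdtimeout=30
```

Two checks worth doing after applying this: DPD is only used when both peers advertise it during IKE, so confirm in the SA established log lines (as suggested above) that the value reads DPD=enabled on both ends rather than DPD=none; and note that the NO_PROPOSAL_CHOSEN notification quoted at the top of the thread means the peer rejected every proposal in the replacement Main Mode exchange, which DPD settings do not influence, so if it persists compare the ike=, esp= and authby settings on the two ends.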


More information about the Users mailing list