[Openswan Users] Routing Issue

Luis Nagaki luis.nagaki at gmail.com
Wed Jun 6 20:13:06 EDT 2012


Does anyone have any thoughts? Routes are lost on the server side if the
client side restarts the service or reboots.

On Tue, Jun 5, 2012 at 11:09 PM, Luis Nagaki <luis.nagaki at gmail.com> wrote:
> The only error I get is this:
>
> vpnclient1" took too long -- replacing phase 1
> vpnclient1" #14: initiating Main Mode to replace #12
> vpnclient1" #14: ignoring informational payload, type
> NO_PROPOSAL_CHOSEN msgid=00000000
> vpnclient1" #14: received and ignored informational message
>
> But still, ping works in 1 direction: client to server only.
>
> On Tue, Jun 5, 2012 at 11:08 PM, Luis Nagaki <luis.nagaki at gmail.com> wrote:
>> Well... got DPD=enabled now. I put those settings on both sides, server
>> and client, and still... routes get removed after a reboot or service
>> reboot on the client side. Routes ONLY come back up if I restart the
>> server service. This sucks...
>>
>> On Tue, Jun 5, 2012 at 9:09 PM, David McCullough
>> <david_mccullough at mcafee.com> wrote:
>>>
>>> Jivin Luis Nagaki lays it down ...
>>>> I do get DPD=NONE in the secure log, but I don't think that is the same
>>>> as dpdaction, right?
>>>
>>> That means DPD is not active IIRC.
>>>
>>>> On Tue, Jun 5, 2012 at 7:43 PM, Luis Nagaki <luis.nagaki at gmail.com> wrote:
>>>> > I actually found a site that had a howto for an iPhone setup, which is
>>>> > not what I want, but I followed it and still nothing works.
>>>> >
>>>> > I have dpdaction=restart_by_peer in my vpnclient.conf file on the client
>>>> > and server side, b/c I have auto=start.
>>>
>>>
>>> Ok, just in case I have missed something, also add:
>>>
>>>        dpddelay = 15
>>>        dpdtimeout = 30
>>>
>>> and see how that goes.
>>>
>>>> > When I reboot or restart the service on the client side, the routes
>>>> > are gone. It's not until I reboot the service on the server that the
>>>> > routes come back =|.. I'm ALMOST there.. just need to fix this one
>>>> > thing.
>>>
>>> Sounds like you need to get DPD enabled, and for some reason it isn't.
>>> Check the openswan logs for the SA established lines and see what is
>>> negotiated.
>>>
>>> Cheers,
>>> Davidm
>>>
>>>
>>>
>>>> >
>>>> > On Tue, Jun 5, 2012 at 7:18 PM, David McCullough
>>>> > <david_mccullough at mcafee.com> wrote:
>>>> >> Jivin Luis Nagaki lays it down ...
>>>> >>> How do I turn it on? I've looked around for this option w/ no luck :/
>>>> >>
>>>> >> You need to set "dpdaction" to restart_by_peer for any end-points
>>>> >> with "auto = start", and set it to "clear" for any with "auto = add".
>>>> >>
>>>> >> The basic idea is that if the end point you are configuring knows the IP
>>>> >> address of the remote end point, then you want restart_by_peer, otherwise
>>>> >> you want clear.
>>>> >>
>>>> >> You can change the timeouts for DPD if you want but I would just go with
>>>> >> the defaults for now, see here:
>>>> >>
>>>> >>        http://linux.die.net/man/5/ipsec.conf
>>>> >>
>>>> >> Look for dpddelay, dpdtimeout and dpdaction.
>>>> >>
>>>> >> Cheers,
>>>> >> Davidm
>>>> >>
>>>> >>>
>>>> >>>
>>>> >>>
>>>> >>> On Jun 5, 2012, at 6:54 PM, David McCullough
>>>> >>> <david_mccullough at mcafee.com> wrote:
>>>> >>>
>>>> >>> >
>>>> >>> > Jivin Luis Nagaki lays it down ...
>>>> >>> >> Ok, everything is working..
>>>> >>> >>
>>>> >>> >> But.. final thing..
>>>> >>> >>
>>>> >>> >> IF I have the clients connected, and I reboot a client... once it
>>>> >>> >> comes back online the tunnel is created, and I can ping the VPN Server
>>>> >>> >> internally. BUT I can not ping the client UNLESS I restart the ipsec
>>>> >>> >> service. I don't want to do this every time I lose a connection etc.
>>>> >>> >
>>>> >>> > Do you have dead peer detection enabled? If not, that should solve it for
>>>> >>> > you,
>>>> >>> >
>>>> >>> > Cheers,
>>>> >>> > Davidm
>>>> >>> >
>>>> >>> > --
>>>> >>> > David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
>>>> >>> > McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
>>>> >>>
>>>> >>>
>>>> >>
>>>> >> --
>>>> >> David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
>>>> >> McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
>>>>
>>>>
>>>
>>> --
>>> David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
>>> McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
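The log check David suggests above (look at the "SA established" lines and see whether DPD was negotiated), as an added example that is not part of this thread or of Openswan itself: a Python script that scans pluto log lines, reports the DPD status of the latest IPsec SA per connection, and counts NO_PROPOSAL_CHOSEN rejections seen while a phase 1 is being replaced. The sample log lines and the exact record layout (connection name in quotes, `#n` state number, `DPD=none`/`DPD=enabled` inside the braces) are constructed assumptions modelled on Openswan 2.6-era output.

```python
import re
from collections import OrderedDict

# "IPsec SA established" record: connection name, state number, state name and
# the DPD=... token. The layout is an assumption based on Openswan 2.6 logs.
SA_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<num>\d+): (?P<state>STATE_\w+): .*?'
    r'IPsec SA established .*?DPD=(?P<dpd>\w+)'
)
# Informational NO_PROPOSAL_CHOSEN from the peer (seen in the thread while
# pluto was replacing an expired phase 1).
NPC_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<num>\d+): .*NO_PROPOSAL_CHOSEN')

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = """\
Jun  5 23:08:01 vpnsrv pluto[2101]: "vpnclient1" #12: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0a1b2c3d <0x3d2c1b0a xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jun  5 23:09:15 vpnsrv pluto[2101]: "vpnclient1" #14: initiating Main Mode to replace #12
Jun  5 23:09:15 vpnsrv pluto[2101]: "vpnclient1" #14: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Jun  5 23:10:30 vpnsrv pluto[2101]: "vpnclient2" #16: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x11223344 <0x44332211 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
"""

def dpd_status(lines):
    """Per connection: state of the latest IPsec SA, whether DPD was negotiated
    (DPD=none means it was not), and how many NO_PROPOSAL_CHOSEN were seen."""
    result = OrderedDict()
    for line in lines:
        m = SA_RE.search(line)
        if m:
            entry = result.setdefault(m["conn"], {"no_proposal": 0})
            entry["state"] = m["state"]
            entry["dpd"] = m["dpd"].lower() != "none"
            continue
        m = NPC_RE.search(line)
        if m:
            entry = result.setdefault(m["conn"], {"no_proposal": 0})
            entry["no_proposal"] += 1
    return result

def report(lines):
    """Human-readable findings, one line per problem or status."""
    out = []
    for conn, e in dpd_status(lines).items():
        if "dpd" not in e:
            out.append(f"{conn}: no IPsec SA established line seen")
        elif not e["dpd"]:
            out.append(f"{conn}: DPD not negotiated; a peer reboot leaves stale SAs and routes")
        else:
            out.append(f"{conn}: DPD enabled")
        if e["no_proposal"]:
            out.append(f"{conn}: {e['no_proposal']} NO_PROPOSAL_CHOSEN rejection(s) during renegotiation")
    return out

if __name__ == "__main__":
    for line in report(SAMPLE_LOG.splitlines()):
        print(line)
```

Feed it `grep pluto /var/log/secure` (or wherever pluto logs on your box) to check what both ends actually negotiated after the dpdaction/dpddelay/dpdtimeout changes.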

