[Openswan Users] Routing Issue

David McCullough david_mccullough at mcafee.com
Fri Jun 8 00:20:33 EDT 2012


Jivin Luis Nagaki lays it down ...
> Does anyone have any thoughts? Routes are lost on server side.  if
> client side restarts service or reboots.

Sorry,  got tied up.  I don't have anything to add here.
Check through the logs and check what routes you do have,  perhaps there is
a routing conflict.

Cheers,
Davidm

> On Tue, Jun 5, 2012 at 11:09 PM, Luis Nagaki <luis.nagaki at gmail.com> wrote:
> > the only error i get is this
> >
> > vpnclient1" took too long -- replacing phase 1
> > vpnclient1" #14: initiating Main Mode to replace #12
> > vpnclient1" #14: ignoring informational payload, type
> > NO_PROPOSAL_CHOSEN msgid=00000000
> > vpnclient1" #14: received and ignored informational message
> >
> > but still ping works in 1 direction. client to server only
> >
> > On Tue, Jun 5, 2012 at 11:08 PM, Luis Nagaki <luis.nagaki at gmail.com> wrote:
> >> Well... got DPD=enabled now. i put those settings on both sides server
> >> and client and still.. routes get removed after a reboot or service
> >> reboot on client side. routes ONLY come back up if i restart the
> >> server service this sucks...
> >>
> >> On Tue, Jun 5, 2012 at 9:09 PM, David McCullough
> >> <david_mccullough at mcafee.com> wrote:
> >>>
> >>> Jivin Luis Nagaki lays it down ...
> >>>> i do get in the secure log DPD=NONE but i dont think that is the same
> >>>> as dpdaction right?
> >>>
> >>> That means DPD is not active IIRC.
> >>>
> >>>> On Tue, Jun 5, 2012 at 7:43 PM, Luis Nagaki <luis.nagaki at gmail.com> wrote:
> >>>> > i actually found a site that had a howto for an iphone setup. which is
> >>>> > not what i want but i followed it but still nothing works.
> >>>> >
> >>>> > i have in my vpnclient.conf on the client and server side..file
> >>>> > dpdaction=restart_by_peer b/c i have auto=start
> >>>
> >>>
> >>> Ok, just in case I have missed something, also add:
> >>>
> >>>         dpddelay = 15
> >>>         dpdtimeout = 30
> >>>
> >>> and see how that goes.
> >>>
> >>>> > when i reboot or restart the service on the client side, the routes
> >>>> > are gone. its not until i reboot the service on the server that the
> >>>> > routes come back =|.. im ALMOST there.. just need to fix this one
> >>>> > thing.
> >>>
> >>> Sounds like you need to get DPD enabled, and for some reason it isn't.
> >>> Check the openswan logs for the SA established lines and see what is
> >>> negotiated,
> >>>
> >>> Cheers,
> >>> Davidm
> >>>
> >>>
> >>>
> >>>> >
> >>>> > On Tue, Jun 5, 2012 at 7:18 PM, David McCullough
> >>>> > <david_mccullough at mcafee.com> wrote:
> >>>> >> Jivin Luis Nagaki lays it down ...
> >>>> >>> How do i turn it on? Ive looked around for this option w no luck :/
> >>>> >>
> >>>> >> You need to set "dpdaction" to restart_by_peer for any end-points
> >>>> >> with "auto = start", and set it to "clear" for any with "auto = add".
> >>>> >>
> >>>> >> The basic idea is that if the end point you are configuring knows the IP
> >>>> >> address of the remote end point, then you want restart_by_peer, otherwise
> >>>> >> you want clear.
> >>>> >>
> >>>> >> You can change the timeouts for DPD if you want but I would just go with
> >>>> >> the defaults for now, see here:
> >>>> >>
> >>>> >>         http://linux.die.net/man/5/ipsec.conf
> >>>> >>
> >>>> >> Look for dpddelay, dpdtimeout and dpdaction.
> >>>> >>
> >>>> >> Cheers,
> >>>> >> Davidm
> >>>> >>
> >>>> >>>
> >>>> >>>
> >>>> >>>
> >>>> >>> On Jun 5, 2012, at 6:54 PM, David McCullough
> >>>> >>> <david_mccullough at mcafee.com> wrote:
> >>>> >>>
> >>>> >>> >
> >>>> >>> > Jivin Luis Nagaki lays it down ...
> >>>> >>> >> Ok everything is working..
> >>>> >>> >>
> >>>> >>> >> But.. final thing..
> >>>> >>> >>
> >>>> >>> >> IF i have the clients connected, and i reboot a client... once it
> >>>> >>> >> comes back online the tunnel is created, i can ping the VPN Server
> >>>> >>> >> internally. BUT i can not ping the client UNLESS i restart the ipsec
> >>>> >>> >> service. I dont want to do this everytime i lose a connection etc.
> >>>> >>> >
> >>>> >>> > Do you have dead peer detection enabled? If not that should solve it for
> >>>> >>> > you,
> >>>> >>> >
> >>>> >>> > Cheers,
> >>>> >>> > Davidm
> >>>> >>> >
> >>>> >>> > --
> >>>> >>> > David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
> >>>> >>> > McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
> >>>> >>>
> >>>> >>>
> >>>> >>
> >>>> >> --
> >>>> >> David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
> >>>> >> McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
> >>>>
> >>>>
> >>>
> >>> --
> >>> David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
> >>> McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users

-- 
David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
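The advice in the thread boils down to a consistency rule for each conn: `auto=start` pairs with `dpdaction=restart_by_peer`, `auto=add` pairs with `dpdaction=clear`, and `dpddelay`/`dpdtimeout` should be set explicitly so DPD is actually negotiated (the `DPD=NONE` line in the secure log means it was not). The following is an added example, not code from the thread or from the Openswan project: a small checker that parses ipsec.conf(5)-style text and reports conns that break that rule. The conn names and addresses in the constructed sample are assumptions for illustration only.

```python
import re
from typing import Dict, List

# Constructed sample in ipsec.conf(5) syntax. The conn names and addresses
# are assumptions made for this example; they do not come from the thread.
SAMPLE_CONF = """\
config setup
    protostack=netkey

# Peer with a known address: auto=start + restart_by_peer, DPD timers set.
conn vpnclient1
    left=192.0.2.1
    right=198.51.100.7
    auto=start
    dpdaction=restart_by_peer
    dpddelay=15
    dpdtimeout=30

# Responder-only conn with no dpdaction at all: DPD stays off (DPD=NONE).
conn roadwarriors
    left=192.0.2.1
    right=%any
    auto=add

# auto=start but dpdaction=clear, and no timers: stale routes after a peer reboot.
conn misconfigured
    left=192.0.2.1
    right=203.0.113.9
    auto=start
    dpdaction=clear
"""


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}} for every 'conn' section.

    Handles the ipsec.conf layout: section headers start in column 1,
    settings are indented 'key=value' lines, '#' starts a comment.
    Sections other than 'conn' (e.g. 'config setup') are skipped.
    """
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            # New section header; only 'conn <name>' is of interest here.
            m = re.match(r"conn\s+(\S+)", line)
            current = m.group(1) if m else None
            if current:
                conns[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        conns[current][key.strip()] = value.strip()
    return conns


def check_dpd(conns: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {conn_name: [findings]} for conns whose DPD settings do not
    follow the auto=/dpdaction pairing described in the thread."""
    findings: Dict[str, List[str]] = {}
    for name, opts in conns.items():
        problems: List[str] = []
        auto = opts.get("auto", "ignore")
        action = opts.get("dpdaction")
        if action is None:
            problems.append("dpdaction not set: DPD is off, so a rebooted peer "
                            "leaves a stale SA and stale routes behind")
        elif auto == "start" and action != "restart_by_peer":
            problems.append(f"auto=start with dpdaction={action}; "
                            "expected restart_by_peer")
        elif auto == "add" and action != "clear":
            problems.append(f"auto=add with dpdaction={action}; expected clear")
        if action is not None:
            # Make the timers explicit; the thread suggests 15 s delay, 30 s timeout.
            for key in ("dpddelay", "dpdtimeout"):
                if key not in opts:
                    problems.append(f"{key} not set (thread suggests "
                                    f"{'15' if key == 'dpddelay' else '30'})")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for conn, problems in check_dpd(parse_conns(SAMPLE_CONF)).items():
        for p in problems:
            print(f"{conn}: {p}")
```

Run it against a real ipsec.conf by passing the file contents to `parse_conns`; a clean run prints nothing, and each finding names the conn and the setting to fix. The checker deliberately does not try to read `include`d files or the `%default` conn, so settings inherited that way must be checked by hand.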

