[Openswan Users] Routing Issue

Luis Nagaki luis.nagaki at gmail.com
Fri Jun 8 17:03:53 EDT 2012


Also, I just got this:
#7: ISAKMP SA expired (LATEST!)
 packet from "IP":4500: Informational Exchange is for an unknown
(expired?) SA with MSGID:0x621a00bc
 DPD: could not find newest phase 1 state

I found some sites saying to take off rekey? Is there a downside to that?

On Fri, Jun 8, 2012 at 11:18 AM, Luis Nagaki <luis.nagaki at gmail.com> wrote:
> Everything checks out fine in the logs.
>
> I want to have a better understanding.
>
> The dpddelay and dpdtimeout .. if you increase or decrease these,
> what does it really do?
>
> I noticed that all of a sudden I had 3 tunnels, and then back down to
> 2 tunnels which I should have. BUT my routes stayed. This is testing
> if I restart the service on the client side. IF I reboot the client
> then that's when the routes drop and never come back even though on the
> client the routes come up. On the server side it never stays. Is there a
> way to just keep the route even if it drops for 1 hr let's say or 1
> day? Would the dpdtimeout or delay be something I want to increase to
> 24 hrs or something? I think I would eventually end up with like
> 10000's of tunnels but the delay would kill the tunnel since this is
> the actual keepalive delay? I just want to see if I can understand it
> better.
>
> On Fri, Jun 8, 2012 at 12:20 AM, David McCullough
> <david_mccullough at mcafee.com> wrote:
>>
>> Jivin Luis Nagaki lays it down ...
>>> Does anyone have any thoughts? Routes are lost on server side if
>>> client side restarts service or reboots.
>>
>> Sorry,  got tied up.  I don't have anything to add here.
>> Check through the logs and check what routes you do have,  perhaps there is
>> a routing conflict.
>>
>> Cheers,
>> Davidm
>>
>>> On Tue, Jun 5, 2012 at 11:09 PM, Luis Nagaki <luis.nagaki at gmail.com> wrote:
>>> > The only error I get is this:
>>> >
>>> > vpnclient1" took too long -- replacing phase 1
>>> > vpnclient1" #14: initiating Main Mode to replace #12
>>> > vpnclient1" #14: ignoring informational payload, type
>>> > NO_PROPOSAL_CHOSEN msgid=00000000
>>> > vpnclient1" #14: received and ignored informational message
>>> >
>>> > but still ping works in 1 direction, client to server only.
>>> >
>>> > On Tue, Jun 5, 2012 at 11:08 PM, Luis Nagaki <luis.nagaki at gmail.com> wrote:
>>> >> Well... got DPD=enabled now. I put those settings on both sides, server
>>> >> and client, and still.. routes get removed after a reboot or service
>>> >> reboot on client side. Routes ONLY come back up if I restart the
>>> >> server service. This sucks...
>>> >>
>>> >> On Tue, Jun 5, 2012 at 9:09 PM, David McCullough
>>> >> <david_mccullough at mcafee.com> wrote:
>>> >>>
>>> >>> Jivin Luis Nagaki lays it down ...
>>> >>>> I do get in the secure log DPD=NONE but I don't think that is the same
>>> >>>> as dpdaction, right?
>>> >>>
>>> >>> That means DPD is not active IIRC.
>>> >>>
>>> >>>> On Tue, Jun 5, 2012 at 7:43 PM, Luis Nagaki <luis.nagaki at gmail.com> wrote:
>>> >>>> > I actually found a site that had a howto for an iPhone setup, which is
>>> >>>> > not what I want, but I followed it and still nothing works.
>>> >>>> >
>>> >>>> > I have in my vpnclient.conf file on the client and server side:
>>> >>>> > dpdaction=restart_by_peer b/c I have auto=start
>>> >>>
>>> >>>
>>> >>> Ok, just in case I have missed something, also add:
>>> >>>
>>> >>>         dpddelay = 15
>>> >>>         dpdtimeout = 30
>>> >>>
>>> >>> and see how that goes.
>>> >>>
>>> >>>> > When I reboot or restart the service on the client side, the routes
>>> >>>> > are gone. It's not until I reboot the service on the server that the
>>> >>>> > routes come back =|.. I'm ALMOST there.. just need to fix this one
>>> >>>> > thing.
>>> >>>
>>> >>> Sounds like you need to get DPD enabled, and for some reason it isn't.
>>> >>> Check the openswan logs for the SA established lines and see what is
>>> >>> negotiated.
>>> >>>
>>> >>> Cheers,
>>> >>> Davidm
>>> >>>
>>> >>>
>>> >>>
>>> >>>> >
>>> >>>> > On Tue, Jun 5, 2012 at 7:18 PM, David McCullough
>>> >>>> > <david_mccullough at mcafee.com> wrote:
>>> >>>> >> Jivin Luis Nagaki lays it down ...
>>> >>>> >>> How do I turn it on? I've looked around for this option with no luck :/
>>> >>>> >>
>>> >>>> >> You need to set "dpdaction" to restart_by_peer for any end-points
>>> >>>> >> with "auto = start", and set it to "clear" for any with "auto = add".
>>> >>>> >>
>>> >>>> >> The basic idea is that if the end point you are configuring knows the IP
>>> >>>> >> address of the remote end point, then you want restart_by_peer, otherwise
>>> >>>> >> you want clear.
>>> >>>> >>
>>> >>>> >> You can change the timeouts for DPD if you want but I would just go with
>>> >>>> >> the defaults for now, see here:
>>> >>>> >>
>>> >>>> >>         http://linux.die.net/man/5/ipsec.conf
>>> >>>> >>
>>> >>>> >> Look for dpddelay, dpdtimeout and dpdaction.
>>> >>>> >>
>>> >>>> >> Cheers,
>>> >>>> >> Davidm
>>> >>>> >>
>>> >>>> >>>
>>> >>>> >>>
>>> >>>> >>>
>>> >>>> >>> On Jun 5, 2012, at 6:54 PM, David McCullough
>>> >>>> >>> <david_mccullough at mcafee.com> wrote:
>>> >>>> >>>
>>> >>>> >>> >
>>> >>>> >>> > Jivin Luis Nagaki lays it down ...
>>> >>>> >>> >> Ok everything is working..
>>> >>>> >>> >>
>>> >>>> >>> >> But.. final thing..
>>> >>>> >>> >>
>>> >>>> >>> >> IF I have the clients connected, and I reboot a client... once it
>>> >>>> >>> >> comes back online the tunnel is created, I can ping the VPN Server
>>> >>>> >>> >> internally. BUT I can not ping the client UNLESS I restart the ipsec
>>> >>>> >>> >> service. I don't want to do this every time I lose a connection etc.
>>> >>>> >>> >
>>> >>>> >>> > Do you have dead peer detection enabled? If not, that should solve it for
>>> >>>> >>> > you.
>>> >>>> >>> >
>>> >>>> >>> > Cheers,
>>> >>>> >>> > Davidm
>>> >>>> >>> >
>>> >>>> >>> > --
>>> >>>> >>> > David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
>>> >>>> >>> > McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
>>> >>>> >>>
>>> >>>> >>>
>>> >>>> >>
>>> >>>> >> --
>>> >>>> >> David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
>>> >>>> >> McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
>>> >>>>
>>> >>>>
>>> >>>
>>> >>> --
>>> >>> David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
>>> >>> McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
>>> _______________________________________________
>>> Users at lists.openswan.org
>>> https://lists.openswan.org/mailman/listinfo/users
>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>> Building and Integrating Virtual Private Networks with Openswan:
>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>
>>>
>>
>> --
>> David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
>> McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
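As an added example that is not part of this thread or of Openswan itself: a small Python triage script that does the log check David suggests, matching the pluto messages quoted above (SA expired, unknown SA, DPD phase 1 lookup failure, phase 1 replacement with NO_PROPOSAL_CHOSEN, and the DPD=none marker on an established SA) and mapping them to the checks the thread converged on. The log excerpt, conn name, state numbers and peer address are constructed for the example.

```python
import re
from collections import Counter

# Constructed pluto log excerpt (conn name, state numbers, peer address are made up); message texts echo the thread.
SAMPLE_LOG = """\
pluto[2211]: "vpnclient1" took too long -- replacing phase 1
pluto[2211]: "vpnclient1" #14: initiating Main Mode to replace #12
pluto[2211]: "vpnclient1" #14: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
pluto[2211]: "vpnclient1" #7: ISAKMP SA expired (LATEST!)
pluto[2211]: packet from 203.0.113.5:4500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x621a00bc
pluto[2211]: "vpnclient1" #7: DPD: could not find newest phase 1 state
pluto[2211]: "vpnclient1" #13: STATE_QUICK_I2: sent QI2, IPsec SA established {NATD=none DPD=none}
"""

# One regex per symptom discussed in the thread.
PATTERNS = {
    "phase1_replace": re.compile(r'took too long -- replacing phase 1'),
    "no_proposal":    re.compile(r'ignoring informational payload, type NO_PROPOSAL_CHOSEN'),
    "sa_expired":     re.compile(r'#\d+: ISAKMP SA expired'),
    "unknown_sa":     re.compile(r'Informational Exchange is for an unknown \(expired\?\) SA'),
    "dpd_no_phase1":  re.compile(r'DPD: could not find newest phase 1 state'),
    "dpd_off":        re.compile(r'\bDPD=none\b', re.IGNORECASE),  # the secure-log DPD=NONE the thread mentions
}

def classify(line):
    # Return the symptom name for a pluto line, or None if it is not one we track.
    for name, pat in PATTERNS.items():
        if pat.search(line):
            return name
    return None

def summarize(log_text):
    # Count each symptom across the whole log.
    counts = Counter()
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            counts[hit] += 1
    return counts

def diagnose(counts):
    # Map symptom counts to the checks the thread converged on; nothing is changed on the host.
    findings = []
    if counts["dpd_off"]:
        findings.append("DPD=none on an established SA: set dpdaction/dpddelay/dpdtimeout on both ends")
    if counts["no_proposal"]:
        findings.append("NO_PROPOSAL_CHOSEN on phase 1 replace: IKE proposals differ between the peers")
    if counts["sa_expired"] or counts["unknown_sa"] or counts["dpd_no_phase1"]:
        findings.append("stale ISAKMP SA after rekey/expiry: expect a tunnel flap and re-check the routes")
    return findings
```

Run it as `diagnose(summarize(open("/var/log/secure").read()))` (path assumed; use wherever pluto logs on your system) to get the three findings for the sample above.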

