[Openswan Users] Routing Issue

Luis Nagaki luis.nagaki at gmail.com
Mon Jun 11 14:34:02 EDT 2012


I figured out how to ADD the route via the tunnel

ip route replace 172.16.181.0/28 via DEF.GW.OF.VPN.SERVER dev eth0 src 10.1.0.45

Now, the issue is: WHY do I have to do this every time? Should I just
add this to the end of the updown script!? It's a crack at it, but it's
going to have to do till I fix this issue =\

On Mon, Jun 11, 2012 at 2:03 PM, Luis Nagaki <luis.nagaki at gmail.com> wrote:
> I am still stuck on this,
>
> Still cannot get routes on the server side BACK if the client restarts or
> reboots or the connection is cut/too slow. The route works fine on the client,
> I can ping the internal of the VPN server, but server -> client it
> gets lost. DPD is set to restart_by_peer and dpd delay and action are
> 15 and 30.
>
> Some things I see..
>
> After stopping the service on the client side, and waiting about 10-15
> seconds, I get this
>
> "poller2" #5: IPsec SA expired (LATEST!)
> packet from 76.26.48.XX:55058: received Vendor ID payload [Openswan
> (this version) 2.6.32 ]
> packet from 76.26.48.XX:55058: received Vendor ID payload [Dead Peer Detection]
> packet from 76.26.48.XX:55058: received Vendor ID payload [RFC 3947]
> meth=109, but port floating is off
> packet from 76.26.48.XX:55058: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
> packet from 76.26.48.XX:55058: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
> packet from 76.26.48.XX:55058: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02] meth=107, but port floating is off
> packet from 76.26.48.XX:55058: ignoring Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-00]
>
>
> It's not until I restart the ipsec service that the route comes back. It's
> frustrating.
>
>
>
>
>
> On Mon, Jun 11, 2012 at 9:18 AM, Luis Nagaki <luis.nagaki at gmail.com> wrote:
>> Ok, SO I dug really hard into my log files.
>>
>> After stopping the service on the client I noticed this on the server
>>
>> vpnclient1 #12: down-client output: /usr/libexec/ipsec/_updown.netkey:
>> doroute `ip route del 172.16.181.0/28 via (PUBLICIP OF SERVER) dev
>> eth0 ' failed (RTNETLINK answers: No such process)
>>
>> pending Quick Mode with Client Public IP "vpnclient1" took too long --
>> replacing phase 1
>>
>> Let me know if this helps a bit.
>>
>>
>> On Fri, Jun 8, 2012 at 5:03 PM, Luis Nagaki <luis.nagaki at gmail.com> wrote:
>>> Also, I just got this
>>> #7: ISAKMP SA expired (LATEST!)
>>>  packet from "IP":4500: Informational Exchange is for an unknown
>>> (expired?) SA with MSGID:0x621a00bc
>>>  DPD: could not find newest phase 1 state
>>>
>>> I found some sites saying to take off rekey? Is there a downside to that?
>>>
>>> On Fri, Jun 8, 2012 at 11:18 AM, Luis Nagaki <luis.nagaki at gmail.com> wrote:
>>>> Everything checks out fine in the logs.
>>>>
>>>> I want to have a better understanding.
>>>>
>>>> The dpddelay and dpdtimeout.. if you increase or decrease these,
>>>> what does it really do?
>>>>
>>>> I noticed that all of a sudden I had 3 tunnels, and then back down to
>>>> 2 tunnels, which I should have. BUT my routes stayed. This is testing
>>>> if I restart the service on the client side. IF I reboot the client,
>>>> then that's when the routes drop and never come back, even though on the
>>>> client the routes come up. On the server side it never stays. Is there a
>>>> way to just keep the route even if it drops for 1 hr let's say or 1
>>>> day? Would the dpdtimeout or delay be something I want to increase to
>>>> 24 hrs or something? I think I would eventually end up with like
>>>> 10000's of tunnels, but the delay would kill the tunnel since this is
>>>> the actual keepalive delay? I just want to see if I can understand it
>>>> better.
>>>>
>>>> On Fri, Jun 8, 2012 at 12:20 AM, David McCullough
>>>> <david_mccullough at mcafee.com> wrote:
>>>>>
>>>>> Jivin Luis Nagaki lays it down ...
>>>>>> Does anyone have any thoughts? Routes are lost on the server side if
>>>>>> the client side restarts the service or reboots.
>>>>>
>>>>> Sorry, got tied up. I don't have anything to add here.
>>>>> Check through the logs and check what routes you do have, perhaps there is
>>>>> a routing conflict.
>>>>>
>>>>> Cheers,
>>>>> Davidm
>>>>>
>>>>>> On Tue, Jun 5, 2012 at 11:09 PM, Luis Nagaki <luis.nagaki at gmail.com> wrote:
>>>>>> > The only error I get is this
>>>>>> >
>>>>>> > vpnclient1" took too long -- replacing phase 1
>>>>>> > vpnclient1" #14: initiating Main Mode to replace #12
>>>>>> > vpnclient1" #14: ignoring informational payload, type
>>>>>> > NO_PROPOSAL_CHOSEN msgid=00000000
>>>>>> > vpnclient1" #14: received and ignored informational message
>>>>>> >
>>>>>> > But still ping works in 1 direction, client to server only.
>>>>>> >
>>>>>> > On Tue, Jun 5, 2012 at 11:08 PM, Luis Nagaki <luis.nagaki at gmail.com> wrote:
>>>>>> >> Well... got DPD=enabled now. I put those settings on both sides, server
>>>>>> >> and client, and still.. routes get removed after a reboot or service
>>>>>> >> restart on the client side. Routes ONLY come back up if I restart the
>>>>>> >> server service. This sucks...
>>>>>> >>
>>>>>> >> On Tue, Jun 5, 2012 at 9:09 PM, David McCullough
>>>>>> >> <david_mccullough at mcafee.com> wrote:
>>>>>> >>>
>>>>>> >>> Jivin Luis Nagaki lays it down ...
>>>>>> >>>> I do get in the secure log DPD=NONE but I don't think that is the same
>>>>>> >>>> as dpdaction, right?
>>>>>> >>>
>>>>>> >>> That means DPD is not active IIRC.
>>>>>> >>>
>>>>>> >>>> On Tue, Jun 5, 2012 at 7:43 PM, Luis Nagaki <luis.nagaki at gmail.com> wrote:
>>>>>> >>>> > I actually found a site that had a howto for an iPhone setup, which is
>>>>>> >>>> > not what I want, but I followed it and still nothing works.
>>>>>> >>>> >
>>>>>> >>>> > I have in my vpnclient.conf file on the client and server side..
>>>>>> >>>> > dpdaction=restart_by_peer b/c I have auto=start
>>>>>> >>>
>>>>>> >>>
>>>>>> >>> Ok, just in case I have missed something, also add:
>>>>>> >>>
>>>>>> >>>         dpddelay = 15
>>>>>> >>>         dpdtimeout = 30
>>>>>> >>>
>>>>>> >>> and see how that goes.
>>>>>> >>>
>>>>>> >>>> > When I reboot or restart the service on the client side, the routes
>>>>>> >>>> > are gone. It's not until I restart the service on the server that the
>>>>>> >>>> > routes come back =|.. I'm ALMOST there.. just need to fix this one
>>>>>> >>>> > thing.
>>>>>> >>>
>>>>>> >>> Sounds like you need to get DPD enabled, and for some reason it isn't.
>>>>>> >>> Check the openswan logs for the SA established lines and see what is
>>>>>> >>> negotiated,
>>>>>> >>>
>>>>>> >>> Cheers,
>>>>>> >>> Davidm
>>>>>> >>>
>>>>>> >>>
>>>>>> >>>
>>>>>> >>>> >
>>>>>> >>>> > On Tue, Jun 5, 2012 at 7:18 PM, David McCullough
>>>>>> >>>> > <david_mccullough at mcafee.com> wrote:
>>>>>> >>>> >> Jivin Luis Nagaki lays it down ...
>>>>>> >>>> >>> How do I turn it on? I've looked around for this option w/ no luck :/
>>>>>> >>>> >>
>>>>>> >>>> >> You need to set "dpdaction" to restart_by_peer for any end-points
>>>>>> >>>> >> with "auto = start", and set it to "clear" for any with "auto = add".
>>>>>> >>>> >>
>>>>>> >>>> >> The basic idea is that if the end point you are configuring knows the IP
>>>>>> >>>> >> address of the remote end point, then you want restart_by_peer, otherwise
>>>>>> >>>> >> you want clear.
>>>>>> >>>> >>
>>>>>> >>>> >> You can change the timeouts for DPD if you want but I would just go with
>>>>>> >>>> >> the defaults for now, see here:
>>>>>> >>>> >>
>>>>>> >>>> >>         http://linux.die.net/man/5/ipsec.conf
>>>>>> >>>> >>
>>>>>> >>>> >> Look for dpddelay, dpdtimeout and dpdaction.
>>>>>> >>>> >>
>>>>>> >>>> >> Cheers,
>>>>>> >>>> >> Davidm
>>>>>> >>>> >>
>>>>>> >>>> >>>
>>>>>> >>>> >>>
>>>>>> >>>> >>>
>>>>>> >>>> >>> On Jun 5, 2012, at 6:54 PM, David McCullough
>>>>>> >>>> >>> <david_mccullough at mcafee.com> wrote:
>>>>>> >>>> >>>
>>>>>> >>>> >>> >
>>>>>> >>>> >>> > Jivin Luis Nagaki lays it down ...
>>>>>> >>>> >>> >> Ok everything is working..
>>>>>> >>>> >>> >>
>>>>>> >>>> >>> >> But.. final thing..
>>>>>> >>>> >>> >>
>>>>>> >>>> >>> >> IF I have the clients connected, and I reboot a client... once it
>>>>>> >>>> >>> >> comes back online the tunnel is created, I can ping the VPN Server
>>>>>> >>>> >>> >> internally. BUT I cannot ping the client UNLESS I restart the ipsec
>>>>>> >>>> >>> >> service. I don't want to do this every time I lose a connection etc.
>>>>>> >>>> >>> >
>>>>>> >>>> >>> > Do you have dead peer detection enabled ? If not that should solve it for
>>>>>> >>>> >>> > you,
>>>>>> >>>> >>> >
>>>>>> >>>> >>> > Cheers,
>>>>>> >>>> >>> > Davidm
>>>>>> >>>> >>> >
>>>>>> >>>> >>> > --
>>>>>> >>>> >>> > David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
>>>>>> >>>> >>> > McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
>>>>>> >>>> >>>
>>>>>> >>>> >>>
>>>>>> >>>> >>
>>>>>> >>>> >> --
>>>>>> >>>> >> David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
>>>>>> >>>> >> McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
>>>>>> >>>>
>>>>>> >>>>
>>>>>> >>>
>>>>>> >>> --
>>>>>> >>> David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
>>>>>> >>> McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
>>>>> McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org
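The top post's idea of putting the route command into the updown script can be done without editing the stock script: point the conn's leftupdown= (an ipsec.conf option) at a wrapper that runs the stock _updown first and then installs or removes the route from the variables pluto exports. The script below is an added example written for this thread, not code from the original post or from Openswan. It assumes the PLUTO_VERB, PLUTO_PEER_CLIENT, PLUTO_NEXT_HOP, PLUTO_INTERFACE and PLUTO_MY_SOURCEIP environment variables that the stock _updown scripts read, the verb names up-client/down-client, and the hypothetical wrapper path /etc/ipsec.d/updown-route.sh; check these against the _updown shipped with your Openswan version. It uses "ip route replace" so a re-established tunnel after a client reboot reinstalls the route idempotently, tolerates the "RTNETLINK answers: No such process" the thread's log shows on down-client (the route is already gone), and verifies after up-client that the route actually landed.

```shell
#!/bin/sh
# Added example, not Openswan's own _updown.netkey: an updown wrapper that runs
# the stock script and then keeps the route to the peer's client subnet in sync.
# Enable per conn with (hypothetical path):
#     leftupdown=/etc/ipsec.d/updown-route.sh
# Assumed pluto environment: PLUTO_VERB, PLUTO_PEER_CLIENT, PLUTO_NEXT_HOP,
# PLUTO_INTERFACE, PLUTO_MY_SOURCEIP (verify against your version's _updown).

REAL_UPDOWN=${REAL_UPDOWN:-/usr/libexec/ipsec/_updown}

# route_cmd VERB SUBNET GW DEV SRC
# Prints the ip(8) command for the verb; returns 1 for verbs that do not
# touch client routes (up-host, prepare-client, ...). "replace" makes the
# up side idempotent, so a tunnel that comes back after a client reboot
# reinstalls the route instead of failing with "File exists".
route_cmd() {
    verb=$1 subnet=$2 gw=$3 dev=$4 src=$5
    case $verb in
        up-client)
            printf 'ip route replace %s via %s dev %s src %s\n' \
                "$subnet" "$gw" "$dev" "$src" ;;
        down-client)
            printf 'ip route del %s via %s dev %s\n' "$subnet" "$gw" "$dev" ;;
        *)
            return 1 ;;
    esac
}

# route_present SUBNET  (reads "ip route show" output on stdin)
# Returns 0 if a route whose destination is exactly SUBNET is listed.
# Used as a post-condition after up-client so the log says whether the
# route really exists, not only whether the command ran.
route_present() {
    subnet=$1
    while read -r dst rest; do
        [ "$dst" = "$subnet" ] && return 0
    done
    return 1
}

# Dispatch only when pluto invoked us (PLUTO_VERB set). Sourcing the file
# without PLUTO_VERB, as in a test, defines the functions and changes nothing.
if [ -n "$PLUTO_VERB" ]; then
    "$REAL_UPDOWN" || exit $?
    if cmd=$(route_cmd "$PLUTO_VERB" "$PLUTO_PEER_CLIENT" "$PLUTO_NEXT_HOP" \
                       "$PLUTO_INTERFACE" "$PLUTO_MY_SOURCEIP"); then
        # "No such process" on del means the route was already gone (the
        # situation in the thread's log); log it and keep the hook succeeding.
        $cmd 2>&1 | logger -t updown-route || true
        if [ "$PLUTO_VERB" = up-client ]; then
            ip route show | route_present "$PLUTO_PEER_CLIENT" \
                || logger -t updown-route \
                   "route for $PLUTO_PEER_CLIENT missing after up-client"
        fi
    fi
fi
```

A missing route after up-client is then visible in syslog under the updown-route tag, which is the check the thread was missing: the original symptom was only noticed by pinging from the server side.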

