[Openswan Users] Loss problems with OpenSwan

Cristian Petrescu cristian.petrescu at telemaxvoice.ro
Wed Apr 9 05:15:14 EDT 2014


Hello Nick,
   Thank you for your answer. I have to keep the private IP on both 
hosts. Considering what you've told me, I will eliminate lo:0 and assign 
the 10.122.1.1 IP to a free network card on HOST2. I will also add 
left/rightsourceip. I will have to wait a few days to see if this has 
solved the issue.

Best regards,
Cristian

On 09/04/2014 11:37, Nick Howitt wrote:
>
> Rather than your "subnets" set up have you considered doing a more 
> usual simple left/rightsubnet and adding a left/rightsourceip 
> (probably 10.22.1.1 and 10.122.3.2). Then remove the HOST1 assignment 
> to lo:0?
>
> Nick
>
> On 2014-04-09 09:15, Cristian Petrescu wrote:
>
>> Dear Users,
>>    I've been using OpenSwan on CentOS 6.4 (2.6.32-358.2.1.el6.x86_64) for some time. It works well, but from time to time we start experiencing around 2-3% loss on the connection. If we restart both openswan ends the loss goes away; I wasn't able to determine when and why the loss occurs. I've checked /var/log/secure and there isn't anything out of the ordinary happening. I've had problems in the past with ksoftirqd reaching 100%, but after setting /proc/sys/net/ipv4/xfrm4_gc_thresh to 100 and installing irqbalance that ksoftirqd problem was solved. Please help me solve this issue; below is the configuration:
>>
>> HOST2:
>> # /etc/ipsec.conf - Openswan IPsec configuration file
>> #
>> # Manual:     ipsec.conf.5
>> #
>> # Please place your own config files in /etc/ipsec.d/ ending in .conf
>>
>> version 2.0     # conforms to second version of ipsec.conf specification
>>
>> # basic configuration
>> config setup
>>          protostack=netkey
>>          virtual_private=%v4:10.122.0.0/16
>>          oe=off
>>          nhelpers=0
>>
>> conn host1host2
>>          dpdaction=restart_by_peer
>>          dpdtimeout=60
>>          dpddelay=10
>>          left=<host2 public ip>
>>          leftsubnets={10.122.1.1/32,<host2 public ip>/32}
>>          leftid=@host2
>>          leftnexthop=%defaultroute
>>          right=<host1 public ip>
>>          rightsubnets={10.122.3.0/24,<host1 public ip>/32}
>>          rightid=@host1
>>          rightnexthop=%defaultroute
>>          auto=start
>>          authby=secret
>>          type=tunnel
>>
>> On HOST2, 10.122.1.1 is assigned to lo:0
>> On HOST1, 10.122.3.2 is assigned to a network interface that is gateway for the equipment in that network in order to reach 10.122.1.1
>> HOST2 and HOST1 have the same ipsec.conf configuration.
>>
>> Best regards,
>> Cristi
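Nick's suggestion written out against the conn section from the original message, as an added example that is not from either poster. It assumes 10.122.1.1 and 10.122.3.2 (the addresses named in the original message) as the source IPs, and that 10.122.1.1 has been moved from lo:0 to a real interface as Cristian describes.

```conf
# Added example, not the posters' configuration.
# Replaces leftsubnets/rightsubnets with a single subnet per side and
# adds left/rightsourceip as suggested in the reply.
conn host1host2
         dpdaction=restart_by_peer
         dpdtimeout=60
         dpddelay=10
         left=<host2 public ip>
         leftid=@host2
         # Assumption: only the private /32 needs to be tunnelled from HOST2.
         leftsubnet=10.122.1.1/32
         # Source address HOST2 uses for traffic it originates into the tunnel.
         leftsourceip=10.122.1.1
         leftnexthop=%defaultroute
         right=<host1 public ip>
         rightid=@host1
         rightsubnet=10.122.3.0/24
         # Source address HOST1 uses for traffic it originates into the tunnel.
         rightsourceip=10.122.3.2
         rightnexthop=%defaultroute
         auto=start
         authby=secret
         type=tunnel
```

Unlike the posted `leftsubnets`/`rightsubnets` lists, this form no longer covers the public-IP /32 entries, so traffic between the two public addresses is not carried by this conn.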