[Openswan Users] Why I need to run “ipsec auto –up” both on left and on right?

Neal P. Murphy neal.p.murphy at alum.wpi.edu
Sat Aug 6 02:43:07 EDT 2016


OK. Now I begin to see what I think I should expect to see. After some reasonable period of time (30 minutes or so of inactivity), I see STATE_MAIN_R* cycling, but *without* the QUICK_R* states.

So it seems that for some reason, that first DPD 8-10 seconds after the tunnel comes up shouldn't happen and shouldn't redo the QUICK_* states. At least in my mind it seems reasonable that that first DPD shouldn't be triggered and shouldn't completely reset the tunnel.

N


On Mon, 2 May 2016 14:54:38 -0400
"Neal P. Murphy" <neal.p.murphy at alum.wpi.edu> wrote:

> On Mon, 2 May 2016 11:49:54 +0300
> Michael Furman <michael_furman at hotmail.com> wrote:
> 
> > Hi all,
> > 
> > According to the instruction: “To bring up the tunnel, issue the following command as root, on both left and right hosts: ipsec auto --up mytunnel”
> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/Host-To-Host_VPN_Using_Openswan.html
> > 
> > But why do I need to run “ipsec auto --up” both on left and on right? I see that it is enough to run “ipsec auto --up” only on one side and it launches the tunnel on both sides.
> > 
> > service ipsec status
> > IPsec running  - pluto pid: 12149
> > pluto pid 12149
> > 1 tunnels up
> > 
> > Also, I can test that the tunnel is up:
> > 
> > IP 172.16.0.2 > 172.16.0.1: ESP(spi=0x5b499423,seq=0x1), length 132
> > IP 172.16.0.1 > 172.16.0.2: ESP(spi=0x32de4962,seq=0x1), length 132
> > 
> > If I run “ipsec auto --up” on the other side I see that 2 tunnels are launched.
> > 
> > service ipsec status
> > IPsec running  - pluto pid: 12149
> > pluto pid 12149
> > 2 tunnels up
> > 
> > I do not think that 2 channels on the same IPs is the correct configuration. Is it enough to run “ipsec auto --up” only on one side?
> 
> You don't *have* to have both sides try to initiate the VPN, but it (usually) doesn't hurt; whichever end gets through first becomes the initiator and the other becomes the responder.
> 
> If one side is behind NAT, it's often easiest if that host initiates the VPN whilst the other end quietly awaits contact. (If both are behind NAT, you have to get a little creative.)
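As an added example (not code from this thread or from Openswan), a small Python checker for the symptom described at the top of this message: it parses pluto state-transition lines from syslog and reports, for each ISAKMP (STATE_MAIN_*) exchange that starts after the tunnel first came up, whether phase 2 (STATE_QUICK_*) was renegotiated with it, i.e. a full tunnel reset, or whether it was a phase-1-only rekey. The log lines, timestamps and the connection name "mytunnel" are constructed.

```python
import re
from datetime import datetime

# Constructed sample of pluto syslog lines (not taken from the thread);
# state names follow Openswan's STATE_MAIN_* / STATE_QUICK_* convention.
SAMPLE_LOG = """\
May  2 11:50:01 left pluto[12149]: "mytunnel" #1: STATE_MAIN_I1: initiate
May  2 11:50:01 left pluto[12149]: "mytunnel" #1: STATE_MAIN_I4: ISAKMP SA established
May  2 11:50:01 left pluto[12149]: "mytunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
May  2 11:50:10 left pluto[12149]: "mytunnel" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established
May  2 11:50:10 left pluto[12149]: "mytunnel" #4: STATE_QUICK_R2: IPsec SA established
May  2 12:20:10 left pluto[12149]: "mytunnel" #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established
"""

LINE_RE = re.compile(
    r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: "([^"]+)" #(\d+): (STATE_[A-Z0-9_]+)'
)

def parse(text, year=2016):
    """Turn syslog lines into (timestamp, conn, sa_number, state) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pluto state-transition line
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), int(m.group(3)), m.group(4)))
    return events

def classify(events, window=5):
    """Per connection: every ISAKMP exchange after the first IPsec SA came up,
    as (seconds since tunnel-up, 'full-reset' | 'phase1-only'). 'full-reset'
    means a QUICK exchange followed within `window` seconds (phase 2 redone)."""
    report = {}
    for conn in sorted({e[1] for e in events}):
        evs = [e for e in events if e[1] == conn]
        quick_ts = [ts for ts, _, _, st in evs if st.startswith("STATE_QUICK")]
        if not quick_ts:
            continue  # tunnel never reached phase 2
        t0 = min(quick_ts)  # moment the IPsec SA first came up
        seen, entries = set(), []
        for ts, _, sa, st in evs:
            if not st.startswith("STATE_MAIN") or sa in seen or ts <= t0:
                continue  # initial setup, or an ISAKMP SA already counted
            seen.add(sa)
            redone = any(ts <= tq and (tq - ts).total_seconds() <= window for tq in quick_ts)
            entries.append((int((ts - t0).total_seconds()), "full-reset" if redone else "phase1-only"))
        report[conn] = entries
    return report
```

On the sample this reports a full reset 9 seconds after tunnel-up (the early DPD case) and a phase-1-only rekey about 30 minutes later (the expected idle behaviour).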


