[Openswan Users] Why I need to run "ipsec auto --up" both on left and on right?

Neal P. Murphy neal.p.murphy at alum.wpi.edu
Mon May 2 14:54:38 EDT 2016


On Mon, 2 May 2016 11:49:54 +0300
Michael Furman <michael_furman at hotmail.com> wrote:

> Hi all,
> 
> According to the instruction: "To bring up the tunnel, issue the following command as root, on both left and right hosts: ipsec auto --up mytunnel"
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/Host-To-Host_VPN_Using_Openswan.html
> 
> But why do I need to run "ipsec auto --up" on both left and right? I see that it is enough to run "ipsec auto --up" on only one side, and it launches the tunnel on both sides.
> 
> service ipsec status
> IPsec running  - pluto pid: 12149
> pluto pid 12149
> 1 tunnels up
> 
> Also, I can test that the tunnel is up:
> 
> IP 172.16.0.2 > 172.16.0.1: ESP(spi=0x5b499423,seq=0x1), length 132
> IP 172.16.0.1 > 172.16.0.2: ESP(spi=0x32de4962,seq=0x1), length 132
> 
> If I run "ipsec auto --up" on the other side, I see that 2 tunnels are launched.
> 
> service ipsec status
> IPsec running  - pluto pid: 12149
> pluto pid 12149
> 2 tunnels up
> 
> I do not think that 2 channels on the same IPs is the correct configuration. Is it enough to run "ipsec auto --up" on only one side?

You don't *have* to have both sides try to initiate the VPN, but it (usually) doesn't hurt; whichever end gets through first becomes the initiator and the other becomes the responder.

If one side is behind NAT, it's often easiest if that host initiates the VPN whilst the other end quietly awaits contact. (If both are behind NAT, you have to get a little creative.)
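Editor's added example (not part of the thread): the ipsec.conf fragments that express the initiator/responder split Neal describes, so that only one host ever initiates and nobody needs to type "ipsec auto --up" on both ends. It reuses the conn name and the addresses from the question (mytunnel, 172.16.0.1, 172.16.0.2) and assumes pre-shared-key authentication; which host is chosen as initiator (here 172.16.0.2) is an assumption. auto=add and auto=start are standard Openswan conn keywords. NAT-traversal settings are not shown.

```ini
# Added example, not from the original thread.
# Assumes: conn "mytunnel" between 172.16.0.1 and 172.16.0.2 (from the question),
# PSK authentication, and 172.16.0.2 chosen as the initiating side.

# --- /etc/ipsec.conf on 172.16.0.1: the responder ---
# auto=add loads the conn into pluto and waits; the tunnel is established
# only when the peer initiates (or when an admin runs "ipsec auto --up mytunnel").
conn mytunnel
    left=172.16.0.1
    right=172.16.0.2
    authby=secret
    auto=add

# --- /etc/ipsec.conf on 172.16.0.2: the initiator ---
# auto=start loads the conn and brings it up when the service starts,
# which is what "ipsec auto --up mytunnel" does by hand.
conn mytunnel
    left=172.16.0.1
    right=172.16.0.2
    authby=secret
    auto=start
```

With this split, starting the service on both hosts yields the "1 tunnels up" state the question shows on each end; the second tunnel appeared only because both sides were told to initiate.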
