
List:       linux-ipsec
Subject:    Re: hung connections?
From:       Claudia Schmeing <claudia () freeswan ! org>
Date:       2001-03-28 20:21:47

Hi,


You write,
> I am having some trouble with using SafeNet Soft-PK to connect through my
> LRP - IPSEC gateway to the office private subnet.
> 
> Everything works great when connecting from home on my laptop but when I
> take the laptop into the office, and the IPSEC connection is still up on the
> gateway I can't get out past the gateway because the routing table has an
> existing route for the laptop (if it gets the same IP from the DHCP server).
> 
> ipsec auto --down road-warriors
> 
> does the trick, but I would like to not have to do this every time.
> 
> I can avoid this by shutting down the connections through the
> SafeNet/Soft-PK GUI prior to shutting down the laptop, but I can't rely on
> others to do the same ;-)
> 
> Any advice appreciated.
> 
> Erik Myllymaki
> erik@pacific-shores.com

There are two things which may be going on here...
* is the connection up?
* is the routing up?

I'm not convinced it's in fact the routing that's interfering.

The routing stays up until the connection is unrouted with ipsec auto --unroute:

       Normally, pluto's route to a destination remains in place
       when a --down operation is used to take the connection
       down (or if connection setup, or later automatic rekeying,
       fails). This permits establishing a new connection (perhaps
       using a different specification; the route is altered
       as necessary) without having a "window" in which packets
       might go elsewhere based on a more general route. Such a
       route can be removed using the --unroute operation (and is
       implicitly removed by --delete).

The two things that you claim improve the situation don't actually unroute. 
And, I believe that the old route to any given IP is in fact replaced by 
the updown script's prepare-host section when the new connection is installed.

If, indeed, the problem is that the connection is still up, there are 
things you can do. Have a look and see if the uniqueids parameter might 
help you, as described in man ipsec.conf. You may also wish to set a 
shorter rekeying time, which will allow a dangling connection to time
out faster.


Cheers,

Claudia

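As an added example (not from this message, and not the FreeS/WAN project's own configuration), here is how the two suggestions above look in an ipsec.conf fragment: the uniqueids option in the config setup section, and shorter lifetimes on the road-warrior connection so that an abandoned SA expires sooner. The connection name road-warriors is the one from Erik's message; the subnet, the gateway ID, the lifetime values and the interface choice are assumptions chosen for illustration, and the authentication parameters of the working configuration are omitted.

```conf
# Added example, not from the original message or from FreeS/WAN itself.
# Illustrative ipsec.conf fragment; subnets, IDs and lifetimes are assumed.

config setup
        interfaces=%defaultroute
        # uniqueids: per man ipsec.conf, a new automatically keyed
        # connection that presents an already-known ID from a different
        # IP address replaces the old connection(s) using that ID.
        # Caveat: this only acts when the same ID reconnects; by itself it
        # does not expire an SA whose peer has silently gone away.
        uniqueids=yes

conn road-warriors
        left=%defaultroute
        leftsubnet=10.1.0.0/16          # office subnet (assumed value)
        leftid=@gateway.example.com     # gateway ID (assumed value)
        right=%any                      # road warriors, any address
        # Authentication parameters (authby, rsasigkey lines) omitted here;
        # they stay as in the working configuration.

        # Shorter lifetimes than the FreeS/WAN defaults (ikelifetime=1h,
        # keylife=8h) so a dangling SA from a laptop that was just unplugged
        # times out sooner. The cost is more frequent rekeying; the values
        # below are assumed, not recommendations from the list.
        ikelifetime=30m
        keylife=1h
        rekeymargin=5m
        # keyingtries bounds how many attempts pluto makes to negotiate a
        # connection or a replacement for one, so a rekey towards a peer
        # that has disappeared gives up instead of retrying forever.
        keyingtries=3
        auto=add
```

The conn changes take effect with ipsec auto --replace road-warriors; uniqueids is a pluto startup option from the config setup section, so it needs an ipsec setup restart. After a change, ipsec auto --status shows whether a connection is merely routed or actually has an established SA, which is the distinction Claudia draws above.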

