List: linux-ipsec
Subject: Re: hung connections?
From: Claudia Schmeing <claudia () freeswan ! org>
Date: 2001-03-28 20:21:47
-----BEGIN PGP SIGNED MESSAGE-----
Hi,
You write,
> I am having some trouble with using SafeNet Soft-PK to connect through my
> LRP - IPSEC gateway to the office private subnet.
>
> Everything works great when connecting from home on my laptop but when I
> take the laptop into the office, and the IPSEC connection is still up on the
> gateway I can't get out past the gateway because the routing table has an
> existing route for the laptop (if it gets the same IP from the DHCP server).
>
> ipsec auto --down road-warriors
>
> does the trick, but I would like to not have to do this every time.
>
> I can avoid this by shutting down the connections through the
> SafeNet/Soft-PK GUI prior to shutting down the laptop, but I can't rely on
> others to do the same ;-)
>
> Any advice appreciated.
>
> Erik Myllymaki
> erik@pacific-shores.com
There are two things which may be going on here...
* is the connection up?
* is the routing up?
I'm not convinced it's in fact the routing that's interfering.
The routing stays up until the connection is unrouted with ipsec auto --unroute:
Normally, pluto's route to a destination remains in place
when a --down operation is used to take the connection
down (or if connection setup, or later automatic rekeying,
fails). This permits establishing a new connection (perhaps
using a different specification; the route is altered
as necessary) without having a ``window'' in which packets
might go elsewhere based on a more general route. Such a
route can be removed using the --unroute operation (and is
implicitly removed by --delete).
The two things that you claim improve the situation don't actually unroute.
And, I believe that the old route to any given IP is in fact replaced by
the updown script's prepare-host section when the new connection is installed.
If, indeed, the problem is that the connection is still up, there are
things you can do. Have a look and see if the uniqueids parameter might
help you, as described in man ipsec.conf. You may also wish to set a
shorter rekeying time, which will allow a dangling connection to time
out faster.
Cheers,
Claudia
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
iQCVAwUBOsJU73DIYXPDEHodAQEUWgP/X7kJv4z53INwa82CWoVLzzY5AqGveREc
pzRGCpFU+qBH9xKQe1dsIzNds49P+v/w/tLk1TEFhYfH/eS1Q6w4xSy8aD4c9XWi
hAqx3celoCd87iVIdtmOUmMlUkzgXachYnLpPOTUwKje7Oswfx/vrIet/3xW+Fu9
/pG+saf5pyc=
=MViz
-----END PGP SIGNATURE-----
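The two knobs the reply points at (uniqueids in the config setup section, and shorter rekeying lifetimes in the conn section) as a FreeS/WAN ipsec.conf fragment. This is an added example, not configuration from the original thread or from the FreeS/WAN project; the connection name, subnet, interface and IDs are assumptions, and the lifetime values are illustrative choices, not recommended settings.

```ini
# Added example (not from the original thread): FreeS/WAN ipsec.conf
# fragment for a road-warrior connection. Names, addresses and IDs are
# assumptions chosen for illustration.
config setup
        interfaces=%defaultroute
        # A new connection presenting a known participant ID is treated as
        # replacing any old connection with that ID, so a laptop that comes
        # back from a different address does not leave the stale SA behind.
        # This keys on the ID, not the IP address, so the client must
        # present the same ID each time.
        uniqueids=yes

conn road-warriors
        left=%defaultroute
        leftsubnet=10.1.0.0/16
        leftid=@gateway.example.com
        right=%any
        rightid=@laptop.example.com
        # Shorter lifetimes than the defaults (keylife 8h, ikelifetime 1h)
        # so an SA left dangling by a laptop that was simply switched off
        # expires sooner. rekeymargin must be smaller than both lifetimes.
        keylife=1h
        ikelifetime=30m
        rekeymargin=3m
        # Load the conn at startup and wait for the road warrior to initiate.
        auto=add
```

To check which of the two states the reply distinguishes you are actually in: ipsec auto --status lists the ISAKMP and IPsec SAs currently established for each conn, while ipsec eroute shows the kernel's IPsec routing entries; ipsec auto --down road-warriors removes the former but, as quoted from the man page above, leaves the latter in place until ipsec auto --unroute road-warriors is run.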