
List:       openswan-users
Subject:    Re: [Openswan Users] Why I need to run “ipsec auto
From:       "Neal P. Murphy" <neal.p.murphy@alum.wpi.edu>
Date:       2016-08-06 6:43:07
Message-ID: 20160806024307.54b37369@playground

OK. Now I begin to see what I think I should expect to see. After some reasonable
period of time (30 minutes or so of inactivity), I see STATE_MAIN_R* cycling, but
*without* the QUICK_R* states.

So it seems that for some reason, that first DPD 8-10 seconds after the tunnel comes
up shouldn't happen and shouldn't redo the QUICK_* states. At least in my mind it
seems reasonable that that first DPD shouldn't be triggered and shouldn't completely
reset the tunnel.

N


On Mon, 2 May 2016 14:54:38 -0400
"Neal P. Murphy" <neal.p.murphy@alum.wpi.edu> wrote:

> On Mon, 2 May 2016 11:49:54 +0300
> Michael Furman <michael_furman@hotmail.com> wrote:
> 
> > Hi all,
> > 
> > According to the instruction: "To bring up the tunnel, issue the following
> > command as root, on both left and right hosts: ipsec auto --up mytunnel"
> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/Host-To-Host_VPN_Using_Openswan.html
> > 
> > But why I need to run "ipsec auto --up" both on left and on right? I see that it
> > is enough to run "ipsec auto --up" only on one side and it launches the tunnel on
> > both sides.
> > 
> > service ipsec status
> > IPsec running  - pluto pid: 12149
> > pluto pid 12149
> > 1 tunnels up
> > 
> > Also, I can test that the tunnel is up:
> > 
> > IP 172.16.0.2 > 172.16.0.1: ESP(spi=0x5b499423,seq=0x1), length 132
> > IP 172.16.0.1 > 172.16.0.2: ESP(spi=0x32de4962,seq=0x1), length 132
> > 
> > If I run "ipsec auto --up" on the other side I see that 2 tunnels are launched.
> > 
> > service ipsec status
> > IPsec running  - pluto pid: 12149
> > pluto pid 12149
> > 2 tunnels up
> > 
> > I do not think that 2 channels on the same IPs is the correct configuration.
> > Is it enough to run "ipsec auto --up" only on one side?
> 
> You don't *have* to have both sides try to initiate the VPN, but it (usually)
> doesn't hurt; whichever end gets through first becomes the initiator and the other
> becomes the responder.
> If one side is behind NAT, it's often easiest if that host initiates the VPN whilst
> the other end quietly awaits contact. (If both are behind NAT, you have to get a
> little creative.)

_______________________________________________
Users@lists.openswan.org
https://lists.openswan.org/mailman/listinfo/users
Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
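As an added example (not code from this thread and not Openswan's own tooling), the script below parses the state lines that pluto prints for `ipsec auto --status` and reports, per connection, how many ISAKMP and IPsec SAs are established, which role (initiator or responder) this host played in each Quick Mode, and whether a connection is carrying more than one IPsec SA. That last condition is the "2 tunnels up" situation from the question, and the I/R letter in the state name is how you confirm Neal's point that whichever end got through first is the initiator. The two status dumps are constructed to resemble pluto's output for the two situations in the thread; they are not captured from the poster's hosts, and the exact layout of the trailing fields is an assumption (only the `000 #N: "conn" STATE_xxx (...)` prefix is relied on).

```python
"""Summarise pluto SA state from `ipsec auto --status` output.

Added example for this thread, not Openswan's own code.  It classifies each
state line by phase (ISAKMP vs IPsec SA) and by the I/R letter in the state
name, so you can see which end initiated and whether a connection is carrying
more than one IPsec SA.  The sample status text below is constructed to look
like pluto's output; it was not captured from a real host.
"""
import re
from collections import defaultdict

# A pluto state line looks like:
#   000 #2: "mytunnel":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); ...
STATE_RE = re.compile(
    r'^000 #(?P<serial>\d+): "(?P<conn>[^"]+)"(?::\d+)? '
    r'(?P<state>STATE_[A-Z0-9_]+) \((?P<desc>[^)]*)\)'
)

# Phase 1 complete: Main Mode I4/R3 (Aggressive Mode I2/R2).
ISAKMP_ESTABLISHED = {"STATE_MAIN_I4", "STATE_MAIN_R3",
                      "STATE_AGGR_I2", "STATE_AGGR_R2"}
# Phase 2 complete: Quick Mode I2/R2, i.e. an IPsec SA carrying ESP.
IPSEC_ESTABLISHED = {"STATE_QUICK_I2", "STATE_QUICK_R2"}


def parse_states(status_text):
    """Return one dict per state line: serial, conn, state, role, newest."""
    states = []
    for line in status_text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue  # connection summaries, eroute lines, etc.
        state = m.group("state")
        # The letter before the trailing digit is this end's role in that
        # exchange: I = we initiated it, R = we responded to the peer.
        role_m = re.search(r"_([IR])\d$", state)
        role = {"I": "initiator", "R": "responder"}[role_m.group(1)] if role_m else "unknown"
        states.append({
            "serial": int(m.group("serial")),
            "conn": m.group("conn"),
            "state": state,
            "role": role,
            # pluto tags the SA currently in use; an older one lingering
            # after a rekey lacks this tag.
            "newest": "newest IPSEC" in line or "newest ISAKMP" in line,
        })
    return states


def summarise(status_text):
    """Per connection: established SA counts, roles seen, and a duplicate flag.

    duplicate_ipsec is set when a connection holds more than one established
    IPsec SA.  That is what "2 tunnels up" in the thread reports after both
    ends ran `ipsec auto --up`; note that the same count also appears briefly
    during a normal rekey, before the old SA expires, so check the 'newest'
    tag before acting on it.
    """
    summary = defaultdict(lambda: {"isakmp": 0, "ipsec": 0,
                                   "roles": set(), "duplicate_ipsec": False})
    for s in parse_states(status_text):
        entry = summary[s["conn"]]
        if s["state"] in ISAKMP_ESTABLISHED:
            entry["isakmp"] += 1
        elif s["state"] in IPSEC_ESTABLISHED:
            entry["ipsec"] += 1
            entry["roles"].add(s["role"])
    for entry in summary.values():
        entry["duplicate_ipsec"] = entry["ipsec"] > 1
    return dict(summary)


# Constructed: this end brought the tunnel up (I4 / QI2), then the peer also
# ran `ipsec auto --up`, so this host now also responds to a second Quick
# Mode (R2) over the same ISAKMP SA.
BOTH_SIDES_UP = """\
000 "mytunnel": 172.16.0.1<172.16.0.1>...172.16.0.2<172.16.0.2>; erouted; eroute owner: #2
000 #1: "mytunnel":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2600s; newest ISAKMP; lastdpd=4s(seq in:0 out:0); idle; import:admin initiate
000 #2: "mytunnel":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27800s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #3: "mytunnel":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 27950s; isakmp#1; idle; import:not set
"""

# Constructed: this host only responded; the peer initiated both phases.
ONE_SIDE_UP = """\
000 #1: "mytunnel":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2600s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #2: "mytunnel":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 27800s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set
"""

if __name__ == "__main__":
    for label, text in (("both sides ran --up", BOTH_SIDES_UP),
                        ("one side ran --up", ONE_SIDE_UP)):
        for conn, e in summarise(text).items():
            print(f"{label}: {conn}: isakmp={e['isakmp']} ipsec={e['ipsec']} "
                  f"roles={sorted(e['roles'])} duplicate={e['duplicate_ipsec']}")
```

On a live host, feed it `ipsec auto --status` (or `ipsec whack --status`) output instead of the constructed samples. A connection that shows both an initiator and a responder Quick Mode at once is the two-sided `--up` case; a connection that shows two IPsec SAs in the same role with only one tagged `newest IPSEC` is most likely mid-rekey and will settle on its own.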

