
RE: [Users] force ipsec to resolve ipsec.conf again on an open tunnel?

From: Greg Conway (greg_at_gmlnt.com)
Date: Sun May 12 2002 - 03:16:46 CEST


Hi Sam,

Thanks for the reply. I tried this, on both ends of a tunnel that has been
closed for about 30 hours. It didn't do anything, but then! restarting the
tunnel on both ends via the firewall GUI on each side brought the tunnel
back up!

ipsec look ... gave me lots of information on the open tunnel, and I
could ping the firewall on each side okay.

I then closed the tunnel and tried it again, and now - again! - it remains
closed. No combination of restarting ipsec manually and through the gui will
bring the tunnel up - I suspect I will have to delete and re-enter info with
another name as usual!

So I investigated further, and this seems to be how the tunnels are
brought up on the linux firewall...

when ISDN connects -
        dynamic dns is updated
        a vpn script is called, which roughly does the following...
                - ipsecctrl R ...is called, this presumably starts ipsec itself but is a
                  binary file not a script!
                - for each tunnel, ipsec is now called as follows:
                  ipsec auto --asynchronous --up tunnelname
                - which returns the following:
                  104 "tunnelname" #3: STATE_MAIN_I1: initiate

the ipsec.conf is as follows:

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=0

conn tunnelname
        left=1.2.3.4
        leftsubnet=192.168.100.0/24
        leftnexthop=1.2.3.41
        right=firewall.dyndns.org
        rightsubnet=192.168.200.0/24
        rightnexthop=firewallgateway.dyndns.org
        auto=add

don't know if these throw any light on anything, maybe there is something I
can change in the way ipsec is called to allow for dynamic dns? (currently
ipsec auto --asynchronous --up tunnelname)

or maybe something I can change in the ipsec.conf to enforce continual dns
lookup? (I have been scouting around newsgroups looking for answers!!)

other than that, what log files can I check to see what is happening?

many thanks for your help!

Regards,

Greg Conway.
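The thread's underlying problem is that the tunnel's peer is named by a dynamic-DNS hostname, and Sam's advice is to run "ipsec setup --restart" once the ISDN link has a new address. The hook below is an added example (not code from the thread, the firewall GUI, or the FreeS/WAN project) of how an ip-up script could do that only when a peer's resolved address has actually changed, and then re-initiate each tunnel with the same "ipsec auto --asynchronous --up" call the firewall script uses. CACHE_DIR, IPSEC, the conn=peer argument form, and the use of getent for lookups are assumptions of this example; it also assumes, as the thread suggests but does not confirm, that a restart is what makes ipsec re-resolve the names in ipsec.conf.

```shell
#!/bin/sh
# Added example: ip-up style hook for a FreeS/WAN gateway whose peers are
# dynamic-DNS names. Nothing here comes from the original thread except the
# two ipsec commands it quotes. CACHE_DIR, IPSEC and the conn=peer argument
# format are assumptions of this example.
CACHE_DIR="${CACHE_DIR:-/var/run/ipsec-ddns}"
IPSEC="${IPSEC:-ipsec}"   # set IPSEC=echo to dry-run the hook

# resolve_peer NAME: print the first IPv4 address the resolver returns for NAME,
# or nothing if the lookup fails (the link may not be fully up yet).
resolve_peer() {
    getent hosts "$1" 2>/dev/null | awk '/^[0-9.]+ /{print $1; exit}'
}

# peer_changed NAME ADDR: return 0 and record ADDR when it differs from the
# cached address for NAME; return 1 when unchanged. An empty ADDR (failed
# lookup) is never recorded, so the last known-good address survives.
peer_changed() {
    name=$1; addr=$2
    [ -n "$addr" ] || return 1
    cache="$CACHE_DIR/$name"
    if [ -f "$cache" ] && [ "$(cat "$cache")" = "$addr" ]; then
        return 1
    fi
    mkdir -p "$CACHE_DIR" && printf '%s\n' "$addr" > "$cache"
}

# plan_actions RESOLVER conn=peer ...: print the ipsec commands to run, one per
# line. "setup --restart" is emitted once, before any --up, and only when at
# least one peer address changed; every conn is then brought up exactly as the
# firewall script in the thread does. RESOLVER is a function name, which lets
# the hook be exercised without network access.
plan_actions() {
    resolver=$1; shift
    restart=0; ups=""
    for pair in "$@"; do
        conn=${pair%%=*}; peer=${pair#*=}
        addr=$("$resolver" "$peer")
        if peer_changed "$peer" "$addr"; then
            restart=1
        fi
        ups="$ups$IPSEC auto --asynchronous --up $conn
"
    done
    if [ "$restart" -eq 1 ]; then
        echo "$IPSEC setup --restart"
    fi
    printf '%s' "$ups"
}

# main conn=peer ...: run the planned commands in order.
# Example: ./ipsec-ddns-hook.sh tunnelname=firewall.dyndns.org
main() {
    plan_actions resolve_peer "$@" | while read -r cmd; do
        $cmd
    done
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Restarting only on a change matters because "ipsec setup --restart" tears down every tunnel on the box; a reconnect where the peer's address is unchanged then costs nothing. If the lookup fails the hook still issues the --up calls, so a peer whose name has not yet propagated in dynamic DNS is retried with whatever ipsec currently holds rather than being silently skipped.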

-----Original Message-----
From: Sam Sgro [mailto:sam_at_freeswan.org]
Sent: 12 May 2002 01:13
To: Greg Conway
Cc: users_at_lists.freeswan.org
Subject: Re: [Users] force ipsec to resolve ipsec.conf again on an open
tunnel?

-----BEGIN PGP SIGNED MESSAGE-----

On Sat, 11 May 2002, Greg Conway wrote:

> Until - the ISDN line is dropped (life will be sooo much easier when ADSL
> finally arrives here!).

You will need to run "ipsec setup --restart" after the ISDN line comes
back up. That will link the ipsec interfaces with the new IP address.

Sam Sgro
sam_at_freeswan.org

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: For the matching public key, finger the Reply-To: address.

iQCVAwUBPN2zjkOSC4btEQUtAQGb2wQAwEZ+03om9K/xZe0FQAP+8ye9gJ8VNkZg
EwgyNizqDFfd2GXgrRwHNBWNQ/R9lbFuMLqCcx+nIfm8XCC+vvcuE3Purw4ih7w0
VhrTq1aYs0ahEEZ5VvJPQSsmgEHjJuWtcMpiAypA/pSTi7b4667Y+If3vu0FcRI1
Y3PIe/UuNo0=
=0iB2
-----END PGP SIGNATURE-----

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
