Note: This archive passes through spamassassin. Every mail marked with the subject "*****SPAM*****" has exceed a certain threshold of spam-like behaviour.

RE: [Users] force ipsec to resolve ipsec.conf again on an open tunnel?

From: Sam Sgro (sam_at_freeswan.org)
Date: Sun May 12 2002 - 04:51:38 CEST

Next message: Wilf \(Neil Wilkinson\): "[Users] freeswan / kernel 2.4.7-10 and ipchains problem."
Previous message: Greg Conway: "RE: [Users] force ipsec to resolve ipsec.conf again on an open tunnel?"
In reply to: Greg Conway: "RE: [Users] force ipsec to resolve ipsec.conf again on an open tunnel?"
Next in thread: Greg Conway: "RE: [Users] force ipsec to resolve ipsec.conf again on an open tunnel?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

-----BEGIN PGP SIGNED MESSAGE-----

On Sun, 12 May 2002, Greg Conway wrote:

> So I investigated further, and this seems to be be how the tunnels are
> brought up on the linux firewall...
>
>snip<

Since you mention an IP address for the "left" reference in your
ipsec.conf file, I assume you have a situation with one machine
being static, and the other dynamic. As I see it, you'll have no problem
re-starting the machine with the dynamic IP to recognize its new IP
address; but you may have issues with the static machine, due to the
delay Dynamic DNS updates frequently encounter. This all may be happening
too fast for the static machine.

Ultimately, you will be better off approaching this from the angle of a
"RoadWarrior". This configuration is meant for situations in which one
machine's IP address changes frequently, but the other does not, and I
would highly recommend it if that is indeed your situation.

Read about a Road Warrior setup at doc/config.html#roadex.

As for some of your other questions:

IPSec logs can be found in both /var/log/secure and /var/log/messages.
As well, you may want to compare the output of "ipsec auto --status" on
both sides of the VPN; see if the connection descriptions match and are
correct with the actual setup post-ISDN-restart.

To carefully restart the connections use these commands:

1) ipsec auto --down connectionname
2) ipsec auto --delete connectionname
3) ipsec auto --add connectionname
4) ipsec auto --verbose --up connectionname

This should ensure that the configuration file is re-read properly before
re-starting the connection.

Hope some of this helps,

Sam Sgro
sam_at_freeswan.org

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: For the matching public key, finger the Reply-To: address.

iQCVAwUBPN3YvUOSC4btEQUtAQGVcAP/ZA+e16SAi2x0460xG1bZ+mkB1N0Fk1MD
3feCcdjjfxhVK5mMq0sUc+W8U3wNujhfVksqgBTuluFYcM85KABlaxnEKM25T7tS
estyvHiyqcpEnrWGU/UQvUj8wTQ3ckD/XOaxLuhgVPK7UyQmZaaVoRoP29Tn/ZIj
4S343doO4zU=
=Mh9S
-----END PGP SIGNATURE-----

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users

Next message: Wilf \(Neil Wilkinson\): "[Users] freeswan / kernel 2.4.7-10 and ipchains problem."
Previous message: Greg Conway: "RE: [Users] force ipsec to resolve ipsec.conf again on an open tunnel?"
In reply to: Greg Conway: "RE: [Users] force ipsec to resolve ipsec.conf again on an open tunnel?"
Next in thread: Greg Conway: "RE: [Users] force ipsec to resolve ipsec.conf again on an open tunnel?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:58 CEST