
[Users] IP address change, and misc error messages

From: sebastien_at_cirquedigital.com
Date: Tue May 14 2002 - 01:19:28 CEST


Hi,

I'm using FreeSwan to make static VPNs between several sites (about 5).
Each site is connected to each other site, so it's not just a star
connection. If N is my number of sites, every site is connected to (N-1)
other sites, and I have a total of (N-1)+(N-2)+...+1 sites (or N(N-1)/2).

Some of the sites are unreliable though, some of them even change IP address
regularly. I'm fine with that though -- my main issue is that I don't want
all N(N-1)/2 VPNs to have problems when one has one, nor the (N-2)(N-1) ones
either. Also I do not want to use the road warrior configuration. I once
looked into this, and, though I don't remember what the exact problem was, I
concluded it didn't support the features I needed.

I thus have a script running every 5 minutes on each host to check the connection
to each peer (ping the WAN interface of the remote gateway). If this fails,
I restart that particular connection with (for connection 'wl-ucla'):

            ipsec auto --down wl-ucla
            ipsec auto --replace wl-ucla
            ipsec auto --up wl-ucla

I would hope this would enable a peer to reload a new IP address of a remote
peer, if it changed. It however doesn't seem to do this. I'm not positive,
but in several cases I had to restart ipsec completely before this change in
IP address of the peer would be noted.

Now I'm fine with restarting whatever it takes to get the gateway to understand
the remote peer has a new IP address. However, I want to avoid bringing down
ipsec completely, and then back up, as I want the remaining (N-2) VPN links
to remain up. One node going down should not have an effect on the others,
and as soon as it is up again, I want to automatically create the VPN again.

So what would be the recommended ipsec command sequence instead of the one
above?

Second, when i decide to restart ipsec completely, i use my init script to
do so. It basically does something like (for the 'wl' node):

               ipsec setup restart
               ifconfig ipsec0 mtu 1000
               ipsec whack --listen
               # bring all possible connections up
               ipsec auto --up wl-ucla
               ipsec auto --up wl-mdr
               ipsec auto --up wl-cp
               ...

I need the MTU or I get frag problems. I need the whack or I get "--need
listen before initiate", unless I put a 'sleep 10' instead. I don't know why
this is needed. Note that I don't want to have 'auto=up' instead of 'auto=add' in
my configs as it had other implications I didn't want.

Now, even with the 'whack --listen', I still randomly get errors like "no
connection named wl-ucla". Adding a sleep before the 'auto --up's again
seems to resolve this (but sometimes not -- or is my sleep not long
enough?). I guess this is a timing error of 'ipsec setup restart' not being
ready yet, not having loaded all the connections from ipsec.conf. What
command would I need to insert (like 'whack --listen' for the listen before
initiate problem) to make sure the connection is loaded and I cannot get
into a situation where I run 'auto --up' when the connection listing is not
updated yet?

I run into a lot of frustration having to restart all peers several times
for an hour or so before suddenly (and apparently randomly) all seem to be back
up again. So I have the impression that there is more wrong with the scheme
than the above, but that might be just because it's confusing. If I could
get the above resolved, this would already be a step further and I can then
see if I still have other issues.

Also, if 1.95 resolved the above issues I could upgrade, only I try to
avoid the N kernel updates :).

Thanks,
Sebastien.

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
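The two procedures in the post (the per-peer check with down/replace/up, and the startup sequence that issues 'auto --up' too early), as an added shell example that is not part of the original mail: instead of a fixed sleep it polls the loaded connection list before each '--up'. It assumes 'ipsec auto --status' lists loaded conns by their quoted name; the conn names and peer addresses are made up.

```shell
# Added example, not from the post. Assumes "ipsec auto --status" lists loaded
# conns by name; the conn names and peer addresses below are made up.
IPSEC=${IPSEC:-ipsec}
LOAD_TIMEOUT=${LOAD_TIMEOUT:-30}   # seconds to wait for a conn to be loaded
PEERS="wl-ucla:192.0.2.10 wl-mdr:192.0.2.20 wl-cp:192.0.2.30"   # constructed

# conn_loaded NAME: succeeds once pluto lists the connection by name
conn_loaded() {
    $IPSEC auto --status 2>/dev/null | grep -q "\"$1\""
}

# wait_for_conn NAME SECONDS: poll once a second, fail after the timeout
wait_for_conn() {
    n=0
    while [ "$n" -lt "$2" ]; do
        conn_loaded "$1" && return 0
        sleep 1; n=$((n + 1))
    done
    return 1
}

# reconnect_peer NAME: the poster's down/replace/up, but --up only once the
# replaced conn is loaded again, so "no connection named" cannot happen
reconnect_peer() {
    $IPSEC auto --down "$1"
    $IPSEC auto --replace "$1"
    wait_for_conn "$1" "$LOAD_TIMEOUT" || return 1
    $IPSEC auto --up "$1"
}

# check_peers: ping each remote WAN address and restart only the failed
# tunnels, leaving the other links alone. Sets RESTARTED to those names.
check_peers() {
    RESTARTED=""
    for entry in $PEERS; do
        name=${entry%%:*}; addr=${entry#*:}
        ping -c 3 -q "$addr" >/dev/null 2>&1 && continue
        reconnect_peer "$name" && RESTARTED="$RESTARTED $name"
    done
}

# start_all: full restart, then --up each tunnel only after pluto listens
# and has actually loaded that conn from ipsec.conf (no fixed sleep)
start_all() {
    $IPSEC setup restart
    ifconfig ipsec0 mtu 1000
    $IPSEC whack --listen
    for entry in $PEERS; do
        name=${entry%%:*}
        wait_for_conn "$name" "$LOAD_TIMEOUT" || { echo "$name not loaded" >&2; continue; }
        $IPSEC auto --up "$name"
    done
}
```

Run check_peers from cron in place of the ping script, and start_all from the init script; a conn that never appears in the status listing is reported on stderr instead of producing the "no connection named" error.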