Re: [Users] Reconnecting VPN using dynamic IP after drop out

From: Sam Sgro (sam_at_freeswan.org)
Date: Wed Oct 09 2002 - 08:33:05 CEST



On Wed, 9 Oct 2002, Matthew Pozzi wrote:

> I have used the ppp ip-up.d and ip-down.d to call a simple script to shut
> down the connection, kill routing and stop IPSEC on a disconnect and to
> start and auto --up and new connection with a new ip address connection. I
> have both ends using start=add so that the scripts will bring the connection
> up and down as required when ppp stops and starts the new connections. I did
> this in an attempt to get the VPN to reconnect correctly when the ADSL
> service reconnects, even when the other end still has its connection up, as
> it does not know that the connection has dropped.

As you know, Pluto only resolves the names when a connection is added,
not upped. There's no easy solution to this; many people use automatic cron
scripts to check to see if a VPN partner is up via ping, and if that test
fails, use the "ipsec auto" commands to --delete and --add the connection again.
The dead peer patch (wherever it might be atm) addresses this concern. Read
this recent message for another suggestion:

http://lists.freeswan.org/pipermail/users/2002-October/014870.html

We're currently looking into a better way for IPsec to survive disconnects like
this.

> Currently when calling
> ipsec setup start and then ipsec auto --up vpn, Pluto tries to start but
> cannot find an interface called ipsec0, see below
>
> Oct 9 00:13:15 firewall ipsec__plutorun: 022 "vpn": we have no ipsecN
> interface for either end of this connection

Question: how do you define yourself in your setup? If you do so with a DynDNS
based name, as opposed to "%defaultroute" or the like, then perhaps pluto is
resolving your name to the *old* ip address. Then, when it looks through the
connection to find a matching IP address to an ipsecN interface, it can't find
one. (This is how our scripts know which side of a connection is, er, itself.)
It might help to turn plutodebugging to "all" temporarily, so we can perhaps
see more detail on the specific complaint.

--
Sam Sgro
sam_at_freeswan.org

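The cron-driven check Sam describes above (ping the VPN partner, and on failure `ipsec auto --delete` / `--add` the connection so Pluto resolves its names afresh), written out as an added example; it is not a script from the thread or from FreeS/WAN. The connection name `vpn` is from the thread; the peer address, ping count and script name are assumptions for illustration.

```shell
#!/bin/sh
# Added example: re-add a FreeS/WAN connection when the peer stops answering.
# Pluto resolves DNS names only at --add time, so a --delete/--add cycle is
# what picks up a partner's new dynamic address. Run from cron, e.g.
#   */5 * * * * /usr/local/sbin/vpn-check.sh

CONN="${CONN:-vpn}"                  # connection name from ipsec.conf
PEER_ADDR="${PEER_ADDR:-192.0.2.1}"  # assumed: a host reachable only via the tunnel
PING_COUNT="${PING_COUNT:-3}"
LOGTAG="vpn-check"

# Log to syslog when logger is available, otherwise to stderr.
log() { logger -t "$LOGTAG" "$*" 2>/dev/null || echo "$LOGTAG: $*" >&2; }

# Returns 0 if the far side of the tunnel answers, non-zero otherwise.
peer_alive() {
    ping -c "$PING_COUNT" -w 10 "$PEER_ADDR" >/dev/null 2>&1
}

# Delete and re-add the connection (forcing name resolution), then bring it up.
reconnect() {
    ipsec auto --delete "$CONN" &&
    ipsec auto --add "$CONN" &&
    ipsec auto --up "$CONN"
}

# One check cycle. Prints "up", "reconnected" or "failed" and returns
# non-zero only when the reconnect itself failed.
check_vpn() {
    if peer_alive; then
        echo up
        return 0
    fi
    log "peer $PEER_ADDR unreachable, re-adding connection $CONN"
    if reconnect; then
        echo reconnected
        return 0
    fi
    log "re-adding connection $CONN failed"
    echo failed
    return 1
}

# Run one check when invoked as the script itself (not when sourced).
case "${0##*/}" in
    vpn-check.sh) check_vpn ;;
esac
```

Because the ping target sits behind the tunnel, a plain Internet outage and a stale peer address both show up as "peer unreachable", so pair the check with the `plutodebug` output Sam mentions when diagnosing which one it was.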

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.5 : Thu Oct 10 2002 - 05:20:24 CEST