[strongSwan] help: ping behaviour when tunnel is not established

Shukla, Sanjay Sanjay.Shukla at ipc.com
Mon Apr 16 17:13:19 CEST 2012


Hello,

Any insight to the below would be helpful.

Regards,
-sanjay

From: users-bounces+sanjay.shukla=ipc.com at lists.strongswan.org [mailto:users-bounces+sanjay.shukla=ipc.com at lists.strongswan.org] On Behalf Of Shukla, Sanjay
Sent: Friday, April 13, 2012 3:58 PM
To: users at lists.strongswan.org
Subject: [strongSwan] help: ping behaviour when tunnel is not established

I request you urgent help in understanding this behavior.

When a connection is configured in /etc/ipsec.conf but the left side of the connection is not responding (say left is unreachable) I see the ping behavior as below

root at ffd-ipsec-189 sanjay]# ping 10.204.74.188

basically ping is stuck or blocked.


Now if I do not have a connection configured in the /etc/ipsec.conf I see that the ping responds like this

root at ffd-ipsec-189 sanjay]# ping 10.204.74.188
PING 10.204.74.188 (10.204.74.188) 56(84) bytes of data.
>From 10.204.74.189 icmp_seq=2 Destination Host Unreachable
>From 10.204.74.189 icmp_seq=3 Destination Host Unreachable
>From 10.204.74.189 icmp_seq=5 Destination Host Unreachable

What settings can be done for a timeout to occurs to that a program that is trying to reach an ip may not be blocked forever if ipsec SA cannot be established ?


My connection setting as follows

#Below Are The Configuration for CCM_CCM IPSec Tunnel
conn LocalIP_LocalIP_10.204.74.188
        left=10.204.74.189
        leftcert=ServLcl.pem
        leftsendcert=yes
        leftupdown=/opt/ipc/security/ipsectunnel/rightdown.sh
        right=10.204.74.188
        rightid=%any
        keyexchange=ikev2
        type=transport
        reauth=no
        dpddelay=5s
        dpdaction=restart
        keyingtries=%forever
        auto=route

regards,
-sanjay



[cid:image001.png at 01CD1BC1.EDD21A60]Please consider the environment before printing this email.

________________________________
DISCLAIMER: This e-mail may contain information that is confidential, privileged or otherwise protected from disclosure. If you are not an intended recipient of this e-mail, do not duplicate or redistribute it by any means. Please delete it and any attachments and notify the sender that you have received it in error. Unintended recipients are prohibited from taking action on the basis of information in this e-mail.E-mail messages may contain computer viruses or other defects, may not be accurately replicated on other systems, or may be intercepted, deleted or interfered with without the knowledge of the sender or the intended recipient. If you are not comfortable with the risks associated with e-mail messages, you may decide not to use e-mail to communicate with IPC. IPC reserves the right, to the extent and under circumstances permitted by applicable law, to retain, monitor and intercept e-mail messages to and from its systems.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120416/3867b7a4/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 908 bytes
Desc: image001.png
URL: <http://lists.strongswan.org/pipermail/users/attachments/20120416/3867b7a4/attachment.png>


More information about the Users mailing list