[strongSwan] help: ping behaviour when tunnel is not established

Hans-Kristian Bakke hkbakke at gmail.com
Thu Apr 26 09:28:58 CEST 2012


I of course meant ICMP not SNMP.

This has the effect of working for all traffic destined for not-established
IPsec tunnels, not only ping, speeding up everything.

Regards,

*Hans-Kristian Bakke*



On Thu, Apr 26, 2012 at 09:27, Hans-Kristian Bakke <hkbakke at gmail.com> wrote:

> This is actually easy to solve using normal "network" behaviour, that is
> making the IPSec gateway respond with SNMP unreachable message if it can't
> send the package to its destination.
>
> Here is an example using IPtables. In this example the IPsec clients have
> addresses in the 10.0.1.0/24 network and they are terminated on the
> WAN-interface:
>
> iptables -A WAN_OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
> iptables -A WAN_OUTPUT -d 10.0.1.0/24 -j REJECT --reject-with icmp-admin-prohibited
>
> Explanation:
> If the package is going out an established connection ACCEPT it. If there
> is no established connection reject all packages to the IPsec network with
> SNMP-message.
>
>
> Regards,
>
> *Hans-Kristian Bakke*
>
>
>
> On Fri, Apr 13, 2012 at 21:57, Shukla, Sanjay <Sanjay.Shukla at ipc.com> wrote:
>
>> I request your urgent help in understanding this behavior.
>>
>> When a connection is configured in /etc/ipsec.conf but the left side of
>> the connection is not responding (say left is unreachable) I see the ping
>> behavior as below
>>
>> root at ffd-ipsec-189 sanjay]# ping 10.204.74.188
>>
>> basically ping is stuck or blocked.
>>
>> Now if I do not have a connection configured in the /etc/ipsec.conf I see
>> that the ping responds like this
>>
>> root at ffd-ipsec-189 sanjay]# ping 10.204.74.188
>> PING 10.204.74.188 (10.204.74.188) 56(84) bytes of data.
>> From 10.204.74.189 icmp_seq=2 Destination Host Unreachable
>> From 10.204.74.189 icmp_seq=3 Destination Host Unreachable
>> From 10.204.74.189 icmp_seq=5 Destination Host Unreachable
>>
>> What settings can be done for a timeout to occur so that a program that
>> is trying to reach an IP may not be blocked forever if the ipsec SA cannot be
>> established?
>>
>> My connection settings are as follows
>>
>> #Below Are The Configuration for CCM_CCM IPSec Tunnel
>> conn LocalIP_LocalIP_10.204.74.188
>>         left=10.204.74.189
>>         leftcert=ServLcl.pem
>>         leftsendcert=yes
>>         leftupdown=/opt/ipc/security/ipsectunnel/rightdown.sh
>>         right=10.204.74.188
>>         rightid=%any
>>         keyexchange=ikev2
>>         type=transport
>>         reauth=no
>>         dpddelay=5s
>>         dpdaction=restart
>>         keyingtries=%forever
>>         auto=route
>>
>> regards,
>>
>> -sanjay
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>
>
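The two iptables rules quoted above, wrapped as an added example that is not code from the thread or from strongSwan. It assumes a user-defined chain named WAN_OUTPUT that the OUTPUT chain already jumps to, the client network 10.0.1.0/24, and a DRY_RUN switch; all three are illustrative. Beyond the quoted rules it adds two things a gateway operator usually wants: idempotent installation via `iptables -C`, so re-running the script does not stack duplicate rules, and a check that the policy-match ACCEPT sits before the REJECT, since in the other order traffic for tunnels that are established would be rejected as well.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan.
# Installs the "reject to the client network while no IPsec SA exists" rules
# idempotently and checks their order. Assumptions (illustrative, not from the
# original post): a user-defined chain WAN_OUTPUT that the OUTPUT chain already
# jumps to, the client network 10.0.1.0/24, and a DRY_RUN switch.
IPSEC_NET="${IPSEC_NET:-10.0.1.0/24}"
CHAIN="${CHAIN:-WAN_OUTPUT}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the iptables commands instead of running them

# Run iptables, or just print the command line in dry-run mode.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Append a rule unless an identical one is already present; iptables -C exits 0
# when the rule exists, so re-running the script does not stack duplicates.
ensure_rule() {
    if [ "$DRY_RUN" != "1" ] && iptables -C "$@" 2>/dev/null; then
        return 0
    fi
    ipt -A "$@"
}

# Order matters: the policy-match ACCEPT must precede the REJECT, otherwise
# packets for a tunnel that IS established are rejected too.
install_rules() {
    ensure_rule "$CHAIN" -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    ensure_rule "$CHAIN" -d "$IPSEC_NET" -j REJECT --reject-with icmp-admin-prohibited
}

# Verify the order in a ruleset read from stdin (the output of `iptables -S CHAIN`).
# Returns 0 when the ACCEPT appears before the REJECT, 1 otherwise.
rules_in_safe_order() {
    rules=$(cat)
    accept_line=$(printf '%s\n' "$rules" | grep -n -- '--pol ipsec.*-j ACCEPT' | head -n 1 | cut -d: -f1)
    reject_line=$(printf '%s\n' "$rules" | grep -n -- "-d $IPSEC_NET .*-j REJECT" | head -n 1 | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$reject_line" ] && [ "$accept_line" -lt "$reject_line" ]
}

# With the default DRY_RUN=1 this only prints the two commands it would run.
install_rules
```

To audit an existing gateway, pipe the live chain into the checker: `iptables -S WAN_OUTPUT | DRY_RUN=0 sh -c '. ./script.sh >/dev/null; rules_in_safe_order' && echo order ok` (with the script saved under the name you choose). Note that `-m policy --pol ipsec` only matches packets that already have an IPsec policy with a usable SA, which is exactly why traffic for a tunnel that is still being negotiated falls through to the REJECT.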