DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Failure to renegotiate tunnel after IP address changes

24 Oct 2009 16:18 #7 by njh
I have a problem with the man pages. For some reason I cannot get the ipsec.conf man page to install. All the other ones do. I found an up-to-date version here.

I've never tried using aggressive mode. It is not so secure and has very scathing comments about it in the Openswan docs.

I've seen your post to the Openswan mailing lists. I would not be surprised if you are asked to upgrade Openswan to 2.4.15 and/or 2.6.23 on your servers. The Openswan guys are pretty good at responding, but mainly in working hours, North American time.

2900Gi/v2.5.6; 2900/v2.5.6

28 Oct 2009 23:40 #8 by ajsc
Well, it seems to me that I'm out of luck with using both NAT and Openswan or the Draytek routers.

No one replied to my message to the OpenSwan mailing list but, after paying attention to the latest messages in the Openswan-users mailing list, I believe that OpenSwan with NAT-T cannot be trusted to perform reliably. The lack of documentation on that mode has made me pause before trying it...

I guess I'll shelve the Drayteks until I can find a use for those with static IPs on both ends of the VPN, and try OpenVPN for the Linux-Linux connections.

29 Oct 2009 07:27 #9 by njh
There is a NAT-T issue with Openswan which they are trying to fix with 2.6.24rc which is where all the effort appears to be going. I believe the issue does not exist in 2.4.15 which is why they won't kill off the 2.4 branch for the moment. It also depends if you use KLIPS or NETKEY for your protocol stack (you have to do a special installation for the older KLIPS).

The NAT-T issue is only for certain configurations but I don't know what (something to do with bug 1004!). I have seen people with NAT-T configurations that work.

I have a feeling the devs are focussing on this NAT-T rc for the moment. It may be worth trying to ping them again and see what they say. I would do it when they are likely to be at work (Ottawa, Canada).

Did you get anywhere with my PSK configuration?

2900Gi/v2.5.6; 2900/v2.5.6

01 Nov 2009 22:52 #10 by ajsc
No, same results when using PSK. In the meanwhile I set up openvpn and have been quite pleased with it. It's not that openvpn is simpler to configure than openswan, both require short configuration files for basic connections. But openvpn's documentation is more accessible and openvpn currently works with the "client" behind NAT and dynamic IPs!

I either had bad luck with one of the two versions of OpenSwan I was using (didn't try others) or (and this is what I suspect) there's some kind of cache or security verification in the NAT-T code which leads to rejecting a connection when the source IP seen by the peer changes. Or I may be wrong and it was caused by some oddity in a router somewhere on the network path - people are too inclined to deploy firewalls and other security software everywhere these days. And yes, I get the irony of saying this in a VPN forum. :D

I try to use only the packages supplied with the operating system, and avoid when possible using patches or newer versions - bad for maintenance. So, with an alternative available, I'm not insisting on the mailing list.
It's a pity that the drayteks do not support openvpn, but I can replace the routers with openVPN/linux running on a field computer. Thanks for the answers!
