06-08-2009, 11:25 PM
Moderator | Join Date: Jul 2001 | Location: southern California | Posts: 5,133
[BUG 7.40x] IPSec Site-to-Site VPNs don't reconnect on reboot
Continuing the thread here, previously at
http://www.astaro.org/astaro-gateway...release-2.html
and
http://www.astaro.org/closed-forums-...ostarting.html
and with support: Ticket #2009042810000389 / CaseID 00096160
Quote:
BarryG,
thanks for the logfiles and sorry for the delay. The problem you're referring to is not connected to the fix we already shipped in 7.402 and not connected to any patch included in 7.403, though. I'll need to do some guessing what could cause your problem and what could help here:
If IpsecN interface is reported as missing, there is usually a part of the configuration missing. If a part of the configuration is missing, usually one (or more) of the parameters are not present. This could i.e. mean you use a DNS definition in your IPsec connection and at the point of starting IPsec the DNS name is not resolved yet. As an alternative, the (dynamic?) interface might not be up and running at that point. Usually this should 'fix itself' once the missing part is resolved or up - but in your case this seems not to happen.
Finding the problem:
- Please make a copy of the file /var/chroot-ipsec/etc/ipsec.conf when the system is up and running.
In case this happens again, please try the following:
- check /var/chroot-ipsec/etc/ipsec.conf against the version which was ok
- check in WebAdmin if some definitions used there (e.g. interfaces, DNS hosts, ..) are unresolved
- check if pluto is running or currently being restarted i.e. by selfmon
- check if a confd restart on the shell solves your problem
I apologize for obviously not matching your problem with our fix in 7.402/7.403 and look forward to resolving that one as soon as possible.
Regards,
Marcel
|
I'll reboot in a few minutes and compare the files.
My remote connections are to static IP definitions, however.
The only thing that is dynamic is my internet connection at home (DHCP Fiber), but my IP doesn't change frequently, even across quick reboots.
Thanks,
Barry
__________________
http://DealBert.net
Home & business end-user since v1.x - ASL 6.3x, HP DL145 Dual Opteron, 1GB RAM, 6 gigE NICs, 50-IP Platinum License
- ASL 7.3x, Dell PE1550 Dual PIII 1GHz, 1GB RAM, 2 NICs, 50-IP Platinum License
- ASL 7.5x, 17-watt fanless mini-ITX system: MSI IM-945GSE-A Atom n270, 2GB RAM, Morex T3310 case. 2 Intel GigE, 3 VLANs. 80G 5200rpm 2.5" HD
Netgear GS108T gigE VLAN switch & Linksys WRT54G WAP
Total network infrastructure: 27 watts. 100-IP Home User. FiOS 10mb/2mb
Last edited by BarryG; 06-08-2009 at 11:31 PM.

06-08-2009, 11:38 PM
Moderator | Join Date: Jul 2001 | Location: southern California | Posts: 5,133
Also should mention that my home firewall is set to initiate, and the remote is respond only.
Just rebooted home... VPN is down...
diff'ing the old ipsec.conf vs the new one shows no difference and they both have the same md5sum
as mentioned, not using any dynamic definitions for the connection, other than the DHCP external interface, which is UP
Code:
# ps auxw |grep pluto
root 3559 0.0 0.3 4464 1692 ? Ss 15:29 0:00 /usr/libexec/ipsec/pluto --nofork --debug-none --nocrsend --nat_traversal --keep_alive 60
root 3567 0.0 0.0 1460 300 ? S 15:29 0:00 _pluto_adns
/etc/init.d/confdaemon restart
killed my internet connection for a minute, but the VPNs are still down.
Thanks,
Barry

06-22-2009, 08:23 AM
Administrator | Join Date: Dec 2001 | Location: Karlsruhe, Germany | Posts: 601
BarryG,
after reading the whole thread again, I must admit that it seems I was wrong with my initial diagnosis. 'IpsecN interface missing' is not a message which shows up in case one parameter is missing/unresolved. (in that case middleware would simply skip that connection when writing the ipsec.conf)
After rebooting your machine your Internet connection is (usually) directly up and running, correct? Can you check if the underlying eth interface is completely up when the IPsecN message appears?
Regards,
Marcel
__________________
Marcel Gehrlein
Astaro AG
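
Added example, not part of any post in this thread and not Astaro code: a small script that records, in one timestamped line, the three things asked about above (whether ipsec.conf still matches the known-good copy, whether the underlying interface is up, and whether pluto is running), so the result can be lined up against the time the IPsecN message appears in the log. The ipsec.conf path is the one from the thread; the baseline location, the interface name `eth1`, the availability of `pgrep` and of `/sys/class/net/<if>/operstate` on the appliance are assumptions.

```shell
#!/bin/sh
# Added example: snapshot of the checks discussed in this thread.
# CONF is the path given in the thread; BASELINE, IFACE and SYSFS are assumptions.
CONF=${CONF:-/var/chroot-ipsec/etc/ipsec.conf}
BASELINE=${BASELINE:-/root/ipsec.conf.good}   # copy taken while the VPN worked
IFACE=${IFACE:-eth1}                          # external (DHCP) interface
SYSFS=${SYSFS:-/sys/class/net}

# Prints "same" if the current config is byte-identical to the known-good copy.
conf_state() {   # conf_state <baseline> <current>
    [ -r "$1" ] || { echo "no-baseline"; return; }
    [ -r "$2" ] || { echo "missing"; return; }
    if cmp -s "$1" "$2"; then echo "same"; else echo "changed"; fi
}

# Prints the link state the kernel reports for the interface, or "absent".
iface_state() {  # iface_state <name> [sysfs-root]
    f="${2:-$SYSFS}/$1/operstate"
    if [ -r "$f" ]; then cat "$f"; else echo "absent"; fi
}

# Prints "running" if a process named exactly "pluto" exists.
pluto_state() {
    if pgrep -x pluto >/dev/null 2>&1; then echo "running"; else echo "stopped"; fi
}

# One timestamped line; append it to a file from a boot script or a loop
# to see in which order the interface and pluto come up after a reboot.
snapshot() {
    printf '%s conf=%s iface=%s:%s pluto=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$(conf_state "$BASELINE" "$CONF")" \
        "$IFACE" "$(iface_state "$IFACE")" "$(pluto_state)"
}

snapshot
```

Running it every few seconds after a reboot shows whether pluto was started before the interface reported `up`, which is the ordering question raised in the post above.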

06-26-2009, 12:46 PM
Administrator | Join Date: Dec 2001 | Location: Karlsruhe, Germany | Posts: 601
BarryG,
as I understand you're using DHCP/Cable modem for Internet access, you can also upgrade your system to (soft-released) 7.404 and check results again.
Best regards,
Marcel

06-26-2009, 03:34 PM
Wizard | Join Date: Oct 2005 | Posts: 2,424
Yes, try 7.404 ... that appears to address the issue.
__________________
Convergent Information Security Solutions, LLC
Astaro Preferred Solution Partner