I of course meant ICMP not SNMP. This has the effect of working for all traffic destined for not-established IPsec tunnels, not only ping, speeding up everything.
Regards,

*Hans-Kristian Bakke*

On Thu, Apr 26, 2012 at 09:27, Hans-Kristian Bakke <[email protected]> wrote:

> This is actually easy to solve using normal "network" behaviour, that is
> making the IPSec gateway respond with an SNMP unreachable message if it can't
> send the package to its destination.
>
> Here is an example using IPtables. In this example the IPsec clients have
> addresses in the 10.0.1.0/24 network and they are terminated on the
> WAN-interface:
>
> iptables -A WAN_OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
> iptables -A WAN_OUTPUT -d 10.0.1.0/24 -j REJECT --reject-with icmp-admin-prohibited
>
> Explanation:
> If the package is going out an established connection, ACCEPT it. If there
> is no established connection, reject all packages to the IPsec network with
> an SNMP message.
>
> Regards,
>
> *Hans-Kristian Bakke*
>
> On Fri, Apr 13, 2012 at 21:57, Shukla, Sanjay <[email protected]> wrote:
>
>> I request your urgent help in understanding this behavior.
>>
>> When a connection is configured in /etc/ipsec.conf but the left side of
>> the connection is not responding (say left is unreachable) I see the ping
>> behavior as below:
>>
>> root@ffd-ipsec-189 sanjay]# ping 10.204.74.188
>>
>> basically ping is stuck or blocked.
>>
>> Now if I do not have a connection configured in the /etc/ipsec.conf I see
>> that the ping responds like this:
>>
>> root@ffd-ipsec-189 sanjay]# ping 10.204.74.188
>> PING 10.204.74.188 (10.204.74.188) 56(84) bytes of data.
>> From 10.204.74.189 icmp_seq=2 Destination Host Unreachable
>> From 10.204.74.189 icmp_seq=3 Destination Host Unreachable
>> From 10.204.74.189 icmp_seq=5 Destination Host Unreachable
>>
>> What settings can be done for a timeout to occur, so that a program that
>> is trying to reach an IP may not be blocked forever if the IPsec SA cannot be
>> established?
>>
>> My connection settings are as follows:
>>
>> #Below Are The Configuration for CCM_CCM IPSec Tunnel
>> conn LocalIP_LocalIP_10.204.74.188
>>     left=10.204.74.189
>>     leftcert=ServLcl.pem
>>     leftsendcert=yes
>>     leftupdown=/opt/ipc/security/ipsectunnel/rightdown.sh
>>     right=10.204.74.188
>>     rightid=%any
>>     keyexchange=ikev2
>>     type=transport
>>     reauth=no
>>     dpddelay=5s
>>     dpdaction=restart
>>     keyingtries=%forever
>>     auto=route
>>
>> regards,
>>
>> -sanjay
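As an added example (not code from the thread), the two rules from Hans-Kristian's reply wrapped in a small POSIX sh script: it also creates the WAN_OUTPUT chain and hooks it from OUTPUT and FORWARD for a given WAN interface (an assumption, since the thread does not show how WAN_OUTPUT is reached), keeps the policy ACCEPT ahead of the REJECT so established tunnels are untouched, and uses `iptables -C` so re-running it does not duplicate rules.

```sh
#!/bin/sh
# Added example, not from the thread: make the gateway answer
# "admin prohibited" for traffic to an IPsec client network whose
# tunnel is not up, following the two rules posted by Hans-Kristian.
# Assumptions (not in the thread): the WAN interface name, and that
# WAN_OUTPUT is a user chain jumped to from OUTPUT and FORWARD.

# Print the rule commands, one per line, in the order they must be
# applied: the policy ACCEPT has to precede the catch-all REJECT.
ipsec_reject_rules() {
    wan_if=$1       # e.g. eth0
    ipsec_net=$2    # e.g. 10.0.1.0/24, the IPsec clients' network
    cat <<EOF
iptables -N WAN_OUTPUT
iptables -A OUTPUT -o $wan_if -j WAN_OUTPUT
iptables -A FORWARD -o $wan_if -j WAN_OUTPUT
iptables -A WAN_OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -A WAN_OUTPUT -d $ipsec_net -j REJECT --reject-with icmp-admin-prohibited
EOF
}

# Apply only rules that are not already present (iptables -C exits 0
# when the rule exists), so the script is safe to run repeatedly.
apply_ipsec_reject_rules() {
    ipsec_reject_rules "$1" "$2" | while read -r cmd; do
        case $cmd in
            "iptables -N "*) $cmd 2>/dev/null || true ;;
            "iptables -A "*)
                check=$(printf '%s' "$cmd" | sed 's/^iptables -A /iptables -C /')
                $check 2>/dev/null || $cmd ;;
        esac
    done
}

# Number of rules the generator emits (dry run, needs no root).
rule_count() { ipsec_reject_rules "$1" "$2" | wc -l | tr -d ' '; }
```

Run `apply_ipsec_reject_rules eth0 10.0.1.0/24` as root on the gateway; `ipsec_reject_rules` alone prints the commands for review.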
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
