Netgate Discussion Forum

IPSec with Multi-Wan

2.1 Snapshot Feedback and Problems - RETIRED
    Macom2007
    last edited by Sep 14, 2012, 3:49 PM

    Hi,

    I have IPSec working in a Multi-Wan environment except for one thing. After the primary gateway goes down, I have to restart racoon manually because of the old SAD and SPD entries. Is there a way to automate this?

    Regards

    Macom

      jimp Rebel Alliance Developer Netgate
      last edited by Sep 14, 2012, 4:59 PM

      How did you have it working? Using a failover group as the interface?

      We have worked a lot on the failover/failback code this week, it's possible some of the latest fixes (including one I just pushed about 20 minutes ago) will help with this.

        Macom2007
        last edited by Sep 14, 2012, 5:39 PM

        Yes, I use a failover group. I am going to get the latest snapshot now to see if your latest changes are fine …

        Best regards

        Macom

          Macom2007
          last edited by Sep 14, 2012, 6:39 PM Sep 14, 2012, 6:30 PM

          It is not working with the latest snapshot. After primary WAN failure the IPSec tunnel gets refreshed and the SAD is also fine. But the SPD stays on the old tunnel endpoints.

          After a manual restart of racoon on the multi-wan side the tunnel is up after 1 minute.

          I am on snapshot:

          2.1-BETA0 (i386)
          built on Fri Sep 14 08:11:09 EDT 2012

            Macom2007
            last edited by Sep 16, 2012, 10:24 AM Sep 16, 2012, 9:28 AM

            @jimp:

            How did you have it working? Using a failover group as the interface?

            We have worked a lot on the failover/failback code this week, it's possible some of the latest fixes (including one I just pushed about 20 minutes ago) will help with this.

            Maybe it is a timing issue. The logs show that first the IPSec tunnel is reloading and then the DynDns update is performed?

            Sep 16 11:26:13 php: : phpDynDNS (hummel1.dyndns.org): (Success) IP Address Changed Successfully! (77.22.xxx.xxx)
            Sep 16 11:26:13 php: : phpDynDNS: updating cache file /conf/dyndns_Internet_Pooldyndns'hummel1.dyndns.org'0.cache: 77.22.xxx.xxx
            Sep 16 11:26:13 php: : DynDns debug information (hummel1.dyndns.org): 77.22.xxx.xxx extracted from local system.
            Sep 16 11:26:13 php: : DynDNS (hummel1.dyndns.org): Current Service: dyndns
            Sep 16 11:26:13 php: : DynDNS (hummel1.dyndns.org): DynDns _checkStatus() starting.
            Sep 16 11:26:12 php: : MONITOR: TKRZ_GW is down, removing from routing group
            Sep 16 11:26:12 php: : DynDNS (hummel1.dyndns.org): DynDns _update() starting.
            Sep 16 11:26:12 php: : DynDns debug information (hummel1.dyndns.org): DynDns: cacheIP != wan_ip. Updating. Cached IP: 188.64.xxx.xxx WAN IP: 77.22.xxx.xxx
            Sep 16 11:26:12 php: : DynDns (hummel1.dyndns.org): Current WAN IP: 77.22.xxx.xxx Cached IP: 188.64.xxx.xxx
            Sep 16 11:26:12 php: : DynDns debug information (hummel1.dyndns.org): 77.22.xxx.xxx extracted from local system.
            Sep 16 11:26:12 php: : MONITOR: TKRZ_GW is down, removing from routing group
            Sep 16 11:26:12 php: : MONITOR: TKRZ_GW is down, removing from routing group
            Sep 16 11:26:12 php: : DynDNS (hummel1.dyndns.org): running get_failover_interface for Internet_Pool. found re2
            Sep 16 11:26:12 php: : MONITOR: TKRZ_GW is down, removing from routing group
            Sep 16 11:26:12 php: : DynDns debug information (hummel1.dyndns.org): 77.22.xxx.xxx extracted from local system.
            Sep 16 11:26:12 php: : MONITOR: TKRZ_GW is down, removing from routing group
            Sep 16 11:26:12 php: : DynDns: updatedns() starting
            Sep 16 11:26:12 php: : MONITOR: TKRZ_GW is down, removing from routing group
            Sep 16 11:26:12 php: : IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.

              Macom2007
              last edited by Sep 16, 2012, 3:57 PM

              I got it working. I modified the rc.newipsecdns script in /etc. I added

              sleep(15) and
              vpn_ipsec_force_reload();

              This is my working version:

              #!/usr/local/bin/php -f
              <?php
              /*
                $Id$
                part of m0n0wall (http://m0n0.ch/wall)

                Copyright (C) 2007 Manuel Kasper <mk@neon1.net>.
                Copyright (C) 2009 Seth Mos <seth.mos@dds.nl>.
                All rights reserved.

                Redistribution and use in source and binary forms, with or without
                modification, are permitted provided that the following conditions are met:

                1. Redistributions of source code must retain the above copyright notice,
                   this list of conditions and the following disclaimer.

                2. Redistributions in binary form must reproduce the above copyright
                   notice, this list of conditions and the following disclaimer in the
                   documentation and/or other materials provided with the distribution.

                THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
                INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
                AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
                AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
                OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
                SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
                INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
                CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
                ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
                POSSIBILITY OF SUCH DAMAGE.
              */

              /* parse the configuration and include all functions used below */
              require_once("config.inc");
              require_once("functions.inc");
              require_once("filter.inc");
              require_once("shaper.inc");
              require_once("ipsec.inc");
              require_once("vpn.inc");
              require_once("util.inc");

              /* make sure to wait until the boot scripts have finished */
              while (file_exists("{$g['varrun_path']}/booting")) {
                sleep(1);
              }
              $ipseclck = lock('ipsecdns', LOCK_EX);

              if (isset($config['ipsec']['enable'])) {
                /* added: wait 15 seconds before the refresh */
                sleep(15);
                log_error("IPSEC: One or more IPsec tunnel endpoints has changed its IP. Refreshing.");
              }

              /* We will walk the list of hostnames found in the ipsec tunnel
               * configuration. Since we are already triggered by filterdns
               * that a hostname has changed we can proceed to compare the
               * new IP address with the old address from the DNS cache.
               */
              vpn_ipsec_configure();
              vpn_ipsec_refresh_policies();
              /* added: force a reload as well */
              vpn_ipsec_force_reload();
              unlock($ipseclck);
              ?>
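
A check for the condition reported in this thread (SPD entries still pointing at the old WAN address after failover), as an added example that is not from the posts or from pfSense: it reads `setkey -DP` style output and lists tunnel policies whose local endpoint differs from the current WAN address. The addresses, the sample dump and the function names `sample_spd` and `stale_spd` are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag IPsec policies (SPD) that still use an old local
# tunnel endpoint after a WAN failover.

# Constructed sample in the layout printed by `setkey -DP`.
# 192.0.2.10 = old WAN, 198.51.100.20 = new WAN, 203.0.113.5 = remote peer.
sample_spd() {
    cat <<'EOF'
10.0.2.0/24[any] 10.0.1.0/24[any] any
        in ipsec
        esp/tunnel/203.0.113.5-192.0.2.10/unique#16386
        spid=2 seq=1 pid=4242
        refcnt=1
10.0.1.0/24[any] 10.0.2.0/24[any] any
        out ipsec
        esp/tunnel/192.0.2.10-203.0.113.5/unique#16385
        spid=1 seq=0 pid=4242
        refcnt=1
EOF
}

# stale_spd CURRENT_WAN_IP
# Reads an SPD dump on stdin, prints "<direction> <src>-<dst>" for every
# tunnel policy whose local endpoint is not CURRENT_WAN_IP.
# Exit status: 0 = all policies match, 1 = at least one stale policy.
stale_spd() {
    awk -v wan="$1" '
        # direction line of a policy
        $1 == "in" || $1 == "out" { dir = $1; next }
        # transform line: proto/tunnel/SRC-DST/level
        $1 ~ /\/tunnel\// {
            split($1, f, "/")
            split(f[3], ep, "-")
            # outbound tunnels start at the local address, inbound ones end there
            mine = (dir == "out") ? ep[1] : ep[2]
            if (mine != wan) { print dir, f[3]; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Demo on the constructed dump: the WAN address is now 198.51.100.20.
sample_spd | stale_spd 198.51.100.20 || echo "stale SPD entries found"
```

On the firewall the input would come from the real dump, for example `setkey -DP | stale_spd "$current_wan_ip"`, where `current_wan_ip` is a placeholder for the active WAN address.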