Hi Sanjay,

> When a connection is configured in /etc/ipsec.conf but the left side of
> the connection is not responding (say left is unreachable) I see the
> ping behavior as below
>
> root@ffd-ipsec-189 sanjay]# ping 10.204.74.188
>
> basically ping is stuck or blocked.

That's due to auto=route. The latter installs a trap policy in the kernel which defines that traffic to your target host *must* be encrypted. So unless the IPsec SA can be established, those packets are silently swallowed by the Linux kernel (it won't attempt to send them unencrypted).

> Now if I do not have a connection configured in the /etc/ipsec.conf I
> see that the ping responds like this
>
> root@ffd-ipsec-189 sanjay]# ping 10.204.74.188
> PING 10.204.74.188 (10.204.74.188) 56(84) bytes of data.
> From 10.204.74.189 icmp_seq=2 Destination Host Unreachable

What ping receives is basically an ICMP response generated by your own host when it fails to successfully do an ARP lookup for your destination address, which is in the same subnet (if that were not the case, some intermediate router would send such a response). Since auto=route prevents the packet from being sent (no ARP lookup will be done), you won't get any such response.

> What settings can be done for a timeout to occur so that a program that
> is trying to reach an IP may not be blocked forever if the IPsec SA cannot
> be established?

Well, that's up to the application trying to communicate with your remote host. For ping you can try the -w option.

Regards,
Tobias

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
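As an added illustration of the two points in the reply above (not code from the thread or from strongSwan), the script below checks whether an outbound xfrm policy exists for the destination, which is what makes the kernel require IPsec and swallow cleartext packets, and wraps ping in a deadline so a caller is never blocked forever. It assumes the `ip xfrm policy show` output format of iproute2, handles only /32 host policies, and uses a constructed sample of that output.

```bash
#!/bin/sh
# Added example, not from the original mailing-list post.

# Constructed sample of `ip xfrm policy show` output: the outbound
# policy a trap (auto=route) connection installs for the host pair
# from the thread. Replace with live output via policy_covers DST.
SAMPLE_XFRM_POLICY='src 10.204.74.189/32 dst 10.204.74.188/32
	dir out priority 367231 ptype main
	tmpl src 10.204.74.189 dst 10.204.74.188
		proto esp reqid 1 mode tunnel'

# policy_covers DST [POLICY_TEXT]
# Returns 0 if an outbound ("dir out") xfrm policy matches DST as a /32
# host policy. When it does, packets to DST are held by the kernel
# until an IPsec SA exists, which explains a ping that never returns.
# Without POLICY_TEXT the live policy table is read (needs root).
policy_covers() {
    dst=$1
    text=${2:-$(ip xfrm policy show 2>/dev/null)}
    printf '%s\n' "$text" | awk -v dst="$dst" '
        BEGIN { target = dst "/32"; found = 0 }
        # Selector line: "src A/32 dst B/32"; fields 2 and 4 are the CIDRs.
        /^src / { in_dst = ($4 == target) }
        # Indented continuation lines belong to the last selector seen.
        in_dst && /dir out/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# ping_bounded DST SECONDS
# ping -w sets a deadline: ping exits non-zero once SECONDS have passed
# without the requested replies, so callers get a timeout instead of
# blocking forever on a trap policy with no SA.
ping_bounded() {
    ping -c 3 -w "$2" "$1" >/dev/null 2>&1
}

# Example usage against the constructed sample:
#   policy_covers 10.204.74.188 "$SAMPLE_XFRM_POLICY" && echo "IPsec required"
#   ping_bounded 10.204.74.188 5 || echo "no reply within 5s"
```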