Hi folks,

I would highly appreciate some feedback about this. Is it
unreasonable to expect that the IPsec payload should not be
affected by the slow updown script?

All the road warrior Macs and iPhones do VPN-on-demand.
Currently the IPsec connection succeeds, but the DNS lookup
(the "demand" in this case) fails. You might imagine that
this affects a lot of tools (calendar lookup, email, etc.)
From the user's point of view this is the difference between
"works" and "doesn't work".


Thanx very much
Harri

On 07/04/16 09:33, Harald Dunkel wrote:
> PS: I found out a little bit more. If there is a new connection
> initiated by a road warrior, then /var/log/messages shows me
> 
> Jul  4 08:55:03 srvl047 kernel: [73014.164939] iptables-dropped: IN=eth0 
> OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.87 
> DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=23018 PROTO=UDP 
> SPT=50374 DPT=53 LEN=47
> Jul  4 08:55:03 srvl047 kernel: [73014.164948] iptables-dropped: IN=eth0 
> OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.87 
> DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=21954 PROTO=UDP 
> SPT=62524 DPT=53 LEN=47
> Jul  4 08:55:03 srvl047 kernel: [73014.165334] iptables-dropped: IN=eth0 
> OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.87 
> DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=383 PROTO=UDP 
> SPT=64310 DPT=53 LEN=46
> Jul  4 08:55:03 srvl047 kernel: [73014.165340] iptables-dropped: IN=eth0 
> OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.87 
> DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=41664 PROTO=UDP 
> SPT=50876 DPT=53 LEN=46
> Jul  4 08:55:03 srvl047 vpn: + C=DE, O=example AG, OU=TI, 
> CN=ppcm026.ws.example.com 172.19.97.87/32 == 5.145.142.13 -- 5.145.142.17 == 
> 172.19.96.0/19
> 
> I know that the sequence in the log file might not match the
> actual sequence of events, but I wonder if there could be a
> race condition?
> 
> Is there some way to introduce an artificial "new connection
> delay" for the very first packages to give the firewall some
> time to come up?
> 
> https://wiki.strongswan.org/projects/strongswan/wiki/Updown
> suggests to introduce global iptable entries instead of
> setting leftfirewall=yes. Both source and destination address
> in the "iptables-dropped" lines are valid on eth1 (the
> internal side) only. I wouldn't like to support global
> forward rules between eth0 and eth1. Maybe there is a way to
> introduce a virtual network device to be used exclusively for
> the VPN payload, instead of eth0?
> 
> 
> Every helpful comment is highly appreciated. Regards
> 
> Harri
> 
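As an added example (not code from the thread or from strongSwan): a Python correlator that reads /var/log/messages lines like the ones quoted above and flags DNS packets dropped from a client's virtual address in the seconds before that client's updown "+" line, which is the ordering Harri suspects. The sample log is constructed from the quoted excerpt; the 2-second window and the second client 172.19.97.88 are assumptions.

```python
import re
from datetime import datetime

# Constructed sample modelled on the /var/log/messages excerpt in the thread.
# A second client, 172.19.97.88, is added with a drop that has no updown
# event nearby, to show the case that is NOT the suspected race.
SAMPLE_LOG = """\
Jul  4 08:55:03 srvl047 kernel: [73014.164939] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.87 DST=172.19.96.123 LEN=67 TOS=0x00 PREC=0x00 TTL=254 ID=23018 PROTO=UDP SPT=50374 DPT=53 LEN=47
Jul  4 08:55:03 srvl047 kernel: [73014.165334] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.87 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=383 PROTO=UDP SPT=64310 DPT=53 LEN=46
Jul  4 08:55:03 srvl047 vpn: + C=DE, O=example AG, OU=TI, CN=ppcm026.ws.example.com 172.19.97.87/32 == 5.145.142.13 -- 5.145.142.17 == 172.19.96.0/19
Jul  4 09:10:41 srvl047 kernel: [73952.100000] iptables-dropped: IN=eth0 OUT=eth1 MAC=80:ee:73:a2:e6:17:00:00:5e:00:01:3d:08:00 SRC=172.19.97.88 DST=172.19.96.123 LEN=66 TOS=0x00 PREC=0x00 TTL=254 ID=5 PROTO=UDP SPT=40000 DPT=53 LEN=46
"""

SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (\S+): (.*)$")
DROP = re.compile(r"iptables-dropped: (.*)$")
# updown "+" line as quoted: "+ <identity> <client>/<len> == <peer> -- <me> == <subnet>"
UPDOWN_UP = re.compile(r"^\+ (.*?) (\d+\.\d+\.\d+\.\d+)/\d+ == (\S+) -- \S+ == \S+$")

def parse_ts(stamp):
    # syslog stamps carry no year; the 1900 default is fine for ordering
    return datetime.strptime(stamp, "%b %d %H:%M:%S")

def correlate(log_text, window_s=2.0):
    """Return ({client_ip: summary}, [drops with no updown event nearby]) for
    DNS drops that precede the client's updown '+' event by <= window_s seconds."""
    drops, ups = [], []
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        ts, tag, msg = parse_ts(m.group(1)), m.group(2), m.group(3)
        d = DROP.search(msg)
        if tag == "kernel" and d:
            kv = dict(tok.split("=", 1) for tok in d.group(1).split() if "=" in tok)
            if kv.get("PROTO") == "UDP" and kv.get("DPT") == "53":
                drops.append((ts, kv["SRC"], kv["DST"], kv["SPT"]))
        elif tag == "vpn":
            u = UPDOWN_UP.match(msg)
            if u:
                ups.append((ts, u.group(2), u.group(1), u.group(3)))
    races, explained = {}, set()
    for ts_up, client, ident, peer in ups:
        hits = [i for i, d in enumerate(drops)
                if d[1] == client and 0 <= (ts_up - d[0]).total_seconds() <= window_s]
        if hits:
            races[client] = {"identity": ident, "peer": peer, "drops": len(hits),
                             "resolvers": sorted({drops[i][2] for i in hits})}
            explained.update(hits)
    unexplained = [d for i, d in enumerate(drops) if i not in explained]
    return races, unexplained
```

Run it over a real /var/log/messages to count how many VPN-on-demand sessions lost their first DNS queries; drops in the unexplained list point at something other than the updown timing.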

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users