[Swan] OnDemand connection torn down by DPD results in "no routed template"

Paul Wouters paul at nohats.ca
Wed Dec 5 19:24:03 UTC 2018 

3.15 is really old. Please upgrade and let us know if the problem is still there.

You can find RHEL/centos 6 binaries of newer versions at download.libreswan.org/binaries/rhel/6/

Paul

Sent from mobile device

> On Dec 5, 2018, at 14:01, Matthew Johnson <matthew.f.j at gmail.com> wrote:
> 
> Hi,
> 
> I'm running Linux Libreswan 3.15 (netkey) on 2.6.32-754.2.1.el6.x86_64
> 
> In my test lab, I've noticed that when my OnDemand connections are torn down due to DPD, subsequent connection attempts (once the server is available again) result in " no routed template covers this pair ". For example:
> 
> 10.1.190.96/32:47060 -17-> 10.1.190.201/32:1025 => %hold 0    no routed template covers this pair
> 
> West:
> conn conman-client
>         right=10.1.190.84
>         rightsubnet=10.1.190.201/32
>         also=tunneled-client_default
>         auto=route
> 
> conn tunneled-client_default
>         type=tunnel
>         authby=null
>         left=%defaultroute
>         negotiationshunt=hold
>         failureshunt=drop
>         ikev2=insist
>         dpddelay=2
>         dpdtimeout=8
>         #dpdactions=(hold|clear|restart)
>         dpdaction=clear
>         rekey=yes
>         keyingtries=4
>         retransmit-timeout=5
>         forceencaps=yes
>         leftmodecfgclient=yes
>         rightmodecfgserver=yes
>         modecfgpull=yes
> 
> East:
> conn conman-server_120
>         right=10.1.190.120
>         also=conman-server_default
>         auto=add
> 
> conn conman-server_default
>         type=tunnel
>         authby=null 
>         leftid=10.1.190.84
>         left=%defaultroute
>         leftsubnet=10.1.190.201/32
>         leftsourceip=10.1.190.201
>         rightaddresspool=10.1.190.244-10.1.190.254
>         negotiationshunt=hold 
>         failureshunt=drop 
>         ikev2=insist 
>         dpddelay=2
>         dpdtimeout=8
>         #dpdactions=(hold|clear|restart) 
>         dpdaction=clear
>         rekey=yes
>         keyingtries=4
>         retransmit-timeout=5
>         narrowing=yes 
>         forceencaps=yes
>         leftmodecfgserver=yes
>         rightmodecfgclient=yes
>         modecfgpull=yes
> 
> 
> The only way to recover from this state that I've discovered is to restart IPSec. I suspect this is a bug related to the version I'm using. However, is there a more elegant way to recover? For example, I could perhaps add some directive to the updown script?
> 
> Best regards,
> 
> Matt
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20181205/9002f0e7/attachment.html>

More information about the Swan mailing list