[vpn-help] tunnel needs one initial ping
Matthew Grooms
mgrooms at shrew.net
Mon Nov 15 22:18:57 CST 2010
On 10/16/2010 1:25 PM, Andreas Hoppe wrote:
> Hi,
>
> after solving the compile problem, I could establish a tunnel to the
> network behind the Fritz!Box 7270 through the internet.
>
...
> After the second ping (the "received ping") I can use the network as it
> should be.
>
> For now, I start the tunnel with a bash script that pings the foreign
> network after establishing the tunnel. But this is only a workaround.
>
> Is the "ping-problem" a known problem? I use the newest version of shrew.
>
The "ping-problem" is just the way IPsec works on Linux and BSD OSes.
When an IPsec connection is established, an ISAKMP SA is created along
with IPsec policies. IPsec SAs (the ones used to protect actual user
traffic) aren't negotiated until packets match an IPsec policy. The
kernel then requests that an SA be negotiated to protect the traffic.
Sometimes there is a noticeable delay between when the first packet
matches a policy and when a mature SA is available to protect the
network traffic. On BSD systems, the packet is cached and is forwarded
when the SA becomes available. I'm not sure if this is the case on Linux
or not. Chances are, if you started a TCP connection, it would also work,
but you may have to wait around for a retry to occur before the packets
would actually traverse the VPN tunnel.
-Matthew
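The behaviour Matthew describes is why Andreas's single priming ping is fragile: the first packet that matches the policy only triggers the kernel's request for an SA, and may itself be lost while negotiation is still running. The script below is an added example, not code from this thread or from the Shrew Soft client. It makes the workaround robust on Linux by probing with a bounded number of retries and, instead of trusting one ping reply, checking the kernel SA database with `ip xfrm state` for a mature inbound/outbound ESP pair to the peer gateway. Assumptions that are mine, not the page's: the sample `ip xfrm state` output is constructed by hand; a not-yet-negotiated (larval) entry is assumed to show `spi 0x00000000` and no key material, while a mature one has a non-zero SPI and an `enc` line; the addresses and attempt count are placeholders.

```shell
#!/bin/sh
# Prime an IPsec tunnel on Linux: the first policy-matching packet only asks the
# kernel to negotiate an SA, so probe repeatedly and watch the SA database
# rather than relying on a single ping. Added example, not from the original thread.

# Constructed sample of `ip xfrm state` output (hand-written, not captured):
# one larval acquire entry (spi 0, no keys) plus a mature inbound/outbound
# pair for peer gateway 203.0.113.5. Key bytes are dummy values.
SAMPLE_XFRM_STATE='src 192.0.2.10 dst 203.0.113.5
    proto esp spi 0x00000000 reqid 1 mode tunnel
    replay-window 0
src 192.0.2.10 dst 203.0.113.5
    proto esp spi 0xc3a4b2d1 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-hmac(sha1) 0x0011223344556677889900aabbccddeeff001122
    enc cbc(aes) 0x00112233445566778899aabbccddeeff
src 203.0.113.5 dst 192.0.2.10
    proto esp spi 0x1e2d3c4b reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-hmac(sha1) 0x0011223344556677889900aabbccddeeff001122
    enc cbc(aes) 0x00112233445566778899aabbccddeeff'

# count_mature_sa PEER
# Reads `ip xfrm state` text on stdin and prints how many ESP SAs to or from
# PEER are mature. Assumption: mature == non-zero SPI and an `enc` key line;
# a larval entry created by the kernel's acquire has spi 0x00000000 and no keys.
count_mature_sa() {
    awk -v peer="$1" '
        function flush() {
            if (peer_ok && spi_ok && has_key) n++
            peer_ok = 0; spi_ok = 0; has_key = 0
        }
        # Each SA entry starts with "src A dst B"; match either direction.
        /^src / { flush(); peer_ok = ($2 == peer || $4 == peer); next }
        peer_ok && $1 == "proto" && $2 == "esp" { spi_ok = ($4 != "0x00000000") }
        peer_ok && $1 == "enc" { has_key = 1 }
        END { flush(); print n + 0 }
    '
}

# prime_tunnel TARGET PEER [ATTEMPTS]
# TARGET is a host inside the remote network, PEER the remote gateway address.
# Sends one probe per attempt; the probe itself may be dropped while the kernel
# waits for the SA, so success is judged by the SA database, not by ping.
# Requires at least two mature SAs (one per direction) before declaring the
# tunnel usable.
prime_tunnel() {
    target="$1"; peer="$2"; attempts="${3:-10}"
    i=1
    while [ "$i" -le "$attempts" ]; do
        ping -c 1 -W 1 "$target" >/dev/null 2>&1 || true
        if [ "$(ip xfrm state | count_mature_sa "$peer")" -ge 2 ]; then
            echo "mature SA pair to $peer after $i probe(s)"
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    echo "no mature SA pair to $peer after $attempts probes" >&2
    return 1
}

# Usage from a tunnel-up script: prime_tunnel 192.168.178.20 203.0.113.5 15
if [ "$#" -ge 2 ]; then
    prime_tunnel "$@"
fi
```

Run it from the script that brings the tunnel up, passing a host on the far side and the gateway address; if it returns non-zero after the chosen number of probes, the problem is not the usual negotiation delay but a failed phase 2, which is worth looking at in the client log rather than masking with more pings.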