[vpn-help] tunnel needs one initial ping

Andreas Hoppe hoppe at ha-systems.de
Mon Nov 15 23:15:24 CST 2010


Thank you Matthew,

I found out that the bash script works just fine, so I did not search
for another solution. :-)

But now I know why I'll have to work with the script.

Thanks!

Andreas



On 16.11.2010 05:18, Matthew Grooms wrote:
> On 10/16/2010 1:25 PM, Andreas Hoppe wrote:
>> HI,
>>
>> after solving the compile-problem, I could establish a tunnel to the
>> network behind the Fritz!Box 7270 through the internet.
>>
>
> ...
>
>> After the second ping (the "received ping") I can use the network as it
>> should be.
>>
>> For now, I start the tunnel with a bash-script that pings the foreign
>> network after establishing the tunnel. But this is only a workaround.
>>
>> Is the "ping-problem" a known problem? I use the newest version of
>> shrew.
>>
>
> The "ping-problem" is just the way IPsec works on Linux and BSD OS's.
> When an IPsec connection is established, an ISAKMP SA is created along
> with IPsec policies. IPsec SAs (the ones used to protect actual user
> traffic) aren't negotiated until packets match an IPsec policy. The
> kernel then requests that an SA be negotiated to protect the traffic.
> Sometimes there is a noticeable delay between when the first packet
> matches a policy and when a mature SA is available to protect the
> network traffic. On BSD systems, the packet is cached and is forwarded
> when the SA becomes available. I'm not sure if this is the case on
> Linux or not. Chances are, if you started a TCP connection, it would
> also work but you may have to wait around for a retry to occur before
> the packets would actually traverse the VPN tunnel.
>
> -Matthew
>
>


-- 
Dipl.-Ing. Andreas Hoppe 
An der Acher 35
77855 Achern
T.: 07841 / 601975
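The on-demand negotiation Matthew describes can be watched from the Linux side: the policy installed at IKE time appears in `ip xfrm policy` immediately, while `ip xfrm state` only gains a usable ESP entry after the first matching packet has triggered a kernel ACQUIRE and the child SA has come back from the IKE daemon; in between, a larval entry with `spi 0x00000000` sits there and (with the default `net.core.xfrm_larval_drop=1`) the triggering packets are dropped, which is why the first ping is lost. The script below is an added example for this thread, not code from Shrew Soft or from either poster: it wraps the "ping once to prime the tunnel" workaround in a retry loop and checks the SA state instead of trusting a single echo reply. The gateway address 203.0.113.5, the remote host 192.168.178.1, the `ikec -r <site>` invocation in the usage comment and the two embedded `ip xfrm state` snapshots are all constructed placeholders.

```shell
#!/bin/sh
# prime-tunnel.sh - added example for the vpn-help thread, not Shrew Soft code.
# After IKE phase 1 is up, send pings until the first reply arrives (the
# IPsec SA exists from that point on), then confirm via `ip xfrm state`.
set -u

# Constructed `ip xfrm state` output BEFORE the SA is negotiated: only the
# larval entry created by the kernel ACQUIRE is present (spi 0x00000000,
# no auth/enc keys). Traffic matching the policy is dropped in this state.
SAMPLE_BEFORE='src 198.51.100.7 dst 203.0.113.5
    proto esp spi 0x00000000 reqid 1 mode tunnel
    replay-window 0
    sel src 198.51.100.7/32 dst 192.168.178.1/32'

# Constructed output AFTER negotiation: one mature SA per direction,
# each with a real SPI and keying material.
SAMPLE_AFTER='src 198.51.100.7 dst 203.0.113.5
    proto esp spi 0xc1a2b3d4 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x0123456789abcdef0123456789abcdef01234567 96
    enc cbc(aes) 0x00112233445566778899aabbccddeeff
src 203.0.113.5 dst 198.51.100.7
    proto esp spi 0x9f8e7d6c reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x76543210fedcba9876543210fedcba9876543210 96
    enc cbc(aes) 0xffeeddccbbaa99887766554433221100'

# count_mature_sas PEER: read `ip xfrm state` text on stdin and print how
# many ESP entries to or from PEER carry a non-zero SPI. Larval entries
# (spi 0x00000000) are the pending ACQUIREs and are not counted.
count_mature_sas() {
    awk -v peer="$1" '
        /^src / { cur_src = $2; cur_dst = $4 }
        /proto esp/ {
            spi = ""
            for (i = 1; i <= NF; i++) if ($i == "spi") spi = $(i + 1)
            if ((cur_src == peer || cur_dst == peer) && spi != "" && spi != "0x00000000") n++
        }
        END { print n + 0 }'
}

# sa_ready PEER: success when both directions (2 mature SAs) are in place.
sa_ready() {
    [ "$(ip xfrm state | count_mature_sas "$1")" -ge 2 ]
}

# prime_tunnel HOST [TRIES]: ping HOST behind the gateway until the first
# echo reply comes back. The first packet only raises the ACQUIRE; a later
# one is the "received ping" that proves the SA is usable.
prime_tunnel() {
    target="$1"; tries="${2:-10}"; i=0
    while [ "$i" -lt "$tries" ]; do
        ping -c 1 -W 2 "$target" >/dev/null 2>&1 && return 0
        i=$((i + 1))
    done
    return 1
}

# Usage (site name and addresses are assumptions; ikec is Shrew Soft's CLI):
#   ikec -r fritzbox            # phase 1 + policies, no IPsec SA yet
#   PRIME_TUNNEL_RUN=1 ./prime-tunnel.sh 192.168.178.1 203.0.113.5
if [ "${PRIME_TUNNEL_RUN:-0}" = "1" ]; then
    prime_tunnel "${1:-192.168.178.1}" 10 || { echo "no reply: SA never came up" >&2; exit 1; }
    sa_ready "${2:-203.0.113.5}" && echo "tunnel primed, SAs in place" || { echo "reply but SA missing" >&2; exit 2; }
fi
```

Run the `ip xfrm state` check on both sides of the first ping and the larval-to-mature transition is visible directly; the retry loop matters because on Linux the packet that triggers the ACQUIRE does not traverse the tunnel itself, so a single `ping -c 1` right after `ikec` returns will report a loss even when everything is working.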



