openswan sucks

January 9, 2014 @ 16:33

Right, so in the previous article I set up an IPSec VPN between Openswan and OpenBSD’s PF. The issue with it is that any time the OpenBSD end restarted, the Openswan end had no idea this occurred, and quit working with no notification of any sort. And just running ipsec auto --down $conn; ipsec auto --up $conn didn’t work either: it actually created an additional flow and SAD on the OpenBSD side, and the tunnel wouldn’t become active.

So I’m going old-school. I’m going to write a stupid hacky script to ping the OpenBSD internal endpoint from the Openswan box, and when it goes unresponsive, run ipsec auto --replace $conn && ipsec auto --up $conn to bring the tunnel back up.
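Here is one way to write that watchdog, as an added example rather than the script from this post. It assumes placeholder values for the connection name (CONN) and the OpenBSD internal endpoint (PEER_IP, a documentation address here), and it adds two things the paragraph above leaves implicit: it waits for several consecutive failed pings before acting, so one dropped packet doesn't tear the tunnel down, and it logs every restart via syslog so the silent failure the previous article describes at least leaves a trace.

```shell
#!/bin/sh
# Added example: ping-based watchdog for an Openswan tunnel.
# Not the post's own script; CONN and PEER_IP are placeholders.

CONN="${CONN:-vpn-to-openbsd}"     # assumed Openswan connection name
PEER_IP="${PEER_IP:-192.0.2.10}"   # assumed OpenBSD internal endpoint (RFC 5737 address)
FAIL_LIMIT="${FAIL_LIMIT:-3}"      # consecutive failed probes before a restart
INTERVAL="${INTERVAL:-30}"         # seconds between probes

fails=0   # consecutive failed probes so far

# One ICMP echo with a 2 s reply timeout (-W is iputils ping, as found on Linux).
probe_endpoint() {
  ping -c 1 -W 2 "$PEER_IP" >/dev/null 2>&1
}

# Rebuild the connection the way the post describes, and record it in syslog.
restart_tunnel() {
  logger -t ipsec-watchdog "$PEER_IP unreachable after $fails probes; replacing $CONN"
  ipsec auto --replace "$CONN" && ipsec auto --up "$CONN"
}

# One watchdog iteration.
# Returns 0 when the peer answered, 2 when it did not but the limit is not
# reached yet, and 1 when the limit was reached and a restart was triggered.
watchdog_once() {
  if probe_endpoint; then
    fails=0
    return 0
  fi
  fails=$((fails + 1))
  if [ "$fails" -ge "$FAIL_LIMIT" ]; then
    restart_tunnel
    fails=0
    return 1
  fi
  return 2
}

# Only loop when invoked as "watchdog.sh run", so the file can also be sourced.
if [ "${1:-}" = "run" ]; then
  while :; do
    watchdog_once
    sleep "$INTERVAL"
  done
fi
```

Run it as `CONN=myconn PEER_IP=10.0.0.1 sh watchdog.sh run` from cron's @reboot or an init script. The threshold matters for the same reason the author's down/up attempt did: every --replace is a full renegotiation, so you want it to fire on a genuinely dead tunnel, not on a single lost ping.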

See? Openswan sucks.

Feel free, by the way, to prove otherwise.