 From:  Ole Barnkob Kaas <obk at tet dot dk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  OpenVPN weirdness
 Date:  Sat, 22 Apr 2006 19:14:02 +0200

I've been using m0n0wall for almost a year and I really like it. It 
works far better than most other similar tools I've encountered. I use it 
mainly to connect remote offices to our SIP PBX. I started out with 
IPSec but as soon as I got OpenVPN to work I switched to that instead. 
It is much easier to administrate, ability to push routes, no need to 
know remote ip, etc.

As long as everything else is working as expected, operation is smooth. 
But recovery after failure is not good in 2 specific cases:

1. If the tunnel breaks and one of the phones tries to connect to the 
SIP server while the tunnel is down, that phone will not be able to 
connect to the SIP server once the tunnel is up. I have found 2 ways to 
"solve" this:

  a. Force a cold boot of the phone. The phone will do a TFTP download 
and after that operation is normal.

  b. Log in to the m0n0 and flush the state tables.

I guess that the state tables could get flushed whenever a tunnel gets 
up. But I'm not sure about the cause of this issue, so this is maybe not 
the Right Solution.

2. If the SIP service is down for some reason and one of the phones 
tries to contact the SIP server, m0n0 dies. It does not respond on any 
of the network interfaces. I haven't had a chance to hook up a serial 
cable to a m0n0 which died this way to see if it was still running. The 
cure is cycling the power.

I'm a bit puzzled by this one. Why should an unreachable service at the 
far end of the tunnel mess up everything (or maybe just the interfaces)?

I use the 1.2-ovpn2 image. I have tried 1.21 but PPTP fails on this one 
if I'm using OpenVPN. I have one 1.21-ovpn1 running at home though and 
the same problems apply to this one too.

I'm using the net48xx platform only. The server where all the m0n0s 
connect to is running Debian stable with OpenVPN 2.0


Ole Kaas