18 May
2012
18 May
'12
10:54 a.m.
I'm load testing a kernel mode IPsec setup. When IKE SAs renegotiate
one or two IP packets get sent on the default route but after the
tunnel is back up the TCP connection remains stuck on the default
route by-passing xfrm policy until the TCP connection closes from
retransmission failures.
Ping is not affected the same way. It uses the tunnel as soon as a new
child SA is up (even while TCP is broken).
The next TCP connection uses the tunnel immediately.
What can I do to fix this?
Things I've tried that did not work:
- conntrack -D
- iptables -t raw ... -j NOTRACK # have verified the connections
never appear in conntrack state
- ip route cache flush # while a connection is stuck on the wrong path
Kernel is 2.6.32.
The TCP connections terminate on a loopback of the IPsec gateway.
Ideas?