[Openswan Users] DPD and XAUTH problem

Murat Sezgin sezginmurat at gmail.com
Wed Jan 5 16:46:05 EST 2011


Hi Paul,

I upgraded them (both server and client side) to 2.6.32, but the problem is
still here. It works fine if I don't use XAUTH. If I enable XAUTH, the issue
happens. Below are the client's log messages, which may be critical for
DPD. I say "may be" because I am not very familiar with the code.

Have you ever tested openswan's DPD feature with XAUTH enabled? I read in
the ipsec.conf man page that xauth connections cannot rekey, so I also
disabled rekeying on both sides, but that did not help either. Why did I
do this? Because on the client side I see '"xauthclient" #2: DPD: could not
find newest phase 1 state', and some Google searches led me to disable
rekeying.

Regards,
Murat

Jan  5 13:27:40 xxxxx-laptop pluto[11823]: |   31 bc 27 bb  76 4f 1e 84  8f 7c 21 02  99 53 ba 5a
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | unpadded size is: 20
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | emitting 12 zero bytes of encryption padding into ISAKMP Message
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | encrypting 32 using OAKLEY_AES_CBC
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | next IV:  e8 41 37 50  87 a0 ce 2a  1e 58 44 f0  b1 9c 52 21
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | emitting length of ISAKMP Message: 60
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | inR1_outI2: instance xauthclient[0], setting newest_ipsec_sa to #2 (was #0) (spd.eroute=#2)
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | ICOOKIE:  06 b9 09 7c  a0 c2 b4 5c
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | RCOOKIE:  6c ec 8b 27  c2 9f fd ba
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | state hash entry 30
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | v1 peer and cookies match on #2, provided msgid 00000000 vs 903dd311
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | v1 peer and cookies match on #1, provided msgid 00000000 vs 00000000
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | v1 state object #1 found, in STATE_XAUTH_I1
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: "xauthclient" #2: Dead Peer Detection (RFC 3706): enabled
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | state: 2 requesting event none to be deleted by /home/xxxxx/Downloads/openswan-2.6.32/programs/pluto/dpd.c:162
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | inserting event EVENT_DPD, timeout in 30 seconds for #2
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | event added after event EVENT_DPD for #1
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | state: 1 requesting event EVENT_DPD to be deleted by /home/xxxxx/Downloads/openswan-2.6.32/programs/pluto/dpd.c:174
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | complete state transition with STF_OK
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: "xauthclient" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | deleting event for #2
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | sending reply packet to 192.168.2.142:500 (from port 500)
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | sending 60 bytes for STATE_QUICK_I1 through eth0:500 to 192.168.2.142:500 (using #2)
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: |   06 b9 09 7c  a0 c2 b4 5c  6c ec 8b 27  c2 9f fd ba
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: |   08 10 20 01  90 3d d3 11  00 00 00 3c  af 7f fc a6
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: |   c2 77 31 62  69 14 26 ae  93 39 fd f1  e8 41 37 50
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: |   87 a0 ce 2a  1e 58 44 f0  b1 9c 52 21
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | inserting event EVENT_SA_REPLACE, timeout in 28118 seconds for #2
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | event added after event EVENT_REINIT_SECRET
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: "xauthclient" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x2084c974 <0x09c7f7f1 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | modecfg pull: noquirk policy:push not-client
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | phase 1 is done, looking for phase 2 to unpend
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | complete state transition with STF_INLINE
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | * processed 0 messages from cryptographic helpers
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | next event EVENT_DPD in 30 seconds for #2



On Tue, Jan 4, 2011 at 6:50 PM, Paul Wouters <paul at xelerance.com> wrote:

> On Tue, 4 Jan 2011, Murat Sezgin wrote:
>
>> The client's version is: Openswan U2.6.26/K2.6.35-24-generic (netkey)
>> The server's version is: 2.6.24rc4
>>
>> Both DPD and XAUTH are enabled. The connection is established
>> successfully, but when I unplug the cables between the peers, the client
>> does not timeout after the DPD timeout value. I see the below logs in the
>
> Please upgrade to 2.6.31 or 2.6.32. There were some DPD fixes that were
> brought in in those versions.
>
>> My client's ipsec.conf file is as below:
>>
>>         dpddelay=30
>>         dpdtimeout=120
>>         dpdaction=hold
>
> You probably want dpdaction=restart ?
>
> On the server you want dpdaction=clear
>
> Paul
>
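As an added illustration, not Openswan's code and not from anyone in this thread: a small Python scanner over pluto debug lines like the ones posted above. It tracks which state objects carry the EVENT_DPD timer and whether the ISAKMP SA is still in an XAUTH state at the moment the timer ends up on the IPsec SA, which is the pattern visible in the client log. The flagging rule is an assumption about what is worth highlighting when triaging such logs, not Openswan's own DPD logic.

```python
import re

# Constructed sample input: pluto debug lines from the post above, re-joined onto single lines.
SAMPLE_LOG = """\
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | v1 state object #1 found, in STATE_XAUTH_I1
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: "xauthclient" #2: Dead Peer Detection (RFC 3706): enabled
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | inserting event EVENT_DPD, timeout in 30 seconds for #2
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | state: 1 requesting event EVENT_DPD to be deleted by /home/xxxxx/Downloads/openswan-2.6.32/programs/pluto/dpd.c:174
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: "xauthclient" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jan  5 13:27:40 xxxxx-laptop pluto[11823]: | next event EVENT_DPD in 30 seconds for #2
"""

STATE_RE = re.compile(r"v1 state object #(\d+) found, in (STATE_\w+)")
TRANS_RE = re.compile(r"#(\d+): transition from state STATE_\w+ to state (STATE_\w+)")
DPD_INS_RE = re.compile(r"inserting event EVENT_DPD, timeout in (\d+) seconds for #(\d+)")
DPD_DEL_RE = re.compile(r"state: (\d+) requesting event EVENT_DPD to be deleted")


def analyze(log_text):
    """Track each pluto state object's phase and its DPD timer, then flag (heuristic,
    assumed here) DPD timers that sit only on an IPsec (QUICK) SA while the ISAKMP SA
    is still in an XAUTH state."""
    states = {}      # state number -> last known STATE_* name
    dpd_timers = {}  # state number -> scheduled EVENT_DPD delay in seconds
    for line in log_text.splitlines():
        if m := STATE_RE.search(line):
            states[int(m.group(1))] = m.group(2)
        elif m := TRANS_RE.search(line):
            states[int(m.group(1))] = m.group(2)
        elif m := DPD_DEL_RE.search(line):
            dpd_timers.pop(int(m.group(1)), None)   # timer removed from this state
        elif m := DPD_INS_RE.search(line):
            dpd_timers[int(m.group(2))] = int(m.group(1))
    # QUICK_* states are phase 2 (IPsec SA); everything else is the ISAKMP SA.
    isakmp = {n: s for n, s in states.items() if not s.startswith("STATE_QUICK")}
    ipsec = {n: s for n, s in states.items() if s.startswith("STATE_QUICK")}
    warnings = []
    for sa, delay in dpd_timers.items():
        if sa in ipsec and any(s.startswith("STATE_XAUTH") for s in isakmp.values()):
            warnings.append(f"EVENT_DPD ({delay}s) is scheduled only on IPsec SA #{sa}; "
                            f"ISAKMP SA(s) still in XAUTH state: {isakmp}")
    return {"isakmp_states": isakmp, "ipsec_states": ipsec,
            "dpd_timers": dpd_timers, "warnings": warnings}


if __name__ == "__main__":
    for w in analyze(SAMPLE_LOG)["warnings"]:
        print(w)
```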