[Openswan Users] Problem in reestablishment of an ipsec connection
Oguz Yilmaz
oguzyilmazlist at gmail.com
Tue Jan 1 07:44:32 EST 2013
Hi openswan list members,
I have restarted openswan and now I cannot connect to a remote Cisco
site anymore. When I tcpdump, I see ESP coming from the remote with the old
SPI.
Look at the earlier log of the establishment of the last successful VPN:
Dec 31 15:10:13 2012 pluto[21253]: "myvpn/0x1" #24: STATE_QUICK_R2:IPsec SA established tunnel mode {ESP=>0x4888824c <0x23d4417b xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}
01:56:56.249531 IP RIGHTEXTIP > LEFTNEXTIP:ESP(spi=0x23d4417b,seq=0x1035b), length 84
01:56:56.249531 IP RIGHTEXTIP > LEFTNEXTIP:ESP(spi=0x23d4417b,seq=0x1035b), length 84
01:56:58.433427 IP RIGHTEXTIP > LEFTNEXTIP:ESP(spi=0x23d4417b,seq=0x1035c), length 84
01:56:58.433427 IP RIGHTEXTIP > LEFTNEXTIP:ESP(spi=0x23d4417b,seq=0x1035c), length 84
01:57:00.619062 IP RIGHTEXTIP > LEFTNEXTIP:ESP(spi=0x23d4417b,seq=0x1035d), length 84
This is about 10 hours after the establishment log of the VPN connection.
When I restart the ipsec service it tries ISAKMP, but without success:
02:01:07.660885 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
Jan 1 02:01:57 2013 pluto[12814]: pending Quick Mode with RIGHTEXTIP "myvpn/0x1" took too long -- replacing phase 1
Jan 1 02:01:57 2013 pluto[12814]: "myvpn/0x1" #44: initiating Main Mode to replace #36
As far as I see, the remote (Cisco) thinks the VPN connection is already
established, while we have lost the SPI and try to re-establish the connection. I
have no access to the remote. How can I order the remote to forget about the old
connection? What would be a better configuration so as not to experience
such a situation?
Thank you for your help and Happy New Year.
Oguz
Kernel is 3.5.3 with Netkey. Openswan is 2.6.33.
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    nat_traversal=no
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.19.32.0/24
    protostack=netkey

conn %default
    auto=add

conn myvpn
    authby=secret
    auth=esp
    esp=3des-md5-96
    left=LEFTEXTIP
    leftsubnet=10.1.0.0/16
    right=RIGHTEXTIP
    leftnexthop=LEFTEXTNEXT
    leftsourceip=10.1.1.5
    disablearrivalcheck=no
    auto=start
    keylife=86400s
    pfs=no
    ikelifetime=86400s
    keyexchange=ike
    ike=3des-md5-modp1024
    rightsubnets={10.0.0.0/8}
    dpdaction=restart_by_peer
    dpddelay=30
    dpdtimeout=120

include /etc/ipsec.d/no_oe.conf
--
Oguz YILMAZ
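Added example (my own code, not from the post above or from Openswan) that checks for the condition the post describes: it reads the inbound SPI from the last pluto "IPsec SA established" line written before the restart and counts ESP packets in a tcpdump capture that still arrive with that SPI afterwards. The log and capture lines embedded in it are constructed from the ones quoted in the post; the conn name and SPI values are taken from there.

```python
import re

# Constructed sample input modelled on the post: the pluto line predates the restart,
# the tcpdump lines were captured after it.
PLUTO_LOG = [
    'Dec 31 15:10:13 2012 pluto[21253]: "myvpn/0x1" #24: STATE_QUICK_R2:'
    'IPsec SA established tunnel mode {ESP=>0x4888824c <0x23d4417b '
    'xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}',
]
TCPDUMP = [
    "01:56:56.249531 IP RIGHTEXTIP > LEFTNEXTIP: ESP(spi=0x23d4417b,seq=0x1035b), length 84",
    "01:56:58.433427 IP RIGHTEXTIP > LEFTNEXTIP: ESP(spi=0x23d4417b,seq=0x1035c), length 84",
    "01:57:00.619062 IP RIGHTEXTIP > LEFTNEXTIP: ESP(spi=0x23d4417b,seq=0x1035d), length 84",
    "02:01:07.660885 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident",
]

# Openswan prints ESP=>0xAAAA for the SPI we send with and <0xBBBB for the SPI we expect.
SA_RE = re.compile(r'"([^"]+)" #\d+: \S+:IPsec SA established .*?\{ESP=>0x([0-9a-f]+) <0x([0-9a-f]+)')
ESP_RE = re.compile(r'^(\S+) IP (\S+) > (\S+?):\s*ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\)')

def parse_sas(pluto_lines):
    """Map conn name -> (outbound SPI, inbound SPI), keeping the last established SA per conn."""
    sas = {}
    for line in pluto_lines:
        m = SA_RE.search(line)
        if m:
            sas[m.group(1)] = (int(m.group(2), 16), int(m.group(3), 16))
    return sas

def parse_esp(tcpdump_lines):
    """Yield (time, src, dst, spi, seq) for each ESP packet; non-ESP lines are skipped."""
    for line in tcpdump_lines:
        m = ESP_RE.match(line)
        if m:
            t, src, dst, spi, seq = m.groups()
            yield t, src, dst, int(spi, 16), int(seq, 16)

def stale_inbound_esp(tcpdump_lines, pluto_lines):
    """Inbound ESP that still carries the inbound SPI of a pre-restart SA means the peer
    kept the old SA while our kernel SA database was flushed. Returns per-conn counters."""
    by_in_spi = {in_spi: conn for conn, (_, in_spi) in parse_sas(pluto_lines).items()}
    hits = {}
    for t, _src, _dst, spi, _seq in parse_esp(tcpdump_lines):
        conn = by_in_spi.get(spi)
        if conn is not None:  # ESP for an SA we never logged is not the symptom in question
            h = hits.setdefault(conn, {"spi": spi, "packets": 0, "first": t, "last": t})
            h["packets"] += 1
            h["last"] = t
    return hits

if __name__ == "__main__":
    for conn, h in stale_inbound_esp(TCPDUMP, PLUTO_LOG).items():
        print(f"{conn}: stale inbound SPI 0x{h['spi']:08x}, {h['packets']} packets {h['first']}..{h['last']}")
```

Run it against the real pluto log and a `tcpdump -n esp` capture taken after the restart; a non-empty result is the signal that the peer is still using the old SA rather than that IKE itself is failing.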