<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.2627" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2><FONT face="Times New Roman" size=3>>
<BR>>> Apr 28 06:38:46 dogbert ipsec_setup: WARNING: cannot flush
state/policy database -- `%defaultroute'. Install a newer version o<BR>>>
f iproute/iproute2 or install the ipsec-tools package to obtain the setkey
command.<BR>> <BR>> The error is quite clear.</FONT><BR></FONT></DIV>
<DIV><FONT face=Arial size=2>Installing ipsec-tools removed the warning, but the
behaviour of ipsec is the same. I guess a dive into docs is required. Any tip is
appreciated.</FONT></DIV>
<DIV><FONT face=Arial size=2>Many thanks</FONT></DIV>
<DIV><FONT face=Arial size=2>Ole M.</FONT></DIV>
<DIV> </DIV>
<DIV>----- Original Message ----- </DIV>
<DIV style="FONT: 10pt arial">
<DIV style="BACKGROUND: #e4e4e4; font-color: black"><B>From:</B> <A
title=olemotor@gmail.com href="mailto:olemotor@gmail.com">Ole Morten</A> </DIV>
<DIV><B>To:</B> <A title=users@openswan.org
href="mailto:users@openswan.org">users@openswan.org</A> </DIV>
<DIV><B>Sent:</B> Thursday, April 28, 2005 9:57 AM</DIV>
<DIV><B>Subject:</B> Unstable tunnel</DIV></DIV>
<DIV><BR></DIV>
<DIV><FONT face=Arial size=2>Hi,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I have been using FreeSWAN 2.06 on a Mandrake Linux
with kernel 2.4.25. Three tunnels are configured, two of them connects via
a Nortel Contivity 1010, and for these tunnels I experience annoying outages
approx. every hour. Every outage last about 1-5 minutes.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I have tested OpenSWAN 2.3.0 1rhel.i386 rpm and
OpenSWAN 2.3.1 for fc3 together with kernels 2.4.25, 2.6.3, 2.6.8 and 2.6.11.
The behaviour is pretty much the same on all kernel versions.
ipsec.conf (see below) is not changed from the FreeSWAN setup and the
3 tunnels are up, however those to the Nortel box will stop working
after a few hours. The two tunnels do never seem to fail at the same time. The
tunnels may reestablish automatically after a couple of hours, or if the
ipsec service is restarted it works immediately. </FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>The one tunnel that fails mostly have more traffic,
maybe that is part of the reason? Any help is highly appreciated.</FONT></DIV>
<DIV><FONT face=Arial size=2>Regards</FONT></DIV>
<DIV><FONT face=Arial size=2>Ole</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>ipsec.conf (public addresses are
changed)</FONT></DIV>
<DIV>version 2.0<BR><BR>conn
%default<BR>left=183.212.134.154<BR>leftnexthop=%defaultroute<BR>
leftid=183.212.134.154<BR>right=111.212.125.6<BR>rightsubnet=10.0.0.0/8<BR>rightnexthop=<BR>rightid=111.212.125.6<BR>type=tunnel<BR>auto=start<BR>keyexchange=ike<BR>auth=esp<BR>authby=secret<BR>pfs=yes<BR>conn
main_off_1<BR>leftsubnet=10.100.5.0/24<BR>conn
main_off_2<BR>
leftsubnet=10.100.5.0/24<BR>
right=204.110.137.189<BR>
rightsubnet=10.100.7.0/24<BR>
rightid=204.110.137.189<BR>conn
main_off_3<BR>
leftsubnet=10.100.5.0/24<BR>
right=204.110.137.189<BR>
rightsubnet=10.100.8.0/24<BR>
rightid=204.110.137.189<BR>conn block<BR>
auto=ignore<BR>conn private<BR>
auto=ignore<BR>conn private-or-clear<BR>
auto=ignore<BR>conn clear-or-private<BR>
auto=ignore<BR>conn clear<BR>
auto=ignore<BR>conn packetdefault<BR>
auto=ignore<BR></DIV>
<DIV><FONT face=Arial size=2>Log when starting OpenSWAN 2.3.1 (after this I
upgraded iproute2 to version 2.6.10)</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV>
<DIV><FONT face=Arial size=2>Apr 28 06:38:46 dogbert kernel: NET: Unregistered
protocol family 15<BR>Apr 28 06:38:46 dogbert ipsec_setup: ...Openswan IPsec
stopped<BR>Apr 28 06:38:46 dogbert ipsec_setup: Stopping Openswan
IPsec...<BR>Apr 28 06:38:46 dogbert kernel: NET: Registered protocol family
15<BR>Apr 28 06:38:46 dogbert kernel: Initializing IPsec netlink socket<BR>Apr
28 06:38:46 dogbert ipsec_setup: WARNING: cannot flush state/policy database --
`%defaultroute'. Install a newer version o<BR>f iproute/iproute2 or install the
ipsec-tools package to obtain the setkey command.<BR>Apr 28 06:38:46 dogbert
ipsec_setup: KLIPS ipsec0 on eth0 <FONT face="Times New Roman"
size=3>183.212.134.154</FONT>/255.255.255.252 broadcast <FONT
face="Times New Roman" size=3>183.212.134.155</FONT><BR>Apr 28 06:38:46 dogbert
ipsec_setup: ...Openswan IPsec started<BR>Apr 28 06:38:47 dogbert ipsec_setup:
Starting Openswan IPsec 2.3.1...<BR>Apr 28 06:38:47 dogbert ipsec_setup: insmod
/lib/modules/2.6.11-1mdksmp/kernel/net/key/af_key.ko.gz<BR>Apr 28 06:38:47
dogbert ipsec_setup: insmod
/lib/modules/2.6.11-1mdksmp/kernel/net/ipv4/xfrm4_tunnel.ko.gz<BR>Apr 28
06:38:47 dogbert ipsec_setup: insmod
/lib/modules/2.6.11-1mdksmp/kernel/net/xfrm/xfrm_user.ko.gz<BR>Apr 28 06:38:47
dogbert ipsec_setup: ipsec_setup: WARNING: cannot flush state/policy database --
`%defaultroute'. Install a ne<BR>wer version of iproute/iproute2 or install the
ipsec-tools package to obtain the setkey command.<BR>Apr 28 06:38:47 dogbert
ipsec__plutorun: 104 "main_off_1" #1: STATE_MAIN_I1: initiate<BR>Apr 28 06:38:47
dogbert ipsec__plutorun: ...could not start conn "main_off_1"<BR>Apr 28 06:38:48
dogbert ipsec__plutorun: 104 "main_off_2" #2: STATE_MAIN_I1: initiate<BR>Apr 28
06:38:48 dogbert ipsec__plutorun: ...could not start conn
"main_off_2"<BR></FONT></DIV>
<DIV><FONT face=Arial size=2>
<DIV><FONT face=Arial size=2>When the failure occured on
2.3.0 /var/log/secure sometimes (not always) show the
following:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV>Apr 26 15:57:19 dogbert pluto[30737]: "main_off_3" #12: next payload type
of ISAKMP Hash Payload has an unknown value: 19<BR>Apr 26 15:57:19 dogbert
pluto[30737]: "main_off_3" #12: malformed payload in packet<BR>Apr 26 15:57:19
dogbert pluto[30737]: "main_off_3" #12: sending notification PAYLOAD_MALFORMED
to 204.110.137.189:500<BR>Apr 26 15:57:19 dogbert pluto[30737]: "main_off_3"
#12: next payload type of ISAKMP Hash Payload has an unknown value: 99<BR>Apr 26
15:57:19 dogbert pluto[30737]: "main_off_3" #12: malformed payload in
packet<BR>Apr 26 15:57:19 dogbert pluto[30737]: "main_off_3" #12: sending
notification PAYLOAD_MALFORMED to 204.110.137.189:500<BR>Apr 26 15:57:19 dogbert
pluto[30737]: "main_off_3" #12: byte 2 of ISAKMP Hash Payload must be zero, but
is not<BR>Apr 26 15:57:19 dogbert pluto[30737]: "main_off_3" #12: malformed
payload in packet<BR>Apr 26 15:57:19 dogbert pluto[30737]: "main_off_3" #12:
sending notification PAYLOAD_MALFORMED to
204.110.137.189:500<BR></DIV></DIV></FONT></DIV></BODY></HTML>