Hi Guys, I have a tunnel established between a Cisco PIX-535 and a Linux <a href="http://2.6.16.20"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "2.6.16.20" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 2.6.16.20</a> with openswan using ipsec from kernel.<br>The tunnel connects and work fine, but it reconnects constantly (sometimes more than twice an hour).
<br>It's configured to renegotiate every 12 hours. How can I find out what's going on ?<br><br>This is part of the /var/log/secure message log.<br><br>Jul 20 11:32:30 routertech pluto[1788]: "tunnelipsec" #23: responding to Main Mode
<br>Jul 20 11:32:30 routertech pluto[1788]: "tunnelipsec" #23: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>Jul 20 11:32:30 routertech pluto[1788]: "tunnelipsec" #23: STATE_MAIN_R1: sent MR1, expecting MI2
<br>Jul 20 11:32:30 routertech pluto[1788]: "tunnelipsec" #23: received Vendor ID payload [Cisco-Unity]<br>Jul 20 11:32:30 routertech pluto[1788]: "tunnelipsec" #23: received Vendor ID payload [XAUTH]<br>
Jul 20 11:32:30 routertech pluto[1788]: "tunnelipsec" #23: ignoring unknown Vendor ID payload [c45c723bb8acbc3d7c837d7f8ae15317]<br>Jul 20 11:32:30 routertech pluto[1788]: "tunnelipsec" #23: ignoring Vendor ID payload [Cisco VPN 3000 Series]
<br>Jul 20 11:32:30 routertech pluto[1788]: "tunnelipsec" #23: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>Jul 20 11:32:30 routertech pluto[1788]: "tunnelipsec" #23: STATE_MAIN_R2: sent MR2, expecting MI3
<br>Jul 20 11:32:30 routertech pluto[1788]: "tunnelipsec" #23: received Vendor ID payload [Dead Peer Detection]<br>Jul 20 11:32:30 routertech pluto[1788]: "tunnelipsec" #23: Main mode peer ID is ID_IPV4_ADDR: '
<a href="http://200.41.49.4"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "200.41.49.4" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 200.41.49.4</a>'<br>Jul 20 11:32:30 routertech pluto[1788]: "tunnelipsec" #23: I did not send a certificate because I do not have one.<br>Jul 20 11:32:30 routertech pluto[1788]: "tunnelipsec" #23: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
<br>Jul 20 11:32:30 routertech pluto[1788]: "tunnelipsec" #23: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}<br>Jul 20 11:33:00 routertech pluto[1788]: "tunnelipsec" #22: received Delete SA payload: deleting ISAKMP State #22
<br>Jul 20 11:33:00 routertech pluto[1788]: packet from <a href="http://200.41.49.4:500"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "200.41.49.4:500" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 200.41.49.4:500</a>: received and ignored informational message<br>Jul 20 14:12:53 routertech pluto[1788]: "tunnelipsec" #24: responding to Quick Mode {msgid:773e767c}
<br>Jul 20 14:12:53 routertech pluto[1788]: "tunnelipsec" #24: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1<br>Jul 20 14:12:53 routertech pluto[1788]: "tunnelipsec" #24: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
<br>Jul 20 14:12:53 routertech pluto[1788]: "tunnelipsec" #24: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2<br>Jul 20 14:12:53 routertech pluto[1788]: "tunnelipsec" #24: STATE_QUICK_R2: IPsec SA established {ESP=>0xb25da4b6 <0xa31abee1 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
<br>Jul 20 14:12:54 routertech pluto[1788]: "tunnelipsec" #23: received Delete SA(0x94171360) payload: deleting IPSEC State #21<br>Jul 20 14:12:54 routertech pluto[1788]: "tunnelipsec" #23: received and ignored informational message
<br>Jul 20 14:32:28 routertech pluto[1788]: packet from <a href="http://200.41.49.4:500"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "200.41.49.4:500" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 200.41.49.4:500</a>: ignoring unknown Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]<br>Jul 20 14:32:28 routertech pluto[1788]: "tunnelipsec" #25: responding to Main Mode
<br>Jul 20 14:32:28 routertech pluto[1788]: "tunnelipsec" #25: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>Jul 20 14:32:28 routertech pluto[1788]: "tunnelipsec" #25: STATE_MAIN_R1: sent MR1, expecting MI2
<br>Jul 20 14:32:28 routertech pluto[1788]: "tunnelipsec" #25: received Vendor ID payload [Cisco-Unity]<br>Jul 20 14:32:28 routertech pluto[1788]: "tunnelipsec" #25: received Vendor ID payload [XAUTH]<br>
Jul 20 14:32:28 routertech pluto[1788]: "tunnelipsec" #25: ignoring unknown Vendor ID payload [851d999c69cc6331f37657efa51460c5]<br>Jul 20 14:32:28 routertech pluto[1788]: "tunnelipsec" #25: ignoring Vendor ID payload [Cisco VPN 3000 Series]
<br>Jul 20 14:32:28 routertech pluto[1788]: "tunnelipsec" #25: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>Jul 20 14:32:28 routertech pluto[1788]: "tunnelipsec" #25: STATE_MAIN_R2: sent MR2, expecting MI3
<br>Jul 20 14:32:29 routertech pluto[1788]: "tunnelipsec" #25: received Vendor ID payload [Dead Peer Detection]<br>Jul 20 14:32:29 routertech pluto[1788]: "tunnelipsec" #25: Main mode peer ID is ID_IPV4_ADDR: '
<a href="http://200.41.49.4"></b></font><font color="red"><b>MailScanner has detected a possible fraud attempt from "200.41.49.4" claiming to be</b></font> <font color="red"><b>MailScanner warning: numerical links are often malicious: 200.41.49.4</a>'<br>Jul 20 14:32:29 routertech pluto[1788]: "tunnelipsec" #25: I did not send a certificate because I do not have one.<br>Jul 20 14:32:29 routertech pluto[1788]: "tunnelipsec" #25: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
<br>Jul 20 14:32:29 routertech pluto[1788]: "tunnelipsec" #25: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}<br>Jul 20 14:32:58 routertech pluto[1788]: "tunnelipsec" #23: received Delete SA payload: deleting ISAKMP State #23
<br><br><br>Please let me know if you need more info or to enable more detail in the logs.<br><br>Best Regards, Pablo<br>