<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<style>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:Arial;
        color:windowtext;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Hello List,<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>I am seeing the following set of prints in my debug log (see
below) associated with a failure to renegotiate my VPN tunnel. This
happens on the third re-negotiation of the SA after the initial establishment
of the VPN tunnel. In other words, the tunnel is initiated and comes up
fine – in this example, the initial establishment of the tunnel occurred
at around 3:30 a.m. The keylife is 12h on the local side and is set to 6
hours on the remote end (the remote end is a Cisco aggregator). So the
scenario is as follows: the tunnel comes up, it renegotiates at around 6
hours as it should, then again at 12 hours as it should (these renegotiations
are initiated by the Cisco), then at the 18 hour mark this happens;
xxx.xxx.xxx.xxx is the Cisco:<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:32 pluto[18772]: packet
from xxx.xxx.xxx.xxx:500: received Vendor ID payload [RFC 3947] method set
to=110 <o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:32 pluto[18772]: packet
from xxx.xxx.xxx.xxx:500: ignoring unknown Vendor ID payload [bunchoflettersandnumberslike235lks6dkn78glknsoijf]<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:32 pluto[18772]: packet
from xxx.xxx.xxx.xxx:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:32 pluto[18772]: packet
from xxx.xxx.xxx.xxx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
meth=106, but already using method 110<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:32 pluto[18772]: "IPSECTUNNEL"
#5: responding to Main Mode<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:32 pluto[18772]: "IPSECTUNNEL"
#5: policy mandates Extended Authentication (XAUTH) with PSK of responder (we
are responder). Attribute OAKLEY_AUTHENTICATION_METHOD<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:32 Last line repeated 1
time(s).<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:32 pluto[18772]: "IPSECTUNNEL"
#5: policy mandates Extended Authentication (XAUTH) with RSA of responder (we
are responder). Attribute OAKLEY_AUTHENTICATION_METHOD<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:32 pluto[18772]: "IPSECTUNNEL"
#5: no acceptable Oakley Transform<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:32 pluto[18772]: "IPSECTUNNEL"
#5: sending notification NO_PROPOSAL_CHOSEN to xxx.xxx.xxx.xxx:500<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><i><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial;font-style:italic'>(then, it repeats)<o:p></o:p></span></font></i></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:42 pluto[18772]: packet
from xxx.xxx.xxx.xxx:500: received Vendor ID payload [RFC 3947] method set
to=110 <o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:42 pluto[18772]: packet
from xxx.xxx.xxx.xxx:500: ignoring unknown Vendor ID payload [samebunchoflettersandnumbersasthefirsttime2]<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:42 pluto[18772]: packet
from xxx.xxx.xxx.xxx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
meth=108, but already using method 110<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:42 pluto[18772]: packet
from xxx.xxx.xxx.xxx:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:42 pluto[18772]: "IPSECTUNNEL"
#6: responding to Main Mode<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:42 pluto[18772]: "IPSECTUNNEL"
#6: policy mandates Extended Authentication (XAUTH) with PSK of responder (we
are responder). Attribute OAKLEY_AUTHENTICATION_METHOD<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:42 Last line repeated 1
time(s).<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:42 pluto[18772]: "IPSECTUNNEL"
#6: policy mandates Extended Authentication (XAUTH) with RSA of responder (we
are responder). Attribute OAKLEY_AUTHENTICATION_METHOD<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:42 pluto[18772]: "IPSECTUNNEL"
#6: no acceptable Oakley Transform<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:42 pluto[18772]: "IPSECTUNNEL"
#6: sending notification NO_PROPOSAL_CHOSEN to xxx.xxx.xxx.xxx:500<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>I am seeing this occur on multiple devices that are
connecting to this Cisco aggregator. NAT-T is enabled on the Cisco aggregator
(prime suspect of the problem, based on these debug prints), and on the local
device. I have tried disabling it on the local device since it is not
needed, but I need to have it enabled on the Cisco for other devices that do
need it.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Any idea on why the initial connection is successful, along
with the renegotiations at the first two 6 hour intervals, and then it fails in
this manner? <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Openswan KLIPS IPsec stack version: 2.4.6. I can provide
more info if needed.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Thanks,<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>John<o:p></o:p></span></font></p>
</div>
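<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>Added example (not part of the post above, and not Openswan code): a small triage script that reads pluto lines of the shape quoted in the post, groups them by ISAKMP state number (#5, #6), records the NAT-T method the peer negotiated just before each state, and flags the states where local policy mandated XAUTH, turned down the peer's PSK and RSA proposals and ended in NO_PROPOSAL_CHOSEN. The sample log is constructed from the post's lines with a placeholder peer address; the regexes are assumptions about the log format, not an Openswan API.</span></font></p>

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the pluto lines quoted in the post;
# the peer address 192.0.2.1 is a documentation placeholder, not a real host.
SAMPLE_LOG = """\
Oct 21 21:04:32 pluto[18772]: packet from 192.0.2.1:500: received Vendor ID payload [RFC 3947] method set to=110
Oct 21 21:04:32 pluto[18772]: packet from 192.0.2.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Oct 21 21:04:32 pluto[18772]: "IPSECTUNNEL" #5: responding to Main Mode
Oct 21 21:04:32 pluto[18772]: "IPSECTUNNEL" #5: policy mandates Extended Authentication (XAUTH) with PSK of responder (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Oct 21 21:04:32 Last line repeated 1 time(s).
Oct 21 21:04:32 pluto[18772]: "IPSECTUNNEL" #5: policy mandates Extended Authentication (XAUTH) with RSA of responder (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Oct 21 21:04:32 pluto[18772]: "IPSECTUNNEL" #5: no acceptable Oakley Transform
Oct 21 21:04:32 pluto[18772]: "IPSECTUNNEL" #5: sending notification NO_PROPOSAL_CHOSEN to 192.0.2.1:500
Oct 21 21:04:42 pluto[18772]: "IPSECTUNNEL" #6: responding to Main Mode
Oct 21 21:04:42 pluto[18772]: "IPSECTUNNEL" #6: policy mandates Extended Authentication (XAUTH) with PSK of responder (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Oct 21 21:04:42 pluto[18772]: "IPSECTUNNEL" #6: no acceptable Oakley Transform
Oct 21 21:04:42 pluto[18772]: "IPSECTUNNEL" #6: sending notification NO_PROPOSAL_CHOSEN to 192.0.2.1:500
"""

# Assumed line shapes (hypothetical patterns written for this example).
STATE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)')
XAUTH_RE = re.compile(r'mandates Extended Authentication \(XAUTH\) with (?P<auth>\w+) of responder')
NATT_RE = re.compile(r'packet from [\d.]+:\d+: received Vendor ID payload \[(?P<vid>[^\]]+)\] method set to=(?P<m>\d+)')

def triage(log_text):
    """Group pluto lines by ISAKMP state (#N) and summarise each Phase 1 attempt:
    connection name, NAT-T method seen just before the state, peer auth methods
    rejected because policy mandates XAUTH, and whether NO_PROPOSAL_CHOSEN was sent."""
    states = defaultdict(lambda: {"conn": None, "nat_t": None,
                                  "rejected_auth": [], "no_proposal": False})
    nat_t = None  # last "method set to=" announced by the peer
    for line in log_text.splitlines():
        n = NATT_RE.search(line)
        if n:
            nat_t = f"{n['vid']} method {n['m']}"
            continue
        s = STATE_RE.search(line)
        if not s:
            continue  # syslog "Last line repeated" and other non-state lines
        st = states[int(s["state"])]
        st["conn"], st["nat_t"] = s["conn"], nat_t
        x = XAUTH_RE.search(s["msg"])
        if x:
            st["rejected_auth"].append(x["auth"])
        if "NO_PROPOSAL_CHOSEN" in s["msg"]:
            st["no_proposal"] = True
    return dict(states)

def failed_states(log_text):
    """State numbers that ended in NO_PROPOSAL_CHOSEN after XAUTH policy rejections."""
    return sorted(n for n, st in triage(log_text).items()
                  if st["no_proposal"] and st["rejected_auth"])
```

Run against a full debug log, the output shows whether every failed state follows the same XAUTH-then-NO_PROPOSAL_CHOSEN pattern and which NAT-T method was in effect, which is the first thing to compare against the earlier, successful renegotiations.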
</body>
</html>