<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;}
p
        {mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman";}
span.EmailStyle17
        {mso-style-type:personal;
        font-family:Arial;
        color:windowtext;}
span.EmailStyle19
        {mso-style-type:personal-reply;
        font-family:Arial;
        color:navy;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Hello List,<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>I have been digging into this a little
more. It appears that the Cisco in question here has multiple policies
defined in its configuration, and that that may be what is at the root of this
problem. Also, I'm leaning toward an expiration of the IKE timer rather
than a renegotiation of the IPSec SA... both ends have the IKE set at 24
hours. I suspect that as long as the 'client' (Openswan end)
initiates the IKE renegotiation, everything works fine. If the Cisco
timer kicks off first however, it fails to renegotiate because of the multiple
policies defined on the Cisco. <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>This is just a guess at this point, I am
going to do further testing to try to confirm. Both ends are currently
configured to renegotiate the IKE at 24 hours. I am going to set two test
units up against the Cisco &ndash; one with a 23-hour IKE lifetime, and one
with a 25-hour IKE lifetime and see what happens. I do not have control
of the Cisco end, but I am also working on getting the configuration cleaned up
there so that there is only one policy.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Thanks,<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>John<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>
users-bounces@openswan.org [mailto:users-bounces@openswan.org] <b><span
style='font-weight:bold'>On Behalf Of </span></b>Snitgen, John<br>
<b><span style='font-weight:bold'>Sent:</span></b> Tuesday, October 28, 2008
2:58 PM<br>
<b><span style='font-weight:bold'>To:</span></b> users@openswan.org<br>
<b><span style='font-weight:bold'>Subject:</span></b> [Openswan Users] NAT-T
inter-op problem with Cisco?</span></font><o:p></o:p></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Hello List,<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>I am seeing the following set of prints in my debug log (see
below) associated with a failure to renegotiate my VPN tunnel. This
happens on the third re-negotiation of the SA after the initial establishment
of the VPN tunnel. In other words, the tunnel is initiated and comes up
fine &ndash; in this example, the initial establishment of the tunnel occurred
at around 3:30 a.m. The keylife=12h on the local side, and it is set to 6
hours on the remote end (remote end is a Cisco aggregator). So the
scenario is as follows: The tunnel comes up, it renegotiates at around 6
hours as it should, then again at 12 hours as it should (these renegotiations
are initiated by the Cisco), then at the 18 hour mark this happens;
xxx.xxx.xxx.xxx is the Cisco:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:32 pluto[18772]: packet
from xxx.xxx.xxx.xxx:500: received Vendor ID payload [RFC 3947] method set to=110
<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:32 pluto[18772]: packet
from xxx.xxx.xxx.xxx:500: ignoring unknown Vendor ID payload
[bunchoflettersandnumberslike235lks6dkn78glknsoijf]<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:32 pluto[18772]: packet
from xxx.xxx.xxx.xxx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
meth=108, but already using method 110<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:32 pluto[18772]: packet
from xxx.xxx.xxx.xxx:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:32 pluto[18772]: "IPSECTUNNEL"
#5: responding to Main Mode<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:32 pluto[18772]:
"IPSECTUNNEL" #5: policy mandates Extended Authentication (XAUTH)
with PSK of responder (we are responder). Attribute
OAKLEY_AUTHENTICATION_METHOD<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:32 Last line repeated 1
time(s).<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:32 pluto[18772]:
"IPSECTUNNEL" #5: policy mandates Extended Authentication (XAUTH)
with RSA of responder (we are responder). Attribute
OAKLEY_AUTHENTICATION_METHOD<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:32 pluto[18772]:
"IPSECTUNNEL" #5: no acceptable Oakley Transform<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:32 pluto[18772]:
"IPSECTUNNEL" #5: sending notification NO_PROPOSAL_CHOSEN to
xxx.xxx.xxx.xxx:500<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><i><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial;font-style:italic'>(then, it repeats)<o:p></o:p></span></font></i></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:42 pluto[18772]: packet
from xxx.xxx.xxx.xxx:500: received Vendor ID payload [RFC 3947] method set to=110
<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:42 pluto[18772]: packet
from xxx.xxx.xxx.xxx:500: ignoring unknown Vendor ID payload
[samebunchoflettersandnumbersasthefirsttime2]<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:42 pluto[18772]: packet
from xxx.xxx.xxx.xxx:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
meth=108, but already using method 110<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:42 pluto[18772]: packet
from xxx.xxx.xxx.xxx:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:42 pluto[18772]:
"IPSECTUNNEL" #6: responding to Main Mode<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:42 pluto[18772]:
"IPSECTUNNEL" #6: policy mandates Extended Authentication (XAUTH)
with PSK of responder (we are responder). Attribute
OAKLEY_AUTHENTICATION_METHOD<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:42 Last line repeated 1
time(s).<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:42 pluto[18772]:
"IPSECTUNNEL" #6: policy mandates Extended Authentication (XAUTH)
with RSA of responder (we are responder). Attribute
OAKLEY_AUTHENTICATION_METHOD<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:42 pluto[18772]:
"IPSECTUNNEL" #6: no acceptable Oakley Transform<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>Oct 21 21:04:42 pluto[18772]:
"IPSECTUNNEL" #6: sending notification NO_PROPOSAL_CHOSEN to
xxx.xxx.xxx.xxx:500<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>I am seeing this occur on multiple devices that are
connecting to this Cisco aggregator. NAT-T is enabled on the Cisco
aggregator (prime suspect of the problem, based on these debug prints), and on
the local device. I have tried disabling it on the local device since it
is not needed, but I need to have it enabled on the Cisco for other devices
that do need it.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Any idea on why the initial connection is successful, along
with the renegotiations at the first two 6 hour intervals, and then it fails in
this manner? <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Openswan KLIPS IPsec stack version: 2.4.6. I can provide
more info if needed.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Thanks,<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>John<o:p></o:p></span></font></p>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center>
</span></font></div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>This e-mail message is for the sole use of the intended recipient(s)
and may contain confidential and privileged information of Transaction Network
Services. Any unauthorized review, use, disclosure or distribution is
prohibited. If you are not the intended recipient, please contact the sender by
reply e-mail and destroy all copies of the original message.<o:p></o:p></span></font></p>
</div>
</div>
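<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'>Added example, not code from the post or from Openswan: a small Python triage routine for pluto's syslog output that groups lines by ISAKMP state number (#N), counts the XAUTH-only proposals the responder rejected (folding in syslog's "Last line repeated N time(s)" lines), and reports each Main Mode exchange that ended in NO_PROPOSAL_CHOSEN, so a recurring rekey failure like the one above can be alerted on from the log rather than found by hand. The sample log is constructed from the lines quoted in the post, with the Cisco's address left masked as the poster masked it.</span></font></p>

```python
import re

# Constructed sample built from the pluto lines quoted in the post; the Cisco
# peer address stays masked (xxx.xxx.xxx.xxx) exactly as the poster masked it.
SAMPLE_LOG = """\
Oct 21 21:04:32 pluto[18772]: packet from xxx.xxx.xxx.xxx:500: received Vendor ID payload [RFC 3947] method set to=110
Oct 21 21:04:32 pluto[18772]: "IPSECTUNNEL" #5: responding to Main Mode
Oct 21 21:04:32 pluto[18772]: "IPSECTUNNEL" #5: policy mandates Extended Authentication (XAUTH) with PSK of responder (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Oct 21 21:04:32 Last line repeated 1 time(s).
Oct 21 21:04:32 pluto[18772]: "IPSECTUNNEL" #5: policy mandates Extended Authentication (XAUTH) with RSA of responder (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Oct 21 21:04:32 pluto[18772]: "IPSECTUNNEL" #5: no acceptable Oakley Transform
Oct 21 21:04:32 pluto[18772]: "IPSECTUNNEL" #5: sending notification NO_PROPOSAL_CHOSEN to xxx.xxx.xxx.xxx:500
Oct 21 21:04:42 pluto[18772]: "IPSECTUNNEL" #6: responding to Main Mode
Oct 21 21:04:42 pluto[18772]: "IPSECTUNNEL" #6: policy mandates Extended Authentication (XAUTH) with PSK of responder (we are responder). Attribute OAKLEY_AUTHENTICATION_METHOD
Oct 21 21:04:42 pluto[18772]: "IPSECTUNNEL" #6: no acceptable Oakley Transform
Oct 21 21:04:42 pluto[18772]: "IPSECTUNNEL" #6: sending notification NO_PROPOSAL_CHOSEN to xxx.xxx.xxx.xxx:500
"""

STATE_RE = re.compile(r'^\w{3} +\d+ [\d:]+ pluto\[\d+\]: "([^"]+)" #(\d+): (.*)$')
REPEAT_RE = re.compile(r'Last line repeated (\d+) time\(s\)')
XAUTH_RE = re.compile(r'Extended Authentication \(XAUTH\) with (\w+) of responder')
NOTIFY_RE = re.compile(r'sending notification (\w+) to (\S+)')

def triage_pluto(log_text):
    """One finding per ISAKMP state (#N) in which pluto, as Main Mode responder,
    rejected every proposal (all XAUTH-only) and answered NO_PROPOSAL_CHOSEN."""
    states, last = {}, None
    for line in log_text.splitlines():
        rep = REPEAT_RE.search(line)
        if rep and last is not None:
            # syslog folded duplicate lines: they were further XAUTH proposals
            last['xauth_proposals'] += int(rep.group(1))
            continue
        m = STATE_RE.match(line)
        if not m:
            continue                      # e.g. "packet from ..." vendor-ID lines
        conn, num, msg = m.groups()
        last = st = states.setdefault(int(num), dict(
            conn=conn, xauth_proposals=0, auth_methods=[], rejected=False, notify=None, peer=None))
        x = XAUTH_RE.search(msg)
        if x:
            st['xauth_proposals'] += 1
            if x.group(1) not in st['auth_methods']:
                st['auth_methods'].append(x.group(1))
        elif 'no acceptable Oakley Transform' in msg:
            st['rejected'] = True
        elif NOTIFY_RE.search(msg):
            st['notify'], st['peer'] = NOTIFY_RE.search(msg).groups()
    return [dict(state=n, **st) for n, st in sorted(states.items())
            if st['rejected'] and st['xauth_proposals'] > 0]
```

Feed it `/var/log/secure` (or wherever pluto logs on the box) and alert when the same peer shows up in consecutive findings a few seconds apart, which is the retry pattern visible in the post.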
</body>
</html>