<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<TITLE>Ipsec auto --up still hangs sometimes</TITLE>
</HEAD>
<BODY>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">It seemed best to open a new thread for this issue. I couldn't help myself - I had to reproduce the hang problem I ran across a few minutes ago. </FONT></SPAN></P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">Here's the situation. Janesville has 2 LANs, one named JanesvilleCheetah that normally has an IPSEC Openswan tunnel, the other named JanesvillePNT that normally routes differently. </FONT></SPAN></P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">These tunnels all connect to the HQ site. JanesvilleCheetah stays up all the time, JanesvillePNT is supposed to come up and down as needed. </FONT></SPAN></P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">The HQ Openswan firewall is now running this version:</FONT></SPAN>
</P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw2 ipsec.d]# ipsec version</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">Linux Openswan U2.6.14/K2.6.25-14.fc9.i686 (netkey)</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">See `ipsec --copyright' for copyright information.</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw2 ipsec.d]#</FONT></SPAN>
</P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">Here is the condition to reproduce the problem:</FONT></SPAN>
</P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">In Janesville, the JanesvilleCheetah tunnel is up and running.</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">The JanesvillePNT tunnel is specifically ***not*** loaded. </FONT></SPAN>
</P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">From the HQ Openswan firewall, when I do ipsec auto --add and then ipsec auto --up -- but without doing anything in Janesville, then the whack at HQ still hangs. It should eventually return with an error, but it doesn't. It hangs. </FONT></SPAN></P>
<BR>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw2 ipsec.d]# ipsec auto --down JanesvillePNT-Everywhere</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw2 ipsec.d]# ipsec auto --delete JanesvillePNT-Everywhere</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">000 "JanesvillePNT-Everywhere": request to delete a unrouted policy with netkey kernel --- experimental</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw2 ipsec.d]# ipsec auto --up JanesvillePNT-Everywhere</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">000 initiating all conns with alias='JanesvillePNT-Everywhere'</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">021 no connection named "JanesvillePNT-Everywhere"</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw2 ipsec.d]# ipsec auto --add JanesvillePNT-Everywhere</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw2 ipsec.d]# ipsec auto --up JanesvillePNT-Everywhere</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">104 "JanesvillePNT-Everywhere" #22: STATE_MAIN_I1: initiate</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">003 "JanesvillePNT-Everywhere" #22: ignoring unknown Vendor ID payload [4f455f5d7b764b67436f4f49]</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">003 "JanesvillePNT-Everywhere" #22: received Vendor ID payload [Dead Peer Detection]</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">003 "JanesvillePNT-Everywhere" #22: received Vendor ID payload [RFC 3947] method set to=109</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">106 "JanesvillePNT-Everywhere" #22: STATE_MAIN_I2: sent MI2, expecting MR2</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">003 "JanesvillePNT-Everywhere" #22: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">108 "JanesvillePNT-Everywhere" #22: STATE_MAIN_I3: sent MI3, expecting MR3</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">003 "JanesvillePNT-Everywhere" #22: we require peer to have ID '@janesvillepnt.local', but peer declares '@janesvillecheetah.local'</FONT></SPAN></P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">218 "JanesvillePNT-Everywhere" #22: STATE_MAIN_I3: INVALID_ID_INFORMATION</FONT></SPAN>
</P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">-----> (Long pause here until I pressed CTRL/C) <-------</FONT></SPAN>
</P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">^C[root@lme-fw2 ipsec.d]# ipsec auto --delete JanesvillePNT-Everywhere</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw2 ipsec.d]#</FONT></SPAN>
</P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">- Greg</FONT></SPAN>
</P>
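<P>The session above shows whack printing a decisive <CODE>218 ... INVALID_ID_INFORMATION</CODE> line and then hanging instead of returning. The POSIX shell wrapper below is an added example, not code from Greg's post or from Openswan: it runs <CODE>ipsec auto --up</CODE> under coreutils <CODE>timeout</CODE> (assumed installed) and classifies the captured output by its three-digit whack prefix (021 = unknown connection; 2xx = 200 + ISAKMP notify type, so 218 is INVALID_ID_INFORMATION; a 004 line containing "IPsec SA established" marks success). The function names, the 60-second default and the sample lines are constructed here.</P>

```shell
#!/bin/sh
# Added example (not from the original post or from Openswan).
# classify_whack_output: read whack/pluto output on stdin and print one verdict:
#   established | failed:<code>[ (peer ID mismatch)] | unknown-conn | no-result
# Whack prefixes: 021 = unknown connection name; 2xx = 200 + ISAKMP notify type
# (218 = INVALID_ID_INFORMATION, as in the session above); 004 lines carry
# "IPsec SA established" once Quick Mode completes.
classify_whack_output() {
    verdict="no-result"
    detail=""
    while IFS= read -r line; do
        code=${line%% *}                     # leading three-digit whack code
        case "$line" in
            *"we require peer to have ID"*) detail=" (peer ID mismatch)" ;;
        esac
        case "$code" in
            021)         verdict="unknown-conn" ;;
            2[0-9][0-9]) verdict="failed:$code" ;;
            004) case "$line" in
                     *"IPsec SA established"*) verdict="established" ;;
                 esac ;;
        esac
    done
    case "$verdict" in failed:*) verdict="$verdict$detail" ;; esac
    printf '%s\n' "$verdict"
}

# bring_up_with_timeout CONN [SECONDS]: never let 'ipsec auto --up' block the
# shell. If whack hangs after printing its failure (the behaviour reported
# above), timeout kills it and the decisive line is still recovered from the
# captured output.
bring_up_with_timeout() {
    conn=$1
    limit=${2:-60}                           # assumed default; adjust as needed
    tmp=$(mktemp) || return 1
    timeout "$limit" ipsec auto --up "$conn" >"$tmp" 2>&1
    rc=$?                                    # 124 means the timeout fired
    verdict=$(classify_whack_output <"$tmp")
    rm -f "$tmp"
    if [ "$rc" -eq 124 ]; then
        verdict="$verdict [whack hung, killed after ${limit}s]"
    fi
    printf '%s\n' "$verdict"
}
```

<P>Run as <CODE>bring_up_with_timeout JanesvillePNT-Everywhere 30</CODE>; a result of <CODE>failed:218 (peer ID mismatch) [whack hung, killed after 30s]</CODE> is the case shown in the session above.</P>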
</BODY>
</HTML>