<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content=text/html;charset=iso-8859-1>
<META content="MSHTML 6.00.6001.18294" name=GENERATOR></HEAD>
<BODY id=MailContainerBody
style="PADDING-RIGHT: 10px; PADDING-LEFT: 10px; PADDING-TOP: 15px" leftMargin=0
topMargin=0 CanvasTabStop="true" name="Compose message area">
<DIV><FONT face=Arial size=2>Better question,</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>It appears that the SA life is dying.... Could that
be my problem?</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Clients in both subnets can ping the remote VPN
gateway... however they cannot ping each other across the tunnel.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>JT</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Arial size=2>JT Edwards<BR>Senior Solutions Architect
(Automation and Service Management)<BR>IBM Tivoli Certified<BR>Direct:
281-226-0284<BR>Direct: 512-772-3266<BR>Follow Me: 1866-866-4391 ext 1<BR>AIM
tstrike34<BR>GoogleTalk <A
href="mailto:tstrike34@gmail.com">tstrike34@gmail.com</A></FONT></DIV>
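<DIV><FONT face=Arial size=2>Added example, not part of the list thread: a small Python script that replays the Quick Mode and Delete SA lines from the pluto log quoted below and tracks each IPsec SA from negotiation to deletion. It shows that both gateways initiated Quick Mode within the same second (two SAs, #2 and #3, for the same subnet pair) and that #2 was removed by the peer's Delete SA after 35 seconds, nowhere near the configured ipsec_life. The sample lines are copied from the quoted message with trailing payload details trimmed; syslog omits the year, so 2009 is assumed.</FONT></DIV>

```python
import re
from datetime import datetime

# Constructed sample: the Quick Mode and Delete SA lines from the quoted pluto
# log, trailing payload details trimmed. syslog omits the year; 2009 is assumed.
YEAR = 2009
SAMPLE_LOG = """\
Sep 24 14:39:34 whiskers pluto[7855]: "ait-2-torden-xen" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1 msgid:7bf7d234}
Sep 24 14:39:35 whiskers pluto[7855]: "ait-2-torden-xen" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x0f5a7819 <0x4aa14507 xfrm=3DES_0-HMAC_SHA1}
Sep 24 14:39:35 whiskers pluto[7855]: "ait-2-torden-xen" #3: responding to Quick Mode proposal {msgid:767b2eeb}
Sep 24 14:39:35 whiskers pluto[7855]: "ait-2-torden-xen" #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x09076072 <0x874d4c6a xfrm=3DES_0-HMAC_SHA1}
Sep 24 14:40:10 whiskers pluto[7855]: "ait-2-torden-xen" #1: received Delete SA(0x0f5a7819) payload: deleting IPSEC State #2
Sep 24 14:40:10 whiskers pluto[7855]: "ait-2-torden-xen" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x4aa14507) not found (maybe expired)
"""
# syslog prefix, then pluto's '"conn" #state: message' layout
LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
                     r'"(?P<conn>[^"]+)" #(?P<st>\d+): (?P<msg>.*)$')
ESTAB_RE = re.compile(r'IPsec SA established .*\{ESP=>0x([0-9a-f]+) <0x([0-9a-f]+)')
DELETE_RE = re.compile(r'received Delete SA\(0x([0-9a-f]+)\) payload: deleting IPSEC State #(\d+)')

def analyze(log_text, ipsec_life=28800):
    """Track each IPsec SA (pluto state number) from Quick Mode to deletion; return (sas, findings)."""
    sas, findings = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        st, msg = int(m['st']), m['msg']
        when = datetime.strptime(f"{YEAR} {m['ts']}", '%Y %b %d %H:%M:%S')
        if msg.startswith(('initiating Quick Mode', 'responding to Quick Mode')):
            who = 'local' if msg.startswith('initiating') else 'peer'
            sas[st] = {'initiator': who, 'up': None, 'down': None}
        elif e := ESTAB_RE.search(msg):
            sas.setdefault(st, {'initiator': '?', 'down': None})
            sas[st].update(up=when, spi_out=e[1], spi_in=e[2])  # outbound / inbound ESP SPI
        elif d := DELETE_RE.search(msg):
            victim = int(d[2])  # the Delete arrives on the ISAKMP SA (#1), not on the victim
            sas.setdefault(victim, {'initiator': '?', 'up': None})
            sas[victim].update(down=when, reason=f'peer deleted SPI 0x{d[1]}')
    if {'local', 'peer'} <= {s['initiator'] for s in sas.values() if s['up']}:
        findings.append('crossed Quick Mode: both gateways initiated, so two IPsec SAs were negotiated for the same subnet pair')
    for n, s in sorted(sas.items()):
        if s['up'] and s['down']:
            life = int((s['down'] - s['up']).total_seconds())
            kind = 'near ipsec_life' if life >= ipsec_life // 2 else 'far short of ipsec_life'  # ignores rekey margin/fuzz
            findings.append(f'SA #{n} ({s["initiator"]}-initiated) lived {life}s, '
                            f'{s["reason"]}: {kind} ({ipsec_life}s)')
    alive = [n for n, s in sas.items() if s['up'] and not s['down']]
    findings.append(f'surviving IPsec SA(s): {alive}')
    return sas, findings
```

Run against the quoted log it reports the crossed negotiation, that #2 lived 35s before the peer deleted it, and that #3 is the only IPsec SA left; the same script can be pointed at a full /var/log/secure to see whether the surviving SA is later deleted as well.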
<DIV style="FONT: 10pt Tahoma">
<DIV><BR></DIV>
<DIV style="BACKGROUND: #f5f5f5">
<DIV style="font-color: black"><B>From:</B> <A title=tstrike34@gmail.com
href="mailto:tstrike34@gmail.com">JT Edwards</A> </DIV>
<DIV><B>Sent:</B> Thursday, September 24, 2009 3:52 PM</DIV>
<DIV><B>To:</B> <A title=users@openswan.org
href="mailto:users@openswan.org">users@openswan.org</A> </DIV>
<DIV><B>Subject:</B> Subnets Connect, then they drop (but the Tunnel
Remains)</DIV></DIV></DIV>
<DIV><BR></DIV>
<DIV><FONT face=Arial size=2>Paul et al.:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I have achieved IPsec SA established tunnel mode,
yet it appears that subnet-to-subnet connectivity is dropped for some reason.
Here are the secure log and the ipsec auto --status output.... The tunnel
connection remains, but it is like it is fractured for some reason:</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Sep 24 14:39:33 whiskers pluto[7855]: added
connection description "ait-2-torden-xen"<BR>Sep 24 14:39:33 whiskers
pluto[7855]: listening for IKE messages<BR>Sep 24 14:39:33 whiskers pluto[7855]:
NAT-Traversal: Trying new style NAT-T<BR>Sep 24 14:39:34 whiskers pluto[7855]:
NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4
(errno=19)<BR>Sep 24 14:39:34 whiskers pluto[7855]: NAT-Traversal: Trying old
style NAT-T<BR>Sep 24 14:39:34 whiskers pluto[7855]: adding interface
vnet0/vnet0 192.168.137.1:500<BR>Sep 24 14:39:34 whiskers pluto[7855]: adding
interface vnet0/vnet0 192.168.137.1:4500<BR>Sep 24 14:39:34 whiskers
pluto[7855]: adding interface eth0/eth0 22.123.34.56:500<BR>Sep 24 14:39:34
whiskers pluto[7855]: adding interface eth0/eth0 22.123.34.56:4500<BR>Sep 24
14:39:34 whiskers pluto[7855]: adding interface as0t0/as0t0 10.8.0.1:500<BR>Sep
24 14:39:34 whiskers pluto[7855]: adding interface as0t0/as0t0
10.8.0.1:4500<BR>Sep 24 14:39:34 whiskers pluto[7855]: adding interface
virbr0/virbr0 192.168.122.1:500<BR>Sep 24 14:39:34 whiskers pluto[7855]: adding
interface virbr0/virbr0 192.168.122.1:4500<BR>Sep 24 14:39:34 whiskers
pluto[7855]: adding interface tun0/tun0 172.16.0.1:500<BR>Sep 24 14:39:34
whiskers pluto[7855]: adding interface tun0/tun0 172.16.0.1:4500<BR>Sep 24
14:39:34 whiskers pluto[7855]: adding interface lo/lo 127.0.0.1:500<BR>Sep 24
14:39:34 whiskers pluto[7855]: adding interface lo/lo 127.0.0.1:4500<BR>Sep 24
14:39:34 whiskers pluto[7855]: adding interface lo/lo ::1:500<BR>Sep 24 14:39:34
whiskers pluto[7855]: loading secrets from "/etc/ipsec.secrets"<BR>Sep 24
14:39:34 whiskers pluto[7855]: "ait-2-torden-xen" #1: initiating Main
Mode<BR>Sep 24 14:39:34 whiskers pluto[7855]: "ait-2-torden-xen" #1: ignoring
unknown Vendor ID payload [3b9031dce4fcf88b489a923963dd0c49]<BR>Sep 24 14:39:34
whiskers pluto[7855]: "ait-2-torden-xen" #1: ignoring Vendor ID payload
[KAME/racoon]<BR>Sep 24 14:39:34 whiskers pluto[7855]: "ait-2-torden-xen" #1:
transition from state STATE_MAIN_I1 to state STATE_MAIN_I2<BR>Sep 24 14:39:34
whiskers pluto[7855]: "ait-2-torden-xen" #1: STATE_MAIN_I2: sent MI2, expecting
MR2<BR>Sep 24 14:39:34 whiskers pluto[7855]: "ait-2-torden-xen" #1: ignoring
Vendor ID payload [KAME/racoon]<BR>Sep 24 14:39:34 whiskers pluto[7855]:
"ait-2-torden-xen" #1: transition from state STATE_MAIN_I2 to state
STATE_MAIN_I3<BR>Sep 24 14:39:34 whiskers pluto[7855]: "ait-2-torden-xen" #1:
STATE_MAIN_I3: sent MI3, expecting MR3<BR>Sep 24 14:39:34 whiskers pluto[7855]:
"ait-2-torden-xen" #1: Main mode peer ID is ID_IPV4_ADDR: '12.234.22.224'<BR>Sep
24 14:39:34 whiskers pluto[7855]: "ait-2-torden-xen" #1: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4<BR>Sep 24 14:39:34 whiskers pluto[7855]:
"ait-2-torden-xen" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}<BR>Sep 24 14:39:34 whiskers pluto[7855]: "ait-2-torden-xen" #2:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1
msgid:7bf7d234 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1024}<BR>Sep 24
14:39:34 whiskers pluto[7855]: "ait-2-torden-xen" #1: ignoring informational
payload, type IPSEC_INITIAL_CONTACT msgid=00000000<BR>Sep 24 14:39:34 whiskers
pluto[7855]: "ait-2-torden-xen" #1: received and ignored informational
message<BR>Sep 24 14:39:35 whiskers pluto[7855]: "ait-2-torden-xen" #2:
transition from state STATE_QUICK_I1 to state STATE_QUICK_I2<BR>Sep 24 14:39:35
whiskers pluto[7855]: "ait-2-torden-xen" #2: STATE_QUICK_I2: sent QI2, IPsec SA
established tunnel mode {ESP=>0x0f5a7819 <0x4aa14507 xfrm=3DES_0-HMAC_SHA1
NATOA=none NATD=none DPD=none}<BR>Sep 24 14:39:35 whiskers pluto[7855]:
"ait-2-torden-xen" #1: the peer proposed: 192.168.122.0/24:0/0 ->
192.168.136.0/24:0/0<BR>Sep 24 14:39:35 whiskers pluto[7855]: "ait-2-torden-xen"
#3: responding to Quick Mode proposal {msgid:767b2eeb}<BR>Sep 24 14:39:35
whiskers pluto[7855]: "ait-2-torden-xen" #3: us:
192.168.122.0/24===22.123.34.56<22.123.34.56>[+S=C]<BR>Sep 24 14:39:35
whiskers pluto[7855]: "ait-2-torden-xen" #3: them:
22.123.34.1---12.234.22.224<12.234.22.224>[+S=C]===192.168.136.0/24<BR>Sep
24 14:39:35 whiskers pluto[7855]: "ait-2-torden-xen" #3: keeping
refhim=4294901761 during rekey<BR>Sep 24 14:39:35 whiskers pluto[7855]:
"ait-2-torden-xen" #3: transition from state STATE_QUICK_R0 to state
STATE_QUICK_R1<BR>Sep 24 14:39:35 whiskers pluto[7855]: "ait-2-torden-xen" #3:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<BR>Sep 24
14:39:35 whiskers pluto[7855]: "ait-2-torden-xen" #3: transition from state
STATE_QUICK_R1 to state STATE_QUICK_R2<BR>Sep 24 14:39:35 whiskers pluto[7855]:
"ait-2-torden-xen" #3: STATE_QUICK_R2: IPsec SA established tunnel mode
{ESP=>0x09076072 <0x874d4c6a xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none
DPD=none}<BR>Sep 24 14:40:10 whiskers pluto[7855]: "ait-2-torden-xen" #1:
received Delete SA(0x0f5a7819) payload: deleting IPSEC State #2<BR>Sep 24
14:40:10 whiskers pluto[7855]: "ait-2-torden-xen" #1: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0x4aa14507) not found (maybe expired)<BR>Sep 24
14:40:10 whiskers pluto[7855]: "ait-2-torden-xen" #1: received and ignored
informational message</FONT></DIV>
<DIV> </DIV><FONT face=Arial size=2>
<DIV><BR>I just do not understand what is happening... Is it something
deeper?</DIV>
<DIV> </DIV>
<DIV>000 using kernel interface: netkey<BR>000 interface lo/lo ::1<BR>000
interface lo/lo 127.0.0.1<BR>000 interface lo/lo 127.0.0.1<BR>000 interface
tun0/tun0 172.16.0.1<BR>000 interface tun0/tun0 172.16.0.1<BR>000 interface
virbr0/virbr0 192.168.122.1<BR>000 interface virbr0/virbr0 192.168.122.1<BR>000
interface as0t0/as0t0 10.8.0.1<BR>000 interface as0t0/as0t0 10.8.0.1<BR>000
interface eth0/eth0 22.123.34.56<BR>000 interface eth0/eth0 22.123.34.56<BR>000
interface vnet0/vnet0 192.168.137.1<BR>000 interface vnet0/vnet0
192.168.137.1<BR>000 %myid = (none)<BR>000 debug none<BR>000 <BR>000
virtual_private (%priv):<BR>000 - allowed 0 subnets: <BR>000 - disallowed 0
subnets: <BR>000 WARNING: Either virtual_private= was not specified, or there
was a syntax <BR>000 error
in that line. 'left/rightsubnet=%priv' will not work!<BR>000 <BR>000
algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64<BR>000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,
keysizemin=192, keysizemax=192<BR>000 algorithm ESP encrypt: id=6,
name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128<BR>000 algorithm ESP
encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448<BR>000
algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0<BR>000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8,
keysizemin=128, keysizemax=256<BR>000 algorithm ESP encrypt: id=13,
name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256<BR>000 algorithm ESP
encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128,
keysizemax=256<BR>000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
keysizemin=128, keysizemax=256<BR>000 algorithm ESP encrypt: id=16,
name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256<BR>000 algorithm ESP
encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128,
keysizemax=256<BR>000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8,
keysizemin=128, keysizemax=256<BR>000 algorithm ESP encrypt: id=20,
name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256<BR>000 algorithm ESP
encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128,
keysizemax=256<BR>000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256<BR>000 algorithm ESP auth attr: id=1,
name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128<BR>000 algorithm
ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160,
keysizemax=160<BR>000 algorithm ESP auth attr: id=5,
name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256<BR>000
algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160,
keysizemax=160<BR>000 algorithm ESP auth attr: id=9,
name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128<BR>000 algorithm ESP
auth attr: id=251, name=(null), keysizemin=0, keysizemax=0<BR>000 <BR>000
algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131<BR>000
algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8,
keydeflen=128<BR>000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC,
blocksize=8, keydeflen=192<BR>000 algorithm IKE encrypt: id=7,
name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128<BR>000 algorithm IKE encrypt:
id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128<BR>000 algorithm
IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16,
keydeflen=128<BR>000 algorithm IKE encrypt: id=65289,
name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128<BR>000 algorithm IKE
hash: id=1, name=OAKLEY_MD5, hashsize=16<BR>000 algorithm IKE hash: id=2,
name=OAKLEY_SHA1, hashsize=20<BR>000 algorithm IKE hash: id=4,
name=OAKLEY_SHA2_256, hashsize=32<BR>000 algorithm IKE hash: id=6,
name=OAKLEY_SHA2_512, hashsize=64<BR>000 algorithm IKE dh group: id=2,
name=OAKLEY_GROUP_MODP1024, bits=1024<BR>000 algorithm IKE dh group: id=5,
name=OAKLEY_GROUP_MODP1536, bits=1536<BR>000 algorithm IKE dh group: id=14,
name=OAKLEY_GROUP_MODP2048, bits=2048<BR>000 algorithm IKE dh group: id=15,
name=OAKLEY_GROUP_MODP3072, bits=3072<BR>000 algorithm IKE dh group: id=16,
name=OAKLEY_GROUP_MODP4096, bits=4096<BR>000 algorithm IKE dh group: id=17,
name=OAKLEY_GROUP_MODP6144, bits=6144<BR>000 algorithm IKE dh group: id=18,
name=OAKLEY_GROUP_MODP8192, bits=8192<BR>000 <BR>000 stats db_ops:
{curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
<BR>000 <BR>000 "ait-2-torden-xen":
192.168.122.0/24===22.123.34.56<22.123.34.56>[+S=C]...22.123.34.1---12.234.22.224<12.234.22.224>[+S=C]===192.168.136.0/24;
erouted; eroute owner: #3<BR>000 "ait-2-torden-xen":
myip=unset; hisip=unset;<BR>000 "ait-2-torden-xen": ike_life: 3600s;
ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0<BR>000
"ait-2-torden-xen": policy:
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+lKOD+rKOD; prio: 24,24; interface: eth0;
<BR>000 "ait-2-torden-xen": newest ISAKMP SA: #1; newest IPsec SA:
#3; <BR>000 "ait-2-torden-xen": IKE algorithm newest:
3DES_CBC_192-SHA1-MODP1024<BR>000 <BR>000 #3: "ait-2-torden-xen":500
STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28384s; newest IPSEC;
eroute owner; isakmp#1; idle; import:admin initiate<BR>000 #3:
"ait-2-torden-xen" esp.9076072@12.234.22.224 esp.874d4c6a@22.123.34.56 tun.0@12.234.22.224 tun.0@22.123.34.56 ref=0
refhim=4294901761<BR>000 #1: "ait-2-torden-xen":500 STATE_MAIN_I4 (ISAKMP SA
established); EVENT_SA_REPLACE in 2825s; newest ISAKMP; nodpd; idle;
import:admin initiate<BR>000 </DIV>
<DIV> </DIV>
<DIV><BR></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>JT Edwards<BR>Senior Solutions Architect
(Automation and Service Management)<BR>IBM Tivoli Certified<BR>Direct:
281-226-0284<BR>Direct: 512-772-3266<BR>Follow Me: 1866-866-4391 ext 1<BR>AIM
tstrike34<BR>GoogleTalk <A
href="mailto:tstrike34@gmail.com">tstrike34@gmail.com</A></FONT></DIV></BODY></HTML>