<html><body><div style="color:#000; background-color:#fff; font-family:times new roman, new york, times, serif;font-size:12pt"><div style="RIGHT: auto"><SPAN style="RIGHT: auto"></SPAN></div>
<div style="RIGHT: auto">> > Q: If the powercycled unit comes back on, and reconnects to the other unit, the IPsec SA should be re-established and the older SA on the unit that did not get power cycled should get replaced. Are you not seeing that happening?<BR>
> > <BR>
> > R: I am not sure. If I select appropriate lines from syslog listing from Dev1 then I can see this:<BR>
> > ****************************************<BR>
State of Dev1: running<BR>
State of Dev2: power off<BR>
Let us start Dev2<BR>
> > Action: Dev2 - power on<BR>
Now let us see the reaction of IPsec system on Dev1<BR>
> > ****************************************<BR>
> > 2011-07-18 11:43:10 pluto[431]: "ipsec1" #9: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=0x0b056df3 0x17354389 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}<BR>
> > ****************************************<BR>
State of Dev1: running, IPsec tunnel reestablished - OK<BR>
State of Dev2: running<BR>
Let us reboot Dev2<BR>
> > Action: Dev2 - reboot<BR>
Now let us see the reaction of IPsec system on Dev1<BR>
> > ****************************************<BR>
> > 2011-07-18 11:47:59 pluto[431]: "ipsec1" #12: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=0xf05a1802 0x32e9fe4f xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}<BR>
> > ****************************************<BR>
State of Dev1: running, IPsec tunnel reestablished - OK<BR>
State of Dev2: running<BR>
Let us reboot Dev2<BR>
> > Action: Dev2 - another reboot<BR>
Now let us see the reaction of IPsec system on Dev1<BR>
> > ****************************************<BR>
> > 2011-07-18 11:59:07 pluto[431]: "ipsec1" #17: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2<BR>
> > 2011-07-18 11:59:07 pluto[431]: "ipsec1" #17: ERROR: netlink response for Add SA esp.b056df3@10.0.3.114 included errno 17: File exists<BR>
****************************************<BR>
State of Dev1: running, IPsec error<BR>
State of Dev2: running<BR>
><BR>
> My answer would be "that kernel did not actually reboot". SPIs are not serially numbered, so rebooting a device should give totally different SPI numbers. Try using "ip xfrm pol" and "ip xfrm state" before starting openswan. It should be totally empty. If not, there is some weird kernel state saving happening somewhere when you think the unit is rebooting.<BR>
><BR>
I see that I explained things badly. Let me clarify some details.<BR>
<BR>
1) Situation:<BR>
192.168.2.0/24==Dev1==10.0.2.125 <-> GSM network <-> 10.0.3.114==Dev2==192.168.3.0/24<BR>
<BR>
2) Dev1 is never restarted in any way. No power cycle (voltage off/on). No reboot (typing "reboot" on command line).<BR>
<BR>
3) Dev2 is power cycled only once and then rebooted twice.<BR>
<BR>
4) I have added some comment lines to the syslog listing above to make it more descriptive.<BR>
<BR>
> > Do you think I should use one of --debug-* options? Would it help to solve the problem?<BR>
><BR>
> I doubt it. NETKEY has no debugging facilities. This is already the most you can get the kernel to tell you.<BR>
><BR>
I tried --debug-dpd starting whack a few days ago and it gave some additional lines in syslog listing but nothing useful for me.<BR>
<BR>
L. Felgr<BR>
<BR>
> Paul<BR>
><BR>
><BR>
<BR><BR></div></div></body></html>
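An added example, not from this thread and not openswan's own code, that applies Paul's point about SPIs to Dev1's syslog: it scans the pluto lines quoted above (reassembled here onto single lines as constructed sample input) and reports an Add SA errno 17 whose SPI an earlier state already installed, which is exactly what the #9 and #17 lines show, as well as any SPI announced twice. The regexes, the function name and the finding layout are this example's own assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the pluto lines quoted in the thread, reassembled
# onto single lines as syslog writes them (timestamps and SPIs as in the thread).
SAMPLE_SYSLOG = [
    '2011-07-18 11:43:10 pluto[431]: "ipsec1" #9: STATE_QUICK_R2: IPsec SA established '
    'tunnel mode {ESP=0x0b056df3 0x17354389 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}',
    '2011-07-18 11:47:59 pluto[431]: "ipsec1" #12: STATE_QUICK_R2: IPsec SA established '
    'tunnel mode {ESP=0xf05a1802 0x32e9fe4f xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}',
    '2011-07-18 11:59:07 pluto[431]: "ipsec1" #17: STATE_QUICK_R1: sent QR1, '
    'inbound IPsec SA installed, expecting QI2',
    '2011-07-18 11:59:07 pluto[431]: "ipsec1" #17: ERROR: netlink response for Add SA '
    'esp.b056df3@10.0.3.114 included errno 17: File exists',
]

# A pluto line announcing a Phase 2 SA with its two ESP SPIs (one per direction).
ESTABLISHED_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): STATE_QUICK_R2: IPsec SA established '
    r'.*\{ESP=0x(?P<spi_a>[0-9a-fA-F]+) 0x(?P<spi_b>[0-9a-fA-F]+)')
# The netlink failure pluto logs when the kernel already holds an SA for that SPI and peer.
ADD_SA_ERR_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): ERROR: netlink response for Add SA '
    r'esp\.(?P<spi>[0-9a-fA-F]+)@(?P<dst>[0-9.]+) included errno (?P<errno>\d+)')

Finding = Tuple[str, str, str, str, Optional[str]]  # kind, state, spi, dst, first state

def audit_spi_reuse(lines: List[str]) -> List[Finding]:
    """Scan pluto syslog lines in order and report what a freshly rebooted peer
    should never produce: an SPI announced again by a later state ("reuse") and an
    Add SA errno 17 whose SPI an earlier state already installed ("eexist")."""
    first_seen: Dict[int, str] = {}   # SPI value -> state number that first announced it
    findings: List[Finding] = []
    for line in lines:
        m = ESTABLISHED_RE.search(line)
        if m:
            for key in ("spi_a", "spi_b"):
                spi = int(m.group(key), 16)          # normalises 0x0b056df3 vs b056df3
                if spi in first_seen:
                    findings.append(("reuse", m.group("state"), f"0x{spi:08x}", "", first_seen[spi]))
                else:
                    first_seen[spi] = m.group("state")
            continue
        m = ADD_SA_ERR_RE.search(line)
        if m and m.group("errno") == "17":           # EEXIST from the kernel
            spi = int(m.group("spi"), 16)
            findings.append(("eexist", m.group("state"), f"0x{spi:08x}",
                             m.group("dst"), first_seen.get(spi)))
    return findings
```

Running it over the thread's lines yields one finding: state #17's EEXIST on 0x0b056df3 towards 10.0.3.114, an SPI first installed by state #9, which is what "ip xfrm state" on Dev1 would also still list.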