Hi, all:<div><br></div>
<div>I configured a net2net IPsec tunnel with openswan 2.6.31 on both sides. Here are the two connection topologies:</div>
<div><br></div>
<div>1. Connection topology</div>
<div>connection 1: Server A-->GWA-----INTERNET------------Server B.</div>
<div>connection 2: Server C-->GWB-----INTERNET------------GWA-->ServerA</div>
<div><br></div>
<div>2. Connection 1 config file on Server A:</div>
<div><br></div>
<div>conn STEST2</div>
<div> type = tunnel</div>
<div> auto = start</div>
<div> keyexchange = ike</div>
<div> authby = secret</div>
<div> auth = esp</div>
<div> esp = 3DES-MD5</div>
<div> ike = 3DES-MD5-MODP1024</div>
<div> aggrmode = yes</div>
<div> pfs = yes</div>
<div> left = %defaultroute</div>
<div> right = #SERVER B IP#</div>
<div> leftid = @y</div>
<div> rightid = @x</div>
<div> dpddelay = 30</div>
<div> dpdtimeout = 120</div>
<div> dpdaction = restart_by_peer</div>
<div> leftsubnets = {x.x.x.x/x.x.x.x}</div>
<div> rightsubnets = {x.x.x.x/x.x.x.x}</div>
<div>#</div>
<div><br></div>
<div><br></div>
<div>3. Connection 1 config file on Server B:</div>
<div><br></div>
<div>conn STEST2</div>
<div> type = tunnel</div>
<div> auto = add</div>
<div> keyexchange = ike</div>
<div> authby = secret</div>
<div> auth = esp</div>
<div> esp = 3DES-MD5</div>
<div> ike = 3DES-MD5-MODP1024</div>
<div> aggrmode = yes</div>
<div> pfs = yes</div>
<div> left = %defaultroute</div>
<div> right = 0.0.0.0</div>
<div> leftid = @x</div>
<div> rightid = @y</div>
<div> dpddelay = 30</div>
<div> dpdtimeout = 120</div>
<div> dpdaction = hold</div>
<div> leftsubnets = {x.x.x.x/x.x.x.x}</div>
<div> rightsubnets = {x.x.x.x/x.x.x.x}</div>
<div><br></div>
<div><br></div>
<div>Because Server C has to connect to Server A, I have NATed ports 500 and 4500 to Server A on GWA.</div>
<div><br></div>
<div>In the beginning, everything is fine: the IPsec SA is established and pings succeed from each side to the other, but after a day or two connection 1 is down.</div>
<div><br></div>
<div>4. I checked the tunnel status on Server A and Server B.</div>
<div> Server A shows IPsec phase 2.</div>
<div> Server B shows IPsec phase 1.</div>
<div><br></div>
<div>5. Log files on both sides</div>
<div><br></div>
<div> on Server A:</div>
<div>Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9561: initiating Aggressive Mode #9561, connection "changxingdao/1x1"</div>
<div>Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9561: received Vendor ID payload [Dead Peer Detection]</div>
<div>Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9561: received Vendor ID payload [RFC 3947] method set to=109</div>
<div>Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9561: Aggressive mode peer ID is ID_FQDN: '@c'</div>
<div>Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9561: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed</div>
<div>Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9561: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2</div>
<div>Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9561: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}</div>
<div>Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9561: Dead Peer Detection (RFC 3706): enabled</div>
<div>Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9562: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW {using isakmp#9561 msgid:d74d6729 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}</div>
<div>Jan 12 08:10:12 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9561: retransmitting in response to duplicate packet; already STATE_AGGR_I2</div>
<div>Jan 12 08:10:32 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9561: retransmitting in response to duplicate packet; already STATE_AGGR_I2</div>
<div>Jan 12 08:11:13 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9562: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal</div>
<div>Jan 12 08:11:13 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9562: starting keying attempt 2 of an unlimited number</div>
<div>Jan 12 08:11:13 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9563: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW to replace #9562 {using isakmp#9561 msgid:8ae153af proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}</div>
<div>Jan 12 08:12:23 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9563: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal</div>
<div>Jan 12 08:12:23 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9563: starting keying attempt 3 of an unlimited number</div>
<div>Jan 12 08:12:23 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9564: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW to replace #9563 {using isakmp#9561 msgid:0d7aa774 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}</div>
<div>Jan 12 08:12:32 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9561: DPD: No response from peer - declaring peer dead</div>
<div>Jan 12 08:12:32 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9561: DPD: Restarting all connections that share this peer</div>
<div>Jan 12 08:12:32 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9561: terminating SAs using this connection</div>
<div>Jan 12 08:12:32 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9564: deleting state (STATE_QUICK_I1)</div>
<div>Jan 12 08:12:32 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9561: deleting state (STATE_AGGR_I2)</div>
<div><br></div>
<div> on Server B:</div>
<div><br></div>
<div>Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: packet from X:500: received Vendor ID payload [Dead Peer Detection]</div>
<div>Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: packet from X:500: received Vendor ID payload [RFC 3947] method set to=109</div>
<div>Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: packet from X:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109</div>
<div>Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: packet from X:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109</div>
<div>Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: packet from X:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109</div>
<div>Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: packet from X:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]</div>
<div>Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: "STEST1/1x1"[191] X #273: Aggressive mode peer ID is ID_FQDN: '@a'</div>
<div>Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: "STEST1/1x1"[191] X #273: responding to Aggressive Mode, state #273, connection "STEST/1x1" from 114.87.175.117</div>
<div>Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: "STEST1/1x1"[191] X #273: enabling possible NAT-traversal with method 4</div>
<div>Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: "STEST1/1x1"[191] X #273: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1</div>
<div>Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: "STEST1/1x1"[191] X #273: STATE_AGGR_R1: sent AR1, expecting AI2</div>
<div>Jan 12 09:08:53 (none) authpriv.warn pluto[1200]: "STEST1/1x1"[191] X #272: max number of retransmissions (2) reached STATE_AGGR_R1</div>
<div>Jan 12 09:09:31 (none) authpriv.warn pluto[1200]: "STEST1/1x1"[191] X #273: max number of retransmissions (2) reached STATE_AGGR_R1</div>
<div><br></div>
<div><br></div>
<div>I tried restarting ipsec on both sides, even rebooting the machine; nothing changed. It seems that UDP 4500 between Server A and Server B is down, so I ran tcpdump on Server A and Server B.</div>
<div><br></div>
<div>6. tcpdump on both sides</div>
<div><br></div>
<div> tcpdump on Server A shows UDP port 500 traffic between A and B, and we can see UDP 4500 packets sent from Server A to Server B, but no reply!</div>
<div> On Server B, it only shows UDP port 500 packets, no UDP port 4500 at all.</div>
<div><br></div>
<div>7. Accidentally, I disabled ipsec on Server A for a few minutes, maybe 5 minutes, and restarted ipsec: IPsec SA established!</div>
<div><br></div>
<div><br></div>
<div>I think this issue is related to the Linux ip_conntrack module. Maybe something bad happened on GWA with connection 1: after I stopped ipsec on Server A for 5 minutes, the UDP connections expired on GWA, and when I restarted ipsec on Server A after 5 minutes, new UDP connections on port 500 and port 4500 could be established.</div>
<div><br></div>
<div>But I can't do anything on GWA. Is this an openswan issue or a Linux ip_conntrack issue? Do we have some parameters to deal with this situation?</div>
<div><br></div>
<div>I need your help!</div>
<div><br></div>
<div>Thanks in advance</div>
<div><br></div>
<div>--ZPL</div>
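<div>As an added example that is not part of the post above and not openswan's own code, here is a small Python script that reads the pluto lines quoted in the post and extracts the signature this thread is about. With RFC 3947 NAT traversal, once the initiator logs "i am NATed" the rest of the exchange (AI2 and Quick Mode) moves to UDP 4500; so an initiator that reports "ISAKMP SA established" but then exhausts Quick Mode retransmissions, paired with a responder stuck in STATE_AGGR_R1 "expecting AI2", is consistent with the tcpdump observation that Server A's 4500 packets never reach Server B. The script distinguishes that from the "perhaps peer likes no proposal" hint, which on its own would suggest a proposal mismatch. The sample logs are the post's own lines (rejoined where the mail client wrapped the connection name); the regex, field names and the two-timeout threshold are my own assumptions.</div>

```python
import re
from collections import defaultdict

# Log lines taken from the post (Server A, then Server B), with the connection
# name rejoined onto one line where the mail client wrapped it.
SERVER_A_LOG = """\
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9561: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9561: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9562: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW {using isakmp#9561 msgid:d74d6729 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 12 08:11:13 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9562: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jan 12 08:12:23 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9563: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jan 12 08:12:32 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9561: DPD: No response from peer - declaring peer dead
"""

SERVER_B_LOG = """\
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: "STEST1/1x1"[191] X #273: enabling possible NAT-traversal with method 4
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: "STEST1/1x1"[191] X #273: STATE_AGGR_R1: sent AR1, expecting AI2
Jan 12 09:08:53 (none) authpriv.warn pluto[1200]: "STEST1/1x1"[191] X #272: max number of retransmissions (2) reached STATE_AGGR_R1
Jan 12 09:09:31 (none) authpriv.warn pluto[1200]: "STEST1/1x1"[191] X #273: max number of retransmissions (2) reached STATE_AGGR_R1
"""

# Matches the '"conn" #state: message' part of a pluto line. The responder side
# inserts an instance suffix such as '[191] X' between the name and the state
# number; lines without a quoted connection name (e.g. "packet from X:500")
# carry no state number and are skipped. Pattern is an assumption of this example.
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\] \S+)? #(?P<state>\d+): (?P<msg>.*)$')


def parse_pluto(text):
    """Yield (connection, state number, message) for lines that carry a state number."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("conn"), int(m.group("state")), m.group("msg")


def diagnose(text):
    """Tally, per connection, the events that separate a dead UDP/4500 path
    from a proposal mismatch or a wrong pre-shared key."""
    empty = {"nated": False, "isakmp_established": False,
             "quick_mode_timeouts": 0, "aggr_r1_timeouts": 0, "dpd_dead": False}
    findings = defaultdict(lambda: dict(empty))
    for conn, _state, msg in parse_pluto(text):
        f = findings[conn]
        if "i am NATed" in msg:                       # initiator detected NAT: floats to 4500
            f["nated"] = True
        if "ISAKMP SA established" in msg:            # initiator considers phase 1 done
            f["isakmp_established"] = True
        if "max number of retransmissions" in msg:
            if "STATE_QUICK_I1" in msg:               # initiator: Quick Mode never answered
                f["quick_mode_timeouts"] += 1
            elif "STATE_AGGR_R1" in msg:              # responder: AI2 never arrived
                f["aggr_r1_timeouts"] += 1
        if "declaring peer dead" in msg:
            f["dpd_dead"] = True
    return dict(findings)


def verdict(findings, min_timeouts=2):
    """Map each connection to a one-line reading of its tallies."""
    out = {}
    for conn, f in findings.items():
        if f["nated"] and f["isakmp_established"] and f["quick_mode_timeouts"] >= min_timeouts:
            out[conn] = ("initiator: phase 1 done, NAT detected, Quick Mode never answered; "
                         "check that UDP/4500 reaches the peer (tcpdump, NAT/conntrack state)")
        elif f["aggr_r1_timeouts"] >= 1 and not f["isakmp_established"]:
            out[conn] = ("responder: sent AR1 but no AI2 arrived; compare with the initiator "
                         "log (if it reports 'sent AI2', the UDP/4500 path is suspect)")
        else:
            out[conn] = "no NAT-T path signature"
    return out


if __name__ == "__main__":
    for name, log in (("Server A", SERVER_A_LOG), ("Server B", SERVER_B_LOG)):
        for conn, text in verdict(diagnose(log)).items():
            print(f"{name} {conn}: {text}")
```

<div>The responder-side signature is ambiguous on its own (an initiator that rejected AR1, for example because of a PSK mismatch, would also never send AI2), which is why the verdict asks for the initiator log; only the pair of logs, as in this post, points at the path rather than at the peers. The five-minute recovery described in step 7 is what one would expect from a Linux NAT gateway's UDP conntrack entry timing out: the stream timeout is the sysctl net.netfilter.nf_conntrack_udp_timeout_stream (net.ipv4.netfilter.ip_conntrack_udp_timeout_stream for the old ip_conntrack module the post names), 180 seconds by default, and on a gateway you administer the live entries can be listed with conntrack -L -p udp --dport 4500 to see which internal host the 4500 mapping currently points at.</div>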