[Openswan dev] Openswan and Nortel Interop Problem (fwd)

Paul Wouters paul at xelerance.com
Wed Aug 23 19:10:56 EDT 2006


Perhaps someone on the developer list has an insight into this issue?

Paul

---------- Forwarded message ----------
Date: Wed, 23 Aug 2006 17:29:25 -0400
From: Peter McGill <petermcgill at goco.net>
To: users at openswan.org
Subject: [Openswan Users] Openswan and Nortel Interop Problem

The connection randomly goes down at renewals for approx one renewal period.
The only way to fix the connection before the next renewal is to manually reset it.

The pattern is always the same.

For a good renewal:
Phase 1 ISAKMP Main Mode SA renews.
Phase 2 IPSec Quick Mode SA renews.

For a failed renewal:
Phase 2 IPSec Quick Mode SA renews.
Phase 1 ISAKMP Main Mode SA renews.
Old Phase 1 expires and connection is torn down.

I've had this problem for the last 9 months or so.
It has persisted through a number of versions of Openswan and the Nortel switches.
I've tried so many different configurations that I'm almost certain it must
be a software bug in one of the switches or an incompatibility between them.

I'm currently running the following, testing with 2 Openswans and 2 Nortels.
Openswan 2.4.6/Linux Kernel 2.4.26 and Linux Kernel 2.4.31/Slackware Linux 10.0+
Nortel (Contivity Extranet/VPN) Switch 600+ Revision V05_00.136

Openswan

ipsec.conf:
version 2.0

config setup
        interfaces=%defaultroute
        uniqueids=yes # setting this or not setting this has no effect

include /etc/ipsec.d/examples/no_oe.conf

conn openswan-test
        left=<openswan pub ip>
        leftnexthop=%defaultroute
        leftsubnet=<openswan priv subnet>
        right=<nortel pub ip>
        rightnexthop=%defaultroute
        rightsubnet=<nortel priv subnet>
        keyexchange=ike
        auth=esp
        ike=aes128-sha1-modp1536 # or 3des-md5-modp1024
        esp=aes128-sha1 # or 3des-md5
        aggrmode=no
        pfs=yes
        compress=yes # or no
        # I have tried many combinations of ikelifetime and keylife
        # more than I have listed below.
        # ikelifetime < keylife, ikelifetime = keylife, ikelifetime > keylife
        # This changes the frequency and duration of the problem
        # but the problem does not go away.
        # Nortel only has one setting for both of these Rekey Timeout
        # and the connection works best if all 3 are equal.
        ikelifetime=8.0h # or 1.0h
        keylife=8.0h # or 1.0h
        rekey=yes
        keyingtries=%forever
        rekeymargin=9m
        rekeyfuzz=100%
        dpddelay=30 # setting dpd or not setting dpd* has no effect
        dpdtimeout=120
        dpdaction=restart # or clear or hold
        authby=secret
        auto=start # or route

ipsec.secrets:
<openswan pub ip> <nortel pub ip>
        : PSK "<psk>"

Nortel

Profiles -> Branch Office -> Group (Openswan Test) -> Configure:

Connectivity -> Configure:
All Fields -> Configure:
Access Hours: Anytime
Idle Timeout: 00:00:00
Forced Logoff: 00:00:00
OK

IPSec -> Configure:
All Fields -> Configure:
Encryption:
    ESP - 128-bit AES with SHA1 Integrity: Check/Enabled
or ESP - Triple DES with MD5 Integrity: Check/Enabled
    All Others: Uncheck/Disabled
IKE Encryption and Diffie-Hellman Group: 128-bit AES with Group 5 (1536-bit prime)
or IKE Encryption and Diffie-Hellman Group: Triple DES with Group 2 (1024-bit prime)
Aggressive Mode ISAKMP Initial Contact Payload: Disabled
Perfect Forward Secrecy: Enabled
Compression: Enabled or Disabled
Rekey Timeout: 08:00:00 or 01:00:00
OK

Profiles -> Branch Office -> Group (Openswan Test) -> Connections (Openswan Test) -> Configure:
Connection:
    Tunnel Type: IPSec
    Connection Type: Peer to Peer
    Enable: Check/Enabled
Endpoints:
    Local Ip Address: <nortel pub ip>
    Remote Ip Address: <openswan pub ip>
Authentication: Text Pre-Shared Key
    Text Pre-Shared Key: <psk>
    Confirm: <psk>
IP Configuration: Static
    Local Networks: <nortel priv subnet>
    Remote Networks: <openswan priv subnet>
OK

A Good Renewal

Openswan Log:
Aug 19 04:52:38 franklin pluto[11388]: "openswan-test" #6905: initiating Main Mode to replace #6404
Aug 19 04:52:38 franklin pluto[11388]: "openswan-test" #6905: ignoring unknown Vendor ID payload [424e455300000009]
Aug 19 04:52:38 franklin pluto[11388]: "openswan-test" #6905: received Vendor ID payload [Dead Peer Detection]
Aug 19 04:52:38 franklin pluto[11388]: "openswan-test" #6905: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 19 04:52:38 franklin pluto[11388]: "openswan-test" #6905: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 19 04:52:39 franklin pluto[11388]: "openswan-test" #6905: I did not send a certificate because I do not have one.
Aug 19 04:52:39 franklin pluto[11388]: "openswan-test" #6905: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 19 04:52:39 franklin pluto[11388]: "openswan-test" #6905: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 19 04:52:39 franklin pluto[11388]: "openswan-test" #6905: Main mode peer ID is ID_IPV4_ADDR: '<nortel pub ip>'
Aug 19 04:52:39 franklin pluto[11388]: "openswan-test" #6905: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 19 04:52:39 franklin pluto[11388]: "openswan-test" #6905: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1536}
Aug 19 04:56:27 franklin pluto[11388]: "openswan-test" #6910: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace #6406 {using isakmp#6905}
Aug 19 04:56:28 franklin pluto[11388]: "openswan-test" #6910: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 19 04:56:28 franklin pluto[11388]: "openswan-test" #6910: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xe601aeb5 <0xb7393a19 xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
Aug 19 05:07:16 franklin pluto[11388]: packet from <nortel pub ip>:500: Informational Exchange is for an unknown (expired?) SA
Aug 19 05:07:16 franklin pluto[11388]: packet from <nortel pub ip>:500: Informational Exchange is for an unknown (expired?) SA

Nortel System Log (The time is off, but it matches the above renewal):
 03:43:09 tEvtLgMgr 0 : Security [12] Session: IPSEC[<openswan pub ip>]:234 physical addresses: remote <openswan pub ip> local <nortel pub ip>
 03:43:09 tEvtLgMgr 0 : Security [12] Session: IPSEC[-]:236 physical addresses: remote <openswan pub ip> local <nortel pub ip>
 03:53:57 tEvtLgMgr 0 : Security [12] Session 6c83390:  IPSEC[-]:213 sib 0 logged out
 03:53:57 tEvtLgMgr 0 : Security [12] Session 6c829b8:  IPSEC[<openswan pub ip>]:212 sib 0 logged out

Nortel Event Log:
08/19/2006 03:39:19 0 Security [11] Session: IPSEC[<openswan pub ip>] attempting login
08/19/2006 03:39:19 0 Security [00] Session: IPSEC - found matching gateway session, caching parameters from gateway session
08/19/2006 03:39:20 0 ISAKMP [02] Oakley Main Mode proposal accepted from <openswan pub ip>
08/19/2006 03:39:20 0 Security [01] Session: IPSEC[<openswan pub ip>]:234 SHARED-SECRET authenticate attempt...
08/19/2006 03:39:20 0 Security [01] Session: IPSEC[<openswan pub ip>]:234 attempting authentication using LOCAL
08/19/2006 03:39:21 0 Security [11] Session: IPSEC[<openswan pub ip>]:234 authenticated using LOCAL
08/19/2006 03:39:21 0 Security [11] Session: IPSEC[<openswan pub ip>]:234 bound to group /Base/Openswan Test/Openswan Test
08/19/2006 03:39:21 0 Security [01] Session: IPSEC[<openswan pub ip>]:234 Building group filter permit all
08/19/2006 03:39:21 0 Security [01] Session: IPSEC[<openswan pub ip>]:234 Applying group filter permit all
08/19/2006 03:39:21 0 Security [11] Session: IPSEC[<openswan pub ip>]:234 authorized
08/19/2006 03:39:21 0 ISAKMP [02] ISAKMP SA established with <openswan pub ip>
08/19/2006 03:43:09 0 Security [11] Session: network IPSEC[<openswan subnet>] attempting login
08/19/2006 03:43:09 0 Security [11] Session: network IPSEC[<openswan subnet>] logged in from gateway [<openswan pub ip>]
08/19/2006 03:43:09 0 Security [12] Session: IPSEC[<openswan pub ip>]:234 physical addresses: remote <openswan pub ip> local <nortel pub ip>
08/19/2006 03:43:09 0 Security [12] Session: IPSEC[-]:236 physical addresses: remote <openswan pub ip> local <nortel pub ip>
08/19/2006 03:43:10 0 Outbound ESP from <nortel pub ip> to <openswan pub ip> SPI 0xb7393a19 [03] ESP encap session SPI 0x193a39b7 bound to s/w on cpu 0
08/19/2006 03:43:10 0 Inbound ESP from <openswan pub ip> to <nortel pub ip> SPI 0xe601aeb5 [03] ESP decap session SPI 0xb5ae01e6 bound to s/w on cpu 0
08/19/2006 03:43:10 0 Branch Office [00] 513a440 BranchOfficeCtxtCls::RegisterTunnel: rem[<openswan subnet>]@[<openswan pub ip>] loc[<nortel subnet>] overwriting tunnel context [5ac2d68] with [5ac2f50]
08/19/2006 03:43:10 0 ISAKMP [03] Established IPsec SAs with <openswan pub ip>:
08/19/2006 03:43:10 0 ISAKMP [03] ESP AES-CBC-HMAC-SHA outbound SPI 0xb7393a19
08/19/2006 03:43:10 0 ISAKMP [03] ESP AES-CBC-HMAC-SHA inbound SPI 0xe601aeb5

A Failed Renewal

Openswan Log:
Aug 19 12:39:22 franklin pluto[11388]: "openswan-test" #7385: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace #6910 {using isakmp#6905}
Aug 19 12:39:23 franklin pluto[11388]: "openswan-test" #7385: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 19 12:39:23 franklin pluto[11388]: "openswan-test" #7385: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x3e0804e2 <0xb7393bb3 xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
Aug 19 12:41:06 franklin pluto[11388]: "openswan-test" #7387: initiating Main Mode to replace #6905
Aug 19 12:41:06 franklin pluto[11388]: "openswan-test" #7387: ignoring unknown Vendor ID payload [424e455300000009]
Aug 19 12:41:06 franklin pluto[11388]: "openswan-test" #7387: received Vendor ID payload [Dead Peer Detection]
Aug 19 12:41:06 franklin pluto[11388]: "openswan-test" #7387: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 19 12:41:06 franklin pluto[11388]: "openswan-test" #7387: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 19 12:41:07 franklin pluto[11388]: "openswan-test" #7387: I did not send a certificate because I do not have one.
Aug 19 12:41:07 franklin pluto[11388]: "openswan-test" #7387: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 19 12:41:07 franklin pluto[11388]: "openswan-test" #7387: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 19 12:41:07 franklin pluto[11388]: "openswan-test" #7387: Main mode peer ID is ID_IPV4_ADDR: '<nortel pub ip>'
Aug 19 12:41:07 franklin pluto[11388]: "openswan-test" #7387: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 19 12:41:07 franklin pluto[11388]: "openswan-test" #7387: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1536}
Aug 19 12:52:39 franklin pluto[11388]: packet from <nortel pub ip>:500: Informational Exchange is for an unknown (expired?) SA
Aug 19 12:56:41 franklin pluto[11388]: "openswan-test" #7387: received Delete SA payload: deleting ISAKMP State #7387
Aug 19 12:56:41 franklin pluto[11388]: packet from <nortel pub ip>:500: received and ignored informational message
# If dpd is enabled then we also see this
Aug 19 12:57:02 franklin pluto[11388]: "openswan-test" #7385: DPD: Serious: could not find newest phase 1 state

Nortel System Log:
11:26:01 tEvtLgMgr 0 : Security [12] Session: IPSEC[<openswan pub ip>]:234 physical addresses: remote <openswan pub ip> local <nortel pub ip>
11:26:01 tEvtLgMgr 0 : Security [12] Session: IPSEC[-]:257 physical addresses: remote <openswan pub ip> local <nortel pub ip>
11:39:17 tEvtLgMgr 0 : Security [12] Session 6c83390:  IPSEC[-]:257 sib 0 logged out
11:39:17 tEvtLgMgr 0 : Security [12] Session 6c81fe0:  IPSEC[-]:236 sib 0 logged out
11:39:17 tEvtLgMgr 0 : Security [12] Session 6c82328:  IPSEC[<openswan pub ip>]:234 sib 0 logged out
*11:43:19 tEvtLgMgr 0 : ISAKMP [13] <openswan pub ip> has exceeded idle timeout - logging out
11:43:19 tEvtLgMgr 0 : Security [12] Session 6c81608:  IPSEC[<openswan pub ip>]:258 sib 0 logged out

Nortel Event Log:
08/19/2006 11:26:01 0 Security [11] Session: network IPSEC[<openswan subnet>] attempting login
08/19/2006 11:26:01 0 Security [11] Session: network IPSEC[<openswan subnet>] logged in from gateway [<openswan pub ip>]
08/19/2006 11:26:01 0 Security [12] Session: IPSEC[<openswan pub ip>]:234 physical addresses: remote <openswan pub ip> local <nortel pub ip>
08/19/2006 11:26:01 0 Security [12] Session: IPSEC[-]:257 physical addresses: remote <openswan pub ip> local <nortel pub ip>
08/19/2006 11:26:02 0 Outbound ESP from <nortel pub ip> to <openswan pub ip> SPI 0xb7393bb3 [03] ESP encap session SPI 0xb33b39b7 bound to s/w on cpu 0
08/19/2006 11:26:02 0 Inbound ESP from <openswan pub ip> to <nortel pub ip> SPI 0x3e0804e2 [03] ESP decap session SPI 0xe204083e bound to s/w on cpu 0
08/19/2006 11:26:02 0 Branch Office [00] 513a440 BranchOfficeCtxtCls::RegisterTunnel: rem[<openswan subnet>]@[<openswan pub ip>] loc[<nortel subnet>] overwriting tunnel context [5ac2f50] with [5ac2d68]
08/19/2006 11:26:02 0 ISAKMP [03] Established IPsec SAs with <openswan pub ip>:
08/19/2006 11:26:02 0 ISAKMP [03] ESP AES-CBC-HMAC-SHA outbound SPI 0xb7393bb3
08/19/2006 11:26:02 0 ISAKMP [03] ESP AES-CBC-HMAC-SHA inbound SPI 0x3e0804e2
08/19/2006 11:27:44 0 Security [11] Session: IPSEC[<openswan pub ip>] attempting login
08/19/2006 11:27:44 0 Security [00] Session: IPSEC - found matching gateway session, caching parameters from gateway session
08/19/2006 11:27:45 0 ISAKMP [02] Oakley Main Mode proposal accepted from <openswan pub ip>
08/19/2006 11:27:45 0 Security [01] Session: IPSEC[<openswan pub ip>]:258 SHARED-SECRET authenticate attempt...
08/19/2006 11:27:45 0 Security [01] Session: IPSEC[<openswan pub ip>]:258 attempting authentication using LOCAL
08/19/2006 11:27:45 0 Security [11] Session: IPSEC[<openswan pub ip>]:258 authenticated using LOCAL
08/19/2006 11:27:45 0 Security [11] Session: IPSEC[<openswan pub ip>]:258 bound to group /Base/Openswan Test/Openswan Test
08/19/2006 11:27:45 0 Security [01] Session: IPSEC[<openswan pub ip>]:258 Building group filter permit all
08/19/2006 11:27:46 0 Security [01] Session: IPSEC[<openswan pub ip>]:258 Applying group filter permit all
08/19/2006 11:27:46 0 Security [11] Session: IPSEC[<openswan pub ip>]:258 authorized
08/19/2006 11:27:46 0 ISAKMP [02] ISAKMP SA established with <openswan pub ip>
08/19/2006 11:39:17 0 ISAKMP [01] Delete message for ISAKMP SA received from <openswan pub ip>
08/19/2006 11:39:17 0 ISAKMP [03] Deleting IPsec SAs with <openswan pub ip>:
08/19/2006 11:39:17 0 ISAKMP [03] ESP AES-CBC-HMAC-SHA outbound SPI 0xb7393bb3
08/19/2006 11:39:17 0 ISAKMP [03] ESP AES-CBC-HMAC-SHA inbound SPI 0x3e0804e2
08/19/2006 11:39:17 0 IPvfy.05ac2d68{Tun} [00] destructor called 0x5ac2d68
08/19/2006 11:39:17 0 Security [12] Session 6c83390: IPSEC[-]:257 sib 0 logged out
08/19/2006 11:39:17 0 ISAKMP [03] ReRegistering tunnel 5ac2f50 fd0315ac ffffffff 715ac ffffff 193a39b7 0
08/19/2006 11:39:17 0 Branch Office [00] 513a440 BranchOfficeCtxtCls::RegisterTunnel: rem[<openswan subnet>]@[<openswan pub ip>] loc[<nortel subnet>] overwriting tunnel context [0] with [5ac2f50]
08/19/2006 11:39:17 0 ISAKMP [03] Deleting IPsec SAs with <openswan pub ip>:
08/19/2006 11:39:17 0 ISAKMP [03] ESP AES-CBC-HMAC-SHA outbound SPI 0xb7393a19
08/19/2006 11:39:17 0 ISAKMP [03] ESP AES-CBC-HMAC-SHA inbound SPI 0xe601aeb5
08/19/2006 11:39:17 0 IPvfy.05ac2f50{Tun} [00] destructor called 0x5ac2f50
08/19/2006 11:39:17 0 Security [12] Session 6c81fe0: IPSEC[-]:236 sib 0 logged out
08/19/2006 11:39:17 0 Security [12] Session 6c82328: IPSEC[<openswan pub ip>]:234 sib 0 logged out
08/19/2006 11:39:17 0 ISAKMP [02] Deleting ISAKMP SA with <openswan pub ip>
08/19/2006 11:43:06 0 ISAKMP [03] Delete message for IPsec SA received from <openswan pub ip>
08/19/2006 11:43:19 0 ISAKMP [13] <openswan pub ip> has exceeded idle timeout - logging out
08/19/2006 11:43:19 0 Security [12] Session 6c81608: IPSEC[<openswan pub ip>]:258 sib 0 logged out
08/19/2006 11:43:19 0 ISAKMP [02] Deleting ISAKMP SA with <openswan pub ip>


Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited
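The failure pattern in the report is an ordering one: in the bad cycle the Phase 2 (Quick Mode) SA is rekeyed under a Phase 1 (ISAKMP) SA that is itself replaced only minutes later, so the new child SA hangs off a parent about to expire. The following is an added example written for this page, not code from the thread or from the Openswan project, that walks pluto log lines in order and flags that ordering, along with the later "Delete SA" and DPD "could not find newest phase 1 state" events. The sample log is constructed from the pluto lines quoted above with the mail wrapping removed; the function names and the 9-minute default window (chosen to mirror the rekeymargin=9m in the posted ipsec.conf) are assumptions of the example.

```python
import re
from datetime import datetime

# Constructed sample: the two renewal sequences quoted in the report, with the
# mail client's line wrapping removed so that each pluto event is one line.
SAMPLE_LOG = """\
Aug 19 04:52:38 franklin pluto[11388]: "openswan-test" #6905: initiating Main Mode to replace #6404
Aug 19 04:52:39 franklin pluto[11388]: "openswan-test" #6905: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1536}
Aug 19 04:56:27 franklin pluto[11388]: "openswan-test" #6910: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace #6406 {using isakmp#6905}
Aug 19 04:56:28 franklin pluto[11388]: "openswan-test" #6910: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xe601aeb5 <0xb7393a19 xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
Aug 19 12:39:22 franklin pluto[11388]: "openswan-test" #7385: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace #6910 {using isakmp#6905}
Aug 19 12:39:23 franklin pluto[11388]: "openswan-test" #7385: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x3e0804e2 <0xb7393bb3 xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
Aug 19 12:41:06 franklin pluto[11388]: "openswan-test" #7387: initiating Main Mode to replace #6905
Aug 19 12:41:07 franklin pluto[11388]: "openswan-test" #7387: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1536}
Aug 19 12:56:41 franklin pluto[11388]: "openswan-test" #7387: received Delete SA payload: deleting ISAKMP State #7387
Aug 19 12:57:02 franklin pluto[11388]: "openswan-test" #7385: DPD: Serious: could not find newest phase 1 state
"""

# Syslog-style prefix shared by every pluto line (no year in the timestamp).
TS = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: "
MAIN_RE = re.compile(
    TS + r'"(?P<conn>[^"]+)" #(?P<st>\d+): initiating Main Mode to replace #(?P<old>\d+)')
QUICK_RE = re.compile(
    TS + r'"(?P<conn>[^"]+)" #(?P<st>\d+): initiating Quick Mode .* to replace #(?P<old>\d+) '
    r'\{using isakmp#(?P<ike>\d+)\}')
DEL_RE = re.compile(
    TS + r'"(?P<conn>[^"]+)" #(?P<st>\d+): received Delete SA payload: '
    r'deleting ISAKMP State #(?P<victim>\d+)')
DPD_RE = re.compile(
    TS + r'"(?P<conn>[^"]+)" #(?P<st>\d+): DPD: Serious: could not find newest phase 1 state')


def _ts(text):
    # strptime defaults the missing year to 1900; that is fine for the
    # intra-day deltas computed here (a year-end wrap is ignored).
    return datetime.strptime(text, "%b %d %H:%M:%S")


def analyze_rekeys(log_text, margin_s=9 * 60):
    """Walk pluto log lines in order and report rekey-ordering problems.

    margin_s (assumed here to mirror rekeymargin=9m in the posted config) is
    the window inside which a Phase 2 SA negotiated under a Phase 1 SA that
    is then replaced is reported as bound to an expiring parent.
    """
    children = {}   # Phase 2 state -> (time initiated, parent Phase 1 state)
    findings = []
    for line in log_text.splitlines():
        m = MAIN_RE.match(line)
        if m:
            now = _ts(m["ts"])
            for child, (when, parent) in children.items():
                age = int((now - when).total_seconds())
                if parent == m["old"] and age <= margin_s:
                    findings.append({
                        "kind": "phase2_before_phase1", "child": child,
                        "old_ike": m["old"], "new_ike": m["st"], "seconds": age})
            continue
        m = QUICK_RE.match(line)
        if m:
            children[m["st"]] = (_ts(m["ts"]), m["ike"])
            continue
        m = DEL_RE.match(line)
        if m:
            bound = sorted(c for c, (_, p) in children.items() if p == m["victim"])
            findings.append({"kind": "isakmp_deleted_by_peer",
                             "ike": m["victim"], "children_bound": bound})
            continue
        m = DPD_RE.match(line)
        if m:
            findings.append({"kind": "dpd_lost_phase1", "child": m["st"]})
    return findings


def summarize(findings):
    """Render findings as one-line operator messages."""
    out = []
    for f in findings:
        if f["kind"] == "phase2_before_phase1":
            out.append(f"Phase 2 #{f['child']} keyed under Phase 1 #{f['old_ike']} only "
                       f"{f['seconds']}s before it was replaced by #{f['new_ike']}: "
                       "child SA will outlive its parent")
        elif f["kind"] == "isakmp_deleted_by_peer":
            out.append(f"peer deleted Phase 1 #{f['ike']} (children bound: "
                       f"{f['children_bound'] or 'none'})")
        else:
            out.append(f"DPD on Phase 2 #{f['child']} found no Phase 1 state: tunnel is down")
    return out


if __name__ == "__main__":
    for msg in summarize(analyze_rekeys(SAMPLE_LOG)):
        print(msg)
```

Run against the sample, the analyzer stays silent for the good renewal (#6905 is negotiated first, then #6910 is keyed under it) and reports #7385 as keyed under #6905 only 104 seconds before #7387 replaced it, which is exactly the "Phase 2 renews, then Phase 1 renews, then the old Phase 1 expires" sequence described above. Pointing it at a live pluto log lets an operator spot the bad ordering at rekey time rather than discovering it when traffic stops.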
