[Openswan dev] bug report (auto=add &auto=start)

Alex linux at vfemail.net
Mon Jun 18 18:12:31 EDT 2007


Hi Paul,

> So for some reason the ipsec auto --up connname is failling, even though it
> seems to be triggered enough to work later on.

Many thanks for your reply... Can this be fixed in future Openswan releases?

I lost 2 days reading the output from ipsec barf due to this stupid message ... 
trying to find an ERROR in my config ... which does not exist ...!!! This is 
just a WARNING, not an error ... and it is not documented anywhere, and the 
output in my syslog looks like ipsec has "encountered an error and given 
up suddenly"! I saw a lot of posts on the web complaining about this "error" 
and NO FIX/REPLY or EXPLANATION!

> Did you set plutowait to 
> yes, or did you not specifiy it so it is using the default of no?
>

Not specified, so it is the default!

> Can you try issuing this on one end:
>

yes, see below:

> ipsec auto --replace connname
> ipsec auto --up --asynchronous connname
> echo $?
>
on the left router:

[root at dev13 ~]# /etc/rc.d/init.d/ipsec start
ipsec_setup: Starting Openswan IPsec 2.4.8...
[root at dev13 ~]# ./eroute.pl
 in 10.0.100.0/24      -> 192.168.13.0/24    => tun0x176 at MY_RIGHT_IP
out 10.0.100.0/24      -> 192.168.13.0/24    => tun0x169 at MY_RIGHT_IP
fwd 10.0.100.0/24      -> 192.168.13.0/24    => tun0x186 at MY_RIGHT_IP

In /var/log/messages appear:
Jun 19 00:21:43 dev13 kernel: NET: Registered protocol family 15
Jun 19 00:21:43 dev13 ipsec_setup: NETKEY on eth0 MY_LEFT_IP/255.255.255.0 broadcast x.y.z.255
Jun 19 00:21:43 dev13 ipsec_setup: ...Openswan IPsec started
Jun 19 00:21:43 dev13 ipsec_setup: Starting Openswan IPsec 2.4.8...
Jun 19 00:21:45 dev13 ipsec__plutorun: 104 "z1" #1: STATE_MAIN_I1: initiate
Jun 19 00:21:45 dev13 ipsec__plutorun: ...could not start conn "z1"

[root at dev13 ~]# ipsec auto --replace z1
[root at dev13 ~]# ipsec auto --up --asynchronous z1
104 "z1" #5: STATE_MAIN_I1: initiate
[root at dev13 ~]# echo $?
104
[root at dev13 ~]#

And, in /var/log/secure we have:
Jun 19 00:24:31 dev13 pluto[4424]: "z1": deleting connection
Jun 19 00:24:31 dev13 pluto[4424]: "z1" #4: deleting state (STATE_QUICK_R2)
Jun 19 00:24:31 dev13 pluto[4424]: "z1" #3: deleting state (STATE_MAIN_R3)
Jun 19 00:24:31 dev13 pluto[4424]: "z1" #2: deleting state (STATE_QUICK_I2)
Jun 19 00:24:31 dev13 pluto[4424]: "z1" #1: deleting state (STATE_MAIN_I4)
Jun 19 00:24:31 dev13 pluto[4424]: added connection description "z1"
Jun 19 00:24:31 dev13 pluto[4424]: packet from MY_RIGHT_IP:500: Informational Exchange is for an unknown (expired?) SA
Jun 19 00:24:31 dev13 last message repeated 2 times
Jun 19 00:24:38 dev13 pluto[4424]: "z1" #5: initiating Main Mode
Jun 19 00:24:38 dev13 pluto[4424]: "z1" #5: ignoring unknown Vendor ID payload [4f455a7e4261425d725c705f]
Jun 19 00:24:38 dev13 pluto[4424]: "z1" #5: received Vendor ID payload [Dead Peer Detection]
Jun 19 00:24:38 dev13 pluto[4424]: "z1" #5: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 19 00:24:38 dev13 pluto[4424]: "z1" #5: STATE_MAIN_I2: sent MI2, expecting MR2
Jun 19 00:24:38 dev13 pluto[4424]: "z1" #5: I did not send a certificate because I do not have one.
Jun 19 00:24:38 dev13 pluto[4424]: "z1" #5: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 19 00:24:38 dev13 pluto[4424]: "z1" #5: STATE_MAIN_I3: sent MI3, expecting MR3
Jun 19 00:24:38 dev13 pluto[4424]: "z1" #5: Main mode peer ID is ID_IPV4_ADDR: 'MY_RIGHT_IP'
Jun 19 00:24:38 dev13 pluto[4424]: "z1" #5: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun 19 00:24:38 dev13 pluto[4424]: "z1" #5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jun 19 00:24:38 dev13 pluto[4424]: "z1" #6: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#5}
Jun 19 00:24:39 dev13 pluto[4424]: "z1" #6: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 19 00:24:39 dev13 pluto[4424]: "z1" #6: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x96d98dcc <0xbf521405 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Jun 19 00:24:50 dev13 pluto[4424]: "z1" #5: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xaa62fac5) not found (maybe expired)
Jun 19 00:24:50 dev13 pluto[4424]: "z1" #5: received and ignored informational message

[root at dev13 ~]#

> And tell us what you see?
>

Also, if I add on my left router, in my ipsec.conf:
config setup
    plutowait=yes
and keep the rest intact, the message disappears from my syslog:

[root at dev13 ~]# /etc/rc.d/init.d/ipsec status
IPsec stopped
[root at dev13 ~]# /etc/rc.d/init.d/ipsec start
ipsec_setup: Starting Openswan IPsec U2.4.8/K2.6.9-55.EL...
[root at dev13 ~]# ./eroute.pl
 in 10.0.100.0/24      -> 192.168.13.0/24    => tun0x272 at MY_RIGHT_IP
out 10.0.100.0/24      -> 192.168.13.0/24    => tun0x265 at MY_RIGHT_IP
fwd 10.0.100.0/24      -> 192.168.13.0/24    => tun0x282 at MY_RIGHT_IP
[root at dev13 ~]#

That strange message doesn't appear in /var/log/messages:
Jun 19 00:37:40 dev13 ipsec_setup: ...Openswan IPsec started
Jun 19 00:37:40 dev13 ipsec_setup: Starting Openswan IPsec U2.4.8/K2.6.9-55.EL...
Jun 19 00:37:42 dev13 ipsec__plutorun: 104 "z1" #1: STATE_MAIN_I1: initiate
Jun 19 00:37:42 dev13 ipsec__plutorun: 003 "z1" #1: ignoring unknown Vendor ID payload [4f455a7e4261425d725c705f]
Jun 19 00:37:42 dev13 ipsec__plutorun: 003 "z1" #1: received Vendor ID payload [Dead Peer Detection]
Jun 19 00:37:42 dev13 ipsec__plutorun: 106 "z1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jun 19 00:37:42 dev13 ipsec__plutorun: 108 "z1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jun 19 00:37:42 dev13 ipsec__plutorun: 004 "z1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jun 19 00:37:42 dev13 ipsec__plutorun: 117 "z1" #2: STATE_QUICK_I1: initiate
Jun 19 00:37:42 dev13 ipsec__plutorun: 004 "z1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x74f98d3e <0x8228314a xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}

So, a quick fix to this problem is to add to /etc/ipsec.conf:
config setup
    plutowait=yes
^^^^^^^^^^^^^^^^

Regards,
Alex
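The exit status 104 in the asynchronous run above, and why the start-up script reports it as "could not start conn", as an added example that is not part of the original post and is not Openswan's own code: a POSIX shell script that mirrors, as I understand them from Openswan's whack.h and whack.c, the 3-digit RC-code prefix on whack's output lines and the rule whack uses to turn the last such code into its exit status. The sample lines are constructed from the logs in this post; the code ranges (000/002 log, 004 success, 1xx new state, 2xx notification, 3xx fatal) and the "last code wins, 004 maps to 0" rule are assumptions to check against your own source tree.

```shell
#!/bin/sh
# Added example, not from the original post or from Openswan. Reproduces the
# mapping from whack status-line prefixes to whack's exit status, using log
# lines constructed from the post. RC code meanings are assumed from whack.h.

# Class of one 3-digit RC code (assumed ranges, see lead-in).
rc_class() {
    case "$1" in
        000|002)     echo log ;;      # RC_COMMENT / RC_LOG: ignored for exit status
        003)         echo serious ;;  # RC_LOG_SERIOUS: logged, still not an error
        004)         echo success ;;  # RC_SUCCESS: the SA was established
        1[0-9][0-9]) echo state ;;    # RC_NEW_STATE+n: negotiation in progress, not a failure
        2[0-9][0-9]) echo notify ;;   # RC_NOTIFICATION+n: peer sent an ISAKMP notification
        3[0-9][0-9]) echo fatal ;;    # RC_FATAL+n: pluto cannot proceed
        *)           echo problem ;;  # 001, 010-099: whack/pluto problems (unknown name, no key, ...)
    esac
}

# Exit status whack would return for a run whose output is $1, one status
# message per line, either bare ("104 ...") or as syslogged by _plutorun
# ("... ipsec__plutorun: 104 ..."). Assumed rule from whack.c: 000 and 002
# are ignored, 004 becomes 0, and the last remaining code is the exit status.
whack_exit_status() {
    printf '%s\n' "$1" | awk '
        {
            if (match($0, /^[0-9][0-9][0-9] /))
                rc = substr($0, 1, 3) + 0
            else if (match($0, /plutorun: [0-9][0-9][0-9] /))
                rc = substr($0, RSTART + 10, 3) + 0   # skip "plutorun: "
            else
                next
            if (rc == 0 || rc == 2) next               # RC_COMMENT / RC_LOG
            status = (rc == 4) ? 0 : rc                # RC_SUCCESS -> 0, else pass through
        }
        END { print status + 0 }'
}

# True when the output in $1 shows the IPsec SA coming up (the line pluto logs
# on reaching STATE_QUICK_I2/R2), which is the check that actually matters.
sa_established() {
    printf '%s\n' "$1" | grep -q 'IPsec SA established'
}

# Constructed from the post: "ipsec auto --up --asynchronous z1" returns after
# the first state line, so its exit status is 104.
ASYNC_RUN='104 "z1" #5: STATE_MAIN_I1: initiate'

# Constructed from the post: the synchronous run with plutowait=yes as
# _plutorun logged it; the last code is 004, so the exit status is 0.
SYNC_RUN='Jun 19 00:37:42 dev13 ipsec__plutorun: 104 "z1" #1: STATE_MAIN_I1: initiate
Jun 19 00:37:42 dev13 ipsec__plutorun: 003 "z1" #1: ignoring unknown Vendor ID payload [4f455a7e4261425d725c705f]
Jun 19 00:37:42 dev13 ipsec__plutorun: 003 "z1" #1: received Vendor ID payload [Dead Peer Detection]
Jun 19 00:37:42 dev13 ipsec__plutorun: 106 "z1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jun 19 00:37:42 dev13 ipsec__plutorun: 108 "z1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jun 19 00:37:42 dev13 ipsec__plutorun: 004 "z1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jun 19 00:37:42 dev13 ipsec__plutorun: 117 "z1" #2: STATE_QUICK_I1: initiate
Jun 19 00:37:42 dev13 ipsec__plutorun: 004 "z1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x74f98d3e <0x8228314a xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}'

async_status=$(whack_exit_status "$ASYNC_RUN")
sync_status=$(whack_exit_status "$SYNC_RUN")
printf 'asynchronous --up: exit %s, class %s\n' "$async_status" "$(rc_class "$async_status")"
printf 'synchronous --up:  exit %s, SA established: %s\n' "$sync_status" \
    "$(sa_established "$SYNC_RUN" && echo yes || echo no)"
```

The point of the two sample runs is that 104 is the code of the last line whack happened to see before `--asynchronous` made it return, not a verdict on the connection: a 1xx code only says which state the negotiation had reached. A script that wraps `ipsec auto --up` with `plutowait=no` should therefore not treat a non-zero exit as failure; it should go on to confirm the tunnel, for example by polling `ipsec auto --status` until the connection's state line carries "IPsec SA established" (the same phrase `sa_established` above looks for), and treat 2xx/3xx codes or a timeout as the actual error.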

