Hi,

Yesterday I sent the same comment to the users' list, but I think it would be more appropriate to discuss the bug on the dev list.

I have been using openswan 2.6.24 with NETKEY for quite a long time. I had a requirement for DynDNS-based remote host support for making the connections. As support for this has been added, I tried it with the 2.6.24 version and could not succeed.
I searched and found bug #1201 with the exact reason, so I upgraded to version 2.6.33. But the problem is still there. I even tried the latest version, i.e. 2.6.38, but the result is the same.

According to the RCA done for the bug, "conn->dnshostname" is NULL. The specified solution was to work with ipsec whack.

I tried that. Please correct me if my approach to the problem is wrong. I have set the remote to "ddnstest" and added an entry in the /etc/hosts file.
I add one connection with ipsec whack and initiate the connection. Later I change my remote host's IP and add the corresponding entry in /etc/hosts.
The dpdtimeout happens as the former IP is no longer available, and thus I get the DPD timeout, in which case my DPD action (restart) triggers the initiation of the connection. Still my connection is initiated to the same IP as before.

Please point out if I am doing something wrong.
Find below the details of the steps I have done so far and the logs.

root@ng:~# ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth2.2/eth2.2 10.103.7.133
000 interface eth2.2/eth2.2 10.103.7.133
000 interface br-lan/br-lan 10.1.2.1
000 interface br-lan/br-lan 10.1.2.1
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= is not specified, or there is a syntax
000 error in that line. 'left/rightsubnet=vhost:%priv' will not work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000 private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,36} trans={0,2,216} attrs={0,2,288}
000
root@ng:~#

root@ng:~# cat /etc/ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification

config setup
    nat_traversal=yes
    oe=off
    protostack=netkey

conn ngpassthrough
    left=10.1.2.1
    right=0.0.0.0
    leftsubnet=10.1.2.0/255.255.255.0
    rightsubnet=10.1.2.0/255.255.255.0
    authby=never
    type=passthrough
    auto=route

conn ng
    right=ddnstest
    rightsubnet=10.1.1.0/24
    left=10.103.7.133
    leftsubnet=10.1.2.0/255.255.255.0
    leftnexthop=10.103.6.1
    auto=start
    #x_rightdynamic=yes
    authby=secret
    compress=no
    failureshunt=drop
    dpddelay=15
    dpdtimeout=60
    dpdaction=restart
    pfs=yes
    ike=aes128-md5-modp1024,aes192-md5-modp1024,aes256-md5-modp1024,aes128-sha1-modp1024,aes192-sha1-modp1024,aes256-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024,aes128-md5-modp1536,aes192-md5-modp1536,aes256-md5-modp1536,aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536,3des-md5-modp1536,3des-sha1-modp1536,aes128-md5-modp2048,aes192-md5-modp2048,aes256-md5-modp2048,aes128-sha1-modp2048,aes192-sha1-modp2048,aes256-sha1-modp2048,3des-md5-modp2048,3des-sha1-modp2048
    esp=aes128-md5,aes192-md5,aes256-md5,aes128-sha1,aes192-sha1,aes256-sha1,3des-md5,3des-sha1

root@ng:~# cat /etc/ipsec.secrets
10.103.7.133 ddnstest : PSK "adminadmin"
root@ng:~#

root@ng:~# ipsec whack --name test --encrypt --tunnel --pfs --dpddelay 15 --dpdtimeout 60 --dpdaction restart --psk --host 10.103.7.133 --nexthop 10.103.6.1 --client 10.1.2.0/24 --to --host ddnstest --client 10.1.1.0/24
002 added connection description "test"
root@ng:~#
root@ng:~# ipsec whack --initiate --name test
002 "test" #11: initiating Main Mode
104 "test" #11: STATE_MAIN_I1: initiate
003 "test" #11: ignoring unknown Vendor ID payload [4f45557d6068416e77737478]
003 "test" #11: received Vendor ID payload [Dead Peer Detection]
003 "test" #11: received Vendor ID payload [RFC 3947] method set to=109
002 "test" #11: enabling possible NAT-traversal with method 4
002 "test" #11: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "test" #11: STATE_MAIN_I2: sent MI2, expecting MR2
003 "test" #11: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
002 "test" #11: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "test" #11: STATE_MAIN_I3: sent MI3, expecting MR3
003 "test" #11: received Vendor ID payload [CAN-IKEv2]
002 "test" #11: Main mode peer ID is ID_IPV4_ADDR: '10.103.6.70'
002 "test" #11: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "test" #11: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
002 "test" #11: Dead Peer Detection (RFC 3706): enabled
002 "test" #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#11 msgid:faa36d7a proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
117 "test" #12: STATE_QUICK_I1: initiate
002 "test" #12: Dead Peer Detection (RFC 3706): enabled
002 "test" #12: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "test" #12: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x81cd918c <0xf4534088 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
root@ng:~#

root@ng:~# vi /etc/hosts

127.0.0.1 localhost.
10.103.6.71 ddnstest

LOGS from /var/log/messages...

Dec 4 17:35:31 ng authpriv.warn pluto[11096]: added connection description "test"
Dec 4 17:35:42 ng authpriv.warn pluto[11096]: "test" #11: initiating Main Mode
Dec 4 17:35:42 ng authpriv.warn pluto[11096]: "test" #11: ignoring unknown Vendor ID payload [4f45557d6068416e77737478]
Dec 4 17:35:42 ng authpriv.warn pluto[11096]: "test" #11: received Vendor ID payload [Dead Peer Detection]
Dec 4 17:35:42 ng authpriv.warn pluto[11096]: "test" #11: received Vendor ID payload [RFC 3947] method set to=109
Dec 4 17:35:42 ng authpriv.warn pluto[11096]: "test" #11: enabling possible NAT-traversal with method 4
Dec 4 17:35:42 ng authpriv.warn pluto[11096]: "test" #11: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Dec 4 17:35:42 ng authpriv.warn pluto[11096]: "test" #11: STATE_MAIN_I2: sent MI2, expecting MR2
Dec 4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Dec 4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Dec 4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: STATE_MAIN_I3: sent MI3, expecting MR3
Dec 4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: received Vendor ID payload [CAN-IKEv2]
Dec 4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: Main mode peer ID is ID_IPV4_ADDR: '10.103.6.70'
Dec 4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Dec 4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Dec 4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: Dead Peer Detection (RFC 3706): enabled
Dec 4 17:35:43 ng authpriv.warn pluto[11096]: "test" #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#11 msgid:faa36d7a proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Dec 4 17:35:43 ng authpriv.warn pluto[11096]: "test" #12: Dead Peer Detection (RFC 3706): enabled
Dec 4 17:35:43 ng authpriv.warn pluto[11096]: "test" #12: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Dec 4 17:35:43 ng authpriv.warn pluto[11096]: "test" #12: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x81cd918c <0xf4534088 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}

Dec 4 17:36:16 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant 10.103.6.71: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]
Dec 4 17:36:31 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant 10.103.6.71: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]
Dec 4 17:36:46 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]
Dec 4 17:37:01 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]
Dec 4 17:37:13 ng authpriv.warn pluto[11096]: "test" #11: DPD: No response from peer - declaring peer dead
Dec 4 17:37:13 ng authpriv.warn pluto[11096]: "test" #11: DPD: Restarting Connection
Dec 4 17:37:13 ng authpriv.warn pluto[11096]: "test" #12: rekeying state (STATE_QUICK_I2)
Dec 4 17:37:13 ng authpriv.warn pluto[11096]: "test" #12: rekeying state (STATE_QUICK_I2)
Dec 4 17:37:13 ng authpriv.warn pluto[11096]: "test" #12: ERROR: netlink response for Del SA esp.81cd918c@10.103.6.70 included errno 3: No such process
Dec 4 17:37:13 ng authpriv.warn pluto[11096]: "test" #12: ERROR: netlink response for Del SA esp.f4534088@10.103.7.133 included errno 3: No such process
Dec 4 17:37:13 ng authpriv.warn pluto[11096]: "test" #13: initiating Main Mode to replace #11
Dec 4 17:37:16 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]
Dec 4 17:37:16 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]
Dec 4 17:37:26 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]
Dec 4 17:37:46 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]
Dec 4 17:38:26 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]
Dec 4 17:39:06 ng authpriv.warn pluto[11096]: ERROR: asynchronous network error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500, complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3 code 1 (not authenticated)]
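To illustrate the failure mode the report describes (a DPD restart re-initiating to the previously resolved IP because the connection holds no hostname to re-resolve), here is an added example that is neither openswan's code nor the reporter's: a toy model of a connection record with a `dnshostname` field and the last resolved peer address, plus a constructed stand-in for the /etc/hosts table; the field and function names are assumptions for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for /etc/hosts lookups (not openswan code). */
struct host_entry { const char *name; const char *ip; };

/* Minimal model of the two fields the bug report turns on: the stored
 * peer hostname (conn->dnshostname in pluto) and the last resolved IP. */
struct connection {
    const char *dnshostname;  /* NULL when the peer was given as an IP literal */
    char remote_ip[16];       /* dotted-quad of the peer last initiated to */
};

/* Look a name up in the constructed table; NULL when it is absent. */
static const char *lookup(const struct host_entry *hosts, int n, const char *name) {
    for (int i = 0; i < n; i++)
        if (strcmp(hosts[i].name, name) == 0)
            return hosts[i].ip;
    return NULL;
}

/* What a DPD "restart" must do before re-initiating: re-resolve the peer
 * when the connection was defined by name. Returns 1 if the peer IP was
 * updated, 0 if it is unchanged or there is no hostname to re-resolve
 * (the latter is the case the report's RCA points at). */
int refresh_peer_address(struct connection *c, const struct host_entry *hosts, int n) {
    if (c->dnshostname == NULL)
        return 0;  /* nothing stored to resolve: the stale IP is reused */
    const char *ip = lookup(hosts, n, c->dnshostname);
    if (ip == NULL || strcmp(ip, c->remote_ip) == 0)
        return 0;
    snprintf(c->remote_ip, sizeof c->remote_ip, "%s", ip);
    return 1;
}

int main(void) {
    /* Constructed scenario mirroring the post: ddnstest moves .70 -> .71 */
    struct host_entry hosts[] = { { "ddnstest", "10.103.6.70" } };
    struct connection by_name = { "ddnstest", "10.103.6.70" };
    struct connection by_ip   = { NULL,       "10.103.6.70" };
    hosts[0].ip = "10.103.6.71";  /* the /etc/hosts edit */
    printf("by name: changed=%d now=%s\n",
           refresh_peer_address(&by_name, hosts, 1), by_name.remote_ip);
    printf("by ip:   changed=%d now=%s\n",
           refresh_peer_address(&by_ip, hosts, 1), by_ip.remote_ip);
    return 0;
}
```

A real daemon must also bound how often it re-resolves and treat a lookup failure as "keep the last good address", which the model above does by returning 0 when the name is absent.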