[Openswan Users] what happens during /etc/init.d/ipsec stop ?
albert agusti
aagusti at serialnet.net
Thu Dec 2 18:20:06 CET 2004
On Wed, 2004-12-01 at 00:50, Paul Wouters wrote:
> On Tue, 30 Nov 2004, Albert Agusti wrote:
>
> > I'm using openswan-2.2.0 (build from source) with last NAT-T patch on
> > kernel 2.6 family.
>
> the nat-t patch as supplied by us (or obtained by 'make nattpatch') is only
> for use with KLIPS, not for use of the 2.6 NETKEY stack.
>
> > I've two Linux boxes behind a NAT DSL router acting as tunnel ends. One
> > is configured as initiator of the tunnel (auto=start) and the other as
> > responder (auto=add). The problem is that EVERY TIME one of the systems
> > (tunnel ends) reboots or issues stop/start of ipsec process, the tunnel
> > negotiation blocks at Main mode in "no connection has been authorized"
> > and !! THE ONLY way I find to solve this is to stop ipsec at both ends,
> > start the responder and start the initiator !!
>
> If you stop one end, a Notify/Delete message is sent by that end. Do
> you receive that on the remote? Is it ignored?
>
> Can you try 2.3.0dr4 and see if the problem remains?
Hello Paul,
I've tested 2.3.0dr4. All the same :-( . After one end resets ipsec
(stop/start), the Initiator gets blocked in Main Mode and the Responder shows:
"no connection has been authorized". I'm really desperate. My
hypothesis is now: "Am I doing something REALLY BAD?" Could you take a
look at the config below? Is there something suspicious?
(only rsa skipped and real IP addresses changed)
Thanks in advance
Albert
Here is the configuration
Side A (responder) (Left=Local)
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    #klipsdebug=all
    #plutodebug=all
    myid=@santacoloma.serialnet.net
    nat_traversal=yes

conn vpn-sc-sants
    keylife=48800
    right=B.B.B.B
    rightid=@sants.serialnet.net
    rightsubnet=192.168.1.64/26
    rightrsasigkey=0sAQN0c4pwgS1E6aZpjgE9b3x...
    left=192.168.3.2
    leftnexthop=192.168.3.1
    leftid=@santacoloma.serialnet.net
    leftsubnet=10.10.0.0/16
    leftrsasigkey=0sAQNlZppUgueMx9p1rDrhIrU2ZTqUb/Be....
    auto=add

Side B (initiator) (Left=Local)
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    #klipsdebug=all
    #plutodebug=all
    nat_traversal=yes
    myid=@sants.serialnet.net

# Definition of the endpoints of the test tunnel SantaColoma - Serveis educatius Sants
# left (sants): exits via ADSL 217.125.26.237, LAN 192.168.1.64/26
# right (santaco): exits via ADSL 80.32.111.213, LAN 10.10.0.0/16
conn vpn-sc-sants
    keylife=48800
    left=192.168.5.2
    leftnexthop=192.168.5.1
    leftid=@sants.serialnet.net
    leftsubnet=192.168.1.64/26
    leftrsasigkey=0sAQN0c4pwgS1E6aZpjgE9....
    right=A.A.A.A
    rightid=@santacoloma.serialnet.net
    rightsubnet=10.10.0.0/16
    rightrsasigkey=0sAQNlZppUgueMx9p1rDrhIrU2ZTqUb/Beh0jSWk...
    auto=start