[Openswan Users] IPSec Connections hanging around after Windows L2TP die or exit

Duncan Reed duncan at elminster.com
Thu Dec 9 16:22:54 CET 2004


There seem to be a number of hits on the list, but they seem to offer
conflicting advice. Bit long, this one.

Windows IPSec/L2TP clients connect fine, they do some work, then they lose
their connection while NOT being idle, after a (seemingly) random period of
time (it has happened anywhere from 5 mins to 1hr+).

Eventually (I guess) the dead peer detection picks it up and you see it
go into %hold. At some point, I think after dpdtimeout is reached, it's
cleared.

Until it clears the client with that ip address cannot log back into the
VPN.

You can see when the client tries to log back in and the connection is
on hold as openswan starts throwing messages like

pfkey write() of SADB_X_ADDFLOW message 78 for flow esp.c4fb538c@<client
ip> failed. Errno 14: Bad address
 pfkey write() of SADB_DELETE message 71 for Delete SA
esp.63292956 at 2@<server ip> failed. Errno 3: No such process

in the logfile. Meanwhile people can still connect to the VPN if they
are coming from a different IP (unless the same thing happens to them).

If on the other hand a Windows client exits cleanly, 50% of the time the
IPsec connection seems to stay partially alive and will keep trying to
rekey with the non-existent client (I guess I could change keyingtries).
The log will start to fill with:

Dec  8 23:17:13 gatekeeper pluto[20958]: "roadwarrior-l2tp"[2]
82.35.108.53 #61: max number of retransmissions (20) reached
STATE_MAIN_I1.  No acceptable response to our first IKE message
Dec  8 23:17:13 gatekeeper pluto[20958]: "roadwarrior-l2tp"[2]
82.35.108.53 #61: starting keying attempt 27 of an unlimited number
Dec  8 23:17:13 gatekeeper pluto[20958]: "roadwarrior-l2tp"[2]
82.35.108.53 #65: initiating Main Mode to replace #61

Doing ipsec eroute will show the route still exists. Unlike when the
Windows client exits unexpectedly, a client from this IP address can
reconnect successfully.

This happens on both XP and 2K, and it seems to happen more often when
multiple users are connected. The VPN server is NOT NATted; the clients
are NATted behind their ADSL/Cable routers.

Is this an issue with L2TPD, or would you guess that the IPsec
configuration needs changing? Not sure if I have 1 or 2 issues here.
This is openswan 1.0.7 on IPCop, BTW.

Thanks in advance
Duncan
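The post describes two distinct log signatures: pfkey write() failures for a peer whose connection is stuck in %hold, and "starting keying attempt N of an unlimited number" for a client that has gone away while the gateway keeps rekeying. The following script is an added example, not code from the post or from Openswan: it triages pluto log lines for those two signatures so an operator can see which peer addresses need manual attention (e.g. checking with ipsec eroute) instead of scrolling the logfile. The sample log lines are constructed for this example and modelled on the excerpt above (the 203.0.113.5 and 192.0.2.1 addresses stand in for the redacted client and server IPs); the attempt threshold of 5 is an arbitrary assumption.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample log, modelled on the post's excerpt (not a real capture).
SAMPLE_LOG = """\
Dec  8 23:17:13 gatekeeper pluto[20958]: "roadwarrior-l2tp"[2] 82.35.108.53 #61: max number of retransmissions (20) reached STATE_MAIN_I1.  No acceptable response to our first IKE message
Dec  8 23:17:13 gatekeeper pluto[20958]: "roadwarrior-l2tp"[2] 82.35.108.53 #61: starting keying attempt 27 of an unlimited number
Dec  8 23:17:13 gatekeeper pluto[20958]: "roadwarrior-l2tp"[2] 82.35.108.53 #65: initiating Main Mode to replace #61
Dec  8 23:20:01 gatekeeper pluto[20958]: pfkey write() of SADB_X_ADDFLOW message 78 for flow esp.c4fb538c@203.0.113.5 failed. Errno 14: Bad address
Dec  8 23:20:01 gatekeeper pluto[20958]: pfkey write() of SADB_DELETE message 71 for Delete SA esp.63292956@192.0.2.1 failed. Errno 3: No such process
"""

# Pluto state-machine lines: "conn"[instance] peer #state: message
STATE_RE = re.compile(
    r'"(?P<conn>[^"]+)"\[(?P<inst>\d+)\] (?P<peer>\S+) #(?P<st>\d+): (?P<msg>.*)$'
)
# Rekey loop against a peer that is no longer there (keyingtries unlimited)
ATTEMPT_RE = re.compile(r"starting keying attempt (?P<n>\d+) of an unlimited number")
# Kernel (KLIPS) refusing to add/delete SA state for an address already in %hold
PFKEY_RE = re.compile(
    r"pfkey write\(\) of (?P<msg>SADB_\w+) message \d+ for .*?"
    r"esp\.(?P<spi>[0-9a-f]+)@(?P<addr>\S+) failed\. Errno (?P<errno>\d+)"
)


@dataclass
class Finding:
    kind: str      # "unbounded-rekey" or "stale-kernel-state"
    subject: str   # peer IP (rekey loop) or SA address (pfkey failure)
    detail: str


def triage(log_text: str, attempt_threshold: int = 5) -> List[Finding]:
    """Return one Finding per affected address, in order of first sighting.

    attempt_threshold (assumed value) is how many keying attempts against
    the same peer count as a loop rather than a transient failure.
    """
    findings: List[Finding] = []
    seen = set()
    for line in log_text.splitlines():
        m = PFKEY_RE.search(line)
        if m:
            key = ("stale-kernel-state", m["addr"])
            if key not in seen:
                seen.add(key)
                findings.append(Finding(
                    "stale-kernel-state", m["addr"],
                    f"{m['msg']} for esp.{m['spi']} failed, errno {m['errno']}"))
            continue
        m = STATE_RE.search(line)
        if not m:
            continue
        a = ATTEMPT_RE.search(m["msg"])
        if a and int(a["n"]) >= attempt_threshold:
            key = ("unbounded-rekey", m["peer"])
            if key not in seen:
                seen.add(key)
                findings.append(Finding(
                    "unbounded-rekey", m["peer"],
                    f'{m["conn"]}[{m["inst"]}] state #{m["st"]}: '
                    f'attempt {a["n"]}, keyingtries is unlimited'))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:20} {f.subject:16} {f.detail}")
```

Run it against the real logfile by feeding the file contents to triage(); each "unbounded-rekey" finding names a peer the gateway is still chasing after the client left, and each "stale-kernel-state" finding names an address whose kernel SA/eroute state the gateway could not add or delete, which is the condition under which a client from that address cannot reconnect until the hold clears.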