[Openswan Users] Errata
Sebastian Zdrojewski
sebastian.zdrojewski at technomind.it
Wed Jul 7 13:24:45 CEST 2004
Hi all,
I'm experiencing a strange behavior on my net-to-net connection.
Actually I have 2 remote sites connected through an IPsec tunnel. I use
on both gateways the 2.1.2 version of OpenSwan and 2.4.26 kernel. The
system works fine, but mostly I get this error message in the secure
log:
Jul 7 00:07:54 remotesite pluto[26378]: packet from 234.234.234.234:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Jul 7 00:07:54 remotesite pluto[26378]: packet from 234.234.234.234:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 108
Jul 7 00:07:54 remotesite pluto[26378]: packet from 234.234.234.234:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 7 00:07:54 remotesite pluto[26378]: packet from 234.234.234.234:4500: initial Main Mode message received on 1.1.1.8:4500 but no connection has been authorized
The error comes up every 8-9 seconds on the remote site. The structure
is this:
remotesite eth0(1.1.1.8) ---> router NAT 123.123.123.123 ---> localsite 234.234.234.234 ---> localnet
remotesite is the box making the connection and this is the conf file:
config setup
    interfaces="ipsec0=eth0"
    nat_traversal=yes

conn %default
    keyingtries=0
    authby=rsasig

conn remote-to-local
    #### THIS CONNECTS TO THE LOCALSITE ####
    leftid=@remotesitemachine
    left=1.1.1.8
    #leftnexthop=172.16.0.1
    leftsubnet=172.16.1.0/24
    rightrsasigkey=...
    #
    #### Gateway in Milan ####
    right=123.123.123.123
    #rightnexthop=%defaultroute
    rightsubnet=192.168.0.0/24
    rightid=@localsitemachine
    leftrsasigkey=...
    auto=add
    authby=rsasig
    rekey=no
    failureshunt=passthrough
    pfs=no
    compress=no
    type=tunnel
As I said, the connection seems to work fine... but sometimes the tunnel
falls down.
On the localsite box I got the following messages in the secure log:
Jul 7 12:09:34 mi00vpn01 pluto[7369]: "rome_to_milan_01"[6] 123.123.123.123:53231 #310: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
Jul 7 12:09:34 localsite pluto[7369]: "rome_to_milan_01"[6] 123.123.123.123:53231 #310: starting keying attempt 35 of an unlimited number
Jul 7 12:09:34 localsite pluto[7369]: "rome_to_milan_01"[6] 123.123.123.123:53231 #313: initiating Main Mode to replace #310
Jul 7 12:13:33 localsite pluto[7369]: "rome_to_milan_01"[5] 123.123.123.123:53231 #311: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
Jul 7 12:13:33 localsite pluto[7369]: "rome_to_milan_01"[5] 123.123.123.123:53231 #311: starting keying attempt 71 of an unlimited number
Jul 7 12:13:33 localsite pluto[7369]: "rome_to_milan_01"[5] 123.123.123.123:53231 #314: initiating Main Mode to replace #311
The config file on the local box is this one:
config setup
    interfaces="ipsec0=eth0"
    nat_traversal=yes

conn rome_to_milan_01
    #### MILANO - GALILEO GALILEI ####
    leftid=@localsitemachine
    left=234.234.234.234
    #leftnexthop=192.168.0.2
    leftsubnet=192.168.0.0/24
    leftrsasigkey=...
    #
    #### Remote site ####
    rightid=@remotesitemachine
    right=%any
    rightsubnet=172.16.1.0/24
    #rightnexthop=%defaultroute
    rightrsasigkey=...
    auto=add
    authby=rsasig
    rekey=yes
    failureshunt=passthrough
    keyingtries=0
    pfs=no
    compress=no
    type=tunnel
Any hints? The connection works and the nets are connected, but my
problem is that the tunnel falls sometimes. The connections are between
two different ISPs, and I cannot quickly reach the other site... any
help would be appreciated :)
Sorry for earlier email, hit the wrong button :p
Cheers
En3pY
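
A triage aid for the remote-site log excerpt in the message above, added here as an example and not part of the original post or of Openswan: it counts the "no connection has been authorized" rejections per initiator and checks whether any conn names that address as an endpoint. The function names, the sample config and the second log timestamp are constructed, and the matching rule is a simplified assumption, not pluto's full connection lookup.

```python
import re

# Constructed sample: peer addresses from the remote site's config and two log
# lines in the format quoted in the post (addresses as anonymised there).
CONF = """\
conn remote-to-local
    left=1.1.1.8
    right=123.123.123.123
"""
LOG = """\
Jul 7 00:07:54 remotesite pluto[26378]: packet from 234.234.234.234:4500: initial Main Mode message received on 1.1.1.8:4500 but no connection has been authorized
Jul 7 00:08:03 remotesite pluto[26378]: packet from 234.234.234.234:4500: initial Main Mode message received on 1.1.1.8:4500 but no connection has been authorized
"""

REJECT = re.compile(
    r"packet from (?P<src>[\d.]+):\d+: initial Main Mode message "
    r"received on (?P<dst>[\d.]+):\d+ but no connection has been authorized")

def conn_endpoints(conf_text):
    """Map each conn name to its {'left': ..., 'right': ...} host values."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif line.startswith("config "):
            current = None                    # "config setup" holds no peers
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key in ("left", "right"):
                current[key] = value
    return conns

def unmatched_initiators(log_text, conf_text):
    """Count rejected initiators (src, dst) that no conn lists as a peer pair."""
    conns = conn_endpoints(conf_text)
    counts = {}
    for m in REJECT.finditer(log_text):
        src, dst = m["src"], m["dst"]
        def fits(c):
            # Simplified rule (assumption): local address must be one end,
            # and the other end must be the sender or the %any wildcard.
            ends = (c.get("left"), c.get("right"))
            return dst in ends and (src in ends or "%any" in ends)
        if not any(fits(c) for c in conns.values()):
            counts[(src, dst)] = counts.get((src, dst), 0) + 1
    return counts
```

Run against the full secure log and ipsec.conf of a gateway, a non-empty result lists the source addresses that are sending Main Mode packets that gateway has no conn for.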