[Openswan Users] Ping through tunnel suddenly stops

Paul Wouters paul at xelerance.com
Mon May 24 15:52:26 CEST 2004


On Mon, 24 May 2004, Sybille Ebert wrote:

> I have a tunnel between two machines without a default route. After a 
> minute or two of successful pinging, tunnel stops and the following is 
> logged:

Are you sure those first few pings are crypted? You cannot run tcpdump and 
check from the sending machine because of the linux packet pie. Instead,
run tcpdump on the receiving host (or better, use a hub and a third host)
to double check.

> ERROR: netlink response for Add SA ... included errno 17: File exists
> max number of retransmissions (2) reached STATE_QUICK_R1

It seems one side is trying to add an already existing tunnel into the kernel.
 
> ESP packets are still being sent by first gateway, but seem to be 
> dropped by the other. Last line of ipsec auto --status prints:
> 
> 000 192.168.1.16/32:0 -1-> 192.168.1.17/32:0 => %hold 0    %acquire-netlink

I've never seen %acquire-netlink before. I assume this is a problem of pluto 
trying to talk (via netlink) to the kernel.
 
> The problem only occurs when ipsec is first started. If I do "ipsec 
> restart", the problem disappears.

Can you try to manually modprobing the af_key and esp4 modules before your first
start and then start to see if the problem goes away. If it does, can you then
edit _startklips and add a 'sleep 5' after modprobing those modules and see if
that fixes your problem? The netlink and ipsec kernel modules might be taking a
little bit of time to load or initiate, causing some messages to get lost, or at
least pluto thinks they are lost, and tries to push thm into the netlink device
again at a later time.

Paul



More information about the Users mailing list