[Openswan Users] Tunnel disappeared after working between Smoothwall and Debian

Paul Wouters paul at xelerance.com
Wed May 26 00:53:58 CEST 2004


On Tue, 25 May 2004, Joost Kraaijeveld wrote:

> "ipsec restart" on both sides results in the following message:
> 
> Smoothwall side:
> 
> May 25 20:56:23 argos pluto[425]: shutting down
> May 25 20:56:23 argos pluto[425]: forgetting secrets
> May 25 20:56:23 argos pluto[425]: shutting down interface ipsec0/eth2 212.238.157.192
> May 25 20:56:27 argos ipsec__plutorun: Starting Pluto subsystem...
> May 25 20:56:27 argos pluto[652]: Starting Pluto (FreeS/WAN Version 1.99)
> May 25 20:56:28 argos pluto[652]: listening for IKE messages
> May 25 20:56:28 argos pluto[652]: adding interface ipsec0/eth2 212.238.157.192
> May 25 20:56:28 argos pluto[652]: loading secrets from "/etc/ipsec.secrets"
> May 25 20:56:52 argos pluto[652]: packet from 213.46.144.131:500: initial Main Mode message received on 212.238.157.192:500 but no connection has been authorized
> May 25 20:57:32 argos pluto[652]: packet from 213.46.144.131:500: initial Main Mode message received on 212.238.157.192:500 but no connection has been authorized
> May 25 20:58:52 argos last message repeated 2 times
 
I don't see any conns being "added" (not sure if freeswan-1.99 logged those, but I'd assume they would).


> May 25 23:18:10 linuxbuiten pluto[2954]: "askesis-solve-i-t" #4: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no
> May 25 23:18:10 linuxbuiten pluto[2954]: "askesis-solve-i-t" #4: starting keying attempt 3 of an unlimited number
> May 25 23:18:10 linuxbuiten pluto[2954]: "askesis-solve-i-t" #5: initiating Main Mode to replace #4

This sends a packet which is refused with the "no connection is known"
 
> May 25 22:51:47 linuxbuiten ipsec_setup: ...Openswan IPsec started
> May 25 22:51:50 linuxbuiten ipsec__plutorun: 104 "askesis-xtdnet" #1: STATE_MAIN_I1: initiate
> May 25 22:51:50 linuxbuiten ipsec__plutorun: ...could not start conn "askesis-xtdnet"
> May 25 22:51:50 linuxbuiten ipsec__plutorun: 104 "askesis-solve-i-t" #2: STATE_MAIN_I1: initiate
> May 25 22:51:50 linuxbuiten ipsec__plutorun: ...could not start conn "askesis-solve-i-t"

These were added and even upped, but the conns fail. I don't know why. But since I am one endpoint
of that conn, I tried to start it:

# ipsec auto --up askesis
112 "askesis" #107: STATE_QUICK_I1: initiate
004 "askesis" #107: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xe4df5dad <0x8d50ee4b}

and it just came up fine.
 
> Anyone any idea where to look?

I'd look on argos.....

Paul
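
Added example, not part of the original message or of Openswan: a small triage script that counts how many Main Mode initiations the responder (argos) refused per peer, folding in syslog's "last message repeated N times" lines. The function name refused_ike is hypothetical, the sample lines are copied from the quoted log above, and crediting a repeat line to the previous message from the same host is an assumption about syslog behaviour.

```python
import re
from collections import Counter

# Constructed sample: responder-side lines taken from the log quoted in this thread.
SAMPLE = """\
May 25 20:56:28 argos pluto[652]: loading secrets from "/etc/ipsec.secrets"
May 25 20:56:52 argos pluto[652]: packet from 213.46.144.131:500: initial Main Mode message received on 212.238.157.192:500 but no connection has been authorized
May 25 20:57:32 argos pluto[652]: packet from 213.46.144.131:500: initial Main Mode message received on 212.238.157.192:500 but no connection has been authorized
May 25 20:58:52 argos last message repeated 2 times
"""

STAMP = r"^\w{3}\s+\d+ [\d:]{8} "
REFUSED = re.compile(
    STAMP + r"(?P<host>\S+) pluto\[\d+\]: packet from (?P<peer>[\d.]+):\d+: "
    r"initial Main Mode message received on (?P<local>[\d.]+):\d+ "
    r"but no connection has been authorized")
REPEAT = re.compile(STAMP + r"(?P<host>\S+) last message repeated (?P<n>\d+) times?")


def refused_ike(log_text):
    """Return Counter keyed by (host, local_ip, peer_ip) of refused initiations."""
    counts = Counter()
    last = {}  # host -> key of its previous line if that was a refusal, else None
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").rstrip()  # tolerate mail-quoted log lines
        m = REFUSED.match(line)
        if m:
            key = (m["host"], m["local"], m["peer"])
            counts[key] += 1
            last[m["host"]] = key
            continue
        r = REPEAT.match(line)
        if r:
            # Assumption: the repeat refers to this host's previous message.
            key = last.get(r["host"])
            if key:
                counts[key] += int(r["n"])
            continue
        fields = line.split()
        if len(fields) > 3:
            last[fields[3]] = None  # any other message ends the repeat run
    return counts


if __name__ == "__main__":
    for (host, local, peer), n in refused_ike(SAMPLE).items():
        print(f"{host}: {n} Main Mode initiations from {peer} to {local} refused")
```

A non-zero count for a peer that should have a tunnel points at the responder's configuration not having a matching connection loaded, which is where the reply above suggests looking.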


