[Openswan Users] FreeSWAN "Error 14, Bad address" with host-to-host tunnel. DoesOpenSWAN resolve it?

Oleksandr Darchuk old at caspella.com
Tue Oct 19 15:27:57 CEST 2004 

Hello.

Sorry for possible offtopic, but FreeSWAN is dead and as I see, many
gurus now live in this list. So, would you like to give me advise:

I've working IPSEC gates in network with logical star topology (all
gates connect to "core" VPN gate. I've used "poor" IPSEC, but now decide
to migrate on GRE over IPSEC in order to use dynamic routing.
I've change tunnel config to host-to-host, restart. Everything works
fine. But when remote site reboot, "core" can't start ipsec tunnel and
write error instead of it:

======================================================================
Oct 19 08:26:10 pix pluto[972]: "utie" #118: received Delete SA payload:
replace
  IPSEC State #119 in 10 seconds
Oct 19 08:26:10 pix pluto[972]: "utie" #118: received Delete SA payload:
deleting ISAKMP State #118
Oct 19 08:26:20 pix pluto[972]: "utie" #120: initiating Main Mode
Oct 19 08:26:21 pix pluto[972]: ERROR: asynchronous network error report
on eth2
  for message to 10.214.0.254 port 500, complainant 10.214.0.2: No route
to host [errno 113, origin ICMP type 11 code 0 (not authenticated)]
Oct 19 08:26:30 pix pluto[972]: "utie" #119: IPsec SA expired (LATEST!)
Oct 19 08:26:38 pix pluto[972]: ERROR: asynchronous network error report
on eth2  for message to 10.214.0.254 port 500, complainant 10.214.0.2: 
No route  to host [errno 113, origin ICMP type 11 code 0 (not 
authenticated)]
Oct 19 08:27:50 pix pluto[972]: "utie" #121: responding to Main Mode
Oct 19 08:27:50 pix pluto[972]: "utie" #121: Peer ID is ID_IPV4_ADDR:
'10.214.0.254'
Oct 19 08:27:50 pix pluto[972]: "utie" #121: multiple ipsec.secrets
entries with
  distinct secrets match endpoints: first secret used
Oct 19 08:27:50 pix pluto[972]: "utie" #121: sent MR3, ISAKMP SA established
Oct 19 08:27:50 pix pluto[972]: "utie" #122: responding to Quick Mode
Oct 19 08:27:51 pix pluto[972]: ERROR: "utie" #122: pfkey write() of
SADB_X_ADDF
LOW message 883 for flow tun.10c8 at 10.214.0.254 failed. Errno 14: Bad address
Oct 19 08:27:51 pix pluto[972]: |   02 0e 00 09  17 00 00 00  73 03 00 
00  cc 03
  00 00
Oct 19 08:27:51 pix pluto[972]: |   03 00 01 00  00 00 10 c8  00 00 00
00  02 00
  00 00
Oct 19 08:27:51 pix pluto[972]: |   ff ff ff ff  00 00 00 00  03 00 05
00  00 00
  00 00
Oct 19 08:27:51 pix pluto[972]: |   02 00 00 00  0a 00 00 0c  00 00 00
00  00 00
  00 00
Oct 19 08:27:51 pix pluto[972]: |   03 00 06 00  00 00 00 00  02 00 00
00  0a 0e
  00 fe
Oct 19 08:27:51 pix pluto[972]: |   00 00 00 00  00 00 00 00  03 00 15
00  00 00
  00 00
Oct 19 08:27:51 pix pluto[972]: |   02 00 00 00  0a 00 00 0c  48 dd ff
bf  c1 34
  0f 40
Oct 19 08:27:51 pix pluto[972]: |   03 00 16 00  00 00 00 00  02 00 00
00  0a 0e
  00 fe
Oct 19 08:27:51 pix pluto[972]: |   48 dd ff bf  c1 34 0f 40  03 00 17
00  00 00
  00 00
Oct 19 08:27:51 pix pluto[972]: |   02 00 00 00  ff ff ff ff  10 00 00
00  15 00
  00 00
Oct 19 08:27:51 pix pluto[972]: |   03 00 18 00  00 00 00 00  02 00 00
00  ff ff ff ff
Oct 19 08:27:51 pix pluto[972]: |   15 00 00 00  ca 10 09 08
Oct 19 08:27:59 pix pluto[972]: "utie": deleting connection
Oct 19 08:27:59 pix pluto[972]: "utie" #120: deleting state (STATE_MAIN_I1)
Oct 19 08:27:59 pix pluto[972]: "utie" #122: deleting state (STATE_QUICK_R1)
Oct 19 08:27:59 pix pluto[972]: ERROR: "utie" #122: pfkey write() of
SADB_DELETE  message 886 for Delete SA esp.bb779c76 at 10.100.0.12 failed. 
Errno 3: No such process
Oct 19 08:27:59 pix pluto[972]: |   02 04 00 03  0b 00 00 00  76 03 00
00  cc 03
  00 00
Oct 19 08:27:59 pix pluto[972]: |   03 00 01 00  bb 77 9c 76  00 01 00
00  00 00
  00 00
Oct 19 08:27:59 pix pluto[972]: |   ff ff ff ff  00 00 00 00  03 00 05 
00  00 00  00 00
Oct 19 08:27:59 pix pluto[972]: |   02 00 00 00  0a 0e 00 fe  00 00 00
00  00 00  00 00
Oct 19 08:27:59 pix pluto[972]: |   03 00 06 00  00 00 00 00  02 00 00
00  0a 00  00 0c
Oct 19 08:27:59 pix pluto[972]: |   00 00 00 00  00 00 00 00
Oct 19 08:27:59 pix pluto[972]: "utie" #121: deleting state (STATE_MAIN_R3)
Oct 19 08:27:59 pix pluto[972]: ERROR: "utie": pfkey write() of
SADB_X_DELFLOW message 887 for flow int.0 at 0.0.0.0 failed. Errno 14: Bad 
address
Oct 19 08:27:59 pix pluto[972]: |   02 0f 00 0b  0e 00 00 00  77 03 00
00  cc 03
  00 00
Oct 19 08:27:59 pix pluto[972]: |   03 00 15 00  00 00 00 00  02 00 00
00  0a 00
  00 0c
Oct 19 08:27:59 pix pluto[972]: |   48 dd ff bf  c1 34 0f 40  03 00 16
00  00 00
  00 00
Oct 19 08:27:59 pix pluto[972]: |   02 00 00 00  0a 0e 00 fe  48 dd ff
bf  c1 34
  0f 40
Oct 19 08:27:59 pix pluto[972]: |   03 00 17 00  00 00 00 00  02 00 00
00  ff ff
  ff ff
Oct 19 08:27:59 pix pluto[972]: |   10 00 00 00  0e 00 00 00  03 00 18
00  00 00
  00 00
Oct 19 08:27:59 pix pluto[972]: |   02 00 00 00  ff ff ff ff  0e 00 00
00  ca 10
  09 08
Oct 19 08:28:00 pix pluto[972]: packet from 10.214.0.254:500:
Informational Exchange is for an unknown (expired?) SA
================================================================

Then I do ipsec auto --delete/--add and IPSEC established.

=================================================================
Oct 19 08:28:03 pix pluto[972]: added connection description "utie"
Oct 19 08:28:05 pix pluto[972]: "utie" #123: initiating Main Mode
Oct 19 08:28:06 pix pluto[972]: "utie" #123: multiple ipsec.secrets
entries with
  distinct secrets match endpoints: first secret used
Oct 19 08:28:06 pix pluto[972]: "utie" #123: Peer ID is ID_IPV4_ADDR:
'10.214.0.2
54'
Oct 19 08:28:06 pix pluto[972]: "utie" #123: ISAKMP SA established
Oct 19 08:28:06 pix pluto[972]: "utie" #124: initiating Quick Mode
RSASIG+ENCRYP
T+TUNNEL+PFS+UP {using isakmp#123}
Oct 19 08:28:06 pix pluto[972]: "utie" #124: sent QI2, IPsec SA
established {ESP
=>0x3caf24cf <0xbb779c77}
=================================================================

More interesting, that I have vary similar test configuration on another 
interface (I use it for test) and everything works fine :(

That's my config (from core, symmetric on remote):
conn utie
         # RSA 2192 bits   core   Fri Jul 30 15:33:54 2004
      	leftrsasigkey=...
         # RSA 2192 bits   remote   Sun Feb  8 06:28:41 2004
         rightrsasigkey=........
         auto=start
         # Left security gateway, subnet behind it, next hop
         left=10.100.0.12
         leftnexthop=10.100.0.1
	leftsubnet=10.100.0.12/32
         # Right security gateway, subnet behind it, next hop left.
         right=10.214.0.254
         rightnexthop=10.214.0.253
	righsunbet=10.214.0.254/32

When I replace left/rightsubnet by other values (LAN networks e. g.) -- 
everything works. But I need host-to-host for GRE.

On "core" I use FreeSWAN 2.0.5+X509/kernel 2.4.26, on remote I use 
FreeSWAN 2.0+X509/kernel 2.4.20, RH 7.2 on both

I'm confused by this error, because it's my working environment. All I 
can do -- try to migrate on OpenSWAN ( I need x509)

Can anyone give me some advises? Possible something wrong in my config? 
Or it's FreeSWAN bug?


Regards.

More information about the Users mailing list