[Openswan Users] again: strange log messages on a NATed connection

Ingo Freund Ingo.Freund at e-dict.net
Thu Sep 23 14:55:19 CEST 2004


Hi list,

I am watching a strange (for me) behaviour of an ipsec connection
which I would like to switch off if possible.
The connection is NATed on the client side and seems to be stable.
Looking at the system log there are tons of messages like those
below.

[server]
connection comes up:
Sep 15 11:58:36 maingw pluto[898]: packet from cl.cl.cl.cl:500: received Vendor ID payload [Dead Peer Detection]
Sep 15 11:58:36 maingw pluto[898]: packet from cl.cl.cl.cl:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 15 11:58:36 maingw pluto[898]: packet from cl.cl.cl.cl:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Sep 15 11:58:36 maingw pluto[898]: packet from cl.cl.cl.cl:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Sep 15 11:58:36 maingw pluto[898]: "conn1"[228] cl.cl.cl.cl #13528: responding to Main Mode from unknown peer cl.cl.cl.cl
Sep 15 11:58:36 maingw pluto[898]: "conn1"[228] cl.cl.cl.cl #13528: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Sep 15 11:58:37 maingw pluto[898]: "conn1"[228] cl.cl.cl.cl #13528: Peer ID is ID_FQDN: '@client'
Sep 15 11:58:37 maingw pluto[898]: | NAT-T: new mapping cl.cl.cl.cl:500/4500)
Sep 15 11:58:37 maingw pluto[898]: "conn1"[228] cl.cl.cl.cl:4500 #13528: sent MR3, ISAKMP SA established
Sep 15 11:58:37 maingw pluto[898]: "conn1"[228] cl.cl.cl.cl:4500 #13529: responding to Quick Mode
Sep 15 11:58:38 maingw pluto[898]: "conn1"[228] cl.cl.cl.cl:4500 #13529: IPsec SA established {ESP=>0x09c95977 <0x459d48ae NATOA=0.0.0.0}
...nothing happens concerning the ipsec connection
then:
Sep 15 12:43:23 maingw pluto[898]: packet from cl.cl.cl.cl:4500: received Vendor ID payload [Dead Peer Detection]
Sep 15 12:43:23 maingw pluto[898]: packet from cl.cl.cl.cl:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 15 12:43:23 maingw pluto[898]: packet from cl.cl.cl.cl:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Sep 15 12:43:23 maingw pluto[898]: packet from cl.cl.cl.cl:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Sep 15 12:43:23 maingw pluto[898]: "conn1"[230] cl.cl.cl.cl:4500 #13538: responding to Main Mode from unknown peer cl.cl.cl.cl:4500
Sep 15 12:43:23 maingw pluto[898]: "conn1"[230] cl.cl.cl.cl:4500 #13538: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
Sep 15 12:43:24 maingw pluto[898]: "conn1"[230] cl.cl.cl.cl:4500 #13538: Peer ID is ID_FQDN: '@client'
Sep 15 12:43:24 maingw pluto[898]: "conn1"[230] cl.cl.cl.cl:4500 #13538: sent MR3, ISAKMP SA established
Sep 15 12:44:33 maingw pluto[898]: "conn1"[228] cl.cl.cl.cl:4500 #13539: responding to Quick Mode
Sep 15 12:44:33 maingw pluto[898]: "conn1"[228] cl.cl.cl.cl:4500 #13539: IPsec SA established {ESP=>0x09c95978 <0x459d48b3 NATOA=0.0.0.0}

[client]
connection comes up:
Sep 15 11:58:36 client pluto[1684]: "conn1" #1: initiating Main Mode
Sep 15 11:58:36 client ipsec__plutorun: 104 "conn1" #1: STATE_MAIN_I1: initiate
Sep 15 11:58:36 client ipsec__plutorun: ...could not start conn "conn1"
Sep 15 11:58:36 client pluto[1684]: "conn1" #1: received Vendor ID payload [Dead Peer Detection]
Sep 15 11:58:36 client pluto[1684]: "conn1" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 15 11:58:36 client pluto[1684]: "conn1" #1: enabling possible NAT-traversal with method RFC XXXX (NAT-Traversal)
Sep 15 11:58:36 client pluto[1684]: "conn1" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Sep 15 11:58:37 client pluto[1684]: "conn1" #1: Peer ID is ID_FQDN: '@maingw'
Sep 15 11:58:37 client pluto[1684]: "conn1" #1: ISAKMP SA established
Sep 15 11:58:37 client pluto[1684]: "conn1" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+UP {using isakmp#1}
Sep 15 11:58:37 client pluto[1684]: "conn1" #2: sent QI2, IPsec SA established {ESP=>0x459d48ae <0x09c95977 NATOA=0.0.0.0}
...nothing happens concerning the ipsec connection
then:
Sep 15 12:43:23 client pluto[1684]: "conn1" #3: initiating Main Mode to replace #1
Sep 15 12:43:23 client pluto[1684]: "conn1" #3: received Vendor ID payload [Dead Peer Detection]
Sep 15 12:43:23 client pluto[1684]: "conn1" #3: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 15 12:43:23 client pluto[1684]: "conn1" #3: enabling possible NAT-traversal with method RFC XXXX (NAT-Traversal)
Sep 15 12:43:24 client pluto[1684]: "conn1" #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Sep 15 12:43:24 client pluto[1684]: "conn1" #3: Peer ID is ID_FQDN: '@maingw'
Sep 15 12:43:24 client pluto[1684]: "conn1" #3: ISAKMP SA established
Sep 15 12:44:33 client pluto[1684]: "conn1" #4: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+UP to replace #2 {using isakmp#3}
Sep 15 12:44:33 client pluto[1684]: "conn1" #4: sent QI2, IPsec SA established {ESP=>0x459d48b3 <0x09c95978 NATOA=0.0.0.0}

errors:
nothing happens, but 10 minutes later I get this:
[server]
Sep 15 12:54:07 maingw pluto[898]: "conn1"[228] cl.cl.cl.cl:4500 #13540: initiating Main Mode to replace #13528
[client]
Sep 15 12:54:07 client pluto[1684]: packet from sv.sv.sv.sv:4500: received Vendor ID payload [Dead Peer Detection]
Sep 15 12:54:07 client pluto[1684]: packet from sv.sv.sv.sv:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 15 12:54:07 client pluto[1684]: packet from sv.sv.sv.sv:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Sep 15 12:54:07 client pluto[1684]: packet from sv.sv.sv.sv:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Sep 15 12:54:07 client pluto[1684]: packet from sv.sv.sv.sv:4500: initial Main Mode message received on 192.168.3.20:4500 but no connection has been authorized

from now on every 10 seconds:
[server]
nothing
[client]
Sep 15 12:54:17 client pluto[1684]: packet from sv.sv.sv.sv:4500: received Vendor ID payload [Dead Peer Detection]
Sep 15 12:54:17 client pluto[1684]: packet from sv.sv.sv.sv:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Sep 15 12:54:17 client pluto[1684]: packet from sv.sv.sv.sv:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Sep 15 12:54:17 client pluto[1684]: packet from sv.sv.sv.sv:4500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Sep 15 12:54:17 client pluto[1684]: packet from sv.sv.sv.sv:4500: initial Main Mode message received on 192.168.3.20:4500 but no connection has been authorized

Regards - Ingo.
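Added example, not part of Ingo's post and not Openswan code: a small Python triage script for pluto logs of the shape shown above. It parses the syslog lines, lists every "initiating Main Mode to replace" rekey by host, and groups the responder-side "initial Main Mode message received ... but no connection has been authorized" rejections per peer address into bursts, so the pattern in the post (a server-side ISAKMP rekey followed by the NATed client rejecting it every 10 seconds) shows up as two summary entries instead of thousands of lines. The sample log lines are constructed to mirror the post, the burst thresholds (at least 3 events no more than 60 s apart) are arbitrary choices, and the line format is assumed to match the post's syslog output.

```python
import re
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# One pluto syslog line, e.g. "Sep 15 12:54:17 client pluto[1684]: <message>"
# (format assumed from the log excerpts in the post).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>pluto\[\d+\]|ipsec__plutorun): (?P<msg>.*)$"
)
# Responder-side rejection of an unsolicited Main Mode exchange.
UNAUTH_RE = re.compile(
    r"^packet from (?P<peer>[^:\s]+):(?P<port>\d+): initial Main Mode message "
    r"received on (?P<local>\S+) but no connection has been authorized$"
)
# Initiator-side ISAKMP rekey, with or without the peer address:
#   "conn1"[228] cl.cl.cl.cl:4500 #13540: initiating Main Mode to replace #13528
#   "conn1" #3: initiating Main Mode to replace #1
REPLACE_RE = re.compile(
    r'^"(?P<conn>[^"]+)"(?:\[\d+\])?(?: \S+)? #(?P<new>\d+): '
    r"initiating Main Mode to replace #(?P<old>\d+)$"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split a syslog line into timestamp, host, program and message.
    Returns None for lines that are not pluto/plutorun output."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev: Dict[str, object] = dict(m.groupdict())
    # Syslog carries no year; the default year 1900 is fine since only deltas are used.
    ev["time"] = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ev


def find_rekeys(events: List[Dict[str, object]]) -> List[Tuple[str, str, str, str]]:
    """Every 'initiating Main Mode to replace' event as (host, conn, old_sa, new_sa)."""
    out = []
    for ev in events:
        m = REPLACE_RE.match(str(ev["msg"]))
        if m:
            out.append((str(ev["host"]), m["conn"], m["old"], m["new"]))
    return out


def find_unauthorized_bursts(events: List[Dict[str, object]],
                             min_count: int = 3,
                             max_gap_s: float = 60.0) -> List[Dict[str, object]]:
    """Group 'no connection has been authorized' rejections per peer address and
    report runs of at least min_count events spaced no more than max_gap_s apart."""
    per_peer: Dict[str, List[datetime]] = {}
    for ev in events:
        m = UNAUTH_RE.match(str(ev["msg"]))
        if m:
            per_peer.setdefault(m["peer"], []).append(ev["time"])
    bursts: List[Dict[str, object]] = []
    for peer, times in per_peer.items():
        times.sort()
        run = [times[0]]
        for t in times[1:] + [None]:  # None is a sentinel that flushes the last run
            if t is not None and (t - run[-1]).total_seconds() <= max_gap_s:
                run.append(t)
                continue
            if len(run) >= min_count:
                span = (run[-1] - run[0]).total_seconds()
                bursts.append({"peer": peer, "count": len(run), "first": run[0],
                               "last": run[-1], "avg_gap_s": span / (len(run) - 1)})
            if t is not None:
                run = [t]
    return bursts


def triage(*logs: Iterable[str]) -> Dict[str, object]:
    """Parse one or more logs (server and client can be triaged together),
    order the events by time and report rekeys and rejection bursts."""
    events = [ev for log in logs for line in log if (ev := parse_line(line))]
    events.sort(key=lambda ev: ev["time"])
    return {"rekeys": find_rekeys(events), "bursts": find_unauthorized_bursts(events)}


# Constructed sample lines mirroring the post (placeholder addresses as in the post).
SERVER_LOG = [
    'Sep 15 12:43:23 maingw pluto[898]: "conn1"[230] cl.cl.cl.cl:4500 #13538: responding to Main Mode from unknown peer cl.cl.cl.cl:4500',
    'Sep 15 12:54:07 maingw pluto[898]: "conn1"[228] cl.cl.cl.cl:4500 #13540: initiating Main Mode to replace #13528',
]
CLIENT_LOG = [
    'Sep 15 12:43:23 client pluto[1684]: "conn1" #3: initiating Main Mode to replace #1',
    'Sep 15 12:54:07 client pluto[1684]: packet from sv.sv.sv.sv:4500: received Vendor ID payload [Dead Peer Detection]',
] + [
    f'Sep 15 12:54:{s:02d} client pluto[1684]: packet from sv.sv.sv.sv:4500: initial Main Mode message received on 192.168.3.20:4500 but no connection has been authorized'
    for s in (7, 17, 27, 37)
]

if __name__ == "__main__":
    report = triage(SERVER_LOG, CLIENT_LOG)
    for host, conn, old, new in report["rekeys"]:
        print(f"rekey on {host}: {conn} ISAKMP SA #{old} -> #{new}")
    for b in report["bursts"]:
        print(f"{b['count']} rejected Main Mode attempts from {b['peer']} "
              f"between {b['first']:%H:%M:%S} and {b['last']:%H:%M:%S}, "
              f"every {b['avg_gap_s']:.0f}s")
```

Run it over the server and client logs together so the server's rekey line and the client's rejections land in one timeline; in a real deployment, feed it the two syslog files (or a `journalctl`/`syslog` export) instead of the constructed lists, and raise `min_count` if a handful of rejections after a reboot is normal on your gateways.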
