[Openswan Users] ipsec tunnel goes up and down (2.6.11.7 -> D-Link DI-824VUP+)

Oskar Liljeblad oskar at osk.mine.nu
Fri Apr 15 17:44:23 CEST 2005


Hello

I'm having trouble with my IPsec configuration. It seems to go down and up
quite frequently. It stays down, or up for that matter, for an hour or
longer.

Here's the setup:

The left side above is running Openswan native IPSEC on 2.6.11.7, and the
right side is a D-Link DI-824VUP+ VPN-router/gateway/multi-purpose device.
Here's my ipsec.conf:

conn dlink-subnet-alpha-subnet
    authby=secret
    left=%defaultroute
    leftsubnet=192.168.1.0/24
    leftsourceip=192.168.1.1
    right=194.XXX.XXX.XXX
    rightsubnet=192.168.0.0/24
    rightsourceip=192.168.0.1
    auto=start

Note that the left side has dynamic IP address, but this does not seem to be
the cause of the problem - the IP address is not changed. Here's the output
of 'ipsec auto --status' when the VPN is down:

000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 212.XXX.XXX.149
000 interface eth1/eth1 192.168.2.1
000 interface eth2/eth2 192.168.1.1
000 %myid = (none)
000 debug none
000  
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000  
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000  
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
000  
000 "dlink-subnet-alpha-subnet": 192.168.1.0/24===212.XXX.XXX.149---212.XXX.XXX.254...194.XXX.XXX.XXX===192.168.0.0/24; erouted; eroute owner: #31
000 "dlink-subnet-alpha-subnet":     srcip=192.168.1.1; dstip=192.168.0.1
000 "dlink-subnet-alpha-subnet":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "dlink-subnet-alpha-subnet":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0; 
000 "dlink-subnet-alpha-subnet":   newest ISAKMP SA: #40; newest IPsec SA: #31; 
000 "dlink-subnet-alpha-subnet":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1536
000  
000 #40: "dlink-subnet-alpha-subnet" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 114s; newest ISAKMP; nodpd
000 #31: "dlink-subnet-alpha-subnet" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1121s; newest IPSEC; eroute owner
000 #31: "dlink-subnet-alpha-subnet" esp.10050010 at 194.XXX.XXX.XXX esp.6833613 at 212.XXX.XXX.149 tun.0 at 194.XXX.XXX.XXX tun.0 at 212.XXX.XXX.149
000  

The last thing I see in my auth log before the VPN goes down is this:

15:42:12 pluto[406]: "dlink-subnet-alpha-subnet" #40: initiating Main Mode to replace #39
15:42:12 pluto[406]: | no IKE algorithms for this connection 
15:42:22 pluto[406]: "dlink-subnet-alpha-subnet" #40: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
15:42:22 pluto[406]: "dlink-subnet-alpha-subnet" #40: I did not send a certificate because I do not have one.
15:42:22 pluto[406]: "dlink-subnet-alpha-subnet" #40: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
15:42:23 pluto[406]: "dlink-subnet-alpha-subnet" #40: Main mode peer ID is ID_IPV4_ADDR: '194.XXX.XXX.XXX'
15:42:23 pluto[406]: "dlink-subnet-alpha-subnet" #40: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
15:42:23 pluto[406]: "dlink-subnet-alpha-subnet" #40: ISAKMP SA established Then a little later:
15:57:00 alpha pluto[406]: "dlink-subnet-alpha-subnet" #39: received Delete SA payload: deleting ISAKMP State #39
15:57:00 alpha pluto[406]: packet from 194.XXX.XXX.XXX:500: received and ignored informational message

It's just a matter of restarting Openswan to reinitialize the VPN. Note that
I get this weird error in my daemon log after the VPN has successfully
started:

16:28:15 ipsec__plutorun: 104 "dlink-subnet-alpha-subnet" #1: STATE_MAIN_I1: initiate
16:28:15 ipsec__plutorun: ...could not start conn "dlink-subnet-alpha-subnet"

At the same time in the auth log I see:

16:28:15 pluto[15787]: Starting Pluto (Openswan Version 2.3.0 X.509-1.5.4 PLUTO_USES_KEYRR)
16:28:15 pluto[15787]: Setting port floating to off
16:28:15 pluto[15787]: port floating activate 0/1
16:28:15 pluto[15787]:   including NAT-Traversal patch (Version 0.6c) [disabled]
16:28:15 pluto[15787]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
16:28:15 pluto[15787]: starting up 1 cryptographic helpers
16:28:15 pluto[15787]: started helper pid=15788 (fd:6)
16:28:15 pluto[15787]: Using Linux 2.6 IPsec interface code
16:28:15 pluto[15787]: Changing to directory '/etc/ipsec.d/cacerts'
16:28:15 pluto[15787]: Could not change to directory '/etc/ipsec.d/aacerts'
16:28:15 pluto[15787]: Changing to directory '/etc/ipsec.d/ocspcerts'
16:28:15 pluto[15787]: Changing to directory '/etc/ipsec.d/crls'
16:28:15 pluto[15787]:   Warning: empty directory
16:28:15 pluto[15787]: added connection description "dlink-subnet-alpha-subnet"
16:28:15 pluto[15787]: listening for IKE messages
16:28:15 pluto[15787]: adding interface eth2/eth2 192.168.1.1
16:28:15 pluto[15787]: adding interface eth1/eth1 192.168.2.1
16:28:15 pluto[15787]: adding interface eth0/eth0 212.XXX.XXX.149
16:28:15 pluto[15787]: adding interface lo/lo 127.0.0.1
16:28:15 pluto[15787]: loading secrets from "/etc/ipsec.secrets"
16:28:15 pluto[15787]: "dlink-subnet-alpha-subnet" #1: initiating Main Mode
16:28:15 pluto[15787]: | no IKE algorithms for this connection 
16:28:16 pluto[15787]: "dlink-subnet-alpha-subnet" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
16:28:16 pluto[15787]: "dlink-subnet-alpha-subnet" #1: I did not send a certificate because I do not have one.
16:28:16 pluto[15787]: "dlink-subnet-alpha-subnet" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
16:28:16 pluto[15787]: "dlink-subnet-alpha-subnet" #1: Main mode peer ID is ID_IPV4_ADDR: '194.XXX.XXX.XXX'
16:28:16 pluto[15787]: "dlink-subnet-alpha-subnet" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
16:28:16 pluto[15787]: "dlink-subnet-alpha-subnet" #1: ISAKMP SA established
16:28:16 pluto[15787]: "dlink-subnet-alpha-subnet" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
16:28:17 pluto[15787]: "dlink-subnet-alpha-subnet" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
16:28:17 pluto[15787]: "dlink-subnet-alpha-subnet" #2: sent QI2, IPsec SA established {ESP=>0x12050010 <0xcaa57fe0}

What's wrong here?
Unfortunately the D-Link DI-824 VUP+ doesn't support certificates.

Regards,

Oskar Liljeblad (oskar at osk.mine.nu) [For searching: DLink DI 824 DI824 VUP VUP+ openswan linux]


More information about the Users mailing list