[Openswan Users] Fw: Unstable tunnel

Ole Morten olemotor at gmail.com
Fri Apr 29 11:04:21 CEST 2005


> 
>> Apr 28 06:38:46 dogbert ipsec_setup: WARNING: cannot flush state/policy database -- `%defaultroute'. Install a newer version of iproute/iproute2 or install the ipsec-tools package to obtain the setkey command.
> 
> The error is quite clear.

Installing ipsec-tools removed the warning, but the behaviour of ipsec is the same. I guess a dive into docs is required. Any tip is appreciated.
Many thanks
Ole M.

----- Original Message ----- 
From: Ole Morten 
To: users at openswan.org 
Sent: Thursday, April 28, 2005 9:57 AM
Subject: Unstable tunnel


Hi,

I have been using FreeSWAN 2.06 on a Mandrake Linux with kernel 2.4.25. Three tunnels are configured, two of them connect via a Nortel Contivity 1010, and for these tunnels I experience annoying outages approx. every hour. Every outage lasts about 1-5 minutes.

I have tested OpenSWAN 2.3.0 1rhel.i386 rpm and OpenSWAN 2.3.1 for fc3 together with kernels 2.4.25, 2.6.3, 2.6.8 and 2.6.11. The behaviour is pretty much the same on all kernel versions. ipsec.conf (see below) is not changed from the FreeSWAN setup and the 3 tunnels are up, however those to the Nortel box will stop working after a few hours. The two tunnels never seem to fail at the same time. The tunnels may reestablish automatically after a couple of hours, or if the ipsec service is restarted it works immediately.

The one tunnel that fails mostly has more traffic, maybe that is part of the reason? Any help is highly appreciated.
Regards
Ole

ipsec.conf (public addresses are changed)
version 2.0

conn %default
        left=183.212.134.154
        leftnexthop=%defaultroute
        leftid=183.212.134.154
        right=111.212.125.6
        rightsubnet=10.0.0.0/8
        rightnexthop=
        rightid=111.212.125.6
        type=tunnel
        auto=start
        keyexchange=ike
        auth=esp
        authby=secret
        pfs=yes
conn main_off_1
        leftsubnet=10.100.5.0/24
conn main_off_2
        leftsubnet=10.100.5.0/24
        right=204.110.137.189
        rightsubnet=10.100.7.0/24
        rightid=204.110.137.189
conn main_off_3
        leftsubnet=10.100.5.0/24
        right=204.110.137.189
        rightsubnet=10.100.8.0/24
        rightid=204.110.137.189
conn block
        auto=ignore
conn private
        auto=ignore
conn private-or-clear
        auto=ignore
conn clear-or-private
        auto=ignore
conn clear
        auto=ignore
conn packetdefault
        auto=ignore

Log when starting OpenSWAN 2.3.1 (after this I upgraded iproute2 to version 2.6.10)

Apr 28 06:38:46 dogbert kernel: NET: Unregistered protocol family 15
Apr 28 06:38:46 dogbert ipsec_setup: ...Openswan IPsec stopped
Apr 28 06:38:46 dogbert ipsec_setup: Stopping Openswan IPsec...
Apr 28 06:38:46 dogbert kernel: NET: Registered protocol family 15
Apr 28 06:38:46 dogbert kernel: Initializing IPsec netlink socket
Apr 28 06:38:46 dogbert ipsec_setup: WARNING: cannot flush state/policy database -- `%defaultroute'. Install a newer version of iproute/iproute2 or install the ipsec-tools package to obtain the setkey command.
Apr 28 06:38:46 dogbert ipsec_setup: KLIPS ipsec0 on eth0 183.212.134.154/255.255.255.252 broadcast 183.212.134.155
Apr 28 06:38:46 dogbert ipsec_setup: ...Openswan IPsec started
Apr 28 06:38:47 dogbert ipsec_setup: Starting Openswan IPsec 2.3.1...
Apr 28 06:38:47 dogbert ipsec_setup: insmod /lib/modules/2.6.11-1mdksmp/kernel/net/key/af_key.ko.gz
Apr 28 06:38:47 dogbert ipsec_setup: insmod /lib/modules/2.6.11-1mdksmp/kernel/net/ipv4/xfrm4_tunnel.ko.gz
Apr 28 06:38:47 dogbert ipsec_setup: insmod /lib/modules/2.6.11-1mdksmp/kernel/net/xfrm/xfrm_user.ko.gz
Apr 28 06:38:47 dogbert ipsec_setup: ipsec_setup: WARNING: cannot flush state/policy database -- `%defaultroute'. Install a newer version of iproute/iproute2 or install the ipsec-tools package to obtain the setkey command.
Apr 28 06:38:47 dogbert ipsec__plutorun: 104 "main_off_1" #1: STATE_MAIN_I1: initiate
Apr 28 06:38:47 dogbert ipsec__plutorun: ...could not start conn "main_off_1"
Apr 28 06:38:48 dogbert ipsec__plutorun: 104 "main_off_2" #2: STATE_MAIN_I1: initiate
Apr 28 06:38:48 dogbert ipsec__plutorun: ...could not start conn "main_off_2"

When the failure occurred on 2.3.0 /var/log/secure sometimes (not always) shows the following:

Apr 26 15:57:19 dogbert pluto[30737]: "main_off_3" #12: next payload type of ISAKMP Hash Payload has an unknown value: 19
Apr 26 15:57:19 dogbert pluto[30737]: "main_off_3" #12: malformed payload in packet
Apr 26 15:57:19 dogbert pluto[30737]: "main_off_3" #12: sending notification PAYLOAD_MALFORMED to 204.110.137.189:500
Apr 26 15:57:19 dogbert pluto[30737]: "main_off_3" #12: next payload type of ISAKMP Hash Payload has an unknown value: 99
Apr 26 15:57:19 dogbert pluto[30737]: "main_off_3" #12: malformed payload in packet
Apr 26 15:57:19 dogbert pluto[30737]: "main_off_3" #12: sending notification PAYLOAD_MALFORMED to 204.110.137.189:500
Apr 26 15:57:19 dogbert pluto[30737]: "main_off_3" #12: byte 2 of ISAKMP Hash Payload must be zero, but is not
Apr 26 15:57:19 dogbert pluto[30737]: "main_off_3" #12: malformed payload in packet
Apr 26 15:57:19 dogbert pluto[30737]: "main_off_3" #12: sending notification PAYLOAD_MALFORMED to 204.110.137.189:500
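The three pluto messages above are structural checks on the IKEv1 (ISAKMP, RFC 2408) payload chain: every payload starts with a 4-byte generic header (next payload type, a RESERVED byte that must be zero, and a 16-bit length), and pluto follows that chain through the message. Random-looking values such as 19 and 99 in the next-payload field and a non-zero RESERVED byte, all on the same state (#12) within one second, are what these checks report when the bytes pluto obtained after decryption do not parse, for example because the peer used different keying material for that SA. The checker below, an added example that is not code from the post or from Openswan, walks the chain of a plaintext message and raises the same kind of error; the payload-type table, the sample messages and the `diagnose` wording are constructed here and are assumptions.

```python
"""Walk the ISAKMP payload chain of an IKEv1 message and apply the structural
checks pluto logs as "malformed payload in packet" (added example; RFC 2408
section 3.2 defines the generic payload header, the samples are constructed)."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Next-payload types this checker knows: RFC 2408 section 3.1, Mode Config
# attributes (14) and RFC 3947 NAT-T (20, 21).  Anything else is reported as
# unknown, as pluto reported 19 and 99 in the log above.
PAYLOAD_TYPES = {
    0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
    8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID",
    14: "ATTR", 20: "NAT-D", 21: "NAT-OA",
}
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # cookies, np, version, xchg, flags, msgid, length
GENERIC_HDR = struct.Struct("!BBH")         # next payload, RESERVED, payload length
FLAG_ENCRYPTION = 0x01


class Malformed(ValueError):
    """A structural error in the payload chain."""


@dataclass
class Payload:
    ptype: int
    body: bytes


def name(ptype: int) -> str:
    return PAYLOAD_TYPES.get(ptype, f"unknown({ptype})")


def walk_payloads(first: int, data: bytes) -> List[Payload]:
    """Follow the next-payload chain through `data` (the bytes after the
    ISAKMP header), raising Malformed at the first inconsistency."""
    if first not in PAYLOAD_TYPES:
        raise Malformed(f"next payload type of ISAKMP Message has an unknown value: {first}")
    out, ptype, off = [], first, 0
    while ptype != 0:
        if off + GENERIC_HDR.size > len(data):
            raise Malformed(f"ISAKMP {name(ptype)} Payload is truncated")
        nxt, reserved, length = GENERIC_HDR.unpack_from(data, off)
        if nxt not in PAYLOAD_TYPES:
            raise Malformed(f"next payload type of ISAKMP {name(ptype)} Payload has an unknown value: {nxt}")
        if reserved != 0:
            raise Malformed(f"byte 2 of ISAKMP {name(ptype)} Payload must be zero, but is {reserved}")
        if length < GENERIC_HDR.size or off + length > len(data):
            raise Malformed(f"ISAKMP {name(ptype)} Payload has a bad length: {length}")
        out.append(Payload(ptype, data[off + GENERIC_HDR.size:off + length]))
        off += length
        ptype = nxt
    if off != len(data):
        raise Malformed(f"{len(data) - off} trailing bytes after the last payload")
    return out


def parse_message(msg: bytes) -> List[Payload]:
    """Check the ISAKMP header, then walk the payload chain of a plaintext message."""
    if len(msg) < ISAKMP_HDR.size:
        raise Malformed("message shorter than the ISAKMP header")
    _ic, _rc, first, _ver, _xchg, flags, _msgid, length = ISAKMP_HDR.unpack_from(msg)
    if length != len(msg):
        raise Malformed(f"ISAKMP header length {length} does not match message length {len(msg)}")
    if flags & FLAG_ENCRYPTION:
        # The payloads are ciphertext; the checks only apply to the decrypted
        # bytes, which needs the SA's keys, so refuse rather than misreport.
        raise ValueError("message is encrypted; decrypt with the SA keys first")
    return walk_payloads(first, msg[ISAKMP_HDR.size:])


def diagnose(msg: bytes) -> str:
    """One-line verdict in the style of pluto's log."""
    try:
        return "ok: " + " ".join(name(p.ptype) for p in parse_message(msg))
    except Malformed as e:
        return f"malformed payload in packet: {e}"
    except ValueError as e:
        return f"cannot check: {e}"


def build_message(payloads: List[Tuple[int, bytes]], flags: int = 0) -> bytes:
    """Assemble a well-formed plaintext message from (type, body) pairs.
    Cookies and message id are constructed; exchange type 32 is Quick Mode."""
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += GENERIC_HDR.pack(nxt, 0, GENERIC_HDR.size + len(body)) + body
    first = payloads[0][0] if payloads else 0
    total = ISAKMP_HDR.size + len(chain)
    return ISAKMP_HDR.pack(b"\x01" * 8, b"\x02" * 8, first, 0x10, 32, flags, 0x1234, total) + chain


# Constructed samples: a clean HASH -> N chain (Notify body: DOI 1, ESP,
# INITIAL-CONTACT) and two copies damaged the way the log above shows.
GOOD = build_message([(8, b"\xaa" * 16), (11, b"\x00\x00\x00\x01\x03\x00\x60\x00")])
BAD_NEXT = GOOD[:28] + bytes([19]) + GOOD[29:]        # HASH's next-payload byte -> 19
BAD_RESERVED = GOOD[:29] + bytes([0x5A]) + GOOD[30:]  # HASH's RESERVED byte -> 0x5a

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad next", BAD_NEXT), ("bad reserved", BAD_RESERVED)):
        print(f"{label:13s} {diagnose(sample)}")
```

The useful point for troubleshooting is that `diagnose` only reports *where* the chain stops making sense, not why; when the message was encrypted on the wire, the reported values are a property of the decrypted bytes, so a burst of these errors on one state is a reason to look at the SA lifetimes and rekeying on both ends rather than at the packet format itself.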