[Openswan Users] One Hour Disconnect?

Peter McGill petermcgill at goco.net
Thu Dec 15 14:39:28 CET 2005


Hello,

I recently set up a tunnel between:
Local: OpenSWAN 2.4.4 on Linux Kernel 2.4.31
Remote: Nortel Contivity VPN Switch (1700 I think)

The remote end is at a business partner's site, so I
don't have complete access to the configs/etc. on it.
We set it up over the phone; it took a number of attempts
to find a configuration both liked, but eventually we
settled on PSK, 3DES, MD5, DH 2 modp-1024
(no compression).

The connection is established, and works for about one
hour. The logs seem to indicate that the ISAKMP SA
is renegotiated at about 45 minutes in. I have tested
the connection after this and it is still working, but at
about one hour we receive a Delete SA from the
Nortel box and the connection goes down without
reconnecting. At this point I have to manually force
reconnection via: ipsec auto --up or --route.

If someone is familiar with this problem I could use
some help. I have tried using both auto=start and
auto=route in the config, and both with DPD on and
off. I also increased ikelifetime to 2 hours, with no effect.

If my memory is correct the Nortel box should have:
Idle Timeout: 0
Rekey Timeout: 8 hours
I have a request with the remote tech to confirm this again.

As a note for completeness, I also connect to several other
OpenSWANs for branch office communication; these stay
on all the time without difficulty, rekeying as they should.

Here are the recent logs for the connection, and the
associated conf sections.

/etc/ipsec.conf:
version 2.0

config setup
 interfaces=%defaultroute
 uniqueids=yes

include /etc/ipsec.d/examples/no_oe.conf

conn sunoco-172-16-19-net-to-london-office-net
 left=66.11.74.93
 leftnexthop=%defaultroute
 leftsubnet=172.21.0.0/16
 alsoflip=sunoco-toronto
 rightsubnet=172.16.0.0/14
 auto=route

conn sunoco-192-168-net-to-london-office-net
 left=66.11.74.93
 leftnexthop=%defaultroute
 leftsubnet=172.21.0.0/16
 alsoflip=sunoco-toronto
 rightsubnet=192.168.0.0/16
 auto=route

conn sunoco-toronto
 left=199.212.129.226
 leftnexthop=%defaultroute
 also=sunoco

conn sunoco
 # keyexchange=ike
 # aggrmode=no
 # auth=esp
 # 3des-md5-modp1024
 ike=3des
 esp=3des
 # pfs=yes
 # ikelifetime=1.0h
 ikelifetime=2.0h
 # keylife=8.0h
 # rekey=yes
 # compress=yes
 compress=no
 # keyingtries=%forever
 keyingtries=3
 dpddelay=30
 dpdtimeout=120
 # dpdaction=hold
 dpdaction=clear
 authby=secret
End: /etc/ipsec.conf

/var/log/secure:
Dec 14 10:40:32 sheridan pluto[31069]: initiate on demand from 172.21.3.53:0 to 172.19.3.179:0 proto=0 state: fos_start because: acquire
Dec 14 10:40:32 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #444: initiating Main Mode
Dec 14 10:40:32 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #444: ignoring unknown Vendor ID payload [424e455300000005]
Dec 14 10:40:32 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #444: received Vendor ID payload [Dead Peer Detection]
Dec 14 10:40:32 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #444: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Dec 14 10:40:32 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #444: STATE_MAIN_I2: sent MI2, expecting MR2
Dec 14 10:40:32 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #444: I did not send a certificate because I do not have one.
Dec 14 10:40:32 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #444: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Dec 14 10:40:32 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #444: STATE_MAIN_I3: sent MI3, expecting MR3
Dec 14 10:40:32 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #444: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Dec 14 10:40:32 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #444: Main mode peer ID is ID_IPV4_ADDR: '199.212.129.226'
Dec 14 10:40:32 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #444: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Dec 14 10:40:32 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #444: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Dec 14 10:40:32 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #445: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS {using isakmp#444}
Dec 14 10:40:32 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #445: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Dec 14 10:40:32 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #445: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x0001fb9a <0xc7c32e61 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Dec 14 11:28:08 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #449: initiating Main Mode to replace #444
Dec 14 11:28:08 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #449: ignoring unknown Vendor ID payload [424e455300000005]
Dec 14 11:28:08 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #449: received Vendor ID payload [Dead Peer Detection]
Dec 14 11:28:08 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #449: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Dec 14 11:28:08 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #449: STATE_MAIN_I2: sent MI2, expecting MR2
Dec 14 11:28:08 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #449: I did not send a certificate because I do not have one.
Dec 14 11:28:08 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #449: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Dec 14 11:28:08 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #449: STATE_MAIN_I3: sent MI3, expecting MR3
Dec 14 11:28:08 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #449: Main mode peer ID is ID_IPV4_ADDR: '199.212.129.226'
Dec 14 11:28:08 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #449: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Dec 14 11:28:08 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #449: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Dec 14 11:40:32 sheridan pluto[31069]: packet from 199.212.129.226:500: Informational Exchange is for an unknown (expired?) SA
Dec 14 11:40:33 sheridan pluto[31069]: packet from 199.212.129.226:500: Informational Exchange is for an unknown (expired?) SA
Dec 14 11:43:23 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #449: received Delete SA payload: deleting ISAKMP State #449
Dec 14 11:43:23 sheridan pluto[31069]: packet from 199.212.129.226:500: received and ignored informational message
End: /var/log/secure


Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited
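The timeline in the posted /var/log/secure excerpt can be checked mechanically rather than by eye. The script below is an added example, not code from the post or from the Openswan project: it parses pluto's syslog lines, follows each ISAKMP SA from establishment to either a local replacement or a peer-sent Delete SA, and flags any SA that the peer deleted and pluto never replaced, which is the state in which the tunnel stays down until ipsec auto --up is run by hand. On the lines above it reports that #444 was replaced by #449 after 2856 s, that the two "unknown (expired?) SA" informationals arrive exactly 3600 s after #444 was established (an SA pluto had already replaced), and that the Delete for #449 arrives 915 s after that SA came up with no replacement following. The sample input is the post's own log lines re-joined one per line and trimmed of the state-transition and Vendor ID lines; the year 2005 is an assumption for timestamp parsing, since syslog omits it.

```python
import re
from datetime import datetime

ASSUMED_YEAR = 2005  # assumption: syslog lines carry no year; the post is dated Dec 2005

# Sample input: lines from the post above, re-joined onto one line each (the
# list archive wrapped them). State-transition and Vendor ID lines are left
# out because they do not affect the SA bookkeeping below.
SAMPLE_LOG = """\
Dec 14 10:40:32 sheridan pluto[31069]: initiate on demand from 172.21.3.53:0 to 172.19.3.179:0 proto=0 state: fos_start because: acquire
Dec 14 10:40:32 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #444: initiating Main Mode
Dec 14 10:40:32 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #444: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Dec 14 10:40:32 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #445: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS {using isakmp#444}
Dec 14 10:40:32 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #445: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x0001fb9a <0xc7c32e61 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}
Dec 14 11:28:08 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #449: initiating Main Mode to replace #444
Dec 14 11:28:08 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #449: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Dec 14 11:40:32 sheridan pluto[31069]: packet from 199.212.129.226:500: Informational Exchange is for an unknown (expired?) SA
Dec 14 11:40:33 sheridan pluto[31069]: packet from 199.212.129.226:500: Informational Exchange is for an unknown (expired?) SA
Dec 14 11:43:23 sheridan pluto[31069]: "sunoco-172-16-19-net-to-london-office-net" #449: received Delete SA payload: deleting ISAKMP State #449
Dec 14 11:43:23 sheridan pluto[31069]: packet from 199.212.129.226:500: received and ignored informational message
"""

LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (.*)$")
ESTAB_RE = re.compile(r'^"([^"]+)" #(\d+): STATE_MAIN_I4: ISAKMP SA established')
REPLACE_RE = re.compile(r'^"[^"]+" #(\d+): initiating Main Mode to replace #(\d+)')
CHILD_RE = re.compile(r'^"[^"]+" #(\d+): initiating Quick Mode .*\{using isakmp#(\d+)\}')
DELETE_RE = re.compile(r'^"[^"]+" #\d+: received Delete SA payload: deleting ISAKMP State #(\d+)')
UNKNOWN_RE = re.compile(r"^packet from (\S+): Informational Exchange is for an unknown \(expired\?\) SA")


def parse_ts(text):  # syslog timestamp -> datetime, year supplied by us
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)


def seconds(start, end):
    return int((end - start).total_seconds())


def analyze(log_text):
    sas = {}      # ISAKMP state number -> bookkeeping record
    unknown = []  # peer informationals that referenced an SA pluto no longer holds
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = parse_ts(m.group(1)), m.group(2)
        if (e := ESTAB_RE.match(msg)):
            sas[int(e.group(2))] = {"conn": e.group(1), "established": ts,
                                    "replaced_by": None, "deleted_at": None,
                                    "end": None, "children": []}
        elif (r := REPLACE_RE.match(msg)):
            new, old = int(r.group(1)), int(r.group(2))
            if old in sas and sas[old]["end"] is None:
                sas[old]["replaced_by"], sas[old]["end"] = new, ts
        elif (c := CHILD_RE.match(msg)):
            child, parent = int(c.group(1)), int(c.group(2))
            if parent in sas:
                sas[parent]["children"].append(child)
        elif (d := DELETE_RE.match(msg)):
            num = int(d.group(1))
            if num in sas and sas[num]["end"] is None:
                sas[num]["deleted_at"], sas[num]["end"] = ts, ts
        elif (u := UNKNOWN_RE.match(msg)):
            # Age of every SA seen so far at this moment: shows which SA the
            # peer was most plausibly still referring to.
            ages = {n: seconds(s["established"], ts) for n, s in sas.items()
                    if s["established"] <= ts}
            unknown.append({"at": ts, "peer": u.group(1), "ages": ages})
    for sa in sas.values():
        sa["age_at_end"] = seconds(sa["established"], sa["end"]) if sa["end"] else None
    # An SA the peer deleted that nothing replaced leaves no ISAKMP SA behind:
    # the tunnel stays down until something re-initiates it.
    orphaned = sorted(n for n, s in sas.items()
                      if s["deleted_at"] is not None and s["replaced_by"] is None)
    return {"sas": sas, "unknown_sa_events": unknown, "orphaned": orphaned}


def report(result):
    lines = []
    for num, sa in sorted(result["sas"].items()):
        if sa["replaced_by"] is not None:
            fate = f"replaced by #{sa['replaced_by']} after {sa['age_at_end']}s"
        elif sa["deleted_at"] is not None:
            fate = f"deleted by peer after {sa['age_at_end']}s, never replaced"
        else:
            fate = "still up at end of log"
        lines.append(f"ISAKMP #{num} ({sa['conn']}) children={sa['children']}: {fate}")
    for ev in result["unknown_sa_events"]:
        ages = ", ".join(f"#{n}={a}s" for n, a in sorted(ev["ages"].items()))
        lines.append(f"{ev['at']:%H:%M:%S} informational from {ev['peer']} for unknown SA; SA ages: {ages}")
    if result["orphaned"]:
        lines.append(f"TUNNEL DOWN: ISAKMP SA(s) {result['orphaned']} deleted by peer with no replacement")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_LOG)))
```

Run it as a script to print the summary, or feed analyze() the contents of a full /var/log/secure. The output also makes one thing visible that is easy to miss in the raw excerpt: the only IPsec SA shown (#445) was negotiated under #444, and no Quick Mode appears under its replacement #449, so the fate of that child SA after the parent is deleted is the next thing worth confirming against the remote side's lifetime settings.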


