[Openswan Users] VPN between openswan and ISA 2004

Paul Wouters paul at xelerance.com
Mon Jun 13 02:21:51 CEST 2005


On Sun, 12 Jun 2005, Mitja Sladovic wrote:

> I'm setting up VPN between openswan 2.2 and ISA server 2004 on customer side.
> But what does this log mean:
> Jun 12 22:30:37 gate1 pluto[31315]: "e1" #569: sent QI2, IPsec SA established 
> {ESP=>0x2deba74e <0xb7a71ead}

That's good.

> Jun 12 22:30:37 gate1 pluto[31315]: "e1" #569: IKE message has the Commit 
> Flag set but Pluto doesn't implement this feature; ignoring flag
> Jun 12 22:30:37 gate1 pluto[31315]: "e1" #569: message ignored because it 
> contains an unexpected payload type (ISAKMP_NEXT_HASH)
> Jun 12 22:30:37 gate1 pluto[31315]: "e1" #569: sending encrypted notification 
> INVALID_PAYLOAD_TYPE to 193.189.186.250:500
>
> What is IKE Commit flag?

This flag means "I'm done, you can install the IPsec SA now". However, openswan
does not support this flag because:

a) it isn't clear which messages should have it set.
b) it isn't protected by the encryption/authentication of IKE.
c) the message with the bit set can get lost, so you have to transmit anyway.

This packet is therefore just logged and ignored.

> The problem is, that tunnel works for some time.. but then stops and I need 
> to restart connection.

Are there any logs when the tunnel dies? Is there another round of IKE
happening? Can you show the logs? If openswan didn't log anything, what
does the other end log?

Paul
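As an added example (not code from the thread, from openswan or from Paul), the Python below does two things that follow from the reply above: it decodes the cleartext ISAKMP header so the Commit bit Paul describes can be seen alongside the Encryption bit, and it runs a small triage over pluto syslog lines of the kind quoted in the mail, so that Paul's follow-up questions (did another round of IKE happen, how long did each IPsec SA last, which notifications were sent) can be answered from a log file rather than by eye. The header bytes and the last two sample log lines are constructed; the regular expressions assume the pluto log format visible in the quoted lines.

```python
import re
import struct
from datetime import datetime

# ISAKMP header flag bits (RFC 2408 section 3.1). The Commit bit lives in the
# cleartext header, outside the encrypted/authenticated part of the message.
ISAKMP_FLAG_ENCRYPTION = 0x01
ISAKMP_FLAG_COMMIT = 0x02
ISAKMP_FLAG_AUTH_ONLY = 0x04


def decode_isakmp_flags(flags):
    """Split the one-byte ISAKMP flags field into its three defined bits."""
    return {
        "encryption": bool(flags & ISAKMP_FLAG_ENCRYPTION),
        "commit": bool(flags & ISAKMP_FLAG_COMMIT),
        "auth_only": bool(flags & ISAKMP_FLAG_AUTH_ONLY),
    }


def parse_isakmp_header(raw):
    """Decode the 28-byte fixed ISAKMP header (RFC 2408 section 3.1)."""
    if len(raw) < 28:
        raise ValueError("ISAKMP fixed header is 28 bytes")
    icky, rcky, nxt, ver, exch, flags, msgid, length = struct.unpack("!8s8sBBBBII", raw[:28])
    return {
        "initiator_cookie": icky.hex(),
        "responder_cookie": rcky.hex(),
        "next_payload": nxt,        # 8 == ISAKMP_NEXT_HASH
        "major_version": ver >> 4,
        "minor_version": ver & 0x0F,
        "exchange_type": exch,      # 32 == Quick Mode (RFC 2409)
        "flags": decode_isakmp_flags(flags),
        "message_id": msgid,
        "length": length,
    }


# Constructed header, not a capture: zero cookies, next payload HASH (8),
# IKE version 1.0, Quick Mode (32), Encryption+Commit bits set (0x03).
CONSTRUCTED_HEADER = bytes(16) + bytes([8, 0x10, 32, 0x03]) + struct.pack("!II", 0x12345678, 28)

# pluto syslog line: <ts> <host> pluto[<pid>]: "<conn>" #<state>: <msg>
PLUTO_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[(?P<pid>\d+)\]: '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$'
)
ESTABLISHED_RE = re.compile(r"IPsec SA established \{ESP=>(0x[0-9a-fA-F]+) <(0x[0-9a-fA-F]+)\}")
NOTIFY_RE = re.compile(r"sending encrypted notification (\w+) to (\S+)")


def parse_pluto_line(line):
    """Return the fields of one pluto log line, or None for non-pluto lines."""
    m = PLUTO_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    ev["state"] = int(ev["state"])
    return ev


def triage(lines):
    """Summarise SA establishments, ignored Commit flags and notifications."""
    s = {"established": [], "commit_flag_ignored": 0, "ignored_messages": 0,
         "notifications_sent": [], "unparsed": 0}
    for line in lines:
        ev = parse_pluto_line(line)
        if ev is None:
            s["unparsed"] += 1
            continue
        msg = ev["msg"]
        m = ESTABLISHED_RE.search(msg)
        if m:
            s["established"].append((ev["ts"], ev["conn"], ev["state"], m.group(1), m.group(2)))
        elif "Commit Flag set" in msg:
            s["commit_flag_ignored"] += 1
        elif "message ignored" in msg:
            s["ignored_messages"] += 1
        else:
            m = NOTIFY_RE.search(msg)
            if m:
                s["notifications_sent"].append((ev["conn"], m.group(1), m.group(2)))
    return s


def sa_intervals(summary):
    """Seconds between consecutive IPsec SA establishments per connection.
    Syslog timestamps carry no year, so only use this within one year of log."""
    stamps = {}
    for ts, conn, _state, _spi_out, _spi_in in summary["established"]:
        stamps.setdefault(conn, []).append(datetime.strptime(ts, "%b %d %H:%M:%S"))
    return {c: [int((b - a).total_seconds()) for a, b in zip(t, t[1:])] for c, t in stamps.items()}


# First four lines are the ones quoted in the mail; the last two are constructed
# (an unrelated kernel line, and a later rekey with made-up SPIs).
SAMPLE_LOG = [
    'Jun 12 22:30:37 gate1 pluto[31315]: "e1" #569: sent QI2, IPsec SA established {ESP=>0x2deba74e <0xb7a71ead}',
    'Jun 12 22:30:37 gate1 pluto[31315]: "e1" #569: IKE message has the Commit Flag set but Pluto doesn\'t implement this feature; ignoring flag',
    'Jun 12 22:30:37 gate1 pluto[31315]: "e1" #569: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)',
    'Jun 12 22:30:37 gate1 pluto[31315]: "e1" #569: sending encrypted notification INVALID_PAYLOAD_TYPE to 193.189.186.250:500',
    'Jun 12 22:30:38 gate1 kernel: eth0: link up',
    'Jun 12 23:30:40 gate1 pluto[31315]: "e1" #601: sent QI2, IPsec SA established {ESP=>0x1a2b3c4d <0x5e6f7a8b}',
]

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(summary)
    print("seconds between SA establishments:", sa_intervals(summary))
    print(parse_isakmp_header(CONSTRUCTED_HEADER))
```

On real logs, feed `triage()` the lines from `/var/log/auth.log` or wherever pluto logs on the gateway; a second "IPsec SA established" for the same connection answers Paul's "is there another round of IKE" question, and `sa_intervals()` shows how long each SA lived before it was replaced, which is the first thing to compare against the lifetimes configured on the ISA side.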


