[Openswan Users] VPN between openswan and ISA 2004

Paul Wouters paul at xelerance.com
Mon Jun 13 02:21:51 CEST 2005

On Sun, 12 Jun 2005, Mitja Sladovic wrote:

> Im setting up VPN between openswan 2.2 and ISA server 2004 on costumer side.
> But what mean this log:
> Jun 12 22:30:37 gate1 pluto[31315]: "e1" #569: sent QI2, IPsec SA established 
> {ESP=>0x2deba74e <0xb7a71ead}

That's good.

> Jun 12 22:30:37 gate1 pluto[31315]: "e1" #569: IKE message has the Commit 
> Flag set but Pluto doesn't implement this feature; ignoring flag
> Jun 12 22:30:37 gate1 pluto[31315]: "e1" #569: message ignored because it 
> contains an unexpected payload type (ISAKMP_NEXT_HASH)
> Jun 12 22:30:37 gate1 pluto[31315]: "e1" #569: sending encrypted notification 
> What is IKE Commit flag?

This flag means "I'm done, you can install the IPsec SA now". However, openswan
does not support this flag because:

a) it isn't clear which messages should have it set.
b) it isn't protected by the encryption/authentication of IKE
c) the message with the bit set can get lost, so you have to transmit anyway.

This packet is therefor just logged and ignored.

> The problem is, that tunnel works for some time.. but then stops and I need 
> to restart connection.

Are there any logs when the tunnel dies? Is there another round of IKE
happening? Can you show the logs? If openswan didnt log anything, what
does the other end log?


More information about the Users mailing list