[Openswan Users] Problems on dialup vpn
John McMonagle
johnm at advocap.org
Mon May 16 15:38:55 CEST 2005
Have a site with dial up and it keeps having problems restoring its
vpn connections.
Running debian sarge with 2.6.10 kernel.
Using openswan 2.2.0-4.
On the dial up side, using diald set to keep up the connection if possible.
Scripts bring up ipsec after connecting and stop ipsec after the connection
goes down.
Checking the logs, that seems to work properly.
Problem is it either doesn't come up or it sort of works with a high
load, particularly on the dial up side.
The dial up side's load is about 3 although it's pretty much idle; pluto is
the top load.
At best ping time is about 200ms, can be a few seconds.
Sometimes it works OK.
Sometimes I need to do
ipsec auto --down prviewfondy
on both ends and start it on one end.
On the dsl side I am getting messages like this in auth.log. Link came up
at 3:38:
May 16 03:39:10 fonroute pluto[5026]: "prviewfondy" #147672: starting keying attempt 46 of an unlimited number
May 16 03:39:10 fonroute pluto[5026]: "prviewfondy" #147673: initiating Main Mode to replace #147672
May 16 03:47:40 fonroute pluto[5026]: "prviewfondy" #147673: ERROR: asynchronous network error report on eth1 for message to 216.127.203.221 port 500, complainant 216.127.203.221: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: responding to Main Mode
May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: transition from state (null) to state STATE_MAIN_R1
May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: Peer ID is ID_FQDN: '@prview.advocap.org'
May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: I did not send a certificate because I do not have one.
May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
May 16 03:47:47 fonroute pluto[5026]: "prviewfondy" #147675: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 16 03:47:47 fonroute pluto[5026]: "prviewfondy" #147675: sent MR3, ISAKMP SA established
May 16 03:47:47 fonroute pluto[5026]: "prviewfondy" #147676: responding to Quick Mode
May 16 03:47:48 fonroute pluto[5026]: "prviewfondy" #147676: transition from state (null) to state STATE_QUICK_R1
May 16 03:47:53 fonroute pluto[5026]: "prviewfondy" #147676: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 16 03:47:53 fonroute pluto[5026]: "prviewfondy" #147676: IPsec SA established {ESP=>0xbecc95f3 <0x2331a9f3 IPCOMP=>0x0000770e <0x00003fbf}
May 16 03:48:20 fonroute pluto[5026]: "prviewfondy" #147673: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 16 03:48:30 fonroute pluto[5026]: "prviewfondy" #147673: discarding duplicate packet; already STATE_MAIN_I2
May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: I did not send a certificate because I do not have one.
May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: Peer ID is ID_FQDN: '@prview.advocap.org'
May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: ISAKMP SA established
May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147677: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147678: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147679: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147680: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147681: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147682: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147683: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147684: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {us
Same from dialup side:
May 16 03:39:28 prvroute pluto[25943]: added connection description "prviewfondy"
May 16 03:39:28 prvroute pluto[25943]: "prviewfondy" #2: initiating Main Mode
May 16 03:39:29 prvroute pluto[25943]: "prviewfondy" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 16 03:39:29 prvroute pluto[25943]: "prviewfondy" #2: I did not send a certificate because I do not have one.
May 16 03:39:29 prvroute pluto[25943]: "prviewfondy" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #2: Peer ID is ID_FQDN: '@fondy.advocap.org'
May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #2: ISAKMP SA established
May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #4: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#2}
May 16 03:39:35 prvroute pluto[25943]: "prviewfondy" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May 16 03:39:35 prvroute pluto[25943]: "prviewfondy" #4: sent QI2, IPsec SA established {ESP=>0x2331a9f3 <0xbecc95f3 IPCOMP=>0x00003fbf <0x0000770e}
May 16 03:40:03 prvroute pluto[25943]: "prviewfondy" #7: responding to Main Mode
May 16 03:40:03 prvroute pluto[25943]: "prviewfondy" #7: transition from state (null) to state STATE_MAIN_R1
May 16 03:40:13 prvroute pluto[25943]: "prviewfondy" #7: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: Peer ID is ID_FQDN: '@fondy.advocap.org'
May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: I did not send a certificate because I do not have one.
May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: sent MR3, ISAKMP SA established
May 16 03:40:21 prvroute pluto[25943]: "prviewfondy" #8: responding to Quick Mode
May 16 03:40:22 prvroute pluto[25943]: "prviewfondy" #8: transition from state (null) to state STATE_QUICK_R1
May 16 03:40:22 prvroute pluto[25943]: "prviewfondy" #9: responding to Quick Mode
May 16 03:40:23 prvroute pluto[25943]: "prviewfondy" #9: transition from state (null) to state STATE_QUICK_R1
May 16 03:40:24 prvroute pluto[25943]: "prviewfondy" #10: responding to Quick Mode
May 16 03:40:25 prvroute pluto[25943]: "prviewfondy" #10: transition from state (null) to state STATE_QUICK_R1
May 16 03:40:25 prvroute pluto[25943]: "prviewfondy" #11: responding to Quick Mode
May 16 03:40:26 prvroute pluto[25943]: "prviewfondy" #11: transition from state (null) to state STATE_QUICK_R1
May 16 03:40:26 prvroute pluto[25943]: "prviewfondy" #12: responding to Quick Mode
May 16 03:40:27 prvroute pluto[25943]: "prviewfondy" #12: transition from state (null) to state STATE_QUICK_R1
May 16 03:40:27 prvroute pluto[25943]: "prviewfondy" #13: responding to Quick Mode
May 16 03:40:28 prvroute pluto[25943]: "prviewfondy" #13: transition from state (null) to state STATE_QUICK_R1
May 16 03:40:28 prvroute pluto[25943]: "prviewfondy" #14: responding to Quick Mode
May 16 03:40:29 prvroute pluto[25943]: "prviewfondy" #14: transition from state (null) to state STATE_QUICK_R1
.........................................
lot more of the same, then
May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #21: max number of retransmissions (2) reached STATE_QUICK_R1
May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #19: max number of retransmissions (2) reached STATE_QUICK_R1
May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #20: max number of retransmissions (2) reached STATE_QUICK_R1
May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #82: responding to Quick Mode
..........................................
Get some of these:
May 16 03:42:03 prvroute pluto[25943]: "prviewfondy" #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xf23d36aa (perhaps this is a duplicated packet)
May 16 03:42:03 prvroute pluto[25943]: "prviewfondy" #7: sending encrypted notification INVALID_MESSAGE_ID to 216.170.136.82:500
ipsec.conf on dialup end:
conn prviewfondy
    authby=rsasig
    compress=yes
    # Left security gateway, subnet behind it, next hop toward it.
    leftid=@prview.advocap.org
    leftrsasigkey=0sAQN....wJ
    left=%defaultroute
    leftsubnet=192.168.10.0/24
    # Right security gateway, subnet behind it, next hop toward it.
    right=tfondy.advocap.org
    rightid=@fondy.advocap.org
    rightrsasigkey=0x0103............7d
    rightsubnet=192.168.2.0/24
    auto=start
ipsec.conf on dsl end:
conn prviewfondy
    authby=rsasig
    compress=yes
    leftid=@prview.advocap.org
    leftrsasigkey=0sAQNu.........O/wJ
    left=hdstart.dotnet.com
    leftsubnet=192.168.10.0/24
    right=tfondy.advocap.org
    rightid=@fondy.advocap.org
    rightrsasigkey=0x0103a8..........7d
    rightsubnet=192.168.2.0/24
    auto=start
Have a bunch of vpn links on the non-dialups that are working fine.
My wild guess is that the dsl side is confused by the link going down.
Should I just be starting from one side?
Any suggestions?
John
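An added diagnostic script (not from the post, and not part of Openswan) that scans pluto log lines in the auth.log format quoted above and counts the three patterns visible in the post: several Quick Mode initiations riding on one ISAKMP SA, "max number of retransmissions" being hit, and the ambiguous ipsec.secrets warning. The sample lines are constructed in the post's format, and the threshold of one Quick Mode per ISAKMP SA is an assumption for a connection with a single leftsubnet/rightsubnet pair.

```python
import re
from collections import Counter, defaultdict
# Constructed sample lines in the Openswan 2.2 pluto auth.log format quoted in the post.
SAMPLE_LOG = """\
May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: ISAKMP SA established
May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147677: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147678: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147679: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #21: max number of retransmissions (2) reached STATE_QUICK_R1
May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #19: max number of retransmissions (2) reached STATE_QUICK_R1
"""

# One pluto state line: timestamp, host, pluto[pid]: "conn" #state-number: message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$'
)
# Quick Mode initiation naming the ISAKMP SA it rides on
QM_RE = re.compile(r'initiating Quick Mode .*\{using isakmp#(?P<isakmp>\d+)\}')

def analyze(log_text, max_quick_modes=1):
    """Findings keyed by (host, conn). Assumed threshold: more than one
    Quick Mode per ISAKMP SA is abnormal for a single subnet pair."""
    quick_per_isakmp = defaultdict(Counter)
    retrans = Counter()
    secrets_warn = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pluto state line (or mangled, e.g. "ay 16 ...")
        key, msg = (m.group('host'), m.group('conn')), m.group('msg')
        qm = QM_RE.search(msg)
        if qm:
            quick_per_isakmp[key][qm.group('isakmp')] += 1
        elif 'max number of retransmissions' in msg:
            retrans[key] += 1
        elif 'multiple ipsec.secrets entries' in msg:
            secrets_warn[key] += 1
    findings = {}
    for key in set(quick_per_isakmp) | set(retrans) | set(secrets_warn):
        storms = {sa: n for sa, n in quick_per_isakmp[key].items()
                  if n > max_quick_modes}
        findings[key] = {
            'quick_mode_storms': storms,          # isakmp SA# -> Quick Mode count
            'retransmit_limits_hit': retrans[key],
            'ambiguous_secrets_warnings': secrets_warn[key],
        }
    return findings
```

Run it over the real auth.log from both gateways; a non-empty quick_mode_storms entry on one side paired with retransmission limits on the other points at the same Quick Mode storm the post's logs show.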