[Openswan Users] Problems on dialup vpn

Paul Wouters paul at xelerance.com
Tue May 17 00:10:03 CEST 2005 

On Mon, 16 May 2005, John McMonagle wrote:

> Using openswan       2.2.0-4

You are running into racing IPsec SA's, so you're continiously rekeying,
while during some of the time, your connection is up. This is a known issue
with 2.2.x.

Please upgrade to 2.3.1

Paul

> On dial up side using diald set to keep up the connection if possible.
> Scripts bring up ipsec after connecting and stop ipsec after connection goes 
> down.
>
> Checking the logs that seems to work properly
>
> Problem is it either doesn't come up or it sort of works with a high load 
> particularly on the dial up side.
> Dial up sides load is about 3 although it pretty much idle,  pluto is the top 
> load.
>
> At best ping time is about 200ms can be a few seconds.
>
> Some times it works Ok.
> Some times I need to do
> ipsec auto --down prviewfondy
> On both ends and start it on one end.
>
>
> On the dsl side am getting message like this on auth.log. Link came up at 
> 3:38:
> May 16 03:39:10 fonroute pluto[5026]: "prviewfondy" #147672: starting keying 
> attempt 46 of an unlimited number
> May 16 03:39:10 fonroute pluto[5026]: "prviewfondy" #147673: initiating Main 
> Mode to replace #147672
> May 16 03:47:40 fonroute pluto[5026]: "prviewfondy" #147673: ERROR: 
> asynchronous network error report on eth1 for message to
> 216.127.203.221 port 500, complainant 216.127.203.221: Connection refused 
> [errno 111, origin ICMP type 3 code 3 (not authen
> ticated)]
> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: responding to 
> Main Mode
> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: transition from 
> state (null) to state STATE_MAIN_R1
> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: transition from 
> state STATE_MAIN_R1 to state STATE_MAIN_R2
> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: Peer ID is 
> ID_FQDN: '@prview.advocap.org'
> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: I did not send a 
> certificate because I do not have one.
> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: multiple 
> ipsec.secrets entries with distinct secrets match endp
> oints: first secret used
> May 16 03:47:47 fonroute pluto[5026]: "prviewfondy" #147675: transition from 
> state STATE_MAIN_R2 to state STATE_MAIN_R3
> May 16 03:47:47 fonroute pluto[5026]: "prviewfondy" #147675: sent MR3, ISAKMP 
> SA established
> May 16 03:47:47 fonroute pluto[5026]: "prviewfondy" #147676: responding to 
> Quick Mode
> May 16 03:47:48 fonroute pluto[5026]: "prviewfondy" #147676: transition from 
> state (null) to state STATE_QUICK_R1
> May 16 03:47:53 fonroute pluto[5026]: "prviewfondy" #147676: transition from 
> state STATE_QUICK_R1 to state STATE_QUICK_R2
> May 16 03:47:53 fonroute pluto[5026]: "prviewfondy" #147676: IPsec SA 
> established {ESP=>0xbecc95f3 <0x2331a9f3 IPCOMP=>0x000
> 0770e <0x00003fbf}
> May 16 03:48:20 fonroute pluto[5026]: "prviewfondy" #147673: transition from 
> state STATE_MAIN_I1 to state STATE_MAIN_I2
> May 16 03:48:30 fonroute pluto[5026]: "prviewfondy" #147673: discarding 
> duplicate packet; already STATE_MAIN_I2
> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: I did not send a 
> certificate because I do not have one.
> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: multiple 
> ipsec.secrets entries with distinct secrets match endp
> oints: first secret used
> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: transition from 
> state STATE_MAIN_I2 to state STATE_MAIN_I3
> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: Peer ID is 
> ID_FQDN: '@prview.advocap.org'
> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: transition from 
> state STATE_MAIN_I3 to state STATE_MAIN_I4
> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: ISAKMP SA 
> established
> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147677: initiating Quick 
> Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {us
> ing isakmp#147673}
> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147678: initiating Quick 
> Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {us
> ing isakmp#147673}
> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147679: initiating Quick 
> Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {us
> ing isakmp#147673}
> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147680: initiating Quick 
> Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {us
> ing isakmp#147673}
> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147681: initiating Quick 
> Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {us
> ing isakmp#147673}
> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147682: initiating Quick 
> Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {us
> ing isakmp#147673}
> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147683: initiating Quick 
> Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {us
> ing isakmp#147673}
> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147684: initiating Quick 
> Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {us
>
> Same from dialup side:
> May 16 03:39:28 prvroute pluto[25943]: added connection description 
> "prviewfondy"
> May 16 03:39:28 prvroute pluto[25943]: "prviewfondy" #2: initiating Main Mode
> May 16 03:39:29 prvroute pluto[25943]: "prviewfondy" #2: transition from 
> state STATE_MAIN_I1 to state STATE_MAIN_I2
> May 16 03:39:29 prvroute pluto[25943]: "prviewfondy" #2: I did not send a 
> certificate because I do not have one.
> May 16 03:39:29 prvroute pluto[25943]: "prviewfondy" #2: transition from 
> state STATE_MAIN_I2 to state STATE_MAIN_I3
> May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #2: Peer ID is ID_FQDN: 
> '@fondy.advocap.org'
> May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #2: transition from 
> state STATE_MAIN_I3 to state STATE_MAIN_I4
> May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #2: ISAKMP SA 
> established
> May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #4: initiating Quick 
> Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using
> isakmp#2}
> May 16 03:39:35 prvroute pluto[25943]: "prviewfondy" #4: transition from 
> state STATE_QUICK_I1 to state STATE_QUICK_I2
> May 16 03:39:35 prvroute pluto[25943]: "prviewfondy" #4: sent QI2, IPsec SA 
> established {ESP=>0x2331a9f3 <0xbecc95f3 IPCOMP=
>> 0x00003fbf <0x0000770e}
> May 16 03:40:03 prvroute pluto[25943]: "prviewfondy" #7: responding to Main 
> Mode
> May 16 03:40:03 prvroute pluto[25943]: "prviewfondy" #7: transition from 
> state (null) to state STATE_MAIN_R1
> May 16 03:40:13 prvroute pluto[25943]: "prviewfondy" #7: transition from 
> state STATE_MAIN_R1 to state STATE_MAIN_R2
> May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: Peer ID is ID_FQDN: 
> '@fondy.advocap.org'
> May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: I did not send a 
> certificate because I do not have one.
> May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: transition from 
> state STATE_MAIN_R2 to state STATE_MAIN_R3
> May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: sent MR3, ISAKMP SA 
> established
> May 16 03:40:21 prvroute pluto[25943]: "prviewfondy" #8: responding to Quick 
> Mode
> May 16 03:40:22 prvroute pluto[25943]: "prviewfondy" #8: transition from 
> state (null) to state STATE_QUICK_R1
> May 16 03:40:22 prvroute pluto[25943]: "prviewfondy" #9: responding to Quick 
> Mode
> May 16 03:40:23 prvroute pluto[25943]: "prviewfondy" #9: transition from 
> state (null) to state STATE_QUICK_R1
> May 16 03:40:24 prvroute pluto[25943]: "prviewfondy" #10: responding to Quick 
> Mode
> May 16 03:40:25 prvroute pluto[25943]: "prviewfondy" #10: transition from 
> state (null) to state STATE_QUICK_R1
> May 16 03:40:25 prvroute pluto[25943]: "prviewfondy" #11: responding to Quick 
> Mode
> May 16 03:40:26 prvroute pluto[25943]: "prviewfondy" #11: transition from 
> state (null) to state STATE_QUICK_R1
> May 16 03:40:26 prvroute pluto[25943]: "prviewfondy" #12: responding to Quick 
> Mode
> May 16 03:40:27 prvroute pluto[25943]: "prviewfondy" #12: transition from 
> state (null) to state STATE_QUICK_R1
> May 16 03:40:27 prvroute pluto[25943]: "prviewfondy" #13: responding to Quick 
> Mode
> May 16 03:40:28 prvroute pluto[25943]: "prviewfondy" #13: transition from 
> state (null) to state STATE_QUICK_R1
> May 16 03:40:28 prvroute pluto[25943]: "prviewfondy" #14: responding to Quick 
> Mode
> May 16 03:40:29 prvroute pluto[25943]: "prviewfondy" #14: transition from 
> state (null) to state STATE_QUICK_R1
> .........................................
> lot more of the same then
> May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #21: max number of 
> retransmissions (2) reached STATE_QUICK_R1
> May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #19: max number of 
> retransmissions (2) reached STATE_QUICK_R1
> May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #20: max number of 
> retransmissions (2) reached STATE_QUICK_R1
> May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #82: responding to Quick 
> Mode
> ..........................................
> Get some of  these:
> ay 16 03:42:03 prvroute pluto[25943]: "prviewfondy" #7: Quick Mode I1 message 
> is unacceptable because it uses a previously
> used Message ID 0xf23d36aa (perhaps this is a duplicated packet)
> May 16 03:42:03 prvroute pluto[25943]: "prviewfondy" #7: sending encrypted 
> notification INVALID_MESSAGE_ID to 216.170.136.82
> :500
>
>
> ipsec.conf  on  dialup end:
> conn prviewfondy
>       authby=rsasig
>        compress=yes
>       # Left security gateway, subnet behind it, next hop toward it.
>       leftid=@prview.advocap.org
>       leftrsasigkey=0sAQN....wJ
>       left=%defaultroute
>       leftsubnet=192.168.10.0/24
>       # Right security gateway, subnet behind it, next hop toward it.
>       right=tfondy.advocap.org
>       rightid=@fondy.advocap.org
>       rightrsasigkey=0x0103............7d
>       rightsubnet=192.168.2.0/24
>       auto=start
>
> ipsec.conf  on  dsl end:
>
> conn prviewfondy
>       authby=rsasig
>        compress=yes
>       leftid=@prview.advocap.org
>       leftrsasigkey=0sAQNu.........O/wJ
>       left=hdstart.dotnet.com
>       leftsubnet=192.168.10.0/24
>       right=tfondy.advocap.org
>       rightid=@fondy.advocap.org
>       rightrsasigkey=0x0103a8..........7d
>       rightsubnet=192.168.2.0/24
>
>      auto=start
> 
> Have a bunch of vpn links the none dialups that are working fine.
>
> My wild guess is that the dsl side is confused by the link going down.
> Should I just be staring from one side?
> Any suggestions.
>
> John
>

More information about the Users mailing list