[Openswan Users] Problems on dialup vpn
John McMonagle
johnm at advocap.org
Mon May 16 17:46:30 CEST 2005
Thanks Paul
There is 2.3.0-2 in Debian unstable; will that be good enough?
John
Paul Wouters wrote:
> On Mon, 16 May 2005, John McMonagle wrote:
>
>> Using openswan 2.2.0-4
>
>
> You are running into racing IPsec SAs, so you're continuously rekeying,
> while during some of the time your connection is up. This is a known
> issue with 2.2.x.
>
> Please upgrade to 2.3.1
>
> Paul
>
>> On the dial-up side I am using diald, set to keep up the connection if possible.
>> Scripts bring up ipsec after connecting and stop ipsec after the
>> connection goes down.
>>
>> Checking the logs, that seems to work properly.
>>
>> The problem is it either doesn't come up or it sort of works with a high
>> load, particularly on the dial-up side.
>> The dial-up side's load is about 3 although it is pretty much idle; pluto is
>> the top load.
>>
>> At best the ping time is about 200ms; it can be a few seconds.
>>
>> Sometimes it works OK.
>> Sometimes I need to do
>> ipsec auto --down prviewfondy
>> on both ends and start it on one end.
>>
>>
>> On the DSL side I am getting messages like this in auth.log. The link came
>> up at 3:38:
>> May 16 03:39:10 fonroute pluto[5026]: "prviewfondy" #147672: starting
>> keying attempt 46 of an unlimited number
>> May 16 03:39:10 fonroute pluto[5026]: "prviewfondy" #147673:
>> initiating Main Mode to replace #147672
>> May 16 03:47:40 fonroute pluto[5026]: "prviewfondy" #147673: ERROR: asynchronous network error report on eth1 for message to 216.127.203.221 port 500, complainant 216.127.203.221: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
>> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675:
>> responding to Main Mode
>> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675:
>> transition from state (null) to state STATE_MAIN_R1
>> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675:
>> transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: Peer ID
>> is ID_FQDN: '@prview.advocap.org'
>> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: I did
>> not send a certificate because I do not have one.
>> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
>> May 16 03:47:47 fonroute pluto[5026]: "prviewfondy" #147675:
>> transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>> May 16 03:47:47 fonroute pluto[5026]: "prviewfondy" #147675: sent
>> MR3, ISAKMP SA established
>> May 16 03:47:47 fonroute pluto[5026]: "prviewfondy" #147676:
>> responding to Quick Mode
>> May 16 03:47:48 fonroute pluto[5026]: "prviewfondy" #147676:
>> transition from state (null) to state STATE_QUICK_R1
>> May 16 03:47:53 fonroute pluto[5026]: "prviewfondy" #147676:
>> transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
>> May 16 03:47:53 fonroute pluto[5026]: "prviewfondy" #147676: IPsec SA established {ESP=>0xbecc95f3 <0x2331a9f3 IPCOMP=>0x0000770e <0x00003fbf}
>> May 16 03:48:20 fonroute pluto[5026]: "prviewfondy" #147673:
>> transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
>> May 16 03:48:30 fonroute pluto[5026]: "prviewfondy" #147673:
>> discarding duplicate packet; already STATE_MAIN_I2
>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: I did
>> not send a certificate because I do not have one.
>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673:
>> transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: Peer ID
>> is ID_FQDN: '@prview.advocap.org'
>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673:
>> transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: ISAKMP
>> SA established
>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147677: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147678: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147679: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147680: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147681: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147682: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147683: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147684:
>> initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {us
>>
>> Same from dialup side:
>> May 16 03:39:28 prvroute pluto[25943]: added connection description
>> "prviewfondy"
>> May 16 03:39:28 prvroute pluto[25943]: "prviewfondy" #2: initiating
>> Main Mode
>> May 16 03:39:29 prvroute pluto[25943]: "prviewfondy" #2: transition
>> from state STATE_MAIN_I1 to state STATE_MAIN_I2
>> May 16 03:39:29 prvroute pluto[25943]: "prviewfondy" #2: I did not
>> send a certificate because I do not have one.
>> May 16 03:39:29 prvroute pluto[25943]: "prviewfondy" #2: transition
>> from state STATE_MAIN_I2 to state STATE_MAIN_I3
>> May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #2: Peer ID is
>> ID_FQDN: '@fondy.advocap.org'
>> May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #2: transition
>> from state STATE_MAIN_I3 to state STATE_MAIN_I4
>> May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #2: ISAKMP SA
>> established
>> May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #4: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#2}
>> May 16 03:39:35 prvroute pluto[25943]: "prviewfondy" #4: transition
>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>> May 16 03:39:35 prvroute pluto[25943]: "prviewfondy" #4: sent QI2, IPsec SA established {ESP=>0x2331a9f3 <0xbecc95f3 IPCOMP=>0x00003fbf <0x0000770e}
>>
>> May 16 03:40:03 prvroute pluto[25943]: "prviewfondy" #7: responding
>> to Main Mode
>> May 16 03:40:03 prvroute pluto[25943]: "prviewfondy" #7: transition
>> from state (null) to state STATE_MAIN_R1
>> May 16 03:40:13 prvroute pluto[25943]: "prviewfondy" #7: transition
>> from state STATE_MAIN_R1 to state STATE_MAIN_R2
>> May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: Peer ID is
>> ID_FQDN: '@fondy.advocap.org'
>> May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: I did not
>> send a certificate because I do not have one.
>> May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: transition
>> from state STATE_MAIN_R2 to state STATE_MAIN_R3
>> May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: sent MR3,
>> ISAKMP SA established
>> May 16 03:40:21 prvroute pluto[25943]: "prviewfondy" #8: responding
>> to Quick Mode
>> May 16 03:40:22 prvroute pluto[25943]: "prviewfondy" #8: transition
>> from state (null) to state STATE_QUICK_R1
>> May 16 03:40:22 prvroute pluto[25943]: "prviewfondy" #9: responding
>> to Quick Mode
>> May 16 03:40:23 prvroute pluto[25943]: "prviewfondy" #9: transition
>> from state (null) to state STATE_QUICK_R1
>> May 16 03:40:24 prvroute pluto[25943]: "prviewfondy" #10: responding
>> to Quick Mode
>> May 16 03:40:25 prvroute pluto[25943]: "prviewfondy" #10: transition
>> from state (null) to state STATE_QUICK_R1
>> May 16 03:40:25 prvroute pluto[25943]: "prviewfondy" #11: responding
>> to Quick Mode
>> May 16 03:40:26 prvroute pluto[25943]: "prviewfondy" #11: transition
>> from state (null) to state STATE_QUICK_R1
>> May 16 03:40:26 prvroute pluto[25943]: "prviewfondy" #12: responding
>> to Quick Mode
>> May 16 03:40:27 prvroute pluto[25943]: "prviewfondy" #12: transition
>> from state (null) to state STATE_QUICK_R1
>> May 16 03:40:27 prvroute pluto[25943]: "prviewfondy" #13: responding
>> to Quick Mode
>> May 16 03:40:28 prvroute pluto[25943]: "prviewfondy" #13: transition
>> from state (null) to state STATE_QUICK_R1
>> May 16 03:40:28 prvroute pluto[25943]: "prviewfondy" #14: responding
>> to Quick Mode
>> May 16 03:40:29 prvroute pluto[25943]: "prviewfondy" #14: transition
>> from state (null) to state STATE_QUICK_R1
>> .........................................
>> a lot more of the same, then
>> May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #21: max number
>> of retransmissions (2) reached STATE_QUICK_R1
>> May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #19: max number
>> of retransmissions (2) reached STATE_QUICK_R1
>> May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #20: max number
>> of retransmissions (2) reached STATE_QUICK_R1
>> May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #82: responding
>> to Quick Mode
>> ..........................................
>> Get some of these:
>> May 16 03:42:03 prvroute pluto[25943]: "prviewfondy" #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xf23d36aa (perhaps this is a duplicated packet)
>> May 16 03:42:03 prvroute pluto[25943]: "prviewfondy" #7: sending encrypted notification INVALID_MESSAGE_ID to 216.170.136.82:500
>>
>>
>> ipsec.conf on the dial-up end:
>> conn prviewfondy
>>         authby=rsasig
>>         compress=yes
>>         # Left security gateway, subnet behind it, next hop toward it.
>>         leftid=@prview.advocap.org
>>         leftrsasigkey=0sAQN....wJ
>>         left=%defaultroute
>>         leftsubnet=192.168.10.0/24
>>         # Right security gateway, subnet behind it, next hop toward it.
>>         right=tfondy.advocap.org
>>         rightid=@fondy.advocap.org
>>         rightrsasigkey=0x0103............7d
>>         rightsubnet=192.168.2.0/24
>>         auto=start
>>
>> ipsec.conf on the DSL end:
>>
>> conn prviewfondy
>>         authby=rsasig
>>         compress=yes
>>         leftid=@prview.advocap.org
>>         leftrsasigkey=0sAQNu.........O/wJ
>>         left=hdstart.dotnet.com
>>         leftsubnet=192.168.10.0/24
>>         right=tfondy.advocap.org
>>         rightid=@fondy.advocap.org
>>         rightrsasigkey=0x0103a8..........7d
>>         rightsubnet=192.168.2.0/24
>>         auto=start
>>
>> I have a bunch of VPN links, the non-dial-up ones, that are working fine.
>>
>> My wild guess is that the DSL side is confused by the link going down.
>> Should I just be starting from one side?
>> Any suggestions?
>>
>> John
>>
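As an added example (not from this thread or from Openswan itself): a small Python checker that reads pluto lines of the kind quoted above and flags an ISAKMP SA that spawns several Quick Mode exchanges within a short window, which is the rekey race Paul describes, along with the "max number of retransmissions" failures. The log lines inside it are constructed to mimic the thread's; the 60-second window and threshold of 3 are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in pluto's auth.log format (modelled on the thread).
SAMPLE_LOG = [
    'May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147677: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}',
    'May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147678: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}',
    'May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147679: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}',
    'May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #21: max number of retransmissions (2) reached STATE_QUICK_R1',
    'May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #19: max number of retransmissions (2) reached STATE_QUICK_R1',
    'May 16 04:10:00 fonroute pluto[5026]: "othervpn" #300: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#299}',
]

LINE_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) pluto\[\d+\]: "([^"]+)" #(\d+): (.*)$')
QM_RE = re.compile(r"initiating Quick Mode .*\{using isakmp#(\d+)\}")

def parse_pluto_line(line):
    """Split one pluto syslog line into fields; None if it is not a pluto state line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # syslog carries no year
    return {"ts": ts, "host": m.group(2), "conn": m.group(3), "sa": m.group(4), "msg": m.group(5)}

def quick_mode_storms(lines, window_seconds=60, threshold=3):
    """Map (host, conn, isakmp_sa) -> most Quick Mode initiations inside any window,
    for ISAKMP SAs reaching threshold. One rekey per lifetime is normal; many per minute is a race."""
    starts = defaultdict(list)
    for rec in filter(None, map(parse_pluto_line, lines)):
        m = QM_RE.search(rec["msg"])
        if m:
            starts[(rec["host"], rec["conn"], m.group(1))].append(rec["ts"])
    storms = {}
    for key, times in starts.items():
        times.sort()
        best = lo = 0
        for hi, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[lo]).total_seconds() > window_seconds:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            storms[key] = best
    return storms

def retransmit_failures(lines):
    """Count 'max number of retransmissions reached' events per (host, conn)."""
    counts = defaultdict(int)
    for rec in filter(None, map(parse_pluto_line, lines)):
        if "max number of retransmissions" in rec["msg"]:
            counts[(rec["host"], rec["conn"])] += 1
    return dict(counts)
```

Feed it the real auth.log from both gateways (one list per host is fine, the host is part of the key) and compare the flagged ISAKMP SAs before and after the upgrade.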