[Openswan Users] Problems on dialup vpn

Norman Rasmussen normanr at gmail.com
Tue May 17 00:52:37 CEST 2005


I'm using 2.3.0-2 in Debian; the only problem I have is that rekeying with
NAT doesn't work.  But if you don't need that then it's okay.

On 16/05/05, John McMonagle <johnm at advocap.org> wrote:
> Thanks Paul
> 
> There is 2.3.0-2 in Debian unstable; will that be good enough?
> 
> John
> 
> Paul Wouters wrote:
> 
> > On Mon, 16 May 2005, John McMonagle wrote:
> >
> >> Using openswan       2.2.0-4
> >
> >
> > You are running into racing IPsec SA's, so you're continuously rekeying,
> > while during some of the time, your connection is up. This is a known
> > issue with 2.2.x.
> >
> > Please upgrade to 2.3.1
> >
> > Paul
> >
> >> On dial up side using diald set to keep up the connection if possible.
> >> Scripts bring up ipsec after connecting and stop ipsec after
> >> connection goes down.
> >>
> >> Checking the logs that seems to work properly
> >>
> >> Problem is it either doesn't come up or it sort of works with a high
> >> load particularly on the dial up side.
> >> The dial-up side's load is about 3 although it's pretty much idle; pluto is
> >> the top load.
> >>
> >> At best ping time is about 200ms can be a few seconds.
> >>
> >> Sometimes it works OK.
> >> Sometimes I need to do
> >> ipsec auto --down prviewfondy
> >> on both ends and start it on one end.
> >>
> >>
> >> On the DSL side I am getting messages like this in auth.log. Link came
> >> up at 3:38:
> >> May 16 03:39:10 fonroute pluto[5026]: "prviewfondy" #147672: starting
> >> keying attempt 46 of an unlimited number
> >> May 16 03:39:10 fonroute pluto[5026]: "prviewfondy" #147673:
> >> initiating Main Mode to replace #147672
> >> May 16 03:47:40 fonroute pluto[5026]: "prviewfondy" #147673: ERROR:
> >> asynchronous network error report on eth1 for message to
> >> 216.127.203.221 port 500, complainant 216.127.203.221: Connection
> >> refused [errno 111, origin ICMP type 3 code 3 (not authen
> >> ticated)]
> >> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675:
> >> responding to Main Mode
> >> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675:
> >> transition from state (null) to state STATE_MAIN_R1
> >> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675:
> >> transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> >> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: Peer ID
> >> is ID_FQDN: '@prview.advocap.org'
> >> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: I did
> >> not send a certificate because I do not have one.
> >> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: multiple
> >> ipsec.secrets entries with distinct secrets match endp
> >> oints: first secret used
> >> May 16 03:47:47 fonroute pluto[5026]: "prviewfondy" #147675:
> >> transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> >> May 16 03:47:47 fonroute pluto[5026]: "prviewfondy" #147675: sent
> >> MR3, ISAKMP SA established
> >> May 16 03:47:47 fonroute pluto[5026]: "prviewfondy" #147676:
> >> responding to Quick Mode
> >> May 16 03:47:48 fonroute pluto[5026]: "prviewfondy" #147676:
> >> transition from state (null) to state STATE_QUICK_R1
> >> May 16 03:47:53 fonroute pluto[5026]: "prviewfondy" #147676:
> >> transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> >> May 16 03:47:53 fonroute pluto[5026]: "prviewfondy" #147676: IPsec SA
> >> established {ESP=>0xbecc95f3 <0x2331a9f3 IPCOMP=>0x000
> >> 0770e <0x00003fbf}
> >> May 16 03:48:20 fonroute pluto[5026]: "prviewfondy" #147673:
> >> transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> >> May 16 03:48:30 fonroute pluto[5026]: "prviewfondy" #147673:
> >> discarding duplicate packet; already STATE_MAIN_I2
> >> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: I did
> >> not send a certificate because I do not have one.
> >> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: multiple
> >> ipsec.secrets entries with distinct secrets match endp
> >> oints: first secret used
> >> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673:
> >> transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> >> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: Peer ID
> >> is ID_FQDN: '@prview.advocap.org'
> >> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673:
> >> transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> >> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: ISAKMP
> >> SA established
> >> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147677:
> >> initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {us
> >> ing isakmp#147673}
> >> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147678:
> >> initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {us
> >> ing isakmp#147673}
> >> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147679:
> >> initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {us
> >> ing isakmp#147673}
> >> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147680:
> >> initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {us
> >> ing isakmp#147673}
> >> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147681:
> >> initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {us
> >> ing isakmp#147673}
> >> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147682:
> >> initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {us
> >> ing isakmp#147673}
> >> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147683:
> >> initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {us
> >> ing isakmp#147673}
> >> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147684:
> >> initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {us
> >>
> >> Same from dialup side:
> >> May 16 03:39:28 prvroute pluto[25943]: added connection description
> >> "prviewfondy"
> >> May 16 03:39:28 prvroute pluto[25943]: "prviewfondy" #2: initiating
> >> Main Mode
> >> May 16 03:39:29 prvroute pluto[25943]: "prviewfondy" #2: transition
> >> from state STATE_MAIN_I1 to state STATE_MAIN_I2
> >> May 16 03:39:29 prvroute pluto[25943]: "prviewfondy" #2: I did not
> >> send a certificate because I do not have one.
> >> May 16 03:39:29 prvroute pluto[25943]: "prviewfondy" #2: transition
> >> from state STATE_MAIN_I2 to state STATE_MAIN_I3
> >> May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #2: Peer ID is
> >> ID_FQDN: '@fondy.advocap.org'
> >> May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #2: transition
> >> from state STATE_MAIN_I3 to state STATE_MAIN_I4
> >> May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #2: ISAKMP SA
> >> established
> >> May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #4: initiating
> >> Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using
> >> isakmp#2}
> >> May 16 03:39:35 prvroute pluto[25943]: "prviewfondy" #4: transition
> >> from state STATE_QUICK_I1 to state STATE_QUICK_I2
> >> May 16 03:39:35 prvroute pluto[25943]: "prviewfondy" #4: sent QI2,
> >> IPsec SA established {ESP=>0x2331a9f3 <0xbecc95f3 IPCOMP=
> >>
> >>> 0x00003fbf <0x0000770e}
> >>
> >> May 16 03:40:03 prvroute pluto[25943]: "prviewfondy" #7: responding
> >> to Main Mode
> >> May 16 03:40:03 prvroute pluto[25943]: "prviewfondy" #7: transition
> >> from state (null) to state STATE_MAIN_R1
> >> May 16 03:40:13 prvroute pluto[25943]: "prviewfondy" #7: transition
> >> from state STATE_MAIN_R1 to state STATE_MAIN_R2
> >> May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: Peer ID is
> >> ID_FQDN: '@fondy.advocap.org'
> >> May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: I did not
> >> send a certificate because I do not have one.
> >> May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: transition
> >> from state STATE_MAIN_R2 to state STATE_MAIN_R3
> >> May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: sent MR3,
> >> ISAKMP SA established
> >> May 16 03:40:21 prvroute pluto[25943]: "prviewfondy" #8: responding
> >> to Quick Mode
> >> May 16 03:40:22 prvroute pluto[25943]: "prviewfondy" #8: transition
> >> from state (null) to state STATE_QUICK_R1
> >> May 16 03:40:22 prvroute pluto[25943]: "prviewfondy" #9: responding
> >> to Quick Mode
> >> May 16 03:40:23 prvroute pluto[25943]: "prviewfondy" #9: transition
> >> from state (null) to state STATE_QUICK_R1
> >> May 16 03:40:24 prvroute pluto[25943]: "prviewfondy" #10: responding
> >> to Quick Mode
> >> May 16 03:40:25 prvroute pluto[25943]: "prviewfondy" #10: transition
> >> from state (null) to state STATE_QUICK_R1
> >> May 16 03:40:25 prvroute pluto[25943]: "prviewfondy" #11: responding
> >> to Quick Mode
> >> May 16 03:40:26 prvroute pluto[25943]: "prviewfondy" #11: transition
> >> from state (null) to state STATE_QUICK_R1
> >> May 16 03:40:26 prvroute pluto[25943]: "prviewfondy" #12: responding
> >> to Quick Mode
> >> May 16 03:40:27 prvroute pluto[25943]: "prviewfondy" #12: transition
> >> from state (null) to state STATE_QUICK_R1
> >> May 16 03:40:27 prvroute pluto[25943]: "prviewfondy" #13: responding
> >> to Quick Mode
> >> May 16 03:40:28 prvroute pluto[25943]: "prviewfondy" #13: transition
> >> from state (null) to state STATE_QUICK_R1
> >> May 16 03:40:28 prvroute pluto[25943]: "prviewfondy" #14: responding
> >> to Quick Mode
> >> May 16 03:40:29 prvroute pluto[25943]: "prviewfondy" #14: transition
> >> from state (null) to state STATE_QUICK_R1
> >> .........................................
> >> lot more of the same then
> >> May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #21: max number
> >> of retransmissions (2) reached STATE_QUICK_R1
> >> May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #19: max number
> >> of retransmissions (2) reached STATE_QUICK_R1
> >> May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #20: max number
> >> of retransmissions (2) reached STATE_QUICK_R1
> >> May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #82: responding
> >> to Quick Mode
> >> ..........................................
> >> Get some of these:
> >> ay 16 03:42:03 prvroute pluto[25943]: "prviewfondy" #7: Quick Mode I1
> >> message is unacceptable because it uses a previously
> >> used Message ID 0xf23d36aa (perhaps this is a duplicated packet)
> >> May 16 03:42:03 prvroute pluto[25943]: "prviewfondy" #7: sending
> >> encrypted notification INVALID_MESSAGE_ID to 216.170.136.82
> >> :500
> >>
> >>
> >> ipsec.conf  on  dialup end:
> >> conn prviewfondy
> >>       authby=rsasig
> >>        compress=yes
> >>       # Left security gateway, subnet behind it, next hop toward it.
> >>       leftid=@prview.advocap.org
> >>       leftrsasigkey=0sAQN....wJ
> >>       left=%defaultroute
> >>       leftsubnet=192.168.10.0/24
> >>       # Right security gateway, subnet behind it, next hop toward it.
> >>       right=tfondy.advocap.org
> >>       rightid=@fondy.advocap.org
> >>       rightrsasigkey=0x0103............7d
> >>       rightsubnet=192.168.2.0/24
> >>       auto=start
> >>
> >> ipsec.conf  on  dsl end:
> >>
> >> conn prviewfondy
> >>       authby=rsasig
> >>        compress=yes
> >>       leftid=@prview.advocap.org
> >>       leftrsasigkey=0sAQNu.........O/wJ
> >>       left=hdstart.dotnet.com
> >>       leftsubnet=192.168.10.0/24
> >>       right=tfondy.advocap.org
> >>       rightid=@fondy.advocap.org
> >>       rightrsasigkey=0x0103a8..........7d
> >>       rightsubnet=192.168.2.0/24
> >>
> >>      auto=start
> >>
> >> Have a bunch of VPN links, the non-dial-ups, that are working fine.
> >>
> >> My wild guess is that the DSL side is confused by the link going down.
> >> Should I just be starting from one side?
> >> Any suggestions?
> >>
> >> John
> >>
> 
> 


-- 
- Norman Rasmussen
 - Email: norman at rasmussen.org
 - Home page: http://norman.rasmussen.org/
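Paul's diagnosis above (racing IPsec SAs on 2.2.x) shows up in John's logs as a burst of "initiating Quick Mode" lines all hanging off one ISAKMP SA, followed by "max number of retransmissions" and INVALID_MESSAGE_ID notifications. The script below is an added example, not code from the thread or from the Openswan project: it parses pluto's per-connection syslog lines and flags a connection whose Quick Mode initiations cluster within a short window, so an operator can spot the symptom in auth.log before looking at load or ping times. The sample log is constructed from the excerpts quoted in the thread; the 60-second window and the burst threshold of 3 are my own assumed values, and the "othervpn" connection is a made-up control case. It detects the symptom only; the fix Paul gives is the upgrade.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the pluto log lines quoted in the thread.
# Wrapped lines from the mail are joined back into single syslog records.
SAMPLE_LOG = """\
May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #2: ISAKMP SA established
May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #4: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#2}
May 16 03:39:35 prvroute pluto[25943]: "prviewfondy" #4: sent QI2, IPsec SA established {ESP=>0x2331a9f3 <0xbecc95f3 IPCOMP=>0x00003fbf <0x0000770e}
May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #21: max number of retransmissions (2) reached STATE_QUICK_R1
May 16 03:42:03 prvroute pluto[25943]: "prviewfondy" #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xf23d36aa (perhaps this is a duplicated packet)
May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: ISAKMP SA established
May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147677: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147678: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147679: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147680: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
May 16 03:39:28 prvroute pluto[25943]: "othervpn" #2: initiating Main Mode
May 16 03:39:28 prvroute pluto[25943]: added connection description "prviewfondy"
"""

# pluto's per-connection line: <syslog ts> <host> pluto[pid]: "<conn>" #<state>: <message>
PLUTO_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$'
)
# Quick Mode lines name the ISAKMP (phase 1) SA they ride on.
PARENT_RE = re.compile(r'\{using isakmp#(\d+)\}')


def parse_line(line):
    """Return a dict for a per-connection pluto line, or None for any other line."""
    m = PLUTO_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; the 1900 default is fine for time deltas
    rec['time'] = datetime.strptime(rec['ts'], '%b %d %H:%M:%S')
    parent = PARENT_RE.search(rec['msg'])
    rec['parent'] = parent.group(1) if parent else None
    return rec


def max_burst(times, window_s):
    """Largest number of events falling inside any window of window_s seconds."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(text, window_s=60, burst_threshold=3):
    """Summarise rekey behaviour per (host, connection) and flag racing SAs.

    window_s and burst_threshold are assumed tuning values, not Openswan settings.
    """
    quick_inits = defaultdict(list)       # (host, conn) -> times of "initiating Quick Mode"
    quick_per_isakmp = defaultdict(int)   # (host, isakmp state#) -> Quick Modes started on it
    retransmit_limit = defaultdict(int)   # (host, conn) -> "max number of retransmissions"
    invalid_msgid = defaultdict(int)      # (host, conn) -> replayed/duplicate Message ID complaints
    sa_established = defaultdict(int)     # (host, conn) -> "IPsec SA established"

    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec['host'], rec['conn'])
        msg = rec['msg']
        if msg.startswith('initiating Quick Mode'):
            quick_inits[key].append(rec['time'])
            if rec['parent']:
                quick_per_isakmp[(rec['host'], rec['parent'])] += 1
        elif msg.startswith('max number of retransmissions'):
            retransmit_limit[key] += 1
        elif 'previously used Message ID' in msg or 'INVALID_MESSAGE_ID' in msg:
            invalid_msgid[key] += 1
        elif 'IPsec SA established' in msg:
            sa_established[key] += 1

    bursts = {key: max_burst(times, window_s) for key, times in quick_inits.items()}
    return {
        'bursts': bursts,
        'racing': {key for key, n in bursts.items() if n >= burst_threshold},
        'quick_per_isakmp': dict(quick_per_isakmp),
        'retransmit_limit': dict(retransmit_limit),
        'invalid_message_id': dict(invalid_msgid),
        'ipsec_sa_established': dict(sa_established),
    }


if __name__ == '__main__':
    report = analyze(SAMPLE_LOG)
    for host, conn in sorted(report['racing']):
        print(f"{host}: connection {conn!r} looks like racing IPsec SAs "
              f"({report['bursts'][(host, conn)]} Quick Mode initiations within 60s)")
```

Run it against a real auth.log with `analyze(open('/var/log/auth.log').read())`; a healthy tunnel shows one Quick Mode per rekey interval per ISAKMP SA, so a `quick_per_isakmp` count in the high single digits for one parent SA, as in the DSL-side excerpt, is the thing to look for.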

