[Openswan Users] Help

Olivier.PASCAL at diplomatie.gouv.fr Olivier.PASCAL at diplomatie.gouv.fr
Tue May 17 11:41:41 CEST 2005


hello,

Can you unsubscribe me from the openswan mailing list diffusion:
- users-request at openswan.org
- dev-request at openswan.org

thanks a lot



"users-request"@openswan.org wrote:

> Send Users mailing list submissions to
>         users at openswan.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.openswan.org/mailman/listinfo/users
> or, via email, send a message with subject or body 'help' to
>         users-request at openswan.org
>
> You can reach the person managing the list at
>         users-owner at openswan.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Users digest..."
>
> Today's Topics:
>
>    1. Re: Problems on dialup vpn (John McMonagle)
>    2. Re: Problems on dialup vpn (Norman Rasmussen)
>    3. RE: FW: VPN works, but you can't eBay ;-) (Miguel Dilaj)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 16 May 2005 16:46:30 -0500
> From: John McMonagle <johnm at advocap.org>
> Subject: Re: [Openswan Users] Problems on dialup vpn
> To: Paul Wouters <paul at xelerance.com>
> Cc: users at openswan.org
> Message-ID: <428914B6.7040407 at advocap.org>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Thanks Paul
>
> There is 2.3.0-2 in debian unstable will that be good enough?
>
> John
>
> Paul Wouters wrote:
>
> > On Mon, 16 May 2005, John McMonagle wrote:
> >
> >> Using openswan       2.2.0-4
> >
> >
> > You are running into racing IPsec SA's, so you're continuously rekeying,
> > while during some of the time, your connection is up. This is a known issue
> > with 2.2.x.
> >
> > Please upgrade to 2.3.1
> >
> > Paul
> >
> >> On dial up side using diald set to keep up the connection if possible.
> >> Scripts bring up ipsec after connecting and stop ipsec after
> >> connection goes down.
> >>
> >> Checking the logs, that seems to work properly.
> >>
> >> Problem is it either doesn't come up or it sort of works with a high
> >> load, particularly on the dial up side.
> >> Dial up side's load is about 3 although it is pretty much idle; pluto is
> >> the top load.
> >>
> >> At best ping time is about 200ms; it can be a few seconds.
> >>
> >> Sometimes it works OK.
> >> Sometimes I need to do
> >> ipsec auto --down prviewfondy
> >> on both ends and start it on one end.
> >>
> >>
> >> On the dsl side I am getting messages like this in auth.log. Link came
> >> up at 3:38:
> >> May 16 03:39:10 fonroute pluto[5026]: "prviewfondy" #147672: starting keying attempt 46 of an unlimited number
> >> May 16 03:39:10 fonroute pluto[5026]: "prviewfondy" #147673: initiating Main Mode to replace #147672
> >> May 16 03:47:40 fonroute pluto[5026]: "prviewfondy" #147673: ERROR: asynchronous network error report on eth1 for message to 216.127.203.221 port 500, complainant 216.127.203.221: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
> >> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: responding to Main Mode
> >> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: transition from state (null) to state STATE_MAIN_R1
> >> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> >> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: Peer ID is ID_FQDN: '@prview.advocap.org'
> >> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: I did not send a certificate because I do not have one.
> >> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
> >> May 16 03:47:47 fonroute pluto[5026]: "prviewfondy" #147675: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> >> May 16 03:47:47 fonroute pluto[5026]: "prviewfondy" #147675: sent MR3, ISAKMP SA established
> >> May 16 03:47:47 fonroute pluto[5026]: "prviewfondy" #147676: responding to Quick Mode
> >> May 16 03:47:48 fonroute pluto[5026]: "prviewfondy" #147676: transition from state (null) to state STATE_QUICK_R1
> >> May 16 03:47:53 fonroute pluto[5026]: "prviewfondy" #147676: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> >> May 16 03:47:53 fonroute pluto[5026]: "prviewfondy" #147676: IPsec SA established {ESP=>0xbecc95f3 <0x2331a9f3 IPCOMP=>0x0000770e <0x00003fbf}
> >> May 16 03:48:20 fonroute pluto[5026]: "prviewfondy" #147673: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> >> May 16 03:48:30 fonroute pluto[5026]: "prviewfondy" #147673: discarding duplicate packet; already STATE_MAIN_I2
> >> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: I did not send a certificate because I do not have one.
> >> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
> >> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> >> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: Peer ID is ID_FQDN: '@prview.advocap.org'
> >> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> >> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: ISAKMP SA established
> >> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147677: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
> >> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147678: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
> >> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147679: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
> >> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147680: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
> >> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147681: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
> >> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147682: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
> >> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147683: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
> >> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147684: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {us
> >>
> >> Same from dialup side:
> >> May 16 03:39:28 prvroute pluto[25943]: added connection description "prviewfondy"
> >> May 16 03:39:28 prvroute pluto[25943]: "prviewfondy" #2: initiating Main Mode
> >> May 16 03:39:29 prvroute pluto[25943]: "prviewfondy" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> >> May 16 03:39:29 prvroute pluto[25943]: "prviewfondy" #2: I did not send a certificate because I do not have one.
> >> May 16 03:39:29 prvroute pluto[25943]: "prviewfondy" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> >> May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #2: Peer ID is ID_FQDN: '@fondy.advocap.org'
> >> May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> >> May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #2: ISAKMP SA established
> >> May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #4: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#2}
> >> May 16 03:39:35 prvroute pluto[25943]: "prviewfondy" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> >> May 16 03:39:35 prvroute pluto[25943]: "prviewfondy" #4: sent QI2, IPsec SA established {ESP=>0x2331a9f3 <0xbecc95f3 IPCOMP=>0x00003fbf <0x0000770e}
> >> May 16 03:40:03 prvroute pluto[25943]: "prviewfondy" #7: responding to Main Mode
> >> May 16 03:40:03 prvroute pluto[25943]: "prviewfondy" #7: transition from state (null) to state STATE_MAIN_R1
> >> May 16 03:40:13 prvroute pluto[25943]: "prviewfondy" #7: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> >> May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: Peer ID is ID_FQDN: '@fondy.advocap.org'
> >> May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: I did not send a certificate because I do not have one.
> >> May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> >> May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: sent MR3, ISAKMP SA established
> >> May 16 03:40:21 prvroute pluto[25943]: "prviewfondy" #8: responding to Quick Mode
> >> May 16 03:40:22 prvroute pluto[25943]: "prviewfondy" #8: transition from state (null) to state STATE_QUICK_R1
> >> May 16 03:40:22 prvroute pluto[25943]: "prviewfondy" #9: responding to Quick Mode
> >> May 16 03:40:23 prvroute pluto[25943]: "prviewfondy" #9: transition from state (null) to state STATE_QUICK_R1
> >> May 16 03:40:24 prvroute pluto[25943]: "prviewfondy" #10: responding to Quick Mode
> >> May 16 03:40:25 prvroute pluto[25943]: "prviewfondy" #10: transition from state (null) to state STATE_QUICK_R1
> >> May 16 03:40:25 prvroute pluto[25943]: "prviewfondy" #11: responding to Quick Mode
> >> May 16 03:40:26 prvroute pluto[25943]: "prviewfondy" #11: transition from state (null) to state STATE_QUICK_R1
> >> May 16 03:40:26 prvroute pluto[25943]: "prviewfondy" #12: responding to Quick Mode
> >> May 16 03:40:27 prvroute pluto[25943]: "prviewfondy" #12: transition from state (null) to state STATE_QUICK_R1
> >> May 16 03:40:27 prvroute pluto[25943]: "prviewfondy" #13: responding to Quick Mode
> >> May 16 03:40:28 prvroute pluto[25943]: "prviewfondy" #13: transition from state (null) to state STATE_QUICK_R1
> >> May 16 03:40:28 prvroute pluto[25943]: "prviewfondy" #14: responding to Quick Mode
> >> May 16 03:40:29 prvroute pluto[25943]: "prviewfondy" #14: transition from state (null) to state STATE_QUICK_R1
> >> .........................................
> >> lot more of the same then
> >> May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #21: max number of retransmissions (2) reached STATE_QUICK_R1
> >> May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #19: max number of retransmissions (2) reached STATE_QUICK_R1
> >> May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #20: max number of retransmissions (2) reached STATE_QUICK_R1
> >> May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #82: responding to Quick Mode
> >> ..........................................
> >> Get some of these:
> >> May 16 03:42:03 prvroute pluto[25943]: "prviewfondy" #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xf23d36aa (perhaps this is a duplicated packet)
> >> May 16 03:42:03 prvroute pluto[25943]: "prviewfondy" #7: sending encrypted notification INVALID_MESSAGE_ID to 216.170.136.82:500
> >>
> >>
> >> ipsec.conf  on  dialup end:
> >> conn prviewfondy
> >>       authby=rsasig
> >>       compress=yes
> >>       # Left security gateway, subnet behind it, next hop toward it.
> >>       leftid=@prview.advocap.org
> >>       leftrsasigkey=0sAQN....wJ
> >>       left=%defaultroute
> >>       leftsubnet=192.168.10.0/24
> >>       # Right security gateway, subnet behind it, next hop toward it.
> >>       right=tfondy.advocap.org
> >>       rightid=@fondy.advocap.org
> >>       rightrsasigkey=0x0103............7d
> >>       rightsubnet=192.168.2.0/24
> >>       auto=start
> >>
> >> ipsec.conf  on  dsl end:
> >>
> >> conn prviewfondy
> >>       authby=rsasig
> >>       compress=yes
> >>       leftid=@prview.advocap.org
> >>       leftrsasigkey=0sAQNu.........O/wJ
> >>       left=hdstart.dotnet.com
> >>       leftsubnet=192.168.10.0/24
> >>       right=tfondy.advocap.org
> >>       rightid=@fondy.advocap.org
> >>       rightrsasigkey=0x0103a8..........7d
> >>       rightsubnet=192.168.2.0/24
> >>       auto=start
> >>
> >> Have a bunch of vpn links, the non-dialups, that are working fine.
> >>
> >> My wild guess is that the dsl side is confused by the link going down.
> >> Should I just be starting from one side?
> >> Any suggestions?
> >>
> >> John
> >>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 16 May 2005 23:52:37 +0200
> From: Norman Rasmussen <normanr at gmail.com>
> Subject: Re: [Openswan Users] Problems on dialup vpn
> To: John McMonagle <johnm at advocap.org>
> Cc: users at openswan.org
> Message-ID: <5b698f5a05051614523b11097 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> I'm using 2.3.0-2 in debian, the only problem I have is rekeying with
> NAT doesn't work.  But if you don't need that then it's okay.
>
> On 16/05/05, John McMonagle <johnm at advocap.org> wrote:
> > Thanks Paul
> >
> > There is 2.3.0-2 in debian unstable will that be good enough?
> >
> > John
> >
>
> --
> - Norman Rasmussen
>  - Email: norman at rasmussen.org
>  - Home page: http://norman.rasmussen.org/
>
> ------------------------------
>
> Message: 3
> Date: Tue, 17 May 2005 09:11:25 +0100
> From: "Miguel Dilaj" <mdilaj at nccglobal.com>
> Subject: RE: [Openswan Users] FW: VPN works, but you can't eBay ;-)
> To: <users at openswan.org>
> Message-ID: <002601c55ab8$0541fc60$73399ed4 at ncc1166>
> Content-Type: text/plain;       charset="us-ascii"
>
> Hi Paul,
>
> NAT is enabled, but not used at the moment. Do you think there can be a link
> to the problem??
> I can disable NAT now, but I'll need to enable it later (now it's just a
> pilot test, and I don't really need it).
> Regards,
>
> Miguel
>
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: 16 May 2005 18:02
> To: Miguel Dilaj
> Cc: users at openswan.org
> Subject: RE: [Openswan Users] FW: VPN works, but you can't eBay ;-)
>
> On Mon, 16 May 2005, Miguel Dilaj wrote:
>
> > Thanks for your answer.
> > 2 roadwarriors with MTU 1300, one can browse eBay, the other can't, so
> > I don't think this is the root of the problem (it used to be in the
> > very beginning, when everyone was using 1500, and we were not able to
> > browse "big" sites, only google and a few other simple ones).
>
> For me the websites I use to test which fail on mtu issues are Hotmail, MSN
> and the Jabber logon sites.
>
> Also check if it is not only some people behind NAT that have this problem.
>
> Paul
>
> ------------------------------
>
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
>
> End of Users Digest, Vol 18, Issue 43
> *************************************
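
The symptoms in the quoted dialup thread (many Quick Mode exchanges starting within the same minute, retransmissions exhausted in STATE_QUICK_R1, and reused Message IDs) can be flagged automatically from pluto logs. The following is an added example, not code from this thread or from Openswan; the function name `analyze`, the burst threshold of 4 and the constructed sample lines are assumptions, and it expects each log entry on a single line.

```python
import re
from collections import defaultdict

# pluto syslog line: timestamp, host, "connection" and state number (#N).
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
QUICK_START = re.compile(r'^(?:initiating|responding to) Quick Mode')
RETRANS = re.compile(r'^max number of retransmissions \(\d+\) reached STATE_QUICK')
REUSED_MSGID = re.compile(r'previously used Message ID')


def analyze(log_text, burst_threshold=4):
    """Return {(host, conn): findings} for connections showing rekey-race symptoms.

    burst_threshold (an assumed default) is the number of distinct Quick Mode
    exchanges started within one clock minute that counts as a burst.
    """
    quick = defaultdict(set)  # (host, conn, minute) -> state numbers
    stats = defaultdict(lambda: {"quick_bursts": [],
                                 "retrans_exhausted": 0,
                                 "msgid_rejects": 0})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a per-connection pluto line
        key, msg = (m["host"], m["conn"]), m["msg"]
        if QUICK_START.match(msg):
            quick[key + (m["ts"][:-3],)].add(m["sa"])  # drop ":SS" -> minute bucket
        elif RETRANS.match(msg):
            stats[key]["retrans_exhausted"] += 1
        elif REUSED_MSGID.search(msg):
            stats[key]["msgid_rejects"] += 1
    for (host, conn, minute), sas in sorted(quick.items()):
        if len(sas) >= burst_threshold:
            stats[(host, conn)]["quick_bursts"].append((minute, len(sas)))
    # Report only connections with at least one symptom.
    return {k: v for k, v in stats.items()
            if v["quick_bursts"] or v["retrans_exhausted"] or v["msgid_rejects"]}


def _line(ts, host, sa, msg, conn="prviewfondy"):
    # Constructed sample line; pid 1 is a placeholder.
    return f'May 16 {ts} {host} pluto[1]: "{conn}" #{sa}: {msg}'


_QM = "Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}"
# Constructed sample modelled on the log excerpts quoted in the digest,
# plus one healthy connection ("office" on "hqroute") that must not be flagged.
SAMPLE_LOG = "\n".join(
    [_line("03:48:31", "fonroute", 147673, "ISAKMP SA established")]
    + [_line("03:48:31", "fonroute", n, "initiating " + _QM)
       for n in range(147677, 147682)]
    + [_line(f"03:40:{20 + i}", "prvroute", 8 + i, "responding to Quick Mode")
       for i in range(5)]
    + [_line("03:41:44", "prvroute", n,
             "max number of retransmissions (2) reached STATE_QUICK_R1")
       for n in (19, 21)]
    + [_line("03:42:03", "prvroute", 7,
             "Quick Mode I1 message is unacceptable because it uses a "
             "previously used Message ID 0xf23d36aa "
             "(perhaps this is a duplicated packet)")]
    + [_line("03:50:00", "hqroute", 5, "initiating " + _QM, conn="office"),
       _line("03:50:01", "hqroute", 5, "sent QI2, IPsec SA established",
             conn="office")]
)

if __name__ == "__main__":
    for key, findings in analyze(SAMPLE_LOG).items():
        print(key, findings)
```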