[Openswan Users] Problems on dialup vpn

Paul Wouters paul at xelerance.com
Tue May 17 12:24:59 CEST 2005


On Mon, 16 May 2005, John McMonagle wrote:

> There is 2.3.0-2 in debian unstable will that be good enough?

I do not know what patches that includes. In the next few days, 2.3.2
will be released. It is currently being tested by Xelerance.

Paul

> John
>
> Paul Wouters wrote:
>
>> On Mon, 16 May 2005, John McMonagle wrote:
>> 
>>> Using openswan 2.2.0-4
>> 
>> 
>> You are running into racing IPsec SAs, so you're continuously rekeying,
>> while during some of the time, your connection is up. This is a known issue
>> with 2.2.x.
>> 
>> Please upgrade to 2.3.1
>> 
>> Paul
>> 
>>> On the dial-up side I'm using diald, set to keep the connection up if possible.
>>> Scripts bring up ipsec after connecting and stop ipsec after the connection
>>> goes down.
>>> 
>>> Checking the logs, that seems to work properly.
>>> 
>>> The problem is it either doesn't come up or it sort of works with a high load,
>>> particularly on the dial-up side.
>>> The dial-up side's load is about 3 although it's pretty much idle; pluto is the
>>> top load.
>>> 
>>> At best the ping time is about 200ms; it can be a few seconds.
>>> 
>>> Sometimes it works OK.
>>> Sometimes I need to do
>>> ipsec auto --down prviewfondy
>>> on both ends and start it on one end.
>>> 
>>> 
>>> On the DSL side I am getting messages like this in auth.log. The link came up at 3:38:
>>> May 16 03:39:10 fonroute pluto[5026]: "prviewfondy" #147672: starting keying attempt 46 of an unlimited number
>>> May 16 03:39:10 fonroute pluto[5026]: "prviewfondy" #147673: initiating Main Mode to replace #147672
>>> May 16 03:47:40 fonroute pluto[5026]: "prviewfondy" #147673: ERROR: asynchronous network error report on eth1 for message to 216.127.203.221 port 500, complainant 216.127.203.221: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
>>> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: responding to Main Mode
>>> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: transition from state (null) to state STATE_MAIN_R1
>>> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>>> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: Peer ID is ID_FQDN: '@prview.advocap.org'
>>> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: I did not send a certificate because I do not have one.
>>> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
>>> May 16 03:47:47 fonroute pluto[5026]: "prviewfondy" #147675: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>>> May 16 03:47:47 fonroute pluto[5026]: "prviewfondy" #147675: sent MR3, ISAKMP SA established
>>> May 16 03:47:47 fonroute pluto[5026]: "prviewfondy" #147676: responding to Quick Mode
>>> May 16 03:47:48 fonroute pluto[5026]: "prviewfondy" #147676: transition from state (null) to state STATE_QUICK_R1
>>> May 16 03:47:53 fonroute pluto[5026]: "prviewfondy" #147676: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
>>> May 16 03:47:53 fonroute pluto[5026]: "prviewfondy" #147676: IPsec SA established {ESP=>0xbecc95f3 <0x2331a9f3 IPCOMP=>0x0000770e <0x00003fbf}
>>> May 16 03:48:20 fonroute pluto[5026]: "prviewfondy" #147673: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
>>> May 16 03:48:30 fonroute pluto[5026]: "prviewfondy" #147673: discarding duplicate packet; already STATE_MAIN_I2
>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: I did not send a certificate because I do not have one.
>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: Peer ID is ID_FQDN: '@prview.advocap.org'
>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: ISAKMP SA established
>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147677: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147678: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147679: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147680: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147681: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147682: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147683: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147684: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {us
>>> 
>>> Same from the dialup side:
>>> May 16 03:39:28 prvroute pluto[25943]: added connection description "prviewfondy"
>>> May 16 03:39:28 prvroute pluto[25943]: "prviewfondy" #2: initiating Main Mode
>>> May 16 03:39:29 prvroute pluto[25943]: "prviewfondy" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
>>> May 16 03:39:29 prvroute pluto[25943]: "prviewfondy" #2: I did not send a certificate because I do not have one.
>>> May 16 03:39:29 prvroute pluto[25943]: "prviewfondy" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
>>> May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #2: Peer ID is ID_FQDN: '@fondy.advocap.org'
>>> May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
>>> May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #2: ISAKMP SA established
>>> May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #4: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#2}
>>> May 16 03:39:35 prvroute pluto[25943]: "prviewfondy" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>> May 16 03:39:35 prvroute pluto[25943]: "prviewfondy" #4: sent QI2, IPsec SA established {ESP=>0x2331a9f3 <0xbecc95f3 IPCOMP=>0x00003fbf <0x0000770e}
>>> May 16 03:40:03 prvroute pluto[25943]: "prviewfondy" #7: responding to Main Mode
>>> May 16 03:40:03 prvroute pluto[25943]: "prviewfondy" #7: transition from state (null) to state STATE_MAIN_R1
>>> May 16 03:40:13 prvroute pluto[25943]: "prviewfondy" #7: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>>> May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: Peer ID is ID_FQDN: '@fondy.advocap.org'
>>> May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: I did not send a certificate because I do not have one.
>>> May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>>> May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: sent MR3, ISAKMP SA established
>>> May 16 03:40:21 prvroute pluto[25943]: "prviewfondy" #8: responding to Quick Mode
>>> May 16 03:40:22 prvroute pluto[25943]: "prviewfondy" #8: transition from state (null) to state STATE_QUICK_R1
>>> May 16 03:40:22 prvroute pluto[25943]: "prviewfondy" #9: responding to Quick Mode
>>> May 16 03:40:23 prvroute pluto[25943]: "prviewfondy" #9: transition from state (null) to state STATE_QUICK_R1
>>> May 16 03:40:24 prvroute pluto[25943]: "prviewfondy" #10: responding to Quick Mode
>>> May 16 03:40:25 prvroute pluto[25943]: "prviewfondy" #10: transition from state (null) to state STATE_QUICK_R1
>>> May 16 03:40:25 prvroute pluto[25943]: "prviewfondy" #11: responding to Quick Mode
>>> May 16 03:40:26 prvroute pluto[25943]: "prviewfondy" #11: transition from state (null) to state STATE_QUICK_R1
>>> May 16 03:40:26 prvroute pluto[25943]: "prviewfondy" #12: responding to Quick Mode
>>> May 16 03:40:27 prvroute pluto[25943]: "prviewfondy" #12: transition from state (null) to state STATE_QUICK_R1
>>> May 16 03:40:27 prvroute pluto[25943]: "prviewfondy" #13: responding to Quick Mode
>>> May 16 03:40:28 prvroute pluto[25943]: "prviewfondy" #13: transition from state (null) to state STATE_QUICK_R1
>>> May 16 03:40:28 prvroute pluto[25943]: "prviewfondy" #14: responding to Quick Mode
>>> May 16 03:40:29 prvroute pluto[25943]: "prviewfondy" #14: transition from state (null) to state STATE_QUICK_R1
>>> .........................................
>>> lots more of the same, then
>>> May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #21: max number of retransmissions (2) reached STATE_QUICK_R1
>>> May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #19: max number of retransmissions (2) reached STATE_QUICK_R1
>>> May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #20: max number of retransmissions (2) reached STATE_QUICK_R1
>>> May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #82: responding to Quick Mode
>>> ..........................................
>>> I get some of these:
>>> May 16 03:42:03 prvroute pluto[25943]: "prviewfondy" #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xf23d36aa (perhaps this is a duplicated packet)
>>> May 16 03:42:03 prvroute pluto[25943]: "prviewfondy" #7: sending encrypted notification INVALID_MESSAGE_ID to 216.170.136.82:500
>>> 
>>> 
>>> ipsec.conf on the dialup end:
>>> conn prviewfondy
>>>       authby=rsasig
>>>       compress=yes
>>>       # Left security gateway, subnet behind it, next hop toward it.
>>>       leftid=@prview.advocap.org
>>>       leftrsasigkey=0sAQN....wJ
>>>       left=%defaultroute
>>>       leftsubnet=192.168.10.0/24
>>>       # Right security gateway, subnet behind it, next hop toward it.
>>>       right=tfondy.advocap.org
>>>       rightid=@fondy.advocap.org
>>>       rightrsasigkey=0x0103............7d
>>>       rightsubnet=192.168.2.0/24
>>>       auto=start
>>> 
>>> ipsec.conf on the dsl end:
>>> 
>>> conn prviewfondy
>>>       authby=rsasig
>>>       compress=yes
>>>       leftid=@prview.advocap.org
>>>       leftrsasigkey=0sAQNu.........O/wJ
>>>       left=hdstart.dotnet.com
>>>       leftsubnet=192.168.10.0/24
>>>       right=tfondy.advocap.org
>>>       rightid=@fondy.advocap.org
>>>       rightrsasigkey=0x0103a8..........7d
>>>       rightsubnet=192.168.2.0/24
>>>       auto=start
>>> 
>>> I have a bunch of VPN links, the non-dialup ones, that are working fine.
>>> 
>>> My wild guess is that the DSL side is confused by the link going down.
>>> Should I just be starting from one side?
>>> Any suggestions?
>>> 
>>> John
>>> 
>
>
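The symptom Paul names above (racing IPsec SAs with continuous rekeying) is visible in John's logs as a burst of Quick Mode exchanges against one connection in the same second, followed by retransmission-limit and INVALID_MESSAGE_ID messages. The script below is an added example for this thread, not code from the thread or from Openswan: it parses pluto lines in the format John posted and flags a connection when several Quick Mode exchanges start inside one short window. The window (60 s) and threshold (3) are assumptions for illustration, not Openswan settings, and the sample lines are constructed after the ones in the thread.

```python
"""Flag the "racing IPsec SA" pattern in Openswan pluto log lines.

Added example for this thread; it is not code from the thread or from
Openswan. It reads auth.log-style pluto lines and reports, per
(host, connection): how many Quick Mode exchanges were started, whether
several of them cluster inside one short window (the rekey race), and how
many retransmission-limit and INVALID_MESSAGE_ID messages followed.
The window and threshold defaults are assumptions, not Openswan settings.
"""
import re
from collections import defaultdict
from datetime import datetime

# One pluto record:  May 16 03:48:31 host pluto[5026]: "conn" #147673: message
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$'
)


def parse_line(line, year=2005):
    """Parse one pluto line; return None for lines without a "conn" #N: prefix."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year; the caller supplies it (assumed 2005 here)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "conn": m["conn"],
            "sa": int(m["sa"]), "msg": m["msg"]}


def analyse(lines, window_seconds=60, quick_threshold=3):
    """Return {(host, conn): finding} for every connection seen in `lines`.

    A connection is marked racing when at least `quick_threshold` Quick Mode
    exchanges (initiated or responded to) start within `window_seconds`.
    """
    def empty():
        return {"quick_mode": [], "retrans_limit": 0,
                "invalid_msgid": 0, "racing": False}

    findings = defaultdict(empty)
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        f = findings[(e["host"], e["conn"])]
        msg = e["msg"]
        if msg.startswith("initiating Quick Mode") or msg.startswith("responding to Quick Mode"):
            f["quick_mode"].append(e["ts"])
        elif "max number of retransmissions" in msg:
            f["retrans_limit"] += 1
        elif "INVALID_MESSAGE_ID" in msg:
            f["invalid_msgid"] += 1

    # sliding window over the sorted Quick Mode start times
    for f in findings.values():
        times = sorted(f["quick_mode"])
        lo = 0
        for hi in range(len(times)):
            while (times[hi] - times[lo]).total_seconds() > window_seconds:
                lo += 1
            if hi - lo + 1 >= quick_threshold:
                f["racing"] = True
                break
    return dict(findings)


def report(findings):
    """Render findings as one summary line per connection."""
    out = []
    for (host, conn), f in sorted(findings.items()):
        verdict = "RACING" if f["racing"] else "ok"
        out.append(f'{host} "{conn}": {verdict}, quick_mode={len(f["quick_mode"])}, '
                   f'retrans_limit={f["retrans_limit"]}, invalid_msgid={f["invalid_msgid"]}')
    return out


# Constructed sample, modelled on the lines in the thread (one record per line).
SAMPLE = """\
May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: ISAKMP SA established
May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147677: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147678: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147679: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
May 16 03:39:28 prvroute pluto[25943]: added connection description "prviewfondy"
May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #4: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#2}
May 16 03:40:21 prvroute pluto[25943]: "prviewfondy" #8: responding to Quick Mode
May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #21: max number of retransmissions (2) reached STATE_QUICK_R1
May 16 03:42:03 prvroute pluto[25943]: "prviewfondy" #7: sending encrypted notification INVALID_MESSAGE_ID to 216.170.136.82:500
""".splitlines()

if __name__ == "__main__":
    for line in report(analyse(SAMPLE)):
        print(line)
```

Run it against a real auth.log by replacing SAMPLE with the file's lines; the dsl-side burst (eight Quick Mode initiations in one second on the same ISAKMP SA) trips the window check, while a healthy tunnel shows one Quick Mode per rekey interval and no retransmission-limit or INVALID_MESSAGE_ID noise.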