[Openswan Users] Problems on dialup vpn
John McMonagle
johnm at advocap.org
Tue May 17 12:19:34 CEST 2005
It dialed up again.
This time I cannot get the vpn connection to work no matter what I do :(
On the dial up side there is one other connection and it comes up right
away.
On the dsl end there are 4 other connections that are working.
Bringing it up on the dsl side gives:
ipsec auto --up prviewfondy
117 "prviewfondy" #1555: STATE_QUICK_I1: initiate
010 "prviewfondy" #1555: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "prviewfondy" #1555: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "prviewfondy" #1555: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "prviewfondy" #1555: starting keying attempt 2 of an unlimited number, but releasing whack
prvroute:/var/log# ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.10.254
000 interface ppp0/ppp0 216.127.203.221
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "prviewfondy": 216.127.203.221[@prview.advocap.org]...216.170.136.82[@fondy.advocap.org]===192.168.2.0/24; prospective erouted; eroute owner: #0
000 "prviewfondy": srcip=unset; dstip=unset
000 "prviewfondy": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "prviewfondy": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 32,24; interface: ppp0;
000 "prviewfondy": newest ISAKMP SA: #2; newest IPsec SA: #0;
000 "prviewfondy": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "prviewoshkosh": 192.168.10.0/24===216.127.203.221[@prview.advocap.org]...216.170.138.63[@oshkosh.advocap.org]===192.168.1.0/24; erouted; eroute owner:#6
000 "prviewoshkosh": srcip=unset; dstip=unset
000 "prviewoshkosh": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "prviewoshkosh": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 24,24; interface: ppp0;
000 "prviewoshkosh": newest ISAKMP SA: #5; newest IPsec SA: #6;
000 "prviewoshkosh": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #24: "prviewfondy" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 12s; lastdpd=-1s(seq in:0 out:0)
000 #23: "prviewfondy" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 26s; lastdpd=-1s(seq in:0 out:0)
000 #2: "prviewfondy" STATE_MAIN_I4 (ISAKMP SA established); none in -1s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000 #3: "prviewoshkosh" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26655s
000 #3: "prviewoshkosh" esp.bea360ff@216.170.138.63 esp.d70e5c21@216.127.203.221 comp.7df5@216.170.138.63 comp.7229@216.127.203.221 tun.0@216.170.138.63 tun.0@216.127.203.221
000 #1: "prviewoshkosh" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1875s; lastdpd=-1s(seq in:0 out:0)
000 #6: "prviewoshkosh" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 27472s; newest IPSEC; eroute owner
000 #6: "prviewoshkosh" esp.6d054422@216.170.138.63 esp.44c6dffb@216.127.203.221 comp.66ff@216.170.138.63 comp.167d@216.127.203.221 tun.0@216.170.138.63 tun.0@216.127.203.221
000 #5: "prviewoshkosh" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2268s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
Bring up on dialup side:
prvroute:/var/log# ipsec auto --up prviewfondy
117 "prviewfondy" #19: STATE_QUICK_I1: initiate
010 "prviewfondy" #19: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "prviewfondy" #19: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "prviewfondy" #19: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "prviewfondy" #19: starting keying attempt 2 of an unlimited number, but releasing whack
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.2.254
000 interface eth0:1/eth0:1 192.168.2.201
000 interface eth1/eth1 216.170.136.82
000 interface eth2/eth2 24.196.120.30
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "berfon": 192.168.2.0/24===216.170.136.82[@fondy.advocap.org]...68.191.189.34[@berlin.advocap.org]===192.168.4.0/24; erouted; eroute owner: #325
000 "berfon": srcip=unset; dstip=unset
000 "berfon": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "berfon": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 24,24; interface: eth1;
000 "berfon": newest ISAKMP SA: #1560; newest IPsec SA: #325;
000 "berfon": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "fonnee": 192.168.2.0/24===216.170.136.82[@fondy.advocap.org]...216.170.169.70[@neenah.advocap.org]===192.168.3.0/24; erouted; eroute owner: #314
000 "fonnee": srcip=unset; dstip=unset
000 "fonnee": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "fonnee": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 24,24; interface: eth1;
000 "fonnee": newest ISAKMP SA: #1535; newest IPsec SA: #314;
000 "fonnee": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "johnmfondy": 192.168.2.0/24===216.170.136.82[@fondy.advocap.org]...24.164.227.25[@jm.advocap.org]===192.168.101.0/24; erouted; eroute owner: #319
000 "johnmfondy": srcip=unset; dstip=unset
000 "johnmfondy": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "johnmfondy": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 24,24; interface: eth1;
000 "johnmfondy": newest ISAKMP SA: #1556; newest IPsec SA: #319;
000 "johnmfondy": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "oshfon": 192.168.2.0/24===216.170.136.82[@fondy.advocap.org]...216.170.138.63[@oshkosh.advocap.org]===192.168.1.0/24; erouted; eroute owner: #317
000 "oshfon": srcip=unset; dstip=unset
000 "oshfon": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "oshfon": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 24,24; interface: eth1;
000 "oshfon": newest ISAKMP SA: #1546; newest IPsec SA: #317;
000 "oshfon": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "prviewfondy": 192.168.2.0/24===216.170.136.82[@fondy.advocap.org]...216.127.203.221[@prview.advocap.org]===192.168.10.0/24; unrouted; eroute owner: #0
000 "prviewfondy": srcip=unset; dstip=unset
000 "prviewfondy": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "prviewfondy": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 24,24; interface: eth1;
000 "prviewfondy": newest ISAKMP SA: #1554; newest IPsec SA: #0;
000 "prviewfondy": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000
000 #1560: "berfon" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2161s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000 #1445: "berfon" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 69s; lastdpd=-1s(seq in:0 out:0)
000 #325: "berfon" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 4487s; newest IPSEC; eroute owner
000 #325: "berfon" esp.db3b1213@68.191.189.34 esp.2ad1b693@216.170.136.82 comp.90f2@68.191.189.34 comp.d0e9@216.170.136.82 tun.0@68.191.189.34 tun.0@216.170.136.82
000 #314: "fonnee" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1716s; newest IPSEC; eroute owner
000 #314: "fonnee" esp.e7e313c5@216.170.169.70 esp.1445a13a@216.170.136.82 comp.d23a@216.170.169.70 comp.4702@216.170.136.82 tun.0@216.170.169.70 tun.0@216.170.136.82
000 #1535: "fonnee" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 473s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000 #1556: "johnmfondy" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2365s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000 #319: "johnmfondy" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3480s; newest IPSEC; eroute owner
000 #319: "johnmfondy" esp.9ae9bbd@24.164.227.25 esp.6652f60d@216.170.136.82 comp.31a@24.164.227.25 comp.6a12@216.170.136.82 tun.0@24.164.227.25 tun.0@216.170.136.82
000 #1546: "oshfon" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 1617s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000 #317: "oshfon" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2772s; newest IPSEC; eroute owner
000 #317: "oshfon" esp.b4c6f28d@216.170.138.63 esp.88eb8bf6@216.170.136.82 comp.b6f3@216.170.138.63 comp.2886@216.170.136.82 tun.0@216.170.138.63 tun.0@216.170.136.82
000 #1571: "prviewfondy" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 20s; lastdpd=-1s(seq in:0 out:0)
000 #1554: "prviewfondy" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2101s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000
000 192.168.2.1/32:0 -1-> 192.168.10.1/32:0 => %hold 0 %acquire-netlink
000 192.168.2.1/32:0 -1-> 192.168.10.1/32:0 => %hold 0 %acquire-netlink
000 192.168.2.12/32:0 -6-> 192.168.10.1/32:0 => %hold 0 %acquire-netlink
000 192.168.2.1/32:0 -1-> 192.168.10.1/32:0 => %hold 0 %acquire-netlink
000 192.168.2.1/32:0 -1-> 192.168.10.1/32:0 => %hold 0 %acquire-netlink
000 192.168.2.12/32:0 -6-> 192.168.10.1/32:0 => %hold 0 %acquire-netlink
000 192.168.2.1/32:0 -1-> 192.168.10.1/32:0 => %hold 0 %acquire-netlink
... many more pages just like the above.
192.168.10.1 is on the dialup side.
Any ideas?
Thanks
John
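As an added defender-side example (not code from this thread or from Openswan), a small Python scanner over constructed pluto log lines modelled on the ones quoted in the thread: it flags a burst of Quick Mode initiations on one ISAKMP SA (the racing IPsec SAs Paul describes), the `sendto ... Errno 105` send failures, and the reused Message ID notices. The regex shapes, the year 2005 for the syslog timestamps, and the burst window and threshold are assumptions.

```python
"""Added example (not code from the thread or from Openswan): scan pluto log
lines for the three symptoms quoted in this thread. Detection only."""
import re
from collections import defaultdict
from datetime import datetime

# Syslog-style pluto line: "May 16 03:48:31 fonroute pluto[5026]: <message>"
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (?P<msg>.*)$')
# Quick Mode initiation bound to a parent ISAKMP SA ("{using isakmp#N}")
QM_INIT_RE = re.compile(
    r'"(?P<conn>[^"]+)" #\d+: initiating Quick Mode .*\{using isakmp#(?P<isakmp>\d+)\}')
# Kernel refused to send an IKE packet (Errno 105, "No buffer space available", in the thread)
SENDTO_RE = re.compile(
    r'ERROR: "(?P<conn>[^"]+)" #\d+: sendto on (?P<iface>\S+) .* Errno (?P<errno>\d+):')
# Quick Mode message carrying a Message ID pluto has already seen
DUP_MSGID_RE = re.compile(
    r'"(?P<conn>[^"]+)" #\d+: Quick Mode I1 message is unacceptable because '
    r'it uses a previously used Message ID')


def parse_ts(ts: str, year: int = 2005) -> datetime:
    """Syslog timestamps carry no year; 2005 is assumed to match the thread."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def analyze(lines, race_window_s: int = 5, race_threshold: int = 3) -> dict:
    """Return {'races': [...], 'send_failures': {...}, 'dup_msgid': {...}}.

    A race is race_threshold or more Quick Mode initiations for one connection
    on the same ISAKMP SA within race_window_s seconds: each one becomes its
    own IPsec SA with its own rekey timer, which is the churn Paul describes.
    """
    qm_times = defaultdict(list)      # (conn, isakmp#) -> [datetime]
    send_failures = defaultdict(int)  # (conn, iface, errno) -> count
    dup_msgid = defaultdict(int)      # conn -> count
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a pluto line, or a wrapped fragment; skip it
        ts, msg = parse_ts(m['ts']), m['msg']
        if (q := QM_INIT_RE.search(msg)):
            qm_times[(q['conn'], int(q['isakmp']))].append(ts)
        elif (s := SENDTO_RE.search(msg)):
            send_failures[(s['conn'], s['iface'], int(s['errno']))] += 1
        elif (d := DUP_MSGID_RE.search(msg)):
            dup_msgid[d['conn']] += 1

    races = []
    for (conn, isakmp), stamps in qm_times.items():
        stamps.sort()
        # Sliding window over the sorted timestamps: size of the largest burst.
        best, start = 0, 0
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > race_window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= race_threshold:
            races.append({'conn': conn, 'isakmp': isakmp, 'burst': best})
    return {'races': races,
            'send_failures': dict(send_failures),
            'dup_msgid': dict(dup_msgid)}


# Constructed sample modelled on the lines quoted in the thread (not a real capture).
QM = 'initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#%d}'
SAMPLE_LOG = [
    'May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: ISAKMP SA established',
    'May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147677: ' + QM % 147673,
    'May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147678: ' + QM % 147673,
    'May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147679: ' + QM % 147673,
    'May 16 03:48:32 fonroute pluto[5026]: "prviewfondy" #147680: ' + QM % 147673,
    'May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #4: ' + QM % 2,
    'May 16 23:44:58 prvroute pluto[17773]: ERROR: "prviewoshkosh" #1: sendto on ppp0 '
    'to 216.170.138.63:500 failed in main_outI1. Errno 105: No buffer space available',
    'May 16 23:45:13 prvroute pluto[17773]: ERROR: "prviewoshkosh" #1: sendto on ppp0 '
    'to 216.170.138.63:500 failed in STATE_MAIN_I1. Errno 105: No buffer space available',
    'May 16 03:42:03 prvroute pluto[25943]: "prviewfondy" #7: Quick Mode I1 message is '
    'unacceptable because it uses a previously used Message ID 0xf23d36aa '
    '(perhaps this is a duplicated packet)',
]

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for r in report['races']:
        print(f"RACE: {r['conn']} started {r['burst']} Quick Mode exchanges on isakmp#{r['isakmp']}")
    for (conn, iface, errno), n in report['send_failures'].items():
        print(f"SEND FAIL: {conn} on {iface}, errno {errno}, {n} times")
    for conn, n in report['dup_msgid'].items():
        print(f"DUP MSGID: {conn}, {n} times")
```

Feed it the real auth.log from both ends (the wrapped lines in a mail archive must be rejoined first, which is why unmatched fragments are skipped rather than treated as errors).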
John McMonagle wrote:
> I installed 2.3.0-2 on all 6 firewalls with 10 connections.
>
> Not really thrilled about building my own debian packages from scratch
> unless I have to.
>
> Was getting a bit nervous as it didn't seem to help until I did them all.
> Seems better now; it's much more usable.
>
> This morning the particular connection I gave earlier did not come up.
> On the dial up side it did not add?
> The other vpn connection that I have not mentioned so far came up fine.
>
> This is what I did this morning:
>
> prvroute:~# ipsec auto --up prviewfondy
> 021 no connection named "prviewfondy"
> prvroute:~# ipsec auto --add prviewfondy
> prvroute:~# ipsec auto --up prviewfondy
> 104 "prviewfondy" #14: STATE_MAIN_I1: initiate
> 003 "prviewfondy" #14: received Vendor ID payload [Dead Peer Detection]
> 106 "prviewfondy" #14: STATE_MAIN_I2: sent MI2, expecting MR2
> 108 "prviewfondy" #14: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 "prviewfondy" #14: STATE_MAIN_I4: ISAKMP SA established
> 117 "prviewfondy" #15: STATE_QUICK_I1: initiate
> 004 "prviewfondy" #15: STATE_QUICK_I2: sent QI2, IPsec SA established
> {ESP=>0x46cc6d45 <0x85912bd9 IPCOMP=>0x000040c4 <0x00007367}
>
> One thing to note I'm using old freeswan style rsa key setup.
> Any chance it couldn't resolve the tfondy.advocap.org and didn't add it?
> It is static so I could put it in the hosts file.
>
> Forgot to check ipsec auto --status before adding prviewfondy :(
>
> There are a few errors indicated in the log.
> In particular I wonder about the "No buffer space available" message?
>
> Here is the ipsec stuff from the log when it dialed up last night:
> May 16 23:44:21 prvroute ipsec__plutorun: Starting Pluto subsystem...
> May 16 23:44:23 prvroute pluto[17773]: Starting Pluto (Openswan Version 2.3.0 X.509-1.5.4 PLUTO_USES_KEYRR)
> May 16 23:44:23 prvroute pluto[17773]: Setting port floating to off
> May 16 23:44:23 prvroute pluto[17773]: port floating activate 0/1
> May 16 23:44:23 prvroute pluto[17773]: including NAT-Traversal patch (Version 0.6c) [disabled]
> May 16 23:44:23 prvroute pluto[17773]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
> May 16 23:44:23 prvroute pluto[17773]: starting up 1 cryptographic helpers
> May 16 23:44:23 prvroute pluto[17773]: started helper pid=17774 (fd:6)
> May 16 23:44:23 prvroute pluto[17773]: Using Linux 2.6 IPsec interface code
> May 16 23:44:23 prvroute pluto[17773]: Changing to directory '/etc/ipsec.d/cacerts'
> May 16 23:44:23 prvroute pluto[17773]: loaded CA cert file 'cacert.pem' (1281 bytes)
> May 16 23:44:23 prvroute pluto[17773]: Could not change to directory '/etc/ipsec.d/aacerts'
> May 16 23:44:23 prvroute pluto[17773]: Changing to directory '/etc/ipsec.d/ocspcerts'
> May 16 23:44:23 prvroute pluto[17773]: Changing to directory '/etc/ipsec.d/crls'
> May 16 23:44:23 prvroute pluto[17773]: Warning: empty directory
> May 16 23:44:37 prvroute pluto[17773]: added connection description "prviewoshkosh"
> May 16 23:44:58 prvroute pluto[17773]: listening for IKE messages
> May 16 23:44:58 prvroute pluto[17773]: adding interface ppp0/ppp0 216.127.203.221
> May 16 23:44:58 prvroute pluto[17773]: adding interface eth0/eth0 192.168.10.254
> May 16 23:44:58 prvroute pluto[17773]: adding interface lo/lo 127.0.0.1
> May 16 23:44:58 prvroute pluto[17773]: adding interface lo/lo ::1
> May 16 23:44:58 prvroute pluto[17773]: loading secrets from "/etc/ipsec.secrets"
> May 16 23:44:58 prvroute pluto[17773]: "prviewoshkosh" #1: initiating Main Mode
> May 16 23:44:58 prvroute pluto[17773]: | no IKE algorithms for this connection
> May 16 23:44:58 prvroute pluto[17773]: ERROR: "prviewoshkosh" #1: sendto on ppp0 to 216.170.138.63:500 failed in main_outI1. Errno 105: No buffer space available
> May 16 23:45:00 prvroute pluto[17773]: packet from 216.170.138.63:500: received Vendor ID payload [Dead Peer Detection]
> May 16 23:45:00 prvroute pluto[17773]: "prviewoshkosh" #2: responding to Main Mode
> May 16 23:45:00 prvroute pluto[17773]: "prviewoshkosh" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> May 16 23:45:00 prvroute pluto[17773]: ERROR: "prviewoshkosh" #2: sendto on ppp0 to 216.170.138.63:500 failed in STATE_MAIN_R0. Errno 105: No buffer space available
> May 16 23:45:13 prvroute pluto[17773]: "prviewoshkosh" #1: received Vendor ID payload [Dead Peer Detection]
> May 16 23:45:13 prvroute pluto[17773]: "prviewoshkosh" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> May 16 23:45:13 prvroute pluto[17773]: ERROR: "prviewoshkosh" #1: sendto on ppp0 to 216.170.138.63:500 failed in STATE_MAIN_I1. Errno 105: No buffer space available
> May 16 23:45:23 prvroute pluto[17773]: "prviewoshkosh" #1: discarding duplicate packet; already STATE_MAIN_I2
> May 16 23:45:23 prvroute pluto[17773]: ERROR: "prviewoshkosh" #1: sendto on ppp0 to 216.170.138.63:500 failed in EVENT_RETRANSMIT. Errno 105: No buffer space available
> May 16 23:45:28 prvroute pluto[17773]: "prviewoshkosh" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> May 16 23:45:30 prvroute pluto[17773]: "prviewoshkosh" #2: Main mode peer ID is ID_FQDN: '@oshkosh.advocap.org'
> May 16 23:45:30 prvroute pluto[17773]: "prviewoshkosh" #2: I did not send a certificate because I do not have one.
> May 16 23:45:30 prvroute pluto[17773]: "prviewoshkosh" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> May 16 23:45:30 prvroute pluto[17773]: "prviewoshkosh" #2: sent MR3, ISAKMP SA established
> May 16 23:45:34 prvroute pluto[17773]: "prviewoshkosh" #3: responding to Quick Mode
> May 16 23:45:34 prvroute pluto[17773]: "prviewoshkosh" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> May 16 23:45:34 prvroute pluto[17773]: packet from 216.170.136.82:500: received Vendor ID payload [Dead Peer Detection]
> May 16 23:45:34 prvroute pluto[17773]: packet from 216.170.136.82:500: initial Main Mode message received on 216.127.203.221:500 but no connection has been authorized
> May 16 23:45:40 prvroute pluto[17773]: "prviewoshkosh" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> May 16 23:45:40 prvroute pluto[17773]: "prviewoshkosh" #3: IPsec SA established {ESP=>0xf06c3853 <0xbe9f5c2e IPCOMP=>0x000083b6 <0x0000a55d}
> May 16 23:45:42 prvroute pluto[17773]: "prviewoshkosh" #1: discarding duplicate packet; already STATE_MAIN_I2
> May 16 23:45:48 prvroute pluto[17773]: "prviewoshkosh" #1: I did not send a certificate because I do not have one.
> May 16 23:45:48 prvroute pluto[17773]: "prviewoshkosh" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> May 16 23:45:50 prvroute pluto[17773]: "prviewoshkosh" #1: Main mode peer ID is ID_FQDN: '@oshkosh.advocap.org'
> May 16 23:45:50 prvroute pluto[17773]: "prviewoshkosh" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> May 16 23:45:50 prvroute pluto[17773]: "prviewoshkosh" #1: ISAKMP SA established
> May 16 23:45:50 prvroute pluto[17773]: "prviewoshkosh" #4: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
> May 16 23:45:56 prvroute pluto[17773]: "prviewoshkosh" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> May 16 23:45:56 prvroute pluto[17773]: "prviewoshkosh" #4: sent QI2, IPsec SA established {ESP=>0x45f85a1d <0xe8857ed6 IPCOMP=>0x0000c8e3 <0x00004c4b}
> May 16 23:46:14 prvroute pluto[17773]: packet from 216.170.136.82:500: received Vendor ID payload [Dead Peer Detection]
> May 16 23:46:14 prvroute pluto[17773]: packet from 216.170.136.82:500: initial Main Mode message received on 216.127.203.221:500 but no connection has been authorized
> May 16 23:46:54 prvroute pluto[17773]: packet from 216.170.136.82:500: received Vendor ID payload [Dead Peer Detection]
> May 16 23:46:54 prvroute pluto[17773]: packet from 216.170.136.82:500: initial Main Mode message received on 216.127.203.221:500 but no connection has been authorized
> May 16 23:47:34 prvroute pluto[17773]: packet from 216.170.136.82:500: received Vendor ID payload [Dead Peer Detection]
> May 16 23:47:34 prvroute pluto[17773]: packet from 216.170.136.82:500: initial Main Mode message received on 216.127.203.221:500 but no connection has been
>
> 216.170.136.82 is the connection that did not add properly.
>
> Thanks for the help.
>
> John
>
>
> Paul Wouters wrote:
>
>> On Mon, 16 May 2005, John McMonagle wrote:
>>
>>> There is 2.3.0-2 in debian unstable will that be good enough?
>>
>> I do not know what patches that includes. In the next few days, 2.3.2
>> will be released. It is currently being tested by Xelerance.
>>
>> Paul
>>
>>> John
>>>
>>> Paul Wouters wrote:
>>>
>>>> On Mon, 16 May 2005, John McMonagle wrote:
>>>>
>>>>> Using openswan 2.2.0-4
>>>>
>>>> You are running into racing IPsec SAs, so you're continuously rekeying,
>>>> while during some of the time, your connection is up. This is a known issue
>>>> with 2.2.x.
>>>>
>>>> Please upgrade to 2.3.1
>>>>
>>>> Paul
>>>>
>>>>> On the dial up side I'm using diald set to keep up the connection if
>>>>> possible.
>>>>> Scripts bring up ipsec after connecting and stop ipsec after the
>>>>> connection goes down.
>>>>>
>>>>> Checking the logs, that seems to work properly.
>>>>>
>>>>> The problem is it either doesn't come up or it sort of works with a
>>>>> high load, particularly on the dial up side.
>>>>> The dial up side's load is about 3 although it is pretty much idle; pluto
>>>>> is the top load.
>>>>>
>>>>> At best ping time is about 200ms; it can be a few seconds.
>>>>>
>>>>> Sometimes it works OK.
>>>>> Sometimes I need to do
>>>>> ipsec auto --down prviewfondy
>>>>> on both ends and start it on one end.
>>>>>
>>>>>
>>>>> On the dsl side I am getting messages like this in auth.log. The link
>>>>> came up at 3:38:
>>>>> May 16 03:39:10 fonroute pluto[5026]: "prviewfondy" #147672: starting keying attempt 46 of an unlimited number
>>>>> May 16 03:39:10 fonroute pluto[5026]: "prviewfondy" #147673: initiating Main Mode to replace #147672
>>>>> May 16 03:47:40 fonroute pluto[5026]: "prviewfondy" #147673: ERROR: asynchronous network error report on eth1 for message to 216.127.203.221 port 500, complainant 216.127.203.221: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
>>>>> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: responding to Main Mode
>>>>> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: transition from state (null) to state STATE_MAIN_R1
>>>>> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>>>>> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: Peer ID is ID_FQDN: '@prview.advocap.org'
>>>>> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: I did not send a certificate because I do not have one.
>>>>> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
>>>>> May 16 03:47:47 fonroute pluto[5026]: "prviewfondy" #147675: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>>>>> May 16 03:47:47 fonroute pluto[5026]: "prviewfondy" #147675: sent MR3, ISAKMP SA established
>>>>> May 16 03:47:47 fonroute pluto[5026]: "prviewfondy" #147676: responding to Quick Mode
>>>>> May 16 03:47:48 fonroute pluto[5026]: "prviewfondy" #147676: transition from state (null) to state STATE_QUICK_R1
>>>>> May 16 03:47:53 fonroute pluto[5026]: "prviewfondy" #147676: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
>>>>> May 16 03:47:53 fonroute pluto[5026]: "prviewfondy" #147676: IPsec SA established {ESP=>0xbecc95f3 <0x2331a9f3 IPCOMP=>0x0000770e <0x00003fbf}
>>>>> May 16 03:48:20 fonroute pluto[5026]: "prviewfondy" #147673: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
>>>>> May 16 03:48:30 fonroute pluto[5026]: "prviewfondy" #147673: discarding duplicate packet; already STATE_MAIN_I2
>>>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: I did not send a certificate because I do not have one.
>>>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
>>>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
>>>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: Peer ID is ID_FQDN: '@prview.advocap.org'
>>>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
>>>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: ISAKMP SA established
>>>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147677: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
>>>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147678: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
>>>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147679: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
>>>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147680: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
>>>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147681: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
>>>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147682: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
>>>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147683: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
>>>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147684: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {us
>>>>>
>>>>> Same from dialup side:
>>>>> May 16 03:39:28 prvroute pluto[25943]: added connection description "prviewfondy"
>>>>> May 16 03:39:28 prvroute pluto[25943]: "prviewfondy" #2: initiating Main Mode
>>>>> May 16 03:39:29 prvroute pluto[25943]: "prviewfondy" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
>>>>> May 16 03:39:29 prvroute pluto[25943]: "prviewfondy" #2: I did not send a certificate because I do not have one.
>>>>> May 16 03:39:29 prvroute pluto[25943]: "prviewfondy" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
>>>>> May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #2: Peer ID is ID_FQDN: '@fondy.advocap.org'
>>>>> May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
>>>>> May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #2: ISAKMP SA established
>>>>> May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #4: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#2}
>>>>> May 16 03:39:35 prvroute pluto[25943]: "prviewfondy" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>>>> May 16 03:39:35 prvroute pluto[25943]: "prviewfondy" #4: sent QI2, IPsec SA established {ESP=>0x2331a9f3 <0xbecc95f3 IPCOMP=>0x00003fbf <0x0000770e}
>>>>> May 16 03:40:03 prvroute pluto[25943]: "prviewfondy" #7: responding to Main Mode
>>>>> May 16 03:40:03 prvroute pluto[25943]: "prviewfondy" #7: transition from state (null) to state STATE_MAIN_R1
>>>>> May 16 03:40:13 prvroute pluto[25943]: "prviewfondy" #7: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>>>>> May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: Peer ID is ID_FQDN: '@fondy.advocap.org'
>>>>> May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: I did not send a certificate because I do not have one.
>>>>> May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>>>>> May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: sent MR3, ISAKMP SA established
>>>>> May 16 03:40:21 prvroute pluto[25943]: "prviewfondy" #8: responding to Quick Mode
>>>>> May 16 03:40:22 prvroute pluto[25943]: "prviewfondy" #8: transition from state (null) to state STATE_QUICK_R1
>>>>> May 16 03:40:22 prvroute pluto[25943]: "prviewfondy" #9: responding to Quick Mode
>>>>> May 16 03:40:23 prvroute pluto[25943]: "prviewfondy" #9: transition from state (null) to state STATE_QUICK_R1
>>>>> May 16 03:40:24 prvroute pluto[25943]: "prviewfondy" #10: responding to Quick Mode
>>>>> May 16 03:40:25 prvroute pluto[25943]: "prviewfondy" #10: transition from state (null) to state STATE_QUICK_R1
>>>>> May 16 03:40:25 prvroute pluto[25943]: "prviewfondy" #11: responding to Quick Mode
>>>>> May 16 03:40:26 prvroute pluto[25943]: "prviewfondy" #11: transition from state (null) to state STATE_QUICK_R1
>>>>> May 16 03:40:26 prvroute pluto[25943]: "prviewfondy" #12: responding to Quick Mode
>>>>> May 16 03:40:27 prvroute pluto[25943]: "prviewfondy" #12: transition from state (null) to state STATE_QUICK_R1
>>>>> May 16 03:40:27 prvroute pluto[25943]: "prviewfondy" #13: responding to Quick Mode
>>>>> May 16 03:40:28 prvroute pluto[25943]: "prviewfondy" #13: transition from state (null) to state STATE_QUICK_R1
>>>>> May 16 03:40:28 prvroute pluto[25943]: "prviewfondy" #14: responding to Quick Mode
>>>>> May 16 03:40:29 prvroute pluto[25943]: "prviewfondy" #14: transition from state (null) to state STATE_QUICK_R1
>>>>> .........................................
>>>>> a lot more of the same, then
>>>>> May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #21: max number of retransmissions (2) reached STATE_QUICK_R1
>>>>> May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #19: max number of retransmissions (2) reached STATE_QUICK_R1
>>>>> May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #20: max number of retransmissions (2) reached STATE_QUICK_R1
>>>>> May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #82: responding to Quick Mode
>>>>> ..........................................
>>>>> Get some of these:
>>>>> May 16 03:42:03 prvroute pluto[25943]: "prviewfondy" #7: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xf23d36aa (perhaps this is a duplicated packet)
>>>>> May 16 03:42:03 prvroute pluto[25943]: "prviewfondy" #7: sending encrypted notification INVALID_MESSAGE_ID to 216.170.136.82:500
>>>>>
>>>>>
>>>>> ipsec.conf on dialup end:
>>>>> conn prviewfondy
>>>>>         authby=rsasig
>>>>>         compress=yes
>>>>>         # Left security gateway, subnet behind it, next hop toward it.
>>>>>         leftid=@prview.advocap.org
>>>>>         leftrsasigkey=0sAQN....wJ
>>>>>         left=%defaultroute
>>>>>         leftsubnet=192.168.10.0/24
>>>>>         # Right security gateway, subnet behind it, next hop toward it.
>>>>>         right=tfondy.advocap.org
>>>>>         rightid=@fondy.advocap.org
>>>>>         rightrsasigkey=0x0103............7d
>>>>>         rightsubnet=192.168.2.0/24
>>>>>         auto=start
>>>>>
>>>>> ipsec.conf on dsl end:
>>>>>
>>>>> conn prviewfondy
>>>>>         authby=rsasig
>>>>>         compress=yes
>>>>>         leftid=@prview.advocap.org
>>>>>         leftrsasigkey=0sAQNu.........O/wJ
>>>>>         left=hdstart.dotnet.com
>>>>>         leftsubnet=192.168.10.0/24
>>>>>         right=tfondy.advocap.org
>>>>>         rightid=@fondy.advocap.org
>>>>>         rightrsasigkey=0x0103a8..........7d
>>>>>         rightsubnet=192.168.2.0/24
>>>>>         auto=start
>>>>>
>>>>> Have a bunch of vpn links, the non-dialups, that are working fine.
>>>>>
>>>>> My wild guess is that the dsl side is confused by the link going
>>>>> down.
>>>>> Should I just be starting from one side?
>>>>> Any suggestions?
>>>>>
>>>>> John
>>>>>
>>>
>>>
>
> _______________________________________________
> Users mailing list
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users