[Openswan Users] Stuck with rekeying problem, initiated QM from Openswan

Paul Wouters paul at xelerance.com
Thu May 19 11:31:51 CEST 2005


On Thu, 19 May 2005, Steffen Becker wrote:

> In case of rekeying of the SA and if the rekeying is initiated by Openswan
> it fails:
> ----------------------
> 17:57:33 pluto[16368] "WLAN"[2] 192.168.254.3 #6: IPsec SA established
> 18:53:03 pluto[16368] "WLAN"[2] 192.168.254.3 #7: initiating Quick Mode
> RSASIG+ENCRYPT to replace #6
> 18:53:04 pluto[16368] "WLAN"[2] 192.168.254.3 #5: ignoring informational
> payload, type INVALID_ID_INFORMATION

Windows does not like your id setting for phase 2 (ipsec sa).

> 18:54:13 pluto[16368] "WLAN"[2] 192.168.254.3 #8: initiating Quick Mode
> RSASIG+ENCRYPT to replace #7
> 18:54:13 pluto[16368] "WLAN"[2] 192.168.254.3 #5: ignoring informational
> payload, type INVALID_ID_INFORMATION

So initiating goes wrong.

> 18:57:00 pluto[16368] "WLAN"[2] 192.168.254.3 #11: responding to Quick Mode
> 18:57:00 pluto[16368] "WLAN"[2] 192.168.254.3 #11: transition from state
> (null) to state STATE_QUICK_R1
> 18:57:00 pluto[16368] "WLAN"[2] 192.168.254.3 #11: transition from state
> STATE_QUICK_R1 to state STATE_QUICK_R2
> 18:57:00 pluto[16368] "WLAN"[2] 192.168.254.3 #11: IPsec SA established

Responding works.

> 5-18: 18:57:45:781:d6c Checking Transform # 1: ID=Dreifach-DES CBC(3)
> 5-18: 18:57:45:781:d6c  tunnel mode is Übertragungsmodus(2)
> 5-18: 18:57:45:781:d6c  SA life type in seconds
> 5-18: 18:57:45:781:d6c  SA life duration 3600
> 5-18: 18:57:45:781:d6c  HMAC algorithm is SHA(2)
> 5-18: 18:57:45:781:d6c Finding Responder Policy for SRC=192.168.254.1.1701
> DST=192.168.254.3.1701, SRCMask=255.255.255.255, DSTMask=255.255.255.255,
> Prot=17 InTunnelEndpt 3fea8c0 OutTunnelEndpt 1fea8c0
> 5-18: 18:57:45:791:d6c Failed to get TunnelPolicy 13015

Seems it fails to find the proper settings for the conn. This one is for
port 1701, so did you configure things for L2TP on both ends?

> 5-18: 18:57:45:791:d6c Responder failed to match filter(Phase II) 13015
> 5-18: 18:57:45:791:d6c Datenschutzmodus (Schnellmodus)
> 5-18: 18:57:45:791:d6c Quell-IP-Adresse 192.168.254.3  Quell-IP-Adressmaske
> 255.255.255.255  Ziel-IP-Adresse 192.168.254.1  Ziel-IP-Adressmaske
> 255.255.255.255  Protokoll 17  Quellport 1701  Zielport 1701  Lokale
> IKE-Adresse 192.168.254.3  Peer-IKE-Adresse 192.168.254.1
> 5-18: 18:57:45:791:d6c Zertifikatsbasierte Identität.   Peerantragsteller
> C=DE, S=Niedersachsen, L=Oldenburg, O=Uni Oldenburg, OU=StB,
> CN=ipcop.zuhause.xx  Peer-SHA-Fingerabdruck
> afee433ca7589b1da3579ce4ff424e63b6ae953e  Peer, der die
> Zertifizierungsstelle ausstellt: C=DE, S=Niedersachsen, L=Oldenburg, O=Uni
> Oldenburg, OU=StB, CN=IPSec WLAN Root CA,
> E=becker at informatik.uni-oldenburg.de  Stammzertifizierungsstelle C=DE,
> S=Niedersachsen, L=Oldenburg, O=Uni Oldenburg, OU=StB, CN=IPSec WLAN Root
> CA, E=becker at informatik.uni-oldenburg.de  Eigener Antragsteller C=DE,
> S=Niedersachsen, L=Oldenburg, O=Uni Oldenburg, OU=StB, CN=sam.zuhause.xx
> Eigener SHA-Fingerabdruck 951f1d09764c86b3e1f8db8b6fdcc7514978ac52
> Peer-IP-Adresse: 192.168.254.1
> 5-18: 18:57:45:791:d6c Benutzer
> 5-18: 18:57:45:791:d6c Keine Richtlinie konfiguriert.
> 5-18: 18:57:45:791:d6c 0x0 0x0

Seems you did. I'd say there is still a subtle error somewhere. I have not
tested L2TP with openswan-1. It is very old. You can try switching to openswan-2.

> 19:37:22 pluto[12677] "WLAN"[4] 192.168.254.3 #7: IPsec SA established
> 20:35:05 pluto[12677] "WLAN"[4] 192.168.254.3 #6: received Delete SA
> payload: deleting IPSEC State #7
> 20:35:09 pluto[12677] "WLAN"[4] 192.168.254.3 #6: received and ignored
> informational message
> 20:35:09 pluto[12677] "WLAN"[4] 192.168.254.3 #8: responding to Quick Mode
> 20:35:09 pluto[12677] "WLAN"[4] 192.168.254.3 #8: transition from state
> (null) to state STATE_QUICK_R1
> 20:35:09 pluto[12677] "WLAN"[4] 192.168.254.3 #8: discarding duplicate
> packet; already STATE_QUICK_R1
> 20:35:09 pluto[12677] "WLAN"[4] 192.168.254.3 #9: initiating Quick Mode
> RSASIG+ENCRYPT+TUNNEL+DONTREKEY

This is because you now turn back to initiate. If you use rekey=no on the
openswan end, only the windows end will initiate, and this will not happen.

> I'm desperate and I googled for days now. Anyone with an idea or an
> explanation what is wrong here??? One more hint: I tried the settings with
> plain IPSec and it shows the same wrong behaviour. Only in the oakley.log
> there is a different failure "Failed to create dynamic policy" which sounds
> totally bad. Maybe my XP setup is broken?

I don't know what the problem is. But your openswan-1 is very old.

Paul
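For reference, an Openswan-2 ipsec.conf conn for the L2TP/IPsec setup discussed in this thread, with rekey=no applied as Paul suggests so that only the Windows side ever initiates Quick Mode. This is an added example, not from the thread or from the Openswan distribution; the addresses, protocol, port and lifetime are taken from the logs quoted above, the conn name and certificate path are placeholders, and the option names assume Openswan 2.x.

```ini
# Added example (not from the thread): Openswan-2 conn for a Windows XP
# L2TP/IPsec client. The phase 2 selectors must match the filter Windows
# logged in oakley.log: Prot=17 (UDP), port 1701 on both ends, host-to-host
# masks 255.255.255.255, transport mode.
conn wlan-l2tp
        type=transport
        authby=rsasig
        left=192.168.254.1                      # Openswan end (from the logs)
        leftcert=/etc/ipsec.d/certs/ipcop.pem   # placeholder path to the Openswan certificate
        leftprotoport=17/1701                   # UDP 1701, so Windows can find its L2TP policy
        right=192.168.254.3                     # Windows XP end (from the logs)
        rightrsasigkey=%cert                    # peer's key is taken from the cert it sends
        rightca=%same                           # peer cert must chain to the same CA as ours
        rightprotoport=17/1701
        pfs=no                                  # assumption: the Windows L2TP policy does not request PFS
        rekey=no                                # never initiate Quick Mode; let Windows rekey
        keylife=1h                              # matches the 3600 s SA lifetime Windows proposed
        auto=add                                # load the conn and wait for the client to initiate
```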

