[Openswan Users] Stuck with rekeying problem, initiated QM from Openswan

Steffen Becker becker at informatik.uni-oldenburg.de
Thu May 19 13:16:43 CEST 2005


Hi,

Even if you don't sound promising, I'll post the answers to your questions:

> > 5-18: 18:57:45:781:d6c Checking Transform # 1: ID=Dreifach-DES CBC(3)
> > 5-18: 18:57:45:781:d6c  tunnel mode is Übertragungsmodus(2)
> > 5-18: 18:57:45:781:d6c  SA life type in seconds
> > 5-18: 18:57:45:781:d6c  SA life duration 3600
> > 5-18: 18:57:45:781:d6c  HMAC algorithm is SHA(2)
> > 5-18: 18:57:45:781:d6c Finding Responder Policy for SRC=192.168.254.1.1701 DST=192.168.254.3.1701, SRCMask=255.255.255.255, DSTMask=255.255.255.255, Prot=17 InTunnelEndpt 3fea8c0 OutTunnelEndpt 1fea8c0
> > 5-18: 18:57:45:791:d6c Failed to get TunnelPolicy 13015
> 
> Seems it fails to find the proper settings for the conn. This one is for
> port 1701, so did you configure things for L2TP on both ends?

Yes, on openswan I used the "usual" howto of Jacco. And for Win XP I use the
wizard, e.g., I don't configure IPSec - Windows does it. Maybe it doesn't
configure responding to QM initializations for L2TP at all...

> > 5-18: 18:57:45:791:d6c Benutzer
> > 5-18: 18:57:45:791:d6c Keine Richtlinie konfiguriert.
> > 5-18: 18:57:45:791:d6c 0x0 0x0
> 
> Seems you did. I'd say there is still a subtle error somewhere. I have not
> tested L2TP with openswan-1. It is very old. You can try switching to
> openswan-2.
I would but I'm unable to patch IPCop myself in an appropriate way.....
Maybe someone knows how to do that?

> > 19:37:22 pluto[12677] "WLAN"[4] 192.168.254.3 #7: IPsec SA established
> > 20:35:05 pluto[12677] "WLAN"[4] 192.168.254.3 #6: received Delete SA payload: deleting IPSEC State #7
> > 20:35:09 pluto[12677] "WLAN"[4] 192.168.254.3 #6: received and ignored informational message
> > 20:35:09 pluto[12677] "WLAN"[4] 192.168.254.3 #8: responding to Quick Mode
> > 20:35:09 pluto[12677] "WLAN"[4] 192.168.254.3 #8: transition from state (null) to state STATE_QUICK_R1
> > 20:35:09 pluto[12677] "WLAN"[4] 192.168.254.3 #8: discarding duplicate packet; already STATE_QUICK_R1
> > 20:35:09 pluto[12677] "WLAN"[4] 192.168.254.3 #9: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+DONTREKEY
> 
> This is because you now turn back to initiate. If you use rekey=no on the
> openswan end, only the windows end will initiate, and this will not happen.
I have to correct you. In this run I had rekey=no as you can see in the log
+DONTREKEY...

> > I'm desperate and I googled for days now. Anyone with an idea or an
> > explanation what is wrong here??? One more hint: I tried the settings with
> > plain IPSec and it shows the same wrong behaviour. Only in the oakley.log
> > there is a different failure "Failed to create dynamic policy" which sounds
> > totally bad. Maybe my XP setup is broken?
> 
> I don't know what the problem is. But your openswan-1 is very old.
Nevertheless, thank you for the explanation attempt.

Cheers,
Steffen

------------------------------------------------------------------------
Dipl. Wirtsch. Inform. Steffen Becker, DFG Junior Research Group "Palladio",
Fk 2, Department of Computing Science, Software Engineering Group 
CvO Universität Oldenburg / OFFIS, Escherweg 2, D-26121 Oldenburg
Email: becker at informatik.uni-oldenburg.de
URL: http://se.informatik.uni-oldenburg.de
Voice: +49 441 9722-582 (-501, secr.) Fax: +49 441 9722-502
------------------------------------------------------------------------


