[Openswan Users] Problems on dialup vpn

John McMonagle johnm at advocap.org
Thu May 19 18:45:29 CEST 2005


Found it!

In my experiments I deleted the leftsubnet line by mistake.

Did "setkey -DP" on both ends and it was pretty obvious.
Need to remember that.

Thanks

John


John McMonagle wrote:

> It dialed up again.
>
> This time I can not get the vpn connection to work no matter what I do :(
>
> On the dial up side there is one other connection and it comes up
> right away.
> On the dsl end there are  4 other connections that are working.
>
> bring up on dsl  side does:
> ipsec auto --up prviewfondy
> 117 "prviewfondy" #1555: STATE_QUICK_I1: initiate
> 010 "prviewfondy" #1555: STATE_QUICK_I1: retransmission; will wait 20s
> for response
> 010 "prviewfondy" #1555: STATE_QUICK_I1: retransmission; will wait 40s
> for response
> 031 "prviewfondy" #1555: max number of retransmissions (2) reached
> STATE_QUICK_I1.  No acceptable response to our first Quick Mode
> message: perhaps peer likes no proposal
> 000 "prviewfondy" #1555: starting keying attempt 2 of an unlimited
> number, but releasing whack
>
> prvroute:/var/log# ipsec auto --status
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 192.168.10.254
> 000 interface ppp0/ppp0 216.127.203.221
> 000 %myid = (none)
> 000 debug none
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
> keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,
> keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
> keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0,
> keysizemin=0, keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
> keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0,
> keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
> keydeflen=128
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> keydeflen=192
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
> trans={0,0,0} attrs={0,0,0}
> 000
> 000 "prviewfondy":
> 216.127.203.221[@prview.advocap.org]...216.170.136.82[@fondy.advocap.org]===192.168.2.0/24;
> prospective erouted; eroute owner: #0
> 000 "prviewfondy":     srcip=unset; dstip=unset
> 000 "prviewfondy":   ike_life: 3600s; ipsec_life: 28800s;
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "prviewfondy":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP;
> prio: 32,24; interface: ppp0;
> 000 "prviewfondy":   newest ISAKMP SA: #2; newest IPsec SA: #0;
> 000 "prviewfondy":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
> 000 "prviewoshkosh":
> 192.168.10.0/24===216.127.203.221[@prview.advocap.org]...216.170.138.63[@oshkosh.advocap.org]===192.168.1.0/24;
> erouted; eroute owner:#6
> 000 "prviewoshkosh":     srcip=unset; dstip=unset
> 000 "prviewoshkosh":   ike_life: 3600s; ipsec_life: 28800s;
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "prviewoshkosh":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP;
> prio: 24,24; interface: ppp0;
> 000 "prviewoshkosh":   newest ISAKMP SA: #5; newest IPsec SA: #6;
> 000 "prviewoshkosh":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
> 000
> 000 #24: "prviewfondy" STATE_QUICK_I1 (sent QI1, expecting QR1);
> EVENT_RETRANSMIT in 12s; lastdpd=-1s(seq in:0 out:0)
> 000 #23: "prviewfondy" STATE_QUICK_I1 (sent QI1, expecting QR1);
> EVENT_RETRANSMIT in 26s; lastdpd=-1s(seq in:0 out:0)
> 000 #2: "prviewfondy" STATE_MAIN_I4 (ISAKMP SA established); none in
> -1s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
> 000 #3: "prviewoshkosh" STATE_QUICK_I2 (sent QI2, IPsec SA
> established); EVENT_SA_REPLACE in 26655s
> 000 #3: "prviewoshkosh" esp.bea360ff at 216.170.138.63
> esp.d70e5c21 at 216.127.203.221 comp.7df5 at 216.170.138.63
> comp.7229 at 216.127.203.221 tun.0 at 216.170.138.63 tun.0 at 216.127.203.221
> 000 #1: "prviewoshkosh" STATE_MAIN_I4 (ISAKMP SA established);
> EVENT_SA_REPLACE in 1875s; lastdpd=-1s(seq in:0 out:0)
> 000 #6: "prviewoshkosh" STATE_QUICK_R2 (IPsec SA established);
> EVENT_SA_REPLACE in 27472s; newest IPSEC; eroute owner
> 000 #6: "prviewoshkosh" esp.6d054422 at 216.170.138.63
> esp.44c6dffb at 216.127.203.221 comp.66ff at 216.170.138.63
> comp.167d at 216.127.203.221 tun.0 at 216.170.138.63 tun.0 at 216.127.203.221
> 000 #5: "prviewoshkosh" STATE_MAIN_R3 (sent MR3, ISAKMP SA
> established); EVENT_SA_REPLACE in 2268s; newest ISAKMP;
> lastdpd=-1s(seq in:0 out:0)
> 000
>
>
> Bring up on dialup side:
>
> prvroute:/var/log# ipsec auto --up prviewfondy
> 117 "prviewfondy" #19: STATE_QUICK_I1: initiate
> 010 "prviewfondy" #19: STATE_QUICK_I1: retransmission; will wait 20s
> for response
> 010 "prviewfondy" #19: STATE_QUICK_I1: retransmission; will wait 40s
> for response
> 031 "prviewfondy" #19: max number of retransmissions (2) reached
> STATE_QUICK_I1.  No acceptable response to our first Quick Mode
> message: perhaps peer likes no proposal
> 000 "prviewfondy" #19: starting keying attempt 2 of an unlimited
> number, but releasing whack
>
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 192.168.2.254
> 000 interface eth0:1/eth0:1 192.168.2.201
> 000 interface eth1/eth1 216.170.136.82
> 000 interface eth2/eth2 24.196.120.30
> 000 %myid = (none)
> 000 debug none
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
> keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,
> keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
> keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0,
> keysizemin=0, keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
> keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0,
> keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
> keydeflen=128
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> keydeflen=192
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
> trans={0,0,0} attrs={0,0,0}
> 000
> 000 "berfon":
> 192.168.2.0/24===216.170.136.82[@fondy.advocap.org]...68.191.189.34[@berlin.advocap.org]===192.168.4.0/24;
> erouted; eroute owner: #325
> 000 "berfon":     srcip=unset; dstip=unset
> 000 "berfon":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
> 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "berfon":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio:
> 24,24; interface: eth1;
> 000 "berfon":   newest ISAKMP SA: #1560; newest IPsec SA: #325;
> 000 "berfon":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
> 000 "fonnee":
> 192.168.2.0/24===216.170.136.82[@fondy.advocap.org]...216.170.169.70[@neenah.advocap.org]===192.168.3.0/24;
> erouted; eroute owner: #314
> 000 "fonnee":     srcip=unset; dstip=unset
> 000 "fonnee":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
> 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "fonnee":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio:
> 24,24; interface: eth1;
> 000 "fonnee":   newest ISAKMP SA: #1535; newest IPsec SA: #314;
> 000 "fonnee":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
> 000 "johnmfondy":
> 192.168.2.0/24===216.170.136.82[@fondy.advocap.org]...24.164.227.25[@jm.advocap.org]===192.168.101.0/24;
> erouted; eroute owner: #319
> 000 "johnmfondy":     srcip=unset; dstip=unset
> 000 "johnmfondy":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
> 540s; rekey_fuzz: 100%; keyingtries: 1
> 000 "johnmfondy":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS; prio:
> 24,24; interface: eth1;
> 000 "johnmfondy":   newest ISAKMP SA: #1556; newest IPsec SA: #319;
> 000 "johnmfondy":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
> 000 "oshfon":
> 192.168.2.0/24===216.170.136.82[@fondy.advocap.org]...216.170.138.63[@oshkosh.advocap.org]===192.168.1.0/24;
> erouted; eroute owner: #317
> 000 "oshfon":     srcip=unset; dstip=unset
> 000 "oshfon":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin:
> 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "oshfon":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio:
> 24,24; interface: eth1;
> 000 "oshfon":   newest ISAKMP SA: #1546; newest IPsec SA: #317;
> 000 "oshfon":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
> 000 "prviewfondy":
> 192.168.2.0/24===216.170.136.82[@fondy.advocap.org]...216.127.203.221[@prview.advocap.org]===192.168.10.0/24;
> unrouted; eroute owner: #0
> 000 "prviewfondy":     srcip=unset; dstip=unset
> 000 "prviewfondy":   ike_life: 3600s; ipsec_life: 28800s;
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "prviewfondy":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP;
> prio: 24,24; interface: eth1;
> 000 "prviewfondy":   newest ISAKMP SA: #1554; newest IPsec SA: #0;
> 000 "prviewfondy":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
> 000
> 000 #1560: "berfon" STATE_MAIN_I4 (ISAKMP SA established);
> EVENT_SA_REPLACE in 2161s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
> 000 #1445: "berfon" STATE_MAIN_I4 (ISAKMP SA established);
> EVENT_SA_EXPIRE in 69s; lastdpd=-1s(seq in:0 out:0)
> 000 #325: "berfon" STATE_QUICK_R2 (IPsec SA established);
> EVENT_SA_REPLACE in 4487s; newest IPSEC; eroute owner
> 000 #325: "berfon" esp.db3b1213 at 68.191.189.34
> esp.2ad1b693 at 216.170.136.82 comp.90f2 at 68.191.189.34
> comp.d0e9 at 216.170.136.82 tun.0 at 68.191.189.34 tun.0 at 216.170.136.82
> 000 #314: "fonnee" STATE_QUICK_I2 (sent QI2, IPsec SA established);
> EVENT_SA_REPLACE in 1716s; newest IPSEC; eroute owner
> 000 #314: "fonnee" esp.e7e313c5 at 216.170.169.70
> esp.1445a13a at 216.170.136.82 comp.d23a at 216.170.169.70
> comp.4702 at 216.170.136.82 tun.0 at 216.170.169.70 tun.0 at 216.170.136.82
> 000 #1535: "fonnee" STATE_MAIN_I4 (ISAKMP SA established);
> EVENT_SA_REPLACE in 473s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
> 000 #1556: "johnmfondy" STATE_MAIN_R3 (sent MR3, ISAKMP SA
> established); EVENT_SA_REPLACE in 2365s; newest ISAKMP;
> lastdpd=-1s(seq in:0 out:0)
> 000 #319: "johnmfondy" STATE_QUICK_R2 (IPsec SA established);
> EVENT_SA_REPLACE in 3480s; newest IPSEC; eroute owner
> 000 #319: "johnmfondy" esp.9ae9bbd at 24.164.227.25
> esp.6652f60d at 216.170.136.82 comp.31a at 24.164.227.25
> comp.6a12 at 216.170.136.82 tun.0 at 24.164.227.25 tun.0 at 216.170.136.82
> 000 #1546: "oshfon" STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
> EVENT_SA_REPLACE in 1617s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
> 000 #317: "oshfon" STATE_QUICK_R2 (IPsec SA established);
> EVENT_SA_REPLACE in 2772s; newest IPSEC; eroute owner
> 000 #317: "oshfon" esp.b4c6f28d at 216.170.138.63
> esp.88eb8bf6 at 216.170.136.82 comp.b6f3 at 216.170.138.63
> comp.2886 at 216.170.136.82 tun.0 at 216.170.138.63 tun.0 at 216.170.136.82
> 000 #1571: "prviewfondy" STATE_QUICK_I1 (sent QI1, expecting QR1);
> EVENT_RETRANSMIT in 20s; lastdpd=-1s(seq in:0 out:0)
> 000 #1554: "prviewfondy" STATE_MAIN_R3 (sent MR3, ISAKMP SA
> established); EVENT_SA_REPLACE in 2101s; newest ISAKMP;
> lastdpd=-1s(seq in:0 out:0)
> 000
> 000 192.168.2.1/32:0 -1-> 192.168.10.1/32:0 => %hold 0    %acquire-netlink
> 000 192.168.2.1/32:0 -1-> 192.168.10.1/32:0 => %hold 0    %acquire-netlink
> 000 192.168.2.12/32:0 -6-> 192.168.10.1/32:0 => %hold 0    %acquire-netlink
> 000 192.168.2.1/32:0 -1-> 192.168.10.1/32:0 => %hold 0    %acquire-netlink
> 000 192.168.2.1/32:0 -1-> 192.168.10.1/32:0 => %hold 0    %acquire-netlink
> 000 192.168.2.12/32:0 -6-> 192.168.10.1/32:0 => %hold 0    %acquire-netlink
> 000 192.168.2.1/32:0 -1-> 192.168.10.1/32:0 => %hold 0    %acquire-netlink
> ... many pages more, just like the above.
>
> 192.168.10.1 is on the dialup side.
>
> Any ideas?
>
> Thanks
>
> John
> John McMonagle wrote:
>
>> I installed 2.3.0-2 on all 6 firewalls with 10 connections.
>>
>> Not really thrilled about building my own debian packages from
>> scratch unless I have to.
>>
>> Was getting a bit nervous as it didn't seem to help until I did them
>> all.
>> Seems better now.  it's much more usable.
>>
>> This morning  the particular connection I  gave earlier did not come up.
>> On the dial up side it did not add?
>> The other vpn connection that  I have not mentioned so far came up fine.
>>
>> This is what I did this morning:
>>
>> prvroute:~# ipsec auto --up prviewfondy
>> 021 no connection named "prviewfondy"
>> prvroute:~# ipsec auto --add prviewfondy
>> prvroute:~# ipsec auto --up prviewfondy
>> 104 "prviewfondy" #14: STATE_MAIN_I1: initiate
>> 003 "prviewfondy" #14: received Vendor ID payload [Dead Peer Detection]
>> 106 "prviewfondy" #14: STATE_MAIN_I2: sent MI2, expecting MR2
>> 108 "prviewfondy" #14: STATE_MAIN_I3: sent MI3, expecting MR3
>> 004 "prviewfondy" #14: STATE_MAIN_I4: ISAKMP SA established
>> 117 "prviewfondy" #15: STATE_QUICK_I1: initiate
>> 004 "prviewfondy" #15: STATE_QUICK_I2: sent QI2, IPsec SA established
>> {ESP=>0x46cc6d45 <0x85912bd9 IPCOMP=>0x000040c4 <0x00007367}
>>
>> One thing to note I'm using old freeswan style rsa key setup.
>> Any chance it couldn't resolve the tfondy.advocap.org and didn't  add
>> it?
>> It is  static so I could put it in the hosts file.
>>
>> Forgot to check ipsec auto --status before adding prviewfondy :(
>>
>> There are a few errors indicated in the log.
>> In particular I wonder about the "No buffer space available" message?
>>
>> Here is  the ipsec stuff from the log when it dialed up last night:
>> May 16 23:44:21 prvroute ipsec__plutorun: Starting Pluto subsystem...
>> May 16 23:44:23 prvroute pluto[17773]: Starting Pluto (Openswan
>> Version 2.3.0 X.509-1.5.4 PLUTO_USES_KEYRR)
>> May 16 23:44:23 prvroute pluto[17773]: Setting port floating to off
>> May 16 23:44:23 prvroute pluto[17773]: port floating activate 0/1
>> May 16 23:44:23 prvroute pluto[17773]:   including NAT-Traversal
>> patch (Version 0.6c) [disabled]
>> May 16 23:44:23 prvroute pluto[17773]: ike_alg_register_enc():
>> Activating OAKLEY_AES_CBC: Ok (ret=0)
>> May 16 23:44:23 prvroute pluto[17773]: starting up 1 cryptographic
>> helpers
>> May 16 23:44:23 prvroute pluto[17773]: started helper pid=17774 (fd:6)
>> May 16 23:44:23 prvroute pluto[17773]: Using Linux 2.6 IPsec
>> interface code
>> May 16 23:44:23 prvroute pluto[17773]: Changing to directory
>> '/etc/ipsec.d/cacerts'
>> May 16 23:44:23 prvroute pluto[17773]:   loaded CA cert file
>> 'cacert.pem' (1281 bytes)
>> May 16 23:44:23 prvroute pluto[17773]: Could not change to directory
>> '/etc/ipsec.d/aacerts'
>> May 16 23:44:23 prvroute pluto[17773]: Changing to directory
>> '/etc/ipsec.d/ocspcerts'
>> May 16 23:44:23 prvroute pluto[17773]: Changing to directory
>> '/etc/ipsec.d/crls'
>> May 16 23:44:23 prvroute pluto[17773]:   Warning: empty directory
>> May 16 23:44:37 prvroute pluto[17773]: added connection description
>> "prviewoshkosh"
>> May 16 23:44:58 prvroute pluto[17773]: listening for IKE messages
>> May 16 23:44:58 prvroute pluto[17773]: adding interface ppp0/ppp0
>> 216.127.203.221
>> May 16 23:44:58 prvroute pluto[17773]: adding interface eth0/eth0
>> 192.168.10.254
>> May 16 23:44:58 prvroute pluto[17773]: adding interface lo/lo 127.0.0.1
>> May 16 23:44:58 prvroute pluto[17773]: adding interface lo/lo ::1
>> May 16 23:44:58 prvroute pluto[17773]: loading secrets from
>> "/etc/ipsec.secrets"
>> May 16 23:44:58 prvroute pluto[17773]: "prviewoshkosh" #1: initiating
>> Main Mode
>> May 16 23:44:58 prvroute pluto[17773]: | no IKE algorithms for this
>> connection
>> May 16 23:44:58 prvroute pluto[17773]: ERROR: "prviewoshkosh" #1:
>> sendto on ppp0 to 216.170.138.63:500 failed in main_outI1. Errno 105:
>> No buffer space available
>> May 16 23:45:00 prvroute pluto[17773]: packet from
>> 216.170.138.63:500: received Vendor ID payload [Dead Peer Detection]
>> May 16 23:45:00 prvroute pluto[17773]: "prviewoshkosh" #2: responding
>> to Main Mode
>> May 16 23:45:00 prvroute pluto[17773]: "prviewoshkosh" #2: transition
>> from state STATE_MAIN_R0 to state STATE_MAIN_R1
>> May 16 23:45:00 prvroute pluto[17773]: ERROR: "prviewoshkosh" #2:
>> sendto on ppp0 to 216.170.138.63:500 failed in STATE_MAIN_R0. Errno
>> 105: No buffer space available
>> May 16 23:45:13 prvroute pluto[17773]: "prviewoshkosh" #1: received
>> Vendor ID payload [Dead Peer Detection]
>> May 16 23:45:13 prvroute pluto[17773]: "prviewoshkosh" #1: transition
>> from state STATE_MAIN_I1 to state STATE_MAIN_I2
>> May 16 23:45:13 prvroute pluto[17773]: ERROR: "prviewoshkosh" #1:
>> sendto on ppp0 to 216.170.138.63:500 failed in STATE_MAIN_I1. Errno
>> 105: No buffer space available
>> May 16 23:45:23 prvroute pluto[17773]: "prviewoshkosh" #1: discarding
>> duplicate packet; already STATE_MAIN_I2
>> May 16 23:45:23 prvroute pluto[17773]: ERROR: "prviewoshkosh" #1:
>> sendto on ppp0 to 216.170.138.63:500 failed in EVENT_RETRANSMIT.
>> Errno 105: No buffer space available
>> May 16 23:45:28 prvroute pluto[17773]: "prviewoshkosh" #2: transition
>> from state STATE_MAIN_R1 to state STATE_MAIN_R2
>> May 16 23:45:30 prvroute pluto[17773]: "prviewoshkosh" #2: Main mode
>> peer ID is ID_FQDN: '@oshkosh.advocap.org'
>> May 16 23:45:30 prvroute pluto[17773]: "prviewoshkosh" #2: I did not
>> send a certificate because I do not have one.
>> May 16 23:45:30 prvroute pluto[17773]: "prviewoshkosh" #2: transition
>> from state STATE_MAIN_R2 to state STATE_MAIN_R3
>> May 16 23:45:30 prvroute pluto[17773]: "prviewoshkosh" #2: sent MR3,
>> ISAKMP SA established
>> May 16 23:45:34 prvroute pluto[17773]: "prviewoshkosh" #3: responding
>> to Quick Mode
>> May 16 23:45:34 prvroute pluto[17773]: "prviewoshkosh" #3: transition
>> from state STATE_QUICK_R0 to state STATE_QUICK_R1
>> May 16 23:45:34 prvroute pluto[17773]: packet from
>> 216.170.136.82:500: received Vendor ID payload [Dead Peer Detection]
>> May 16 23:45:34 prvroute pluto[17773]: packet from
>> 216.170.136.82:500: initial Main Mode message received on
>> 216.127.203.221:500 but no connection has been
>> authorized
>> May 16 23:45:40 prvroute pluto[17773]: "prviewoshkosh" #3: transition
>> from state STATE_QUICK_R1 to state STATE_QUICK_R2
>> May 16 23:45:40 prvroute pluto[17773]: "prviewoshkosh" #3: IPsec SA
>> established {ESP=>0xf06c3853 <0xbe9f5c2e IPCOMP=>0x000083b6 <0x0000a55d}
>> May 16 23:45:42 prvroute pluto[17773]: "prviewoshkosh" #1: discarding
>> duplicate packet; already STATE_MAIN_I2
>> May 16 23:45:48 prvroute pluto[17773]: "prviewoshkosh" #1: I did not
>> send a certificate because I do not have one.
>> May 16 23:45:48 prvroute pluto[17773]: "prviewoshkosh" #1: transition
>> from state STATE_MAIN_I2 to state STATE_MAIN_I3
>> May 16 23:45:50 prvroute pluto[17773]: "prviewoshkosh" #1: Main mode
>> peer ID is ID_FQDN: '@oshkosh.advocap.org'
>> May 16 23:45:50 prvroute pluto[17773]: "prviewoshkosh" #1: transition
>> from state STATE_MAIN_I3 to state STATE_MAIN_I4
>> May 16 23:45:50 prvroute pluto[17773]: "prviewoshkosh" #1: ISAKMP SA
>> established
>> May 16 23:45:50 prvroute pluto[17773]: "prviewoshkosh" #4: initiating
>> Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
>> May 16 23:45:56 prvroute pluto[17773]: "prviewoshkosh" #4: transition
>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>> May 16 23:45:56 prvroute pluto[17773]: "prviewoshkosh" #4: sent QI2,
>> IPsec SA established {ESP=>0x45f85a1d <0xe8857ed6 IPCOMP=>0x0000c8e3
>> <0x00004c4b}
>> May 16 23:46:14 prvroute pluto[17773]: packet from
>> 216.170.136.82:500: received Vendor ID payload [Dead Peer Detection]
>> May 16 23:46:14 prvroute pluto[17773]: packet from
>> 216.170.136.82:500: initial Main Mode message received on
>> 216.127.203.221:500 but no connection has been
>> authorized
>> May 16 23:46:54 prvroute pluto[17773]: packet from
>> 216.170.136.82:500: received Vendor ID payload [Dead Peer Detection]
>> May 16 23:46:54 prvroute pluto[17773]: packet from
>> 216.170.136.82:500: initial Main Mode message received on
>> 216.127.203.221:500 but no connection has been
>> authorized
>> May 16 23:47:34 prvroute pluto[17773]: packet from
>> 216.170.136.82:500: received Vendor ID payload [Dead Peer Detection]
>> May 16 23:47:34 prvroute pluto[17773]: packet from
>> 216.170.136.82:500: initial Main Mode message received on
>> 216.127.203.221:500 but no connection has been
>>
>> 216.170.136.82 is the connection that did not add properly.
>>
>> Thanks for the help.
>>
>> John
>>
>>
>> Paul Wouters wrote:
>>
>>> On Mon, 16 May 2005, John McMonagle wrote:
>>>
>>>> There is 2.3.0-2 in debian unstable will that be good enough?
>>>
>>> I do not know what patches that includes. In the next few days, 2.3.2
>>> will be released. It is currently being tested by Xelerance.
>>>
>>> Paul
>>>
>>>> John
>>>>
>>>> Paul Wouters wrote:
>>>>
>>>>> On Mon, 16 May 2005, John McMonagle wrote:
>>>>>
>>>>>> Using openswan       2.2.0-4
>>>>>
>>>>> You are running into racing IPsec SA's, so you're continuously
>>>>> rekeying, while during some of the time, your connection is up. This is a
>>>>> known issue with 2.2.x.
>>>>>
>>>>> Please upgrade to 2.3.1
>>>>>
>>>>> Paul
>>>>>
>>>>>> On dial up side using diald set to keep up the connection if
>>>>>> possible.
>>>>>> Scripts bring up ipsec after connecting and stop ipsec after
>>>>>> connection goes down.
>>>>>>
>>>>>> Checking the logs that seems to work properly
>>>>>>
>>>>>> Problem is it either doesn't come up or it sort of works with a
>>>>>> high load particularly on the dial up side.
>>>>>> Dial up side's load is about 3 although it's pretty much idle;
>>>>>> pluto is the top load.
>>>>>>
>>>>>> At best ping time is about 200ms can be a few seconds.
>>>>>>
>>>>>> Some times it works Ok.
>>>>>> Some times I need to do
>>>>>> ipsec auto --down prviewfondy
>>>>>> On both ends and start it on one end.
>>>>>>
>>>>>>
>>>>>> On the dsl side am getting message like this on auth.log. Link
>>>>>> came up at 3:38:
>>>>>> May 16 03:39:10 fonroute pluto[5026]: "prviewfondy" #147672:
>>>>>> starting keying attempt 46 of an unlimited number
>>>>>> May 16 03:39:10 fonroute pluto[5026]: "prviewfondy" #147673:
>>>>>> initiating Main Mode to replace #147672
>>>>>> May 16 03:47:40 fonroute pluto[5026]: "prviewfondy" #147673:
>>>>>> ERROR: asynchronous network error report on eth1 for message to
>>>>>> 216.127.203.221 port 500, complainant 216.127.203.221: Connection
>>>>>> refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
>>>>>> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675:
>>>>>> responding to Main Mode
>>>>>> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675:
>>>>>> transition from state (null) to state STATE_MAIN_R1
>>>>>> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675:
>>>>>> transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>>>>>> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: Peer
>>>>>> ID is ID_FQDN: '@prview.advocap.org'
>>>>>> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675: I
>>>>>> did not send a certificate because I do not have one.
>>>>>> May 16 03:47:46 fonroute pluto[5026]: "prviewfondy" #147675:
>>>>>> multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
>>>>>> May 16 03:47:47 fonroute pluto[5026]: "prviewfondy" #147675:
>>>>>> transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>>>>>> May 16 03:47:47 fonroute pluto[5026]: "prviewfondy" #147675: sent
>>>>>> MR3, ISAKMP SA established
>>>>>> May 16 03:47:47 fonroute pluto[5026]: "prviewfondy" #147676:
>>>>>> responding to Quick Mode
>>>>>> May 16 03:47:48 fonroute pluto[5026]: "prviewfondy" #147676:
>>>>>> transition from state (null) to state STATE_QUICK_R1
>>>>>> May 16 03:47:53 fonroute pluto[5026]: "prviewfondy" #147676:
>>>>>> transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
>>>>>> May 16 03:47:53 fonroute pluto[5026]: "prviewfondy" #147676:
>>>>>> IPsec SA established {ESP=>0xbecc95f3 <0x2331a9f3 IPCOMP=>0x0000770e <0x00003fbf}
>>>>>> May 16 03:48:20 fonroute pluto[5026]: "prviewfondy" #147673:
>>>>>> transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
>>>>>> May 16 03:48:30 fonroute pluto[5026]: "prviewfondy" #147673:
>>>>>> discarding duplicate packet; already STATE_MAIN_I2
>>>>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: I
>>>>>> did not send a certificate because I do not have one.
>>>>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673:
>>>>>> multiple ipsec.secrets entries with distinct secrets match endpoints: first secret used
>>>>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673:
>>>>>> transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
>>>>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673: Peer
>>>>>> ID is ID_FQDN: '@prview.advocap.org'
>>>>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673:
>>>>>> transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
>>>>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147673:
>>>>>> ISAKMP SA established
>>>>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147677:
>>>>>> initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
>>>>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147678:
>>>>>> initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
>>>>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147679:
>>>>>> initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
>>>>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147680:
>>>>>> initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
>>>>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147681:
>>>>>> initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
>>>>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147682:
>>>>>> initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
>>>>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147683:
>>>>>> initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#147673}
>>>>>> May 16 03:48:31 fonroute pluto[5026]: "prviewfondy" #147684:
>>>>>> initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {us
>>>>>>
>>>>>> Same from dialup side:
>>>>>> May 16 03:39:28 prvroute pluto[25943]: added connection
>>>>>> description "prviewfondy"
>>>>>> May 16 03:39:28 prvroute pluto[25943]: "prviewfondy" #2:
>>>>>> initiating Main Mode
>>>>>> May 16 03:39:29 prvroute pluto[25943]: "prviewfondy" #2:
>>>>>> transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
>>>>>> May 16 03:39:29 prvroute pluto[25943]: "prviewfondy" #2: I did
>>>>>> not send a certificate because I do not have one.
>>>>>> May 16 03:39:29 prvroute pluto[25943]: "prviewfondy" #2:
>>>>>> transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
>>>>>> May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #2: Peer ID
>>>>>> is ID_FQDN: '@fondy.advocap.org'
>>>>>> May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #2:
>>>>>> transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
>>>>>> May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #2: ISAKMP
>>>>>> SA established
>>>>>> May 16 03:39:30 prvroute pluto[25943]: "prviewfondy" #4:
>>>>>> initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using
>>>>>> isakmp#2}
>>>>>> May 16 03:39:35 prvroute pluto[25943]: "prviewfondy" #4:
>>>>>> transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>>>>> May 16 03:39:35 prvroute pluto[25943]: "prviewfondy" #4: sent
>>>>>> QI2, IPsec SA established {ESP=>0x2331a9f3 <0xbecc95f3 IPCOMP=>0x00003fbf <0x0000770e}
>>>>>> May 16 03:40:03 prvroute pluto[25943]: "prviewfondy" #7:
>>>>>> responding to Main Mode
>>>>>> May 16 03:40:03 prvroute pluto[25943]: "prviewfondy" #7:
>>>>>> transition from state (null) to state STATE_MAIN_R1
>>>>>> May 16 03:40:13 prvroute pluto[25943]: "prviewfondy" #7:
>>>>>> transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>>>>>> May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: Peer ID
>>>>>> is ID_FQDN: '@fondy.advocap.org'
>>>>>> May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: I did
>>>>>> not send a certificate because I do not have one.
>>>>>> May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7:
>>>>>> transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>>>>>> May 16 03:40:14 prvroute pluto[25943]: "prviewfondy" #7: sent
>>>>>> MR3, ISAKMP SA established
>>>>>> May 16 03:40:21 prvroute pluto[25943]: "prviewfondy" #8:
>>>>>> responding to Quick Mode
>>>>>> May 16 03:40:22 prvroute pluto[25943]: "prviewfondy" #8:
>>>>>> transition from state (null) to state STATE_QUICK_R1
>>>>>> May 16 03:40:22 prvroute pluto[25943]: "prviewfondy" #9:
>>>>>> responding to Quick Mode
>>>>>> May 16 03:40:23 prvroute pluto[25943]: "prviewfondy" #9:
>>>>>> transition from state (null) to state STATE_QUICK_R1
>>>>>> May 16 03:40:24 prvroute pluto[25943]: "prviewfondy" #10:
>>>>>> responding to Quick Mode
>>>>>> May 16 03:40:25 prvroute pluto[25943]: "prviewfondy" #10:
>>>>>> transition from state (null) to state STATE_QUICK_R1
>>>>>> May 16 03:40:25 prvroute pluto[25943]: "prviewfondy" #11:
>>>>>> responding to Quick Mode
>>>>>> May 16 03:40:26 prvroute pluto[25943]: "prviewfondy" #11:
>>>>>> transition from state (null) to state STATE_QUICK_R1
>>>>>> May 16 03:40:26 prvroute pluto[25943]: "prviewfondy" #12:
>>>>>> responding to Quick Mode
>>>>>> May 16 03:40:27 prvroute pluto[25943]: "prviewfondy" #12:
>>>>>> transition from state (null) to state STATE_QUICK_R1
>>>>>> May 16 03:40:27 prvroute pluto[25943]: "prviewfondy" #13:
>>>>>> responding to Quick Mode
>>>>>> May 16 03:40:28 prvroute pluto[25943]: "prviewfondy" #13:
>>>>>> transition from state (null) to state STATE_QUICK_R1
>>>>>> May 16 03:40:28 prvroute pluto[25943]: "prviewfondy" #14:
>>>>>> responding to Quick Mode
>>>>>> May 16 03:40:29 prvroute pluto[25943]: "prviewfondy" #14:
>>>>>> transition from state (null) to state STATE_QUICK_R1
>>>>>> .........................................
>>>>>> lot more of the same then
>>>>>> May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #21: max
>>>>>> number of retransmissions (2) reached STATE_QUICK_R1
>>>>>> May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #19: max
>>>>>> number of retransmissions (2) reached STATE_QUICK_R1
>>>>>> May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #20: max
>>>>>> number of retransmissions (2) reached STATE_QUICK_R1
>>>>>> May 16 03:41:44 prvroute pluto[25943]: "prviewfondy" #82:
>>>>>> responding to Quick Mode
>>>>>> ..........................................
>>>>>> Get some of  these:
>>>>>> ay 16 03:42:03 prvroute pluto[25943]: "prviewfondy" #7: Quick
>>>>>> Mode I1 message is unacceptable because it uses a previously
>>>>>> used Message ID 0xf23d36aa (perhaps this is a duplicated packet)
>>>>>> May 16 03:42:03 prvroute pluto[25943]: "prviewfondy" #7: sending
>>>>>> encrypted notification INVALID_MESSAGE_ID to 216.170.136.82
>>>>>> :500
>>>>>>
>>>>>>
>>>>>> ipsec.conf  on  dialup end:
>>>>>> conn prviewfondy
>>>>>>       authby=rsasig
>>>>>>        compress=yes
>>>>>>       # Left security gateway, subnet behind it, next hop toward it.
>>>>>>       leftid=@prview.advocap.org
>>>>>>       leftrsasigkey=0sAQN....wJ
>>>>>>       left=%defaultroute
>>>>>>       leftsubnet=192.168.10.0/24
>>>>>>       # Right security gateway, subnet behind it, next hop toward
>>>>>> it.
>>>>>>       right=tfondy.advocap.org
>>>>>>       rightid=@fondy.advocap.org
>>>>>>       rightrsasigkey=0x0103............7d
>>>>>>       rightsubnet=192.168.2.0/24
>>>>>>       auto=start
>>>>>>
>>>>>> ipsec.conf  on  dsl end:
>>>>>>
>>>>>> conn prviewfondy
>>>>>>       authby=rsasig
>>>>>>        compress=yes
>>>>>>       leftid=@prview.advocap.org
>>>>>>       leftrsasigkey=0sAQNu.........O/wJ
>>>>>>       left=hdstart.dotnet.com
>>>>>>       leftsubnet=192.168.10.0/24
>>>>>>       right=tfondy.advocap.org
>>>>>>       rightid=@fondy.advocap.org
>>>>>>       rightrsasigkey=0x0103a8..........7d
>>>>>>       rightsubnet=192.168.2.0/24
>>>>>>
>>>>>>      auto=start
>>>>>>
>>>>>> Have a bunch of vpn links, the non-dialups, that are working fine.
>>>>>>
>>>>>> My wild guess is that the dsl side is confused by the link going
>>>>>> down.
>>>>>> Should I just be starting from one side?
>>>>>> Any suggestions.
>>>>>>
>>>>>> John
>>>>>>
>>>>
>>>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>
>
>
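The mistake John found (a leftsubnet line missing on one end, which the other end sees as a Quick Mode proposal it cannot accept, hence "No acceptable response to our first Quick Mode message") can be caught by comparing what each gateway's `ipsec auto --status` reports for the same tunnel before digging through `setkey -DP`. The following is an added example, not code from the thread or from Openswan: it parses the conn summary lines of Openswan 2.x status output from both ends, rejoins the line wrapping a mail archive introduces, and reports any gateway whose protected network differs between the two listings. The regexes and the reading of a subnet-less end as host/32 are this example's assumptions about that output format; the first two listings are excerpts from the thread, while the oshkosh listing and its conn name `oshprview` are constructed.

```python
import ipaddress
import re

# Conn summary line of `ipsec auto --status` (Openswan 2.x), once any mail
# wrapping has been undone:  000 "name": LEFT...RIGHT; <routing state>; ...
CONN_RE = re.compile(r'^000 "(?P<name>[^"]+)":\s+(?P<spec>[^\s;]*\.\.\.[^\s;]*);')

# One end of the tunnel: [subnet===]host[@id][===subnet]. The local end is
# printed first with its subnet on the left, the remote end with its subnet
# on the right. An end with no subnet protects the gateway itself only.
END_RE = re.compile(
    r'^(?:(?P<lsub>\d[\d.]*/\d+)===)?'
    r'(?P<host>\d[\d.]*)'
    r'(?:\[(?P<id>[^\]]*)\])?'
    r'(?:===(?P<rsub>\d[\d.]*/\d+))?$'
)


def rejoin_wrapped(text):
    """Undo mail-client line wrapping: every status line starts with '000 ',
    so anything else is a continuation of the previous line (assumes the
    wrap happened at whitespace, as in the thread's listings)."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("000 ") or not lines:
            lines.append(line)
        else:
            lines[-1] += " " + line
    return lines


def parse_end(end):
    """Return (gateway address, protected network) for one tunnel end."""
    m = END_RE.match(end)
    if not m:
        raise ValueError("unrecognised tunnel end: %r" % end)
    subnet = m.group("lsub") or m.group("rsub")
    # No leftsubnet/rightsubnet means the policy covers the gateway alone,
    # i.e. host/32, which a peer expecting a /24 behind it will not accept.
    net = ipaddress.ip_network(subnet if subnet else m.group("host") + "/32")
    return m.group("host"), net


def parse_status(text):
    """Map conn name -> {gateway address: protected network}."""
    conns = {}
    for line in rejoin_wrapped(text):
        m = CONN_RE.match(line)
        if not m:
            continue
        left, right = m.group("spec").split("...", 1)
        lh, ln = parse_end(left)
        rh, rn = parse_end(right)
        conns[m.group("name")] = {lh: ln, rh: rn}
    return conns


def compare_peers(status_a, conn_a, status_b, conn_b):
    """Return [(gateway, network seen by A, network seen by B)] for every
    gateway whose protected network differs between the two ends."""
    a = parse_status(status_a)[conn_a]
    b = parse_status(status_b)[conn_b]
    problems = []
    for host in sorted(set(a) | set(b)):
        na, nb = a.get(host), b.get(host)
        if na != nb:
            problems.append((host, str(na), str(nb)))
    return problems


# Excerpts of the two listings in the thread: the dial-up gateway
# 216.127.203.221 (prview) and the DSL gateway 216.170.136.82 (fondy),
# kept wrapped the way the mail archive shows them.
DIALUP_STATUS = """
000 "prviewfondy":
216.127.203.221[@prview.advocap.org]...216.170.136.82[@fondy.advocap.org]===192.168.2.0/24;
prospective erouted; eroute owner: #0
000 "prviewfondy":     srcip=unset; dstip=unset
000 "prviewoshkosh":
192.168.10.0/24===216.127.203.221[@prview.advocap.org]...216.170.138.63[@oshkosh.advocap.org]===192.168.1.0/24;
erouted; eroute owner:#6
"""

DSL_STATUS = """
000 "prviewfondy":
192.168.2.0/24===216.170.136.82[@fondy.advocap.org]...216.127.203.221[@prview.advocap.org]===192.168.10.0/24;
unrouted; eroute owner: #0
000 "prviewfondy":     srcip=unset; dstip=unset
"""

# Constructed: what the oshkosh gateway would print for its end of the
# working prview<->oshkosh tunnel (the thread does not include its status).
OSHKOSH_STATUS = """
000 "oshprview":
192.168.1.0/24===216.170.138.63[@oshkosh.advocap.org]...216.127.203.221[@prview.advocap.org]===192.168.10.0/24;
erouted; eroute owner: #12
"""

if __name__ == "__main__":
    for conn_a, status_b, conn_b in (("prviewfondy", DSL_STATUS, "prviewfondy"),
                                     ("prviewoshkosh", OSHKOSH_STATUS, "oshprview")):
        bad = compare_peers(DIALUP_STATUS, conn_a, status_b, conn_b)
        print(conn_a, "OK" if not bad else "MISMATCH %s" % bad)
```

Run against the thread's listings it flags `prviewfondy`: the dial-up end announces only `216.127.203.221/32` for itself while the DSL end expects `192.168.10.0/24` behind that gateway, which is the deleted leftsubnet; the prview-oshkosh pair agrees on both networks and passes.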



