[Openswan Users] Win2k / XP (behind NAT) rekeying issue

Igmar Palsenberg maillist at jdimedia.nl
Thu May 26 15:54:29 CEST 2005


> I believe that once the 4500 is used that it should be used for
> re-keying too.

That's also what I read from the draft specs.

> Have you checked with tcpdump that the re-key is
> happening on 500 or is it from the logs?

Both say rekeying is done over UDP 500 -> UDP 500 :

13:48:46.762462 82.92.195.210.4500 > 82.92.211.218.4500:  udp 60 (DF)
13:48:46.777147 82.92.211.218.4500 > 82.92.195.210.4500:  udp 52 
13:49:05.925407 82.92.211.218.4500 > 82.92.195.210.4500:  udp 1
13:49:15.031292 82.92.195.210.isakmp > 82.92.211.218.isakmp: isakmp: phase 
1 I ident: [|sa] (DF)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This is the actual rekey, from the pluto debug log :

May 26 13:49:15 fw pluto[17536]: | sending 292 bytes for main_outI1 
through eth0:500 to 82.92.211.218:500:
<snip 292 bytes>

13:49:25.946546 82.92.211.218.4500 > 82.92.195.210.4500:  udp 1
13:49:45.954837 82.92.211.218.4500 > 82.92.195.210.4500:  udp 1
13:49:46.772463 82.92.195.210.4500 > 82.92.211.218.4500:  udp 60 (DF)
13:49:46.787285 82.92.211.218.4500 > 82.92.195.210.4500:  udp 52 
13:50:05.948618 82.92.211.218.4500 > 82.92.195.210.4500:  udp 1
13:50:25.274051 82.92.195.210.isakmp > 82.92.211.218.isakmp: isakmp: phase 
1 I ident: [|sa] (DF)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Retransmit from the pluto debug log :

 *time to handle event
May 26 13:50:25 fw pluto[17536]: | handling event EVENT_RETRANSMIT
May 26 13:50:25 fw pluto[17536]: | event after this is 
EVENT_PENDING_PHASE2 in 53 seconds
May 26 13:50:25 fw pluto[17536]: | processing connection 
l2tp-updated-win[2] 82.92.211.218
May 26 13:50:25 fw pluto[17536]: | sending 292 bytes for main_outI1 
through eth0:500 to 82.92.211.218:500:
<snip 292 bytes>

13:50:25.987964 82.92.211.218.4500 > 82.92.195.210.4500:  udp 1
13:50:35.278421 82.92.195.210.isakmp > 82.92.211.218.isakmp: isakmp: phase 
1 I ident: [|sa] (DF)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

retransmit :

May 26 13:50:35 fw pluto[17536]: | sending 292 bytes for EVENT_RETRANSMIT 
through eth0:500 to 82.92.211.218:500:

>  (My logs show the rekey
> happening/failing on 4500).   Is WinXP being silly and rekeying on
> 500?

No, Openswan is at fault I believe. Windows doesn't even notice the rekey; 
it starts to log again when Openswan decides to kill the SA.

The full logs + TCP dumps + Win2k IKE logs are available at request.


Regards,


	Igmar
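A small check for the symptom described in this thread, as an added example that is not part of the original post and not Openswan or Windows code: it parses tcpdump summary lines in the same layout as the captures above, remembers which peer pairs have already floated to UDP 4500 (NAT-T), and flags any later IKE packet between the same peers that goes back to UDP 500, which is exactly what the rekey attempts above look like. The sample capture is constructed with RFC 5737 documentation addresses; the initial port-500 exchange before the float is deliberately included and must not be flagged.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches the classic tcpdump summary prefix used in the post:
#   "13:49:15.031292 82.92.195.210.isakmp > 82.92.211.218.isakmp: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>[^\s:]+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[^\s:]+):"
)

# tcpdump prints service names when it knows them; map the two we care about.
PORT_NAMES = {"isakmp": 500, "ipsec-nat-t": 4500}


@dataclass
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int


def port_number(token: str) -> Optional[int]:
    """Turn a tcpdump port token ('4500', 'isakmp') into a number, or None."""
    if token.isdigit():
        return int(token)
    return PORT_NAMES.get(token)


def parse_line(line: str) -> Optional[Packet]:
    """Parse one summary line; returns None for lines that are not packets."""
    m = LINE_RE.match(line)
    if not m:
        return None
    sport, dport = port_number(m["sport"]), port_number(m["dport"])
    if sport is None or dport is None:
        return None
    return Packet(m["ts"], m["src"], sport, m["dst"], dport)


def find_port_regressions(lines: List[str]) -> List[Packet]:
    """Return IKE packets sent on UDP 500 between peers that already floated to 4500.

    After NAT-T detection both sides are expected to keep using 4500 for
    everything, rekeys included; a packet on 500 after the float is the
    behaviour reported in the thread.
    """
    floated = set()          # unordered peer pairs seen talking on 4500/4500
    findings: List[Packet] = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        pair = frozenset((pkt.src, pkt.dst))
        if pkt.sport == 4500 and pkt.dport == 4500:
            # Includes the 1-byte NAT-T keepalives ("udp 1") seen in the capture.
            floated.add(pair)
        elif pkt.sport == 500 and pkt.dport == 500 and pair in floated:
            findings.append(pkt)
    return findings


# Constructed sample capture (RFC 5737 addresses), modelled on the post's tcpdump:
# an initial main-mode exchange on 500, the float to 4500 with keepalives, then
# two rekey attempts that wrongly go back to 500 and one unrelated peer on 500.
SAMPLE_DUMP = """\
13:48:01.000000 192.0.2.10.isakmp > 198.51.100.20.isakmp: isakmp: phase 1 I ident: [|sa] (DF)
13:48:01.100000 198.51.100.20.isakmp > 192.0.2.10.isakmp: isakmp: phase 1 R ident: [|sa]
13:48:02.000000 192.0.2.10.4500 > 198.51.100.20.4500:  udp 60 (DF)
13:48:02.020000 198.51.100.20.4500 > 192.0.2.10.4500:  udp 52
13:48:22.000000 198.51.100.20.4500 > 192.0.2.10.4500:  udp 1
13:49:15.000000 192.0.2.10.isakmp > 198.51.100.20.isakmp: isakmp: phase 1 I ident: [|sa] (DF)
13:49:16.000000 203.0.113.5.isakmp > 198.51.100.20.isakmp: isakmp: phase 1 I ident: [|sa] (DF)
13:49:25.000000 192.0.2.10.isakmp > 198.51.100.20.isakmp: isakmp: phase 1 I ident: [|sa] (DF)
"""


def report(lines: List[str]) -> List[str]:
    """Human-readable summary of each regression found."""
    return [
        f"{p.ts} {p.src} -> {p.dst}: IKE on UDP 500 after peers already floated to 4500"
        for p in find_port_regressions(lines)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_DUMP.splitlines()):
        print(line)
```

On a real capture, feed it `tcpdump -n -i eth0 'udp port 500 or udp port 4500'` output; with `-n`, the port tokens are numeric and the name map is simply unused. Only a pair that was previously seen on 4500 is flagged, so a fresh peer starting on 500 (as it must, before NAT-T detection) is not reported.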