[Openswan Users] IPSec, Windows XP/2000 and Dead Peer Detection

Andrej Trobentar andrej.trobentar at rikom.si
Thu Oct 13 09:36:07 CEST 2005



Jacco de Leeuw wrote:
>
> At least, that is the theory. Are you using kernel 2.4 by any chance?
> I have had some issues with kernel 2.4 not tearing down the IPsec SAs.
> But I have not used kernel 2.4 much since I have upgraded.

Yes, I'm using kernel 2.4.31. I can't upgrade to any other kernel,
because I have a Sundance Multiport ethernet card and the module works
only under this version - under others it locks the server :(

>> Do you have any ideas why my static tunnels don't work when I
>> compiled and used openswan 2.4.2dr2?
>
> No, I have not yet used that version. From your logs it looks like
> one side or the other is not receiving packets. What if you use a
> machine to sniff the connection between them?

The packets are going to the other machine, here's the log of the other
side of the tunnel (openswan 2.3.1):

"rikom-krgora-lan_vzp" #215: received Delete SA payload: replace IPSEC State #218 in 10 seconds
fw pluto[2618]: received and ignored informational message
"rikom-krgora-lan_vzp" #215: received Delete SA payload: replace IPSEC State #216 in 10 seconds
pluto[2618]: "rikom-krgora-lan_vzp" #215: received and ignored informational message
"rikom-krgora-lan_vzp" #215: received Delete SA payload: replace IPSEC State #217 in 10 seconds
fw pluto[2618]: "rikom-krgora-lan_vzp" #215: received and ignored informational message
pluto[2618]: "rikom-krgora-lan_vzp" #215: received Delete SA payload: deleting ISAKMP State #215
pluto[2618]: packet from 193.2.211.10:500: received and ignored informational message
pluto[2618]: "rikom-krgora-lan_vzp" #219: initiating Main Mode
pluto[2618]: "rikom-krgora-lan_rikom" #218: IPsec SA expired (LATEST!)
pluto[2618]: "rikom-krgora-lan_brm" #216: IPsec SA expired (LATEST!)
pluto[2618]: "rikom-krgora-lan_vzp" #217: IPsec SA expired (LATEST!)
pluto[2618]: "rikom-krgora-lan_vzp" #219: max number of retransmissions (2) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message


Is it possible that openswan 2.4.x and openswan 2.3.x are not
"compatible"? Maybe some other ideas?

The funny thing is that if I put the openswan 2.3.1 back again my static
tunnels start to work.

--
Greetings from Maribor,

	Andrej.


