[Openswan Users] problems with Multitech RouteFinder gateways

Leonardo Rodrigues Magalhães leolistas at solutti.com.br
Wed Oct 26 12:28:23 CEST 2005


    Hello Guys,

    I've configured OpenSWAN 2.4.0 built from SRPMS from 
http://www.openswan.org/download/binaries/fedora/3/SRPMS/ and I'm having 
some problems ..... 

    I need to establish an IPSec tunnel with two multitech gateways, one 
RouteFinder 550VPN and other RouteFinder 560VPN.

    Well ...... VPNs were configured in openswan and multitech using IKE 
and AES-256, PFS disabled and compression enabled in ipsec.conf. 
Multitech doesn't have a compression option, but seems to accept it. VPNs 
worked, but I'm having some strange problems ....

    This is a snip from my ipsec.conf

    left = openswan, right = MultiTech RouteFinder 550VPN

conn brasilia
        type=tunnel
        authby=secret
        left=my.left.external.ip
        leftnexthop=my.left.gateway
        leftsubnet=10.0.0.0/24
        right=my.right.external.ip
        rightnexthop=my.right.gateway
        rightsubnet=10.10.10.0/24
        ike=aes256-sha1-modp1024
        pfs=no
        compress=yes
        auto=start

    When I tried using 'auto=add' to get openswan only responding and 
not initiating the connection, letting multitech initiate the tunnel, I got 
several:

Oct 26 09:51:22 correio pluto[8519]: "brasilia" #4: OAKLEY_KEY_LENGTH 
attribute not preceded by OAKLEY_ENCRYPTION_ALGORITHM attribute.  
Attribute OAKLEY_KEY_LENGTH

    I enabled DEBUG and noticed that multitech is sending the key length 
= 256 without sending the encryption algorithm, just as stated by the 
error. The tunnel was never established. Anyway, I changed auto=add to 
auto=start and after some errors, the tunnel seems to get established 
and works FINE. This is surely a multitech bug BUT I could work around it 
by having auto=start.

    But even with the VPN established and working, I keep getting this 
message 2 or even 3 times each minute:

Oct 26 10:11:40 correio pluto[8866]: "brasilia" #119: max number of 
retransmissions (2) reached STATE_QUICK_I1
Oct 26 10:11:40 correio pluto[8866]: "brasilia" #119: starting keying 
attempt 17 of an unlimited number
Oct 26 10:11:40 correio pluto[8866]: "brasilia" #127: initiating Quick 
Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP to replace #119 {using isakmp#1}

Oct 26 10:11:46 correio pluto[8866]: "brasilia" #122: max number of 
retransmissions (2) reached STATE_QUICK_I1
Oct 26 10:11:46 correio pluto[8866]: "brasilia" #122: starting keying 
attempt 17 of an unlimited number
Oct 26 10:11:46 correio pluto[8866]: "brasilia" #128: initiating Quick 
Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP to replace #122 {using isakmp#1}

Oct 26 10:12:50 correio pluto[8866]: "brasilia" #126: max number of 
retransmissions (2) reached STATE_QUICK_I1
Oct 26 10:12:50 correio pluto[8866]: "brasilia" #126: starting keying 
attempt 18 of an unlimited number
Oct 26 10:12:50 correio pluto[8866]: "brasilia" #134: initiating Quick 
Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP to replace #126 {using isakmp#1}

Oct 26 10:12:56 correio pluto[8866]: "brasilia" #128: max number of 
retransmissions (2) reached STATE_QUICK_I1
Oct 26 10:12:56 correio pluto[8866]: "brasilia" #128: starting keying 
attempt 18 of an unlimited number
Oct 26 10:12:56 correio pluto[8866]: "brasilia" #136: initiating Quick 
Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP to replace #128 {using isakmp#1}

    tcpdump shows that I'm (openswan) sending several phase 2 packets:

10:11:40.435421 IP my.openswan.ip.isakmp > multitech.rf550vpn.ip.isakmp: 
isakmp: phase 2/others ? oakley-quick[E]
10:11:40.435958 IP my.openswan.ip.isakmp > multitech.rf550vpn.ip.isakmp: 
isakmp: phase 2/others ? oakley-quick[E]

10:11:46.434957 IP my.openswan.ip.isakmp > multitech.rf550vpn.ip.isakmp: 
isakmp: phase 2/others ? oakley-quick[E]
10:11:48.440899 IP my.openswan.ip.isakmp > multitech.rf550vpn.ip.isakmp: 
isakmp: phase 2/others ? oakley-quick[E]

10:12:50.439236 IP my.openswan.ip.isakmp > multitech.rf550vpn.ip.isakmp: 
isakmp: phase 2/others ? oakley-quick[E]
10:12:50.448789 IP my.openswan.ip.isakmp > multitech.rf550vpn.ip.isakmp: 
isakmp: phase 2/others ? oakley-quick[E]

10:12:56.456122 IP my.openswan.ip.isakmp > multitech.rf550vpn.ip.isakmp: 
isakmp: phase 2/others ? oakley-quick[E]


    I've tried enabling PFS/disabling compression but it didn't change 
the behavior. I have tried changing the encryption algorithm and key 
lengths, but it didn't change the behavior. Both Multitech gateways are 
running the latest firmware available from the multitech site.


    Well ...... after the long mail .... has anyone experienced a problem 
like this ? Has anyone successfully connected with Multitech 
RouteFinder gateways without these annoying messages/errors ?? Any 
configuration change that I should try ??

-- 


	Atenciosamente / Sincerely,
	Leonardo Rodrigues
	Solutti Tecnologia
	http://www.solutti.com.br

	My SPAM trap, do NOT send it email
	gertrudes at solutti.com.br
	My SPAMTRAP, do not email it
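
As an added illustration (not the poster's code nor Openswan's source), here is a small Python parser for ISAKMP transform attributes with the ordering check behind the OAKLEY_KEY_LENGTH message quoted above, useful for checking a captured proposal against that rule; attribute type and value numbers are taken from RFC 2409, and the two transforms are constructed samples, not traffic captured from the Multitech gateway.

```python
import struct

# IKEv1 phase 1 (Oakley) attribute types from RFC 2409 Appendix A
OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_HASH_ALGORITHM = 1, 2
OAKLEY_AUTHENTICATION_METHOD, OAKLEY_GROUP_DESCRIPTION = 3, 4
OAKLEY_KEY_LENGTH = 14
# values for the poster's proposal: aes256-sha1-modp1024 with authby=secret
OAKLEY_AES_CBC, OAKLEY_SHA1, OAKLEY_PRESHARED_KEY, OAKLEY_MODP1024 = 7, 2, 1, 2

def encode_basic_attr(attr_type, value):
    """Encode a 'basic' (TV) data attribute: AF bit set, 2-byte type, 2-byte value."""
    return struct.pack("!HH", 0x8000 | attr_type, value)

def parse_attrs(data):
    """Parse ISAKMP data attributes (RFC 2408 3.3): TV when the AF bit is set,
    otherwise TLV, where the second field is the length of the value that follows."""
    attrs, off = [], 0
    while off + 4 <= len(data):
        type_field, val = struct.unpack_from("!HH", data, off)
        off += 4
        if type_field & 0x8000:
            attrs.append((type_field & 0x7FFF, val))
        else:
            attrs.append((type_field, int.from_bytes(data[off:off + val], "big")))
            off += val
    return attrs

def check_key_length_order(attrs):
    """The rule behind the pluto log line above: KEY_LENGTH only makes sense
    once the transform has already named its ENCRYPTION_ALGORITHM."""
    seen_encryption = False
    for attr_type, _ in attrs:
        if attr_type == OAKLEY_ENCRYPTION_ALGORITHM:
            seen_encryption = True
        elif attr_type == OAKLEY_KEY_LENGTH and not seen_encryption:
            return False, ("OAKLEY_KEY_LENGTH attribute not preceded by "
                           "OAKLEY_ENCRYPTION_ALGORITHM attribute")
    return True, "ok"

# Constructed samples (not captured traffic): a well-formed transform matching
# the poster's ike= line, and one that sends the key length without the cipher.
_COMMON = [(OAKLEY_HASH_ALGORITHM, OAKLEY_SHA1),
           (OAKLEY_AUTHENTICATION_METHOD, OAKLEY_PRESHARED_KEY),
           (OAKLEY_GROUP_DESCRIPTION, OAKLEY_MODP1024)]
WELL_FORMED = b"".join(encode_basic_attr(t, v) for t, v in
                       [(OAKLEY_ENCRYPTION_ALGORITHM, OAKLEY_AES_CBC),
                        (OAKLEY_KEY_LENGTH, 256)] + _COMMON)
KEY_LENGTH_WITHOUT_CIPHER = b"".join(encode_basic_attr(t, v) for t, v in
                                     [(OAKLEY_KEY_LENGTH, 256)] + _COMMON)
```

Feeding the attribute bytes of a transform taken from a `tcpdump -x` capture of the peer's first Main Mode packet into `parse_attrs` shows whether the peer is the one omitting the cipher, which is what the DEBUG output in the post indicated.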
