[Openswan Users] problems with Multitech RouteFinder gateways

Paul Wouters paul at xelerance.com
Wed Oct 26 21:08:30 CEST 2005


On Wed, 26 Oct 2005, Leonardo Rodrigues Magalhães wrote:

>    I need to establish an IPSec tunnel with two Multitech gateways, one
> RouteFinder 550VPN and the other a RouteFinder 560VPN.
>
>    Well ...... VPNs were configured in openswan and Multitech using IKE and
> AES-256, PFS disabled and compression enabled on ipsec.conf. Multitech doesn't
> have a compression option, but seems to accept it. VPNs worked, but I'm having
> some strange problems ....

>    When I tried using 'auto=add' to get openswan only responding and not
> initiating the connection, letting Multitech initiate the tunnel, I got several:
>
> Oct 26 09:51:22 correio pluto[8519]: "brasilia" #4: OAKLEY_KEY_LENGTH
> attribute not preceded by OAKLEY_ENCRYPTION_ALGORITHM attribute.  Attribute
> OAKLEY_KEY_LENGTH

I suggest you report this to the vendor.

>    I enabled DEBUG and noticed that Multitech is sending the key length = 256
> without sending the encryption algorithm, just as stated by the error. The tunnel
> was never established. Anyway, I changed auto=add to auto=start and after some
> errors, the tunnel seems to get established and works FINE. This is surely a
> Multitech bug BUT I could work around it by using auto=start.
>
>    But even with the VPN established and working, I keep getting this message 2 or
> even 3 times each minute:
>
> Oct 26 10:11:40 correio pluto[8866]: "brasilia" #119: max number of
> retransmissions (2) reached STATE_QUICK_I1
> Oct 26 10:11:40 correio pluto[8866]: "brasilia" #119: starting keying attempt
> 17 of an unlimited number
> Oct 26 10:11:40 correio pluto[8866]: "brasilia" #127: initiating Quick Mode
> PSK+ENCRYPT+COMPRESS+TUNNEL+UP to replace #119 {using isakmp#1}

It seems openswan is still negotiating. Perhaps the other end is still trying
to initiate from your first attempt using the remote end as initiator?

Also, you should ensure that openswan always rekeys before the other end, or
you will hit your original bug again. You likely need to lower the keylife=
and ipseckeylife= options to ensure that openswan stays an initiator.

>    I've tried enabling PFS/disabling compression but it didn't change the
> behavior. I have tried changing the encryption algorithm and key lengths, but
> it didn't change the behavior. Both Multitech gateways are running the latest
> firmware available from the Multitech site.

Please report this to the vendor.

Paul
-- 

"Happiness is never grand"

	--- Mustapha Mond, World Controller (Brave New World)
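An added illustration, not from this thread and not Openswan/Pluto code: a small Python checker modelled on the attribute-ordering rule behind the "OAKLEY_KEY_LENGTH attribute not preceded by OAKLEY_ENCRYPTION_ALGORITHM attribute" message, run over constructed IKEv1 transform attribute lists. Attribute type and cipher numbers follow RFC 2409 Appendix A and RFC 3602 (AES-CBC = 7); the "broken peer" proposal is built from the description in the thread, not from a capture.

```python
# Added example: mirrors the responder-side check that rejects a key-length
# attribute arriving before (or without) the encryption-algorithm attribute.
from typing import List, Optional, Tuple

# IKEv1 (Oakley) transform attribute types, RFC 2409 Appendix A
OAKLEY_ENCRYPTION_ALGORITHM = 1
OAKLEY_HASH_ALGORITHM = 2
OAKLEY_AUTHENTICATION_METHOD = 3
OAKLEY_GROUP_DESCRIPTION = 4
OAKLEY_KEY_LENGTH = 14

# cipher id -> permitted OAKLEY_KEY_LENGTH values; None marks a fixed-size
# cipher for which a key-length attribute is unexpected
CIPHER_KEY_BITS = {
    1: None,             # DES-CBC
    5: None,             # 3DES-CBC
    7: (128, 192, 256),  # AES-CBC (RFC 3602)
}

def check_transform(attrs: List[Tuple[int, int]]) -> Optional[str]:
    """Return None if the attributes (in wire order) are acceptable,
    otherwise a message saying why a responder would reject them."""
    enc: Optional[int] = None
    for attr_type, value in attrs:
        if attr_type == OAKLEY_ENCRYPTION_ALGORITHM:
            enc = value
        elif attr_type == OAKLEY_KEY_LENGTH:
            if enc is None:
                return ("OAKLEY_KEY_LENGTH attribute not preceded by "
                        "OAKLEY_ENCRYPTION_ALGORITHM attribute")
            allowed = CIPHER_KEY_BITS.get(enc)
            if allowed is None:
                return f"OAKLEY_KEY_LENGTH given for fixed-length cipher {enc}"
            if value not in allowed:
                return f"key length {value} not valid for cipher {enc}"
    return None

# Constructed proposals: key length 256 with no preceding cipher (as the
# thread describes the Multitech sending), and a well-formed AES-256 one.
# hash 2 = SHA1, auth 1 = pre-shared key, group 2 = MODP-1024.
BROKEN_PEER = [(OAKLEY_KEY_LENGTH, 256), (OAKLEY_HASH_ALGORITHM, 2),
               (OAKLEY_AUTHENTICATION_METHOD, 1), (OAKLEY_GROUP_DESCRIPTION, 2)]
GOOD_PEER = [(OAKLEY_ENCRYPTION_ALGORITHM, 7), (OAKLEY_KEY_LENGTH, 256),
             (OAKLEY_HASH_ALGORITHM, 2), (OAKLEY_AUTHENTICATION_METHOD, 1),
             (OAKLEY_GROUP_DESCRIPTION, 2)]

if __name__ == "__main__":
    for name, proposal in (("broken", BROKEN_PEER), ("good", GOOD_PEER)):
        print(name, check_transform(proposal) or "accepted")
```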

