[Openswan Users] IPSEC 2.2.0 restarts all tunnels every 10 minutes

Paul Wouters paul at xelerance.com
Wed Sep 28 17:12:59 CEST 2005


On Wed, 28 Sep 2005, foren titze wrote:

> Subject: [Openswan Users] IPSEC 2.2.0 restarts all tunnels every 10 minutes

(only putting your question in the subject line is not very obvious.....)

> Hello users,
>
> I have a strange problem:
>
> Here is my logfile:
> --
> Sep 28 12:02:09 GATEWAY pluto[8173]: "windoof--vogelsanger1" #12370:
> initiating Main Mode to replace #12340
> Sep 28 12:02:09 GATEWAY pluto[8173]: "windoof--vogelsanger1" #12370: ISAKMP SA
> established

So you initiate one connection.

> Sep 28 12:06:08 GATEWAY pluto[8173]: "catfish--gate2--win" #12371: initiating
> Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #12369 {using isakmp#12367}
> Sep 28 12:06:08 GATEWAY pluto[8173]: "catfish--gate2--unix" #12372: initiating
> Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #12368 {using isakmp#12367}
> Sep 28 12:06:08 GATEWAY pluto[8173]: "catfish--gate2--unix" #12372: transition
> from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Sep 28 12:06:08 GATEWAY pluto[8173]: "catfish--gate2--unix" #12372: sent QI2,
> IPsec SA established {ESP=>0x08425f1a <0xa187a6fd}
> Sep 28 12:06:08 GATEWAY pluto[8173]: "catfish--gate2--win" #12371: transition
> from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Sep 28 12:06:08 GATEWAY pluto[8173]: "catfish--gate2--win" #12371: sent QI2,
> IPsec SA established {ESP=>0x83c68131 <0x9865ead9}

And another connection.

> Sep 28 12:10:37 GATEWAY pluto[8173]: packet from xxx.xxx.114.2:500: ignoring
> informational payload, type INVALID_COOKIE
> Sep 28 12:10:37 GATEWAY pluto[8173]: packet from xxx.xxx.114.2:500: received
> and ignored informational message
> Sep 28 12:10:37 GATEWAY pluto[8173]: "catfish--gate2--unix" #12373: responding
> to Main Mode

Here you are responding, and by the looks of it, the other end didn't really
settle on the first established tunnel. It looks like both ends might be
racing to set up the tunnel.

> Is there a bug in IPSEC 2.2.0 with the kernel 2.6.11 on Debian Stable?

I believe we did have some instances racing somewhere around 2.1.x and 2.2.x. Either
upgrade to 2.3.x or wait a few days for Rene to finish putting in 2.4.x.

Paul
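
Added example (not part of the original post, and not Openswan code): a heuristic check over pluto log lines for the pattern discussed in the reply, where the same connection is seen both initiating and responding to a negotiation within a short window. The sample lines are constructed from the log quoted above with wrapped lines joined; the function names, the 10-minute window and the year used for parsing are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: taken from the pluto log quoted in the post, with the
# wrapped lines joined so that each syslog record is on one line.
SAMPLE_LOG = """\
Sep 28 12:02:09 GATEWAY pluto[8173]: "windoof--vogelsanger1" #12370: initiating Main Mode to replace #12340
Sep 28 12:06:08 GATEWAY pluto[8173]: "catfish--gate2--unix" #12372: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #12368 {using isakmp#12367}
Sep 28 12:06:08 GATEWAY pluto[8173]: "catfish--gate2--unix" #12372: sent QI2, IPsec SA established {ESP=>0x08425f1a <0xa187a6fd}
Sep 28 12:10:37 GATEWAY pluto[8173]: packet from xxx.xxx.114.2:500: ignoring informational payload, type INVALID_COOKIE
Sep 28 12:10:37 GATEWAY pluto[8173]: "catfish--gate2--unix" #12373: responding to Main Mode
"""

LINE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (?P<msg>.*)$')
CONN = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<text>.*)$')

def parse(log, year=2005):
    """Yield (time, conn_or_None, text); syslog has no year, so one is assumed."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        c = CONN.match(m['msg'])
        yield (when, c['conn'], c['text']) if c else (when, None, m['msg'])

def find_races(log, window=timedelta(minutes=10)):
    """Return {conn: (initiated_at, responded_at)} for connections where this
    gateway both initiated and responded to a negotiation within `window`."""
    last = {}   # conn -> {"initiating": time, "responding": time}
    races = {}
    for when, conn, text in sorted(parse(log), key=lambda e: e[0]):
        role = text.split(" ", 1)[0]
        if conn is None or role not in ("initiating", "responding"):
            continue
        seen = last.setdefault(conn, {})
        seen[role] = when
        other = seen.get("responding" if role == "initiating" else "initiating")
        if other is not None and abs(when - other) <= window:
            races[conn] = (seen["initiating"], seen["responding"])
    return races

def count_invalid_cookie(log):
    """Count INVALID_COOKIE notifications logged outside any connection."""
    return sum(1 for _, conn, text in parse(log)
               if conn is None and "INVALID_COOKIE" in text)
```

A hit only marks a connection worth looking at on both gateways; either side initiating a rekey is normal on its own.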

