[Openswan Users]
Andy Gay
andy at andynet.net
Tue Aug 1 02:21:02 CEST 2006
On Tue, 2006-08-01 at 00:52 +0000, arno van der walt wrote:
> Hi
>
> We have in the order of 40 VPN tunnels from a Pix firewall to various
> Openswan boxes. Since our initial roll out we've seen that the tunnel would
> drop intermittently. We wrote wrapper scripts and cron'd it to bounce the
> tunnels when they go down by monitoring file build up and icmp timeouts,
> redirects etc.
>
> After about a year of having these VPN tunnels in production we're trying to
> get to the bottom of the VPN drops rather than applying band aids.
>
> The Openswan box is 1.1.1.1 and the Pix is 2.2.2.2. After 75% of the IPSec
> SA timer expires, the pix initiates a rekey. In this particular scenario the
> Openswan box does not rekey but keeps its SA's active which effectively
> renders the tunnels useless, since the two devices cannot establish or agree
> upon the SA.
So are you saying it's OK if Openswan initiates, but it fails if the PIX
initiates? Sounds like a firewall may be getting in your way. Do you
have any iptables rules?
>
> We've dropped the IPSec SA timer down to one hour and our tunnel dropped 45
> minutes into every hour as the Pix tried to rekey. It is currently set to
> 28800 for both SA's.
>
> We're running Fedora Core 4, Openswan 2.4.4, kernel 2.6.17.
>
> Take a look at the DPD, it just keeps on incrementing, almost as if DPD is
> not interoperable.
Maybe you're blocking the DPD traffic? Do you have DPD enabled on the
Openswan box? Can we see logs and configs from it?
(Actually, it seems like you have plutodebug=all set - please don't post
logs in that case....)
>
> Would upgrading to 2.4.5 with the DPD enhancements help? We're fairly open
> to suggestion at this stage.
>
> =======================================================
> Openswan
Is there any way you can stop your mail client from wrapping these
lines?
> ---------------------------------------------------------------------------------------------------------------------------
> [root at bob ~]# /usr/sbin/ipsec auto --status
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 10.1.254.126
> 000 %myid = (none)
> 000 debug
> raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509
This is plutodebug=all, right? Not good for a production server.
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
> keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
> keysizemax=192
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
> keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
> keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
> keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
> keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
> keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000
> 000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,11,36}
> trans={0,11,336} attrs={0,11,224}
> 000
> 000 "tunnelipsec":
> 0.0.0.0/0===10.1.254.126---10.1.254.65...2.2.2.3---2.2.2.2===10.213.27.0/24;
> erouted; eroute owner: #37
> 000 "tunnelipsec": srcip=unset; dstip=unset; srcup=ipsec _updown;
> dstup=ipsec _updown;
> 000 "tunnelipsec": ike_life: 28800s; ipsec_life: 3600s; rekey_margin:
> 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "tunnelipsec": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 0,24;
> interface: eth0;
> 000 "tunnelipsec": newest ISAKMP SA: #35; newest IPsec SA: #37;
> 000 "tunnelipsec": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
> 000 "tunnelipsec": ESP algorithms wanted: 3_000-1, flags=-strict
> 000 "tunnelipsec": ESP algorithms loaded: 3_000-1, flags=-strict
> 000 "tunnelipsec": ESP algorithm newest: 3DES_0-HMAC_MD5;
> pfsgroup=<Phase1>
> 000
> 000 #37: "tunnelipsec":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
> EVENT_SA_REPLACE in 2353s; newest IPSEC; eroute owner
> 000 #37: "tunnelipsec" esp.3fc41a81 at 2.2.2.2 esp.c85a4c49 at 10.1.254.126
> tun.0 at 2.2.2.2 tun.0 at 10.1.254.126
> 000 #35: "tunnelipsec":500 STATE_MAIN_I4 (ISAKMP SA established);
> EVENT_SA_REPLACE in 27590s; newest ISAKMP; lastdpd=311s(seq in:0 out:0)
> 000
>
> =======================================================
> Pix log
> ---------------------------------------------------------------------------------------------------------------------------
> Jul 31 14:15:03 2.2.2.2 Jul 31 2006 14:16:25: %PIX-6-302015: Built outbound
> UDP connection 30673128 for outside:1.1.1.1/500 (1.1.1.1/500) to NP Identity
> Ifc:2.2.2.2/500 (2.2.2.2/500)
> Jul 31 14:15:09 2.2.2.2 Jul 31 2006 14:16:31: %PIX-3-713123: Group =
> 1.1.1.1, IP = 1.1.1.1, IKE lost contact with remote peer, deleting
> connection (keepalive type: DPD)
> Jul 31 14:15:09 2.2.2.2 Jul 31 2006 14:16:31: %PIX-6-602304: IPSEC: An
> inbound LAN-to-LAN SA (SPI= 0x72F45DCB) between 2.2.2.2 and 1.1.1.1 (user=
> 1.1.1.1) has been deleted.
> Jul 31 14:15:09 2.2.2.2 Jul 31 2006 14:16:31: %PIX-6-602304: IPSEC: An
> outbound LAN-to-LAN SA (SPI= 0xCE19C3AE) between 2.2.2.2 and 1.1.1.1 (user=
> 1.1.1.1) has been deleted.
> Jul 31 14:15:09 2.2.2.2 Jul 31 2006 14:16:31: %PIX-3-713902: Group =
> 1.1.1.1, IP = 1.1.1.1, Removing peer from peer table failed, no match!
> Jul 31 14:15:09 2.2.2.2 Jul 31 2006 14:16:31: %PIX-4-713903: Group =
> 1.1.1.1, IP = 1.1.1.1, Error: Unable to remove PeerTblEntry
> Jul 31 14:15:09 2.2.2.2 Jul 31 2006 14:16:31: %PIX-4-113019: Group =
> 1.1.1.1, Username = 1.1.1.1, IP = 1.1.1.1, Session disconnected. Session
> Type: IPSecLAN2LAN, Duration: 0h:24m:19s, Bytes xmt: 642337, Bytes rcv:
> 3623975, Reason: Lost Service
> Jul 31 14:15:15 2.2.2.2 Jul 31 2006 14:16:37: %PIX-5-713041: IP = 1.1.1.1,
> IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1 local Proxy Address
> 10.213.27.0, remote Proxy Address 0.0.0.0, Crypto map (outside_map)
> Jul 31 14:15:47 2.2.2.2 Jul 31 2006 14:17:09: %PIX-3-713902: IP = 1.1.1.1,
> Removing peer from peer table failed, no match!
> Jul 31 14:15:47 2.2.2.2 Jul 31 2006 14:17:09: %PIX-4-713903: IP = 1.1.1.1,
> Error: Unable to remove PeerTblEntry
> Jul 31 14:15:47 2.2.2.2 Jul 31 2006 14:17:09: %PIX-5-713041: IP = 1.1.1.1,
> IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1 local Proxy Address
> 10.213.27.0, remote Proxy Address 0.0.0.0, Crypto map (outside_map)
> Jul 31 14:16:19 2.2.2.2 Jul 31 2006 14:17:41: %PIX-3-713902: IP = 1.1.1.1,
> Removing peer from peer table failed, no match!
> Jul 31 14:16:19 2.2.2.2 Jul 31 2006 14:17:41: %PIX-4-713903: IP = 1.1.1.1,
> Error: Unable to remove PeerTblEntry
> Jul 31 14:16:19 2.2.2.2 Jul 31 2006 14:17:41: %PIX-5-713041: IP = 1.1.1.1,
> IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1 local Proxy Address
> 10.213.27.0, remote Proxy Address 0.0.0.0, Crypto map (outside_map)
> Jul 31 14:16:51 2.2.2.2 Jul 31 2006 14:18:13: %PIX-3-713902: IP = 1.1.1.1,
> Removing peer from peer table failed, no match!
> Jul 31 14:16:51 2.2.2.2 Jul 31 2006 14:18:13: %PIX-4-713903: IP = 1.1.1.1,
> Error: Unable to remove PeerTblEntry
> Jul 31 14:16:51 2.2.2.2 Jul 31 2006 14:18:13: %PIX-5-713041: IP = 1.1.1.1,
> IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1 local Proxy Address
> 10.213.27.0, remote Proxy Address 0.0.0.0, Crypto map (outside_map)
> Jul 31 14:17:23 2.2.2.2 Jul 31 2006 14:18:45: %PIX-3-713902: IP = 1.1.1.1,
> Removing peer from peer table failed, no match!
> Jul 31 14:17:23 2.2.2.2 Jul 31 2006 14:18:45: %PIX-4-713903: IP = 1.1.1.1,
> Error: Unable to remove PeerTblEntry
> Jul 31 14:17:23 2.2.2.2 Jul 31 2006 14:18:45: %PIX-5-713041: IP = 1.1.1.1,
> IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1 local Proxy Address
> 10.213.27.0, remote Proxy Address 0.0.0.0, Crypto map (outside_map)
> Jul 31 14:17:55 2.2.2.2 Jul 31 2006 14:19:17: %PIX-3-713902: IP = 1.1.1.1,
> Removing peer from peer table failed, no match!
> Jul 31 14:17:55 2.2.2.2 Jul 31 2006 14:19:17: %PIX-4-713903: IP = 1.1.1.1,
> Error: Unable to remove PeerTblEntry
> Jul 31 14:17:56 2.2.2.2 Jul 31 2006 14:19:17: %PIX-5-713041: IP = 1.1.1.1,
> IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1 local Proxy Address
> 10.213.27.0, remote Proxy Address 0.0.0.0, Crypto map (outside_map)
> Jul 31 14:18:28 2.2.2.2 Jul 31 2006 14:19:49: %PIX-3-713902: IP = 1.1.1.1,
> Removing peer from peer table failed, no match!
> Jul 31 14:18:28 2.2.2.2 Jul 31 2006 14:19:49: %PIX-4-713903: IP = 1.1.1.1,
> Error: Unable to remove PeerTblEntry
> Jul 31 14:18:28 2.2.2.2 Jul 31 2006 14:19:49: %PIX-5-713041: IP = 1.1.1.1,
> IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1 local Proxy Address
> 10.213.27.0, remote Proxy Address 0.0.0.0, Crypto map (outside_map)
> Jul 31 14:19:00 2.2.2.2 Jul 31 2006 14:20:21: %PIX-3-713902: IP = 1.1.1.1,
> Removing peer from peer table failed, no match!
> Jul 31 14:19:00 2.2.2.2 Jul 31 2006 14:20:21: %PIX-4-713903: IP = 1.1.1.1,
> Error: Unable to remove PeerTblEntry
> Jul 31 14:19:00 2.2.2.2 Jul 31 2006 14:20:21: %PIX-5-713041: IP = 1.1.1.1,
> IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1 local Proxy Address
> 10.213.27.0, remote Proxy Address 0.0.0.0, Crypto map (outside_map)
> Jul 31 14:19:32 2.2.2.2 Jul 31 2006 14:20:53: %PIX-3-713902: IP = 1.1.1.1,
> Removing peer from peer table failed, no match!
> Jul 31 14:19:32 2.2.2.2 Jul 31 2006 14:20:53: %PIX-4-713903: IP = 1.1.1.1,
> Error: Unable to remove PeerTblEntry
> Jul 31 14:19:32 2.2.2.2 Jul 31 2006 14:20:54: %PIX-5-713041: IP = 1.1.1.1,
> IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1 local Proxy Address
> 10.213.27.0, remote Proxy Address 0.0.0.0, Crypto map (outside_map)
> Jul 31 14:20:04 2.2.2.2 Jul 31 2006 14:21:26: %PIX-3-713902: IP = 1.1.1.1,
> Removing peer from peer table failed, no match!
> Jul 31 14:20:04 2.2.2.2 Jul 31 2006 14:21:26: %PIX-4-713903: IP = 1.1.1.1,
> Error: Unable to remove PeerTblEntry
> Jul 31 14:20:04 2.2.2.2 Jul 31 2006 14:21:26: %PIX-5-713041: IP = 1.1.1.1,
> IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1 local Proxy Address
> 10.213.27.0, remote Proxy Address 0.0.0.0, Crypto map (outside_map)
> Jul 31 14:20:36 2.2.2.2 Jul 31 2006 14:21:58: %PIX-3-713902: IP = 1.1.1.1,
> Removing peer from peer table failed, no match!
> Jul 31 14:20:36 2.2.2.2 Jul 31 2006 14:21:58: %PIX-4-713903: IP = 1.1.1.1,
> Error: Unable to remove PeerTblEntry
> Jul 31 14:20:36 2.2.2.2 Jul 31 2006 14:21:58: %PIX-5-713041: IP = 1.1.1.1,
> IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1 local Proxy Address
> 10.213.27.0, remote Proxy Address 0.0.0.0, Crypto map (outside_map)
> Jul 31 14:21:08 2.2.2.2 Jul 31 2006 14:22:30: %PIX-3-713902: IP = 1.1.1.1,
> Removing peer from peer table failed, no match!
> Jul 31 14:21:08 2.2.2.2 Jul 31 2006 14:22:30: %PIX-4-713903: IP = 1.1.1.1,
> Error: Unable to remove PeerTblEntry
> Jul 31 14:21:08 2.2.2.2 Jul 31 2006 14:22:30: %PIX-5-713041: IP = 1.1.1.1,
> IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1 local Proxy Address
> 10.213.27.0, remote Proxy Address 0.0.0.0, Crypto map (outside_map)
> Jul 31 14:21:40 2.2.2.2 Jul 31 2006 14:23:02: %PIX-3-713902: IP = 1.1.1.1,
> Removing peer from peer table failed, no match!
> Jul 31 14:21:40 2.2.2.2 Jul 31 2006 14:23:02: %PIX-4-713903: IP = 1.1.1.1,
> Error: Unable to remove PeerTblEntry
> Jul 31 14:21:40 2.2.2.2 Jul 31 2006 14:23:02: %PIX-5-713041: IP = 1.1.1.1,
> IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1 local Proxy Address
> 10.213.27.0, remote Proxy Address 0.0.0.0, Crypto map (outside_map)
> Jul 31 14:22:12 2.2.2.2 Jul 31 2006 14:23:34: %PIX-3-713902: IP = 1.1.1.1,
> Removing peer from peer table failed, no match!
> Jul 31 14:22:12 2.2.2.2 Jul 31 2006 14:23:34: %PIX-4-713903: IP = 1.1.1.1,
> Error: Unable to remove PeerTblEntry
> Jul 31 14:22:12 2.2.2.2 Jul 31 2006 14:23:34: %PIX-5-713041: IP = 1.1.1.1,
> IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1 local Proxy Address
> 10.213.27.0, remote Proxy Address 0.0.0.0, Crypto map (outside_map)
> Jul 31 14:22:44 2.2.2.2 Jul 31 2006 14:24:06: %PIX-3-713902: IP = 1.1.1.1,
> Removing peer from peer table failed, no match!
> Jul 31 14:22:44 2.2.2.2 Jul 31 2006 14:24:06: %PIX-4-713903: IP = 1.1.1.1,
> Error: Unable to remove PeerTblEntry
> Jul 31 14:22:45 2.2.2.2 Jul 31 2006 14:24:07: %PIX-5-713041: IP = 1.1.1.1,
> IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1 local Proxy Address
> 10.213.27.0, remote Proxy Address 0.0.0.0, Crypto map (outside_map)
> Jul 31 14:23:17 2.2.2.2 Jul 31 2006 14:24:39: %PIX-3-713902: IP = 1.1.1.1,
> Removing peer from peer table failed, no match!
> Jul 31 14:23:17 2.2.2.2 Jul 31 2006 14:24:39: %PIX-4-713903: IP = 1.1.1.1,
> Error: Unable to remove PeerTblEntry
> Jul 31 14:23:17 2.2.2.2 Jul 31 2006 14:24:39: %PIX-5-713041: IP = 1.1.1.1,
> IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1 local Proxy Address
> 10.213.27.0, remote Proxy Address 0.0.0.0, Crypto map (outside_map)
> Jul 31 14:23:49 2.2.2.2 Jul 31 2006 14:25:11: %PIX-3-713902: IP = 1.1.1.1,
> Removing peer from peer table failed, no match!
> Jul 31 14:23:49 2.2.2.2 Jul 31 2006 14:25:11: %PIX-4-713903: IP = 1.1.1.1,
> Error: Unable to remove PeerTblEntry
> Jul 31 14:23:50 2.2.2.2 Jul 31 2006 14:25:11: %PIX-5-713041: IP = 1.1.1.1,
> IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1 local Proxy Address
> 10.213.27.0, remote Proxy Address 0.0.0.0, Crypto map (outside_map)
> Jul 31 14:24:22 2.2.2.2 Jul 31 2006 14:25:43: %PIX-3-713902: IP = 1.1.1.1,
> Removing peer from peer table failed, no match!
> Jul 31 14:24:22 2.2.2.2 Jul 31 2006 14:25:43: %PIX-4-713903: IP = 1.1.1.1,
> Error: Unable to remove PeerTblEntry
> Jul 31 14:24:22 2.2.2.2 Jul 31 2006 14:25:44: %PIX-5-713041: IP = 1.1.1.1,
> IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1 local Proxy Address
> 10.213.27.0, remote Proxy Address 0.0.0.0, Crypto map (outside_map)
> Jul 31 14:24:44 2.2.2.2 Jul 31 2006 14:26:05: %PIX-5-713904: IP = 1.1.1.1,
> Received encrypted packet with no matching SA, dropping
> Jul 31 14:24:45 2.2.2.2 Jul 31 2006 14:26:06: %PIX-5-713904: IP = 1.1.1.1,
> Received encrypted packet with no matching SA, dropping
> Jul 31 14:25:00 2.2.2.2 Jul 31 2006 14:26:21: %PIX-4-713903: Group =
> 1.1.1.1, IP = 1.1.1.1, Freeing previously allocated memory for
> authorization-dn-attributes
> Jul 31 14:25:00 2.2.2.2 Jul 31 2006 14:26:21: %PIX-6-113009: AAA retrieved
> default group policy (DfltGrpPolicy) for user = 1.1.1.1
> Jul 31 14:25:00 2.2.2.2 Jul 31 2006 14:26:21: %PIX-3-713119: Group =
> 1.1.1.1, IP = 1.1.1.1, PHASE 1 COMPLETED
> Jul 31 14:25:01 2.2.2.2 Jul 31 2006 14:26:23: %PIX-5-713201: Group =
> 1.1.1.1, IP = 1.1.1.1, Duplicate Phase 1 packet detected. Retransmitting
> last packet.
> Jul 31 14:25:01 2.2.2.2 Jul 31 2006 14:26:23: %PIX-6-713905: Group =
> 1.1.1.1, IP = 1.1.1.1, P1 Retransmit msg dispatched to MM FSM
> Jul 31 14:25:11 2.2.2.2 Jul 31 2006 14:26:33: %PIX-6-602303: IPSEC: An
> outbound LAN-to-LAN SA (SPI= 0xC85A4C49) between 2.2.2.2 and 1.1.1.1 (user=
> 1.1.1.1) has been created.
> Jul 31 14:25:11 2.2.2.2 Jul 31 2006 14:26:33: %PIX-5-713049: Group =
> 1.1.1.1, IP = 1.1.1.1, Security negotiation complete for LAN-to-LAN Group
> (1.1.1.1) Responder, Inbound SPI = 0x3fc41a81, Outbound SPI = 0xc85a4c49
> Jul 31 14:25:11 2.2.2.2 Jul 31 2006 14:26:33: %PIX-6-602303: IPSEC: An
> inbound LAN-to-LAN SA (SPI= 0x3FC41A81) between 2.2.2.2 and 1.1.1.1 (user=
> 1.1.1.1) has been created.
> Jul 31 14:25:11 2.2.2.2 Jul 31 2006 14:26:33: %PIX-6-713905: Group =
> 1.1.1.1, IP = 1.1.1.1, Starting P2 Rekey timer to expire in 3056 seconds
> Jul 31 14:25:11 2.2.2.2 Jul 31 2006 14:26:33: %PIX-5-713120: Group =
> 1.1.1.1, IP = 1.1.1.1, PHASE 2 COMPLETED (msgid=e62e3d43)
> Jul 31 14:25:12 2.2.2.2 Jul 31 2006 14:26:34: %PIX-5-713201: Group =
> 1.1.1.1, IP = 1.1.1.1, Duplicate Phase 1 packet detected. No last packet to
> retransmit.
> Jul 31 14:25:23 2.2.2.2 Jul 31 2006 14:26:45: %PIX-5-713136: IP = 1.1.1.1,
> IKE session establishment timed out [MM_WAIT_MSG4], aborting!
> Jul 31 14:25:32 2.2.2.2 Jul 31 2006 14:26:53: %PIX-5-713201: Group =
> 1.1.1.1, IP = 1.1.1.1, Duplicate Phase 1 packet detected. No last packet to
> retransmit.
> Jul 31 14:27:36 2.2.2.2 Jul 31 2006 14:28:58: %PIX-6-302016: Teardown UDP
> connection 30673128 for outside:1.1.1.1/500 to NP Identity Ifc:2.2.2.2/500
> duration 0:12:32 bytes 28360
>
>
>
> Session Type: LAN-to-LAN Detailed
>
> Connection : 1.1.1.1
> Index : 33 IP Addr : 1.1.1.1
> Protocol : IPSecLAN2LAN Encryption : 3DES
> Hashing : MD5
> Bytes Tx : 798078 Bytes Rx : 128975
> Login Time : 14:26:21 UTC Mon Jul 31 2006
> Duration : 0h:05m:21s
> Filter Name :
>
> IKE Sessions: 1 IPSec Sessions: 1
>
> IKE:
> Session ID : 1
> UDP Src Port : 500 UDP Dst Port : 500
> IKE Neg Mode : Main Auth Mode : preSharedKeys
> Encryption : 3DES Hashing : MD5
> Rekey Int (T): 28800 Seconds Rekey Left(T): 28480 Seconds
> D/H Group : 2
>
> IPSec:
> Session ID : 2
> Local Addr : 10.213.27.0/255.255.255.0/0/0
> Remote Addr : 0.0.0.0/0.0.0.0/0/0
> Encryption : 3DES Hashing : MD5
> Encapsulation: Tunnel PFS Group : 2
> Rekey Int (T): 3600 Seconds Rekey Left(T): 3292 Seconds
> Idle Time Out: 30 Minutes Idle TO Left : 30 Minutes
> Bytes Tx : 798078 Bytes Rx : 128975
> Pkts Tx : 1771 Pkts Rx : 1597
>
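Added example (not part of the original post, and not Openswan or Cisco code): a short Python script that reads PIX syslog lines like those quoted above and reports, per peer, how long the tunnel was down, how many Phase 1 attempts the PIX started as initiator, and which role the PIX held when the tunnel finally came back. The sample lines are constructed (unwrapped and shortened) and the function name is hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: unwrapped lines modelled on the PIX log quoted above,
# with the Phase 1 retry loop shortened to three attempts.
SAMPLE = """\
Jul 31 2006 14:16:31: %PIX-3-713123: Group = 1.1.1.1, IP = 1.1.1.1, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Jul 31 2006 14:16:37: %PIX-5-713041: IP = 1.1.1.1, IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1
Jul 31 2006 14:17:09: %PIX-5-713041: IP = 1.1.1.1, IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1
Jul 31 2006 14:17:41: %PIX-5-713041: IP = 1.1.1.1, IKE Initiator: New Phase 1, Intf 6, IKE Peer 1.1.1.1
Jul 31 2006 14:26:21: %PIX-3-713119: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 1 COMPLETED
Jul 31 2006 14:26:33: %PIX-5-713049: Group = 1.1.1.1, IP = 1.1.1.1, Security negotiation complete for LAN-to-LAN Group (1.1.1.1) Responder, Inbound SPI = 0x3fc41a81, Outbound SPI = 0xc85a4c49
Jul 31 2006 14:26:33: %PIX-5-713120: Group = 1.1.1.1, IP = 1.1.1.1, PHASE 2 COMPLETED (msgid=e62e3d43)
"""

# PIX timestamp, message id and message text; search() skips any syslog prefix.
LINE = re.compile(r"(\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %PIX-\d-(\d{6}): (.*)")
PEER = re.compile(r"IP = ([\d.]+)")
ROLE = re.compile(r"\b(Initiator|Responder),")


def summarize_outages(text):
    """Return one record per outage: DPD loss (713123) to PHASE 2 COMPLETED (713120)."""
    in_progress = {}   # peer IP -> outage record still open
    finished = []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
        msg_id, body = m.group(2), m.group(3)
        peer = PEER.search(body)
        if not peer:
            continue
        ip = peer.group(1)
        if msg_id == "713123":            # IKE lost contact with remote peer
            in_progress[ip] = {"peer": ip, "down_at": when,
                               "attempts": 0, "pix_role": None}
        elif ip in in_progress:
            outage = in_progress[ip]
            if msg_id == "713041":        # PIX starts a new Phase 1 as initiator
                outage["attempts"] += 1
            elif msg_id == "713049":      # negotiation complete, role is stated
                role = ROLE.search(body)
                outage["pix_role"] = role.group(1) if role else None
            elif msg_id == "713120":      # PHASE 2 COMPLETED: tunnel is back
                outage["outage_s"] = int((when - outage["down_at"]).total_seconds())
                finished.append(in_progress.pop(ip))
    return finished


if __name__ == "__main__":
    for record in summarize_outages(SAMPLE):
        print(record)
```

A long run of initiator attempts that ends with the PIX recovering as Responder is consistent with the question in the reply: negotiations started by the PIX go unanswered, while the one started by Openswan completes.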