[Openswan Users] Openswan and Nortel Switch deleting ISAKMP

Peter McGill petermcgill at goco.net
Tue Aug 1 09:23:53 EDT 2006


I've had this problem now for about 8 months.

At varying times and for varying lengths of time,
no traffic may pass through the connection.
If I wait, it fixes itself after a while, or if I
reset Openswan the problem is fixed right away.

I have searched the list archives, and posted
before, but have not yet found a solution.

It would seem that the problem is bracketed by:
Jul 27 16:21:44 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: received Delete SA payload:
deleting ISAKMP State #444
Jul 27 16:21:44 sheridan pluto[1671]: packet from 199.212.129.226:500:
received and ignored informational message
...and...
Jul 27 17:10:11 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #461: STATE_QUICK_I2: sent QI2,
IPsec SA established {ESP=>0x0013419d <0xb8629178 xfrm=3DES_0-HMAC_MD5
NATD=none DPD=none}
Jul 27 17:10:11 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #461: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP to replace #447 {using isakmp#448}
Jul 27 17:10:11 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #461: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2

Has anyone else experienced this? How do I fix it?

I'm presently running:
Linux Openswan 2.4.4 (klips)
Linux Kernel 2.4.31

ipsec.conf:
version 2.0

config setup
        interfaces=%defaultroute
        uniqueids=yes

include /etc/ipsec.d/examples/no_oe.conf

conn sunoco-172-16-19-net-to-london-office-net
        left=66.11.74.93
        leftnexthop=%defaultroute
        leftsubnet=172.21.0.0/16
        alsoflip=sunoco-toronto
        rightsubnet=172.16.0.0/14
        auto=start

conn sunoco-172-26-net-to-london-office-net
        left=66.11.74.93
        leftnexthop=%defaultroute
        leftsubnet=172.21.0.0/16
        alsoflip=sunoco-toronto
        rightsubnet=172.26.0.0/16
        auto=start

conn sunoco-192-168-net-to-london-office-net
        left=66.11.74.93
        leftnexthop=%defaultroute
        leftsubnet=172.21.0.0/16
        alsoflip=sunoco-toronto
        rightsubnet=192.168.0.0/16
        auto=start

# conn sunoco-24-net-to-london-office-net
#       left=66.11.74.93
#       leftnexthop=%defaultroute
#       leftsubnet=172.21.0.0/16
#       alsoflip=sunoco-toronto
#       rightsubnet=172.24.0.0/16
#       auto=start

conn sunoco-toronto
        left=199.212.129.226
        leftnexthop=%defaultroute
        # leftid=@toronto.sunoco.ca
        also=sunoco

# conn sunoco-calgary
#       left=199.85.9.226
#       leftnexthop=%defaultroute
#       # leftid=@calgary.sunoco.ca
#       also=sunoco

conn sunoco
        # keyexchange=ike
        # aggrmode=no
        # auth=esp
        # 3des-md5-modp1024
        ike=3des
        esp=3des
        # pfs=yes
        # ikelifetime=1.0h
        # keylife=8.0h
        keylife=1.0h
        # rekey=yes
        # compress=yes
        compress=no
        # keyingtries=%forever
        # dpddelay=30
        # dpdtimeout=120
        # dpdaction=hold
        authby=secret

I believe the Nortel settings are as follows:
(But am not 100% sure, as it's not my switch,
and the owners are not good at replying to me.)
Nortel Contivity VPN Switch 1700?
Group:
Connectivity:
Nailed Up: Enabled
Access Hours: Anytime
Idle Timeout: 00:00:00
Forced Logoff: 00:00:00
IPSec:
Encryption:
- ESP - Triple DES with MD5 Integrity: Enabled
IKE Encryption and Diffie-Hellman Group: Triple DES with Group 2 (1024-bit
prime)
Aggressive Mode ISAKMP Initial Contact Payload: Disabled
Perfect Forward Secrecy: Enabled
Compression: Disabled
Rekey Timeout: 01:00:00
Rekey Data Count: (None)
Connection:
Control Tunnel: Enabled/Disabled?
Tunnel Type: IPSec
Connection Type: Sunoco - Responder, Fromet - Initiator
Authentication: Text Pre-Shared Key

Fromet:
IP: 66.11.74.93
Net: 172.21.0.0/16 (172.21.0.0 255.255.0.0)
Sunoco:
IP: 199.212.129.226
Net(s): 172.16.0.0/14 (172.16.0.0 255.252.0.0), 172.26.0.0/16 (172.26.0.0
255.255.0.0), 192.168.0.0/16 (192.168.0.0 255.255.0.0)

I've been running a test of the connection.
Every 5 minutes between 8 and 6, Mon to Fri,
I connect to a webserver on the other side.
sunsbc (172.26.36.204)

I have logged the results, as well as the connection logs for
all of July.

Here is a small relevant portion:
Thu Jul 27 16:05:01 EDT 2006 Connected Successfully to sunsbc.
Thu Jul 27 16:10:01 EDT 2006 Connected Successfully to sunsbc.
Thu Jul 27 16:15:02 EDT 2006 Connected Successfully to sunsbc.
Thu Jul 27 16:20:02 EDT 2006 Connected Successfully to sunsbc.
Thu Jul 27 16:26:01 EDT 2006 Failed to Connect to sunsbc.
Thu Jul 27 16:31:01 EDT 2006 Failed to Connect to sunsbc.
Thu Jul 27 16:36:01 EDT 2006 Failed to Connect to sunsbc.
Thu Jul 27 16:41:01 EDT 2006 Failed to Connect to sunsbc.
Thu Jul 27 16:46:01 EDT 2006 Failed to Connect to sunsbc.
Thu Jul 27 16:51:01 EDT 2006 Failed to Connect to sunsbc.
Thu Jul 27 16:56:01 EDT 2006 Failed to Connect to sunsbc.
Thu Jul 27 17:01:01 EDT 2006 Failed to Connect to sunsbc.
Thu Jul 27 17:06:01 EDT 2006 Failed to Connect to sunsbc.
Thu Jul 27 17:10:46 EDT 2006 Connected Successfully to sunsbc.
Thu Jul 27 17:15:02 EDT 2006 Connected Successfully to sunsbc.
...
Mon Jul 31 08:25:01 EDT 2006 Connected Successfully to sunsbc.
Mon Jul 31 08:30:01 EDT 2006 Connected Successfully to sunsbc.
Mon Jul 31 08:35:02 EDT 2006 Connected Successfully to sunsbc.
Mon Jul 31 08:40:02 EDT 2006 Connected Successfully to sunsbc.
Mon Jul 31 08:45:02 EDT 2006 Connected Successfully to sunsbc.
Mon Jul 31 08:51:01 EDT 2006 Failed to Connect to sunsbc.
Mon Jul 31 08:56:01 EDT 2006 Failed to Connect to sunsbc.
Mon Jul 31 09:01:01 EDT 2006 Failed to Connect to sunsbc.
Mon Jul 31 09:06:01 EDT 2006 Failed to Connect to sunsbc.
Mon Jul 31 09:10:11 EDT 2006 Connected Successfully to sunsbc.
Mon Jul 31 09:15:05 EDT 2006 Connected Successfully to sunsbc.

Jul 27 16:06:38 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: I did not send a certificate
because I do not have one.
Jul 27 16:06:38 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: Main mode peer ID is
ID_IPV4_ADDR: '199.212.129.226'
Jul 27 16:06:38 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: STATE_MAIN_I2: sent MI2,
expecting MR2
Jul 27 16:06:38 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: STATE_MAIN_I3: sent MI3,
expecting MR3
Jul 27 16:06:38 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_md5 group=modp1024}
Jul 27 16:06:38 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: ignoring unknown Vendor ID
payload [424e455300000005]
Jul 27 16:06:38 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: initiating Main Mode to
replace #428
Jul 27 16:06:38 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: received Vendor ID payload
[Dead Peer Detection]
Jul 27 16:06:38 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 27 16:06:38 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 27 16:06:38 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 27 16:21:44 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: received Delete SA payload:
deleting ISAKMP State #444
Jul 27 16:21:44 sheridan pluto[1671]: packet from 199.212.129.226:500:
received and ignored informational message
Jul 27 16:23:37 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #447: STATE_QUICK_I2: sent QI2,
IPsec SA established {ESP=>0x001b790a <0xb862916f xfrm=3DES_0-HMAC_MD5
NATD=none DPD=none}
Jul 27 16:23:37 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #447: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP to replace #431 {using isakmp#428}
Jul 27 16:23:37 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #447: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 27 16:24:20 sheridan pluto[1671]: packet from 199.212.129.226:500:
Informational Exchange is for an unknown (expired?) SA
Jul 27 16:32:05 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #448: STATE_MAIN_I2: sent MI2,
expecting MR2
Jul 27 16:32:05 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #448: ignoring unknown Vendor ID
payload [424e455300000005]
Jul 27 16:32:05 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #448: initiating Main Mode
Jul 27 16:32:05 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #448: received Vendor ID payload
[Dead Peer Detection]
Jul 27 16:32:05 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #448: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 27 16:32:06 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #448: I did not send a certificate
because I do not have one.
Jul 27 16:32:06 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #448: Main mode peer ID is
ID_IPV4_ADDR: '199.212.129.226'
Jul 27 16:32:06 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #448: STATE_MAIN_I3: sent MI3,
expecting MR3
Jul 27 16:32:06 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #448: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_md5 group=modp1024}
Jul 27 16:32:06 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #448: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 27 16:32:06 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #448: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 27 16:32:06 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #449: STATE_QUICK_I2: sent QI2,
IPsec SA established {ESP=>0x0005bd4d <0xb8629170 xfrm=3DES_0-HMAC_MD5
NATD=none DPD=none}
Jul 27 16:32:06 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #449: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#448}
Jul 27 16:32:06 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #449: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 27 16:38:44 sheridan pluto[1671]:
"sunoco-172-16-19-net-to-london-office-net" #450: STATE_QUICK_R1: sent QR1,
inbound IPsec SA installed, expecting QI2
Jul 27 16:38:44 sheridan pluto[1671]:
"sunoco-172-16-19-net-to-london-office-net" #450: STATE_QUICK_R2: IPsec SA
established {ESP=>0x000f69e4 <0xb8629171 xfrm=AES_0-HMAC_SHA1 NATD=none
DPD=none}
Jul 27 16:38:44 sheridan pluto[1671]:
"sunoco-172-16-19-net-to-london-office-net" #450: responding to Quick Mode
{msgid:b74fc8ea}
Jul 27 16:38:44 sheridan pluto[1671]:
"sunoco-172-16-19-net-to-london-office-net" #450: transition from state
STATE_QUICK_R0 to state STATE_QUICK_R1
Jul 27 16:38:44 sheridan pluto[1671]:
"sunoco-172-16-19-net-to-london-office-net" #450: transition from state
STATE_QUICK_R1 to state STATE_QUICK_R2
Jul 27 17:10:11 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #461: STATE_QUICK_I2: sent QI2,
IPsec SA established {ESP=>0x0013419d <0xb8629178 xfrm=3DES_0-HMAC_MD5
NATD=none DPD=none}
Jul 27 17:10:11 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #461: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP to replace #447 {using isakmp#448}
Jul 27 17:10:11 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #461: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
...
Jul 31 08:24:18 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #408: STATE_QUICK_I2: sent QI2,
IPsec SA established {ESP=>0x00233fe4 <0xfb351971 xfrm=3DES_0-HMAC_MD5
NATD=none DPD=none}
Jul 31 08:24:18 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #408: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP to replace #398 {using isakmp#400}
Jul 31 08:24:18 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #408: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 31 08:35:53 sheridan pluto[1671]:
"sunoco-172-16-19-net-to-london-office-net" #410: STATE_QUICK_I2: sent QI2,
IPsec SA established {ESP=>0x0006f2a7 <0xfb351972 xfrm=3DES_0-HMAC_MD5
NATD=none DPD=none}
Jul 31 08:35:53 sheridan pluto[1671]:
"sunoco-172-16-19-net-to-london-office-net" #410: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP to replace #403 {using isakmp#400}
Jul 31 08:35:53 sheridan pluto[1671]:
"sunoco-172-16-19-net-to-london-office-net" #410: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 31 08:36:26 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #411: I did not send a certificate
because I do not have one.
Jul 31 08:36:26 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #411: Main mode peer ID is
ID_IPV4_ADDR: '199.212.129.226'
Jul 31 08:36:26 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #411: STATE_MAIN_I2: sent MI2,
expecting MR2
Jul 31 08:36:26 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #411: STATE_MAIN_I3: sent MI3,
expecting MR3
Jul 31 08:36:26 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #411: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_md5 group=modp1024}
Jul 31 08:36:26 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #411: ignoring unknown Vendor ID
payload [424e455300000005]
Jul 31 08:36:26 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #411: initiating Main Mode to
replace #400
Jul 31 08:36:26 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #411: received Vendor ID payload
[Dead Peer Detection]
Jul 31 08:36:26 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #411: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 31 08:36:26 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #411: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 31 08:36:26 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #411: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 31 08:48:07 sheridan pluto[1671]: packet from 199.212.129.226:500:
Informational Exchange is for an unknown (expired?) SA
Jul 31 08:51:38 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #411: received Delete SA payload:
deleting ISAKMP State #411
Jul 31 08:51:38 sheridan pluto[1671]: packet from 199.212.129.226:500:
received and ignored informational message
Jul 31 08:58:56 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #418: I did not send a certificate
because I do not have one.
Jul 31 08:58:56 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #418: Main mode peer ID is
ID_IPV4_ADDR: '199.212.129.226'
Jul 31 08:58:56 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #418: STATE_MAIN_R1: sent MR1,
expecting MI2
Jul 31 08:58:56 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #418: STATE_MAIN_R2: sent MR2,
expecting MI3
Jul 31 08:58:56 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #418: STATE_MAIN_R3: sent MR3,
ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_md5 group=modp1024}
Jul 31 08:58:56 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #418: ignoring informational
payload, type IPSEC_INITIAL_CONTACT
Jul 31 08:58:56 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #418: responding to Main Mode
Jul 31 08:58:56 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #418: transition from state
STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 31 08:58:56 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #418: transition from state
STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 31 08:58:56 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #418: transition from state
STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 31 08:58:56 sheridan pluto[1671]: packet from 199.212.129.226:500:
ignoring unknown Vendor ID payload [424e455300000005]
Jul 31 08:58:56 sheridan pluto[1671]: packet from 199.212.129.226:500:
received Vendor ID payload [Dead Peer Detection]
Jul 31 08:58:57 sheridan pluto[1671]:
"sunoco-172-16-19-net-to-london-office-net" #419: STATE_QUICK_R1: sent QR1,
inbound IPsec SA installed, expecting QI2
Jul 31 08:58:57 sheridan pluto[1671]:
"sunoco-172-16-19-net-to-london-office-net" #419: STATE_QUICK_R2: IPsec SA
established {ESP=>0x001fe779 <0xfb351974 xfrm=AES_0-HMAC_SHA1 NATD=none
DPD=none}
Jul 31 08:58:57 sheridan pluto[1671]:
"sunoco-172-16-19-net-to-london-office-net" #419: responding to Quick Mode
{msgid:37fc967e}
Jul 31 08:58:57 sheridan pluto[1671]:
"sunoco-172-16-19-net-to-london-office-net" #419: transition from state
STATE_QUICK_R0 to state STATE_QUICK_R1
Jul 31 08:58:57 sheridan pluto[1671]:
"sunoco-172-16-19-net-to-london-office-net" #419: transition from state
STATE_QUICK_R1 to state STATE_QUICK_R2
Jul 31 09:10:04 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #424: STATE_QUICK_I2: sent QI2,
IPsec SA established {ESP=>0x000b7df2 <0xfb351977 xfrm=3DES_0-HMAC_MD5
NATD=none DPD=none}
Jul 31 09:10:04 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #424: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP to replace #408 {using isakmp#418}
Jul 31 09:10:04 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #424: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2


Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited
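The probe-and-log correlation the post describes (a reachability check every 5 minutes, kept alongside the pluto log), as an added example that is not part of the original post or of Openswan: it re-joins the mail-wrapped pluto records, finds each outage window in the probe log, and lists the IKE events (Delete SA from the peer, ISAKMP/IPsec SA established, informational exchange for an unknown SA) that fall between the last good probe and the first good probe after. The sample input is constructed from the lines quoted above; the year 2006 for the syslog timestamps is an assumption, since syslog lines carry no year.

```python
"""Correlate a periodic reachability probe log with pluto (Openswan IKE daemon)
log events to see which IKE/IPsec events bracket each outage."""
import re
from datetime import datetime

# Constructed sample input, taken from the lines quoted in the post.
PROBE_LOG = """\
Thu Jul 27 16:15:02 EDT 2006 Connected Successfully to sunsbc.
Thu Jul 27 16:20:02 EDT 2006 Connected Successfully to sunsbc.
Thu Jul 27 16:26:01 EDT 2006 Failed to Connect to sunsbc.
Thu Jul 27 16:31:01 EDT 2006 Failed to Connect to sunsbc.
...
Thu Jul 27 17:06:01 EDT 2006 Failed to Connect to sunsbc.
Thu Jul 27 17:10:46 EDT 2006 Connected Successfully to sunsbc.
Thu Jul 27 17:15:02 EDT 2006 Connected Successfully to sunsbc.
"""

# pluto records as they appear when wrapped by a mail client (one record
# spans several lines; only the first starts with a syslog timestamp).
PLUTO_LOG = """\
Jul 27 16:06:38 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_md5 group=modp1024}
Jul 27 16:21:44 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: received Delete SA payload:
deleting ISAKMP State #444
Jul 27 16:21:44 sheridan pluto[1671]: packet from 199.212.129.226:500:
received and ignored informational message
Jul 27 16:23:37 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #447: STATE_QUICK_I2: sent QI2,
IPsec SA established {ESP=>0x001b790a <0xb862916f xfrm=3DES_0-HMAC_MD5
NATD=none DPD=none}
Jul 27 16:24:20 sheridan pluto[1671]: packet from 199.212.129.226:500:
Informational Exchange is for an unknown (expired?) SA
Jul 27 17:10:11 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #461: STATE_QUICK_I2: sent QI2,
IPsec SA established {ESP=>0x0013419d <0xb8629178 xfrm=3DES_0-HMAC_MD5
NATD=none DPD=none}
"""

SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (\S+) pluto\[\d+\]: ?(.*)$")
PROBE_RE = re.compile(r"^[A-Za-z]{3} ([A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (\d{4}) "
                      r"(Connected Successfully|Failed to Connect)\b")
STATE_RE = re.compile(r'^"([^"]+)" #(\d+): (.*)$')

# Message fragments worth flagging when they fall inside an outage window.
INTERESTING = ("received Delete SA payload", "ISAKMP SA established",
               "IPsec SA established", "unknown (expired?) SA")


def parse_probe_log(text):
    """Return [(datetime, ok)] from the probe log; lines like '...' are skipped."""
    out = []
    for line in text.splitlines():
        m = PROBE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%b %d %H:%M:%S %Y")
            out.append((ts, m.group(3) == "Connected Successfully"))
    return out


def join_syslog_continuations(text):
    """Re-join wrapped pluto records: a line without a syslog timestamp
    belongs to the record before it."""
    records = []
    for line in text.splitlines():
        if SYSLOG_RE.match(line):
            records.append(line)
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records


def parse_pluto_log(text, year):
    """Return [(datetime, conn, state_no, message)]; conn and state_no are
    None for messages not tied to a state (e.g. 'packet from ...')."""
    events = []
    for rec in join_syslog_continuations(text):
        m = SYSLOG_RE.match(rec)
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
        sm = STATE_RE.match(m.group(3))
        if sm:
            events.append((ts, sm.group(1), int(sm.group(2)), sm.group(3)))
        else:
            events.append((ts, None, None, m.group(3)))
    return events


def find_outages(probes):
    """Return [(last_ok, first_fail, next_ok)] for every run of failed probes
    that has a successful probe on both sides."""
    outages, last_ok, first_fail = [], None, None
    for ts, ok in probes:
        if ok:
            if first_fail is not None and last_ok is not None:
                outages.append((last_ok, first_fail, ts))
            first_fail, last_ok = None, ts
        elif first_fail is None:
            first_fail = ts
    return outages


def correlate(outages, events):
    """Attach to each outage the interesting pluto events inside its window."""
    result = []
    for last_ok, first_fail, next_ok in outages:
        hits = [e for e in events
                if last_ok <= e[0] <= next_ok and any(k in e[3] for k in INTERESTING)]
        result.append({"last_ok": last_ok, "first_fail": first_fail,
                       "next_ok": next_ok, "events": hits})
    return result


def report(probe_text=PROBE_LOG, pluto_text=PLUTO_LOG, year=2006):
    return correlate(find_outages(parse_probe_log(probe_text)),
                     parse_pluto_log(pluto_text, year))


if __name__ == "__main__":
    for o in report():
        print(f"outage: last ok {o['last_ok']}, first fail {o['first_fail']}, restored {o['next_ok']}")
        for ts, conn, state, msg in o["events"]:
            print(f"  {ts} {conn or '-'} #{state or '-'}: {msg[:60]}")
```

On the sample above the single outage window (last good probe 16:20:02, restored 17:10:46) contains the peer's Delete SA for ISAKMP state #444 at 16:21:44, the IPsec SA #447 established at 16:23:37 that did not restore traffic, the informational exchange for an unknown SA at 16:24:20, and the IPsec SA #461 at 17:10:11 after which the probe succeeded again, which is the same bracket the post identifies by hand. Run against the full month of logs, the script gives one such event list per outage and makes it easy to see whether every outage starts with a Delete SA from the peer.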


