[Openswan Users] Openswan and Nortel Switch deleting ISAKMP

Peter McGill petermcgill at goco.net
Thu Aug 3 10:49:52 EDT 2006


----- Original Message ----- 
From: "Paul Wouters" <paul at xelerance.com>
To: "Peter McGill" <petermcgill at goco.net>
Cc: <users at openswan.org>
Sent: Thursday, August 03, 2006 3:16 PM
Subject: Re: [Openswan Users] Openswan and Nortel Switch deleting ISAKMP


> On Tue, 1 Aug 2006, Peter McGill wrote:
>
>> It would seem that the problem is bracketed by:
>> Jul 27 16:21:44 sheridan pluto[1671]:
>> "sunoco-172-26-net-to-london-office-net" #444: received Delete SA 
>> payload:
>> deleting ISAKMP State #444
>> Jul 27 16:21:44 sheridan pluto[1671]: packet from 199.212.129.226:500:
>> received and ignored informational message
>> ...and...
>> Jul 27 17:10:11 sheridan pluto[1671]:
>> "sunoco-172-26-net-to-london-office-net" #461: STATE_QUICK_I2: sent QI2,
>> IPsec SA established {ESP=>0x0013419d <0xb8629178 xfrm=3DES_0-HMAC_MD5
>> NATD=none DPD=none}
>
> I would expect auto=start to immediately restart the deleted connection...
>
>> Has anyone else experienced this? How do I fix it?
>
> Obviously, the other end should not delete the connection, so the fix
> is on that end. As a workaround, try:
>
> ikelifetime=30m
>
> This will cause openswan to rekey the isakmp before the nortel expires it
> (at around an hour?)
>
> Paul
> -- 
> Building and integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

Already tried adjusting both lifetime values up and down, didn't work.
And just before the connection drops, I've just finished renewing it.
From the logs below, this is what it looks like to me is happening.

A random few minutes before the ISAKMP SA expires, Openswan renegotiates it.
The old ISAKMP SA expires, and the Nortel sends Delete ISAKMP SA.
(Sometimes the Nortel deletes the old ISAKMP, sometimes the new one.
Obviously a Nortel bug there, but I can't help that.)
If the new ISAKMP SA is deleted, Openswan immediately negotiates a new one.
So right now, ISAKMP is valid.
However, traffic stops between the Openswan and the Nortel.
I'm guessing it's because the IPsec SAs for the subnet are still based on
the old, deleted ISAKMP SA; they have not been renegotiated yet.
It seems that the Nortel considers them invalid because they are based on an
expired ISAKMP SA, but Openswan still considers them valid because they have
not expired themselves?
I'm not sure who is right, logically, but they don't seem to agree, and this
is a problem.
I'm no IPsec expert, so I could be wrong, but this is my guess based on what
I'm seeing.
This continues until the IPsec SA for the subnet is about to expire; then
Openswan renegotiates it, and communication is restored, until the next time.

Changing the lifetimes does not seem to erase the problem, only adjust the
frequency and duration. Larger ikelifetimes reduce the frequency, and smaller
keylifes reduce the duration.

Peter McGill

Jul 27 16:06:38 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: I did not send a certificate
because I do not have one.
Jul 27 16:06:38 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: Main mode peer ID is
ID_IPV4_ADDR: '199.212.129.226'
Jul 27 16:06:38 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: STATE_MAIN_I2: sent MI2,
expecting MR2
Jul 27 16:06:38 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: STATE_MAIN_I3: sent MI3,
expecting MR3
Jul 27 16:06:38 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_md5 group=modp1024}
Jul 27 16:06:38 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: ignoring unknown Vendor ID
payload [424e455300000005]
Jul 27 16:06:38 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: initiating Main Mode to
replace #428
Jul 27 16:06:38 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: received Vendor ID payload
[Dead Peer Detection]
Jul 27 16:06:38 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 27 16:06:38 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 27 16:06:38 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 27 16:21:44 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: received Delete SA payload:
deleting ISAKMP State #444
Jul 27 16:21:44 sheridan pluto[1671]: packet from 199.212.129.226:500:
received and ignored informational message
Jul 27 16:23:37 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #447: STATE_QUICK_I2: sent QI2,
IPsec SA established {ESP=>0x001b790a <0xb862916f xfrm=3DES_0-HMAC_MD5
NATD=none DPD=none}
Jul 27 16:23:37 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #447: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP to replace #431 {using isakmp#428}
Jul 27 16:23:37 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #447: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 27 16:24:20 sheridan pluto[1671]: packet from 199.212.129.226:500:
Informational Exchange is for an unknown (expired?) SA
Jul 27 16:32:05 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #448: STATE_MAIN_I2: sent MI2,
expecting MR2
Jul 27 16:32:05 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #448: ignoring unknown Vendor ID
payload [424e455300000005]
Jul 27 16:32:05 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #448: initiating Main Mode
Jul 27 16:32:05 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #448: received Vendor ID payload
[Dead Peer Detection]
Jul 27 16:32:05 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #448: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Jul 27 16:32:06 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #448: I did not send a certificate
because I do not have one.
Jul 27 16:32:06 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #448: Main mode peer ID is
ID_IPV4_ADDR: '199.212.129.226'
Jul 27 16:32:06 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #448: STATE_MAIN_I3: sent MI3,
expecting MR3
Jul 27 16:32:06 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #448: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_md5 group=modp1024}
Jul 27 16:32:06 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #448: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Jul 27 16:32:06 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #448: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
Jul 27 16:32:06 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #449: STATE_QUICK_I2: sent QI2,
IPsec SA established {ESP=>0x0005bd4d <0xb8629170 xfrm=3DES_0-HMAC_MD5
NATD=none DPD=none}
Jul 27 16:32:06 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #449: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#448}
Jul 27 16:32:06 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #449: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
Jul 27 16:38:44 sheridan pluto[1671]:
"sunoco-172-16-19-net-to-london-office-net" #450: STATE_QUICK_R1: sent QR1,
inbound IPsec SA installed, expecting QI2
Jul 27 16:38:44 sheridan pluto[1671]:
"sunoco-172-16-19-net-to-london-office-net" #450: STATE_QUICK_R2: IPsec SA
established {ESP=>0x000f69e4 <0xb8629171 xfrm=AES_0-HMAC_SHA1 NATD=none
DPD=none}
Jul 27 16:38:44 sheridan pluto[1671]:
"sunoco-172-16-19-net-to-london-office-net" #450: responding to Quick Mode
{msgid:b74fc8ea}
Jul 27 16:38:44 sheridan pluto[1671]:
"sunoco-172-16-19-net-to-london-office-net" #450: transition from state
STATE_QUICK_R0 to state STATE_QUICK_R1
Jul 27 16:38:44 sheridan pluto[1671]:
"sunoco-172-16-19-net-to-london-office-net" #450: transition from state
STATE_QUICK_R1 to state STATE_QUICK_R2
Jul 27 17:10:11 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #461: STATE_QUICK_I2: sent QI2,
IPsec SA established {ESP=>0x0013419d <0xb8629178 xfrm=3DES_0-HMAC_MD5
NATD=none DPD=none}
Jul 27 17:10:11 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #461: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP to replace #447 {using isakmp#448}
Jul 27 17:10:11 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #461: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2 
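The sequence Peter describes (a Delete SA payload arriving for a freshly established ISAKMP SA, followed by Quick Mode exchanges still bound to an earlier ISAKMP state) can be picked out of pluto's own log mechanically. The following analyzer is an added example and is not code from the thread or from the Openswan project. It reassembles the syslog lines, which are wrapped across lines in the post, tracks which ISAKMP states were established, replaced and deleted, measures how long each ISAKMP SA lived before the peer's Delete, and flags Quick Mode exchanges whose `{using isakmp#N}` points at an ISAKMP SA that the peer had already deleted or that Openswan had already replaced. The message patterns are taken from the lines quoted above; the sample input is a subset of those same lines, and the year is assumed to be 2006 only so timestamps can be subtracted.

```python
"""Added example: scan a pluto log excerpt for Quick Mode exchanges that are
bound to a deleted or superseded ISAKMP SA. Not part of the original thread."""
import re
from datetime import datetime

# Sample input: pluto lines quoted in the post above, wrapped as they appear.
SAMPLE_LOG = """\
Jul 27 16:06:38 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_md5 group=modp1024}
Jul 27 16:06:38 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: initiating Main Mode to
replace #428
Jul 27 16:21:44 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #444: received Delete SA payload:
deleting ISAKMP State #444
Jul 27 16:21:44 sheridan pluto[1671]: packet from 199.212.129.226:500:
received and ignored informational message
Jul 27 16:23:37 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #447: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP to replace #431 {using isakmp#428}
Jul 27 16:32:06 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #448: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
prf=oakley_md5 group=modp1024}
Jul 27 16:32:06 sheridan pluto[1671]:
"sunoco-192-168-net-to-london-office-net" #449: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#448}
Jul 27 17:10:11 sheridan pluto[1671]:
"sunoco-172-26-net-to-london-office-net" #461: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP to replace #447 {using isakmp#448}
"""

# A new syslog entry starts with a timestamp; anything else is a wrapped tail.
ENTRY_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: ?(.*)$")
# Message patterns as they appear in the quoted log (I4 = initiator, R3 = responder).
IKE_UP_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<st>\d+): STATE_MAIN_(?:I4|R3): ISAKMP SA established')
REPLACE_RE = re.compile(r'^"[^"]+" #(?P<new>\d+): initiating Main Mode to replace #(?P<old>\d+)')
DELETE_RE = re.compile(r"received Delete SA payload: deleting ISAKMP State #(?P<st>\d+)")
QUICK_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<st>\d+): initiating Quick Mode .*\{using isakmp#(?P<ike>\d+)\}')


def parse_entries(text, year=2006):
    """Reassemble wrapped syslog lines into (timestamp, message) tuples.
    The year is an assumption; syslog timestamps do not carry one."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            entries.append([ts, m.group(2).strip()])
        elif entries:  # continuation of the previous entry
            entries[-1][1] = (entries[-1][1] + " " + line.strip()).strip()
    return [(ts, msg) for ts, msg in entries]


def analyze(text):
    """One pass over the log. Returns Quick Mode exchanges bound to a deleted
    or superseded ISAKMP SA, plus how long each deleted ISAKMP SA lived."""
    established, superseded, deleted, findings = {}, {}, {}, []
    for ts, msg in parse_entries(text):
        if m := IKE_UP_RE.match(msg):
            established[int(m["st"])] = ts
        elif m := REPLACE_RE.match(msg):
            superseded[int(m["old"])] = int(m["new"])
        elif m := DELETE_RE.search(msg):
            deleted[int(m["st"])] = ts
        elif m := QUICK_RE.match(msg):
            ike = int(m["ike"])
            if ike in deleted:
                reason = f"ISAKMP #{ike} was deleted by the peer at {deleted[ike]:%H:%M:%S}"
            elif ike in superseded:
                new = superseded[ike]
                reason = f"ISAKMP #{ike} was already replaced by #{new}"
                if new in deleted:
                    reason += f" (which the peer deleted at {deleted[new]:%H:%M:%S})"
            else:
                continue  # Quick Mode on a live, current ISAKMP SA: nothing to report
            findings.append({"time": ts, "conn": m["conn"], "ipsec": int(m["st"]),
                             "ike": ike, "reason": reason})
    lifetimes = {st: int((deleted[st] - established[st]).total_seconds())
                 for st in deleted if st in established}
    return {"findings": findings, "lifetimes": lifetimes}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for f in result["findings"]:
        print(f"{f['time']:%H:%M:%S} {f['conn']} #{f['ipsec']}: {f['reason']}")
    for st, secs in result["lifetimes"].items():
        print(f"ISAKMP #{st} lived {secs} s before the peer's Delete")
```

On the quoted excerpt this reports that ISAKMP #444 lived 906 seconds (16:06:38 to 16:21:44) before the Nortel deleted it, and that the Quick Mode for #447 at 16:23:37 was run over ISAKMP #428, the state #444 had been started to replace. Run against a full day of logs, the lifetimes table is the quickest way to see whether the peer's Delete tracks a fixed timer (which an `ikelifetime` change should move) or something else, and the findings list shows which IPsec SAs were keyed under an ISAKMP SA the two ends no longer agree on.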
