[Openswan Users] Newbie help with Cisco to Openswan

Paul Wouters paul at xelerance.com
Mon Aug 7 16:15:18 EDT 2006


On Sun, 6 Aug 2006, Sean Waite wrote:

> Sadly, this is the only log message of interest on the Openswan side:
>
> Aug 6 18:54:01 pluto[2688] "CSO" #9: R_U_THERE_ACK has invalid rcookie (tolerated)
> Aug 6 18:55:31 pluto[2688] "CSO" #9: R_U_THERE_ACK has invalid icookie

That's Cisco's broken cookie implementation with DPD.

> Correct me if I am wrong, but this is a rather meaningless error message anyways. I looked through Cisco's site and found nothing in
> reference to "R_U_THERE_ACK" or DPD.

With recent Openswans (2.4.x) all these incorrect cookies are treated as
valid, so this should not be an option.

> Anyone have any ideas on how or what could be the problem? The Cisco to Openswan is basically your standard config, nothing special,
> using AES-256 and pre-shared key.

If your link is saturated, and you have DPD enabled, and the Cisco sends and
expects DPD answers even when the link is loaded, and those packets happen
to be dropped because of congestion, the link will hang up, but it should
also re-establish. Perhaps Openswan is making a similar error, though AFAIK
it should not send DPD packets when there is traffic over the tunnel.

Try disabling DPD on Openswan and see if that helps.
Try disabling DPD on Cisco and see if that helps.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
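
The cookie check behind the log messages discussed above, as an added example that is not part of the original post and is not Openswan's code: it parses a DPD notify payload laid out as in RFC 3706 and compares its cookies with those of the ISAKMP SA, with a switch modelling a receiver that tolerates mismatched cookies. The function names, the `tolerate_cookies` switch and the sample cookies are assumptions made for illustration.

```python
import struct

R_U_THERE, R_U_THERE_ACK = 36136, 36137   # DPD notify message types (RFC 3706)
PROTO_ISAKMP, DOI_IPSEC = 1, 1

def build_notify(msg_type, icookie, rcookie, seq):
    """Build a DPD notify payload (used here only to construct sample input)."""
    body = struct.pack("!IBBH", DOI_IPSEC, PROTO_ISAKMP, 16, msg_type)
    body += icookie + rcookie + struct.pack("!I", seq)
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body

def parse_dpd_notify(payload):
    """Parse a notify payload: generic header, DOI, proto, SPI size, type, SPI, seq."""
    if len(payload) != 32:
        raise ValueError("DPD notify must be 32 octets")
    _next, _rsvd, length, _doi, proto, spi_size, msg_type = struct.unpack(
        "!BBHIBBH", payload[:12])
    if length != 32 or proto != PROTO_ISAKMP or spi_size != 16:
        raise ValueError("malformed DPD notify")
    if msg_type not in (R_U_THERE, R_U_THERE_ACK):
        raise ValueError("not a DPD notify type")
    (seq,) = struct.unpack("!I", payload[28:32])
    # The 16-octet SPI field carries the initiator cookie, then the responder cookie.
    return {"type": msg_type, "icookie": payload[12:20],
            "rcookie": payload[20:28], "seq": seq}

def check_ack(payload, sa_icookie, sa_rcookie, sent_seq, tolerate_cookies=False):
    """Return (accepted, problems) for a received R_U_THERE_ACK."""
    msg = parse_dpd_notify(payload)
    problems = []
    if msg["icookie"] != sa_icookie:
        problems.append("invalid icookie")
    if msg["rcookie"] != sa_rcookie:
        problems.append("invalid rcookie")
    cookies_ok = tolerate_cookies or not problems
    # The ACK must echo the sequence number of the R_U_THERE it answers.
    seq_ok = msg["seq"] == sent_seq
    if not seq_ok:
        problems.append("unexpected sequence number")
    accepted = msg["type"] == R_U_THERE_ACK and cookies_ok and seq_ok
    return accepted, problems

# Constructed sample values, not taken from a real capture.
ICOOKIE, RCOOKIE = bytes(range(1, 9)), bytes(range(9, 17))
GOOD_ACK = build_notify(R_U_THERE_ACK, ICOOKIE, RCOOKIE, 7)
BAD_ACK = build_notify(R_U_THERE_ACK, ICOOKIE, bytes(8), 7)   # zeroed rcookie

if __name__ == "__main__":
    for name, ack in (("good", GOOD_ACK), ("bad rcookie", BAD_ACK)):
        for lenient in (False, True):
            print(name, "lenient" if lenient else "strict",
                  check_ack(ack, ICOOKIE, RCOOKIE, 7, tolerate_cookies=lenient))
```

With `tolerate_cookies=True` the mismatch is still reported but the ACK counts as a liveness proof, so the echoed sequence number is the only field of the payload still being checked.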

