[Openswan Users] Openswan and Nortel Interop Problem
Peter McGill
petermcgill at goco.net
Wed Aug 23 17:29:25 EDT 2006
The connection randomly goes down at renewals for approx one renewal period.
The only way to fix the connection before the next renewal is to manually reset it.
The pattern is always the same.
For a good renewal:
Phase 1 ISAKMP Main Mode SA renews.
Phase 2 IPSec Quick Mode SA renews.
For a failed renewal:
Phase 2 IPSec Quick Mode SA renews.
Phase 1 ISAKMP Main Mode SA renews.
Old Phase 1 expires and connection is torn down.
I've had this problem for the last 9 months or so.
It has persisted through a number of versions of Openswan and the Nortel switches.
I've tried so many different configurations that I'm almost certain it must
be a software bug in one of the switches or an incompatibility between them.
I'm currently running the following, testing with 2 Openswans and 2 Nortels.
Openswan 2.4.6/Linux Kernel 2.4.26 and Linux Kernel 2.4.31/Slackware Linux 10.0+
Nortel (Contivity Extranet/VPN) Switch 600+ Revision V05_00.136
Openswan
ipsec.conf:
version 2.0

config setup
    interfaces=%defaultroute
    uniqueids=yes # setting this or not setting this has no effect

include /etc/ipsec.d/examples/no_oe.conf

conn openswan-test
    left=<openswan pub ip>
    leftnexthop=%defaultroute
    leftsubnet=<openswan priv subnet>
    right=<nortel pub ip>
    rightnexthop=%defaultroute
    rightsubnet=<nortel priv subnet>
    keyexchange=ike
    auth=esp
    ike=aes128-sha1-modp1536 # or 3des-md5-modp1024
    esp=aes128-sha1 # or 3des-md5
    aggrmode=no
    pfs=yes
    compress=yes # or no
    # I have tried many combinations of ikelifetime and keylife,
    # more than I have listed below.
    # ikelifetime < keylife, ikelifetime = keylife, ikelifetime > keylife
    # This changes the frequency and duration of the problem
    # but the problem does not go away.
    # Nortel only has one setting for both of these (Rekey Timeout)
    # and the connection works best if all 3 are equal.
    ikelifetime=8.0h # or 1.0h
    keylife=8.0h # or 1.0h
    rekey=yes
    keyingtries=%forever
    rekeymargin=9m
    rekeyfuzz=100%
    dpddelay=30 # setting dpd or not setting dpd* has no effect
    dpdtimeout=120
    dpdaction=restart # or clear or hold
    authby=secret
    auto=start # or route
ipsec.secrets:
<openswan pub ip> <nortel pub ip> : PSK "<psk>"
Nortel
Profiles -> Branch Office -> Group (Openswan Test) -> Configure:
    Connectivity -> Configure:
        All Fields -> Configure:
            Access Hours: Anytime
            Idle Timeout: 00:00:00
            Forced Logoff: 00:00:00
            OK
    IPSec -> Configure:
        All Fields -> Configure:
            Encryption:
                ESP - 128-bit AES with SHA1 Integrity: Check/Enabled
                or ESP - Triple DES with MD5 Integrity: Check/Enabled
                All Others: Uncheck/Disabled
            IKE Encryption and Diffie-Hellman Group: 128-bit AES with Group 5 (1536-bit prime)
                or Triple DES with Group 2 (1024-bit prime)
            Aggressive Mode ISAKMP Initial Contact Payload: Disabled
            Perfect Forward Secrecy: Enabled
            Compression: Enabled or Disabled
            Rekey Timeout: 08:00:00 or 01:00:00
            OK
Profiles -> Branch Office -> Group (Openswan Test) -> Connections (Openswan Test) -> Configure:
    Connection:
        Tunnel Type: IPSec
        Connection Type: Peer to Peer
        Enable: Check/Enabled
    Endpoints:
        Local Ip Address: <nortel pub ip>
        Remote Ip Address: <openswan pub ip>
    Authentication: Text Pre-Shared Key
        Text Pre-Shared Key: <psk>
        Confirm: <psk>
    IP Configuration: Static
        Local Networks: <nortel priv subnet>
        Remote Networks: <openswan priv subnet>
    OK
A Good Renewal
Openswan Log:
Aug 19 04:52:38 franklin pluto[11388]: "openswan-test" #6905: initiating Main Mode to replace #6404
Aug 19 04:52:38 franklin pluto[11388]: "openswan-test" #6905: ignoring unknown Vendor ID payload [424e455300000009]
Aug 19 04:52:38 franklin pluto[11388]: "openswan-test" #6905: received Vendor ID payload [Dead Peer Detection]
Aug 19 04:52:38 franklin pluto[11388]: "openswan-test" #6905: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 19 04:52:38 franklin pluto[11388]: "openswan-test" #6905: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 19 04:52:39 franklin pluto[11388]: "openswan-test" #6905: I did not send a certificate because I do not have one.
Aug 19 04:52:39 franklin pluto[11388]: "openswan-test" #6905: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 19 04:52:39 franklin pluto[11388]: "openswan-test" #6905: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 19 04:52:39 franklin pluto[11388]: "openswan-test" #6905: Main mode peer ID is ID_IPV4_ADDR: '<nortel pub ip>'
Aug 19 04:52:39 franklin pluto[11388]: "openswan-test" #6905: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 19 04:52:39 franklin pluto[11388]: "openswan-test" #6905: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1536}
Aug 19 04:56:27 franklin pluto[11388]: "openswan-test" #6910: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace #6406 {using isakmp#6905}
Aug 19 04:56:28 franklin pluto[11388]: "openswan-test" #6910: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 19 04:56:28 franklin pluto[11388]: "openswan-test" #6910: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xe601aeb5 <0xb7393a19 xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
Aug 19 05:07:16 franklin pluto[11388]: packet from <nortel pub ip>:500: Informational Exchange is for an unknown (expired?) SA
Aug 19 05:07:16 franklin pluto[11388]: packet from <nortel pub ip>:500: Informational Exchange is for an unknown (expired?) SA
Nortel System Log (The time is off, but it matches the above renewal):
03:43:09 tEvtLgMgr 0 : Security [12] Session: IPSEC[<openswan pub ip>]:234 physical addresses: remote <openswan pub ip> local <nortel pub ip>
03:43:09 tEvtLgMgr 0 : Security [12] Session: IPSEC[-]:236 physical addresses: remote <openswan pub ip> local <nortel pub ip>
03:53:57 tEvtLgMgr 0 : Security [12] Session 6c83390: IPSEC[-]:213 sib 0 logged out
03:53:57 tEvtLgMgr 0 : Security [12] Session 6c829b8: IPSEC[<openswan pub ip>]:212 sib 0 logged out
Nortel Event Log:
08/19/2006 03:39:19 0 Security [11] Session: IPSEC[<openswan pub ip>] attempting login
08/19/2006 03:39:19 0 Security [00] Session: IPSEC - found matching gateway session, caching parameters from gateway session
08/19/2006 03:39:20 0 ISAKMP [02] Oakley Main Mode proposal accepted from <openswan pub ip>
08/19/2006 03:39:20 0 Security [01] Session: IPSEC[<openswan pub ip>]:234 SHARED-SECRET authenticate attempt...
08/19/2006 03:39:20 0 Security [01] Session: IPSEC[<openswan pub ip>]:234 attempting authentication using LOCAL
08/19/2006 03:39:21 0 Security [11] Session: IPSEC[<openswan pub ip>]:234 authenticated using LOCAL
08/19/2006 03:39:21 0 Security [11] Session: IPSEC[<openswan pub ip>]:234 bound to group /Base/Openswan Test/Openswan Test
08/19/2006 03:39:21 0 Security [01] Session: IPSEC[<openswan pub ip>]:234 Building group filter permit all
08/19/2006 03:39:21 0 Security [01] Session: IPSEC[<openswan pub ip>]:234 Applying group filter permit all
08/19/2006 03:39:21 0 Security [11] Session: IPSEC[<openswan pub ip>]:234 authorized
08/19/2006 03:39:21 0 ISAKMP [02] ISAKMP SA established with <openswan pub ip>
08/19/2006 03:43:09 0 Security [11] Session: network IPSEC[<openswan subnet>] attempting login
08/19/2006 03:43:09 0 Security [11] Session: network IPSEC[<openswan subnet>] logged in from gateway [<openswan pub ip>]
08/19/2006 03:43:09 0 Security [12] Session: IPSEC[<openswan pub ip>]:234 physical addresses: remote <openswan pub ip> local <nortel pub ip>
08/19/2006 03:43:09 0 Security [12] Session: IPSEC[-]:236 physical addresses: remote <openswan pub ip> local <nortel pub ip>
08/19/2006 03:43:10 0 Outbound ESP from <nortel pub ip> to <openswan pub ip> SPI 0xb7393a19 [03] ESP encap session SPI 0x193a39b7 bound to s/w on cpu 0
08/19/2006 03:43:10 0 Inbound ESP from <openswan pub ip> to <nortel pub ip> SPI 0xe601aeb5 [03] ESP decap session SPI 0xb5ae01e6 bound to s/w on cpu 0
08/19/2006 03:43:10 0 Branch Office [00] 513a440 BranchOfficeCtxtCls::RegisterTunnel: rem[<openswan subnet>]@[<openswan pub ip>] loc[<nortel subnet>] overwriting tunnel context [5ac2d68] with [5ac2f50]
08/19/2006 03:43:10 0 ISAKMP [03] Established IPsec SAs with <openswan pub ip>:
08/19/2006 03:43:10 0 ISAKMP [03] ESP AES-CBC-HMAC-SHA outbound SPI 0xb7393a19
08/19/2006 03:43:10 0 ISAKMP [03] ESP AES-CBC-HMAC-SHA inbound SPI 0xe601aeb5
A Failed Renewal
Openswan Log:
Aug 19 12:39:22 franklin pluto[11388]: "openswan-test" #7385: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace #6910 {using isakmp#6905}
Aug 19 12:39:23 franklin pluto[11388]: "openswan-test" #7385: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 19 12:39:23 franklin pluto[11388]: "openswan-test" #7385: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x3e0804e2 <0xb7393bb3 xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
Aug 19 12:41:06 franklin pluto[11388]: "openswan-test" #7387: initiating Main Mode to replace #6905
Aug 19 12:41:06 franklin pluto[11388]: "openswan-test" #7387: ignoring unknown Vendor ID payload [424e455300000009]
Aug 19 12:41:06 franklin pluto[11388]: "openswan-test" #7387: received Vendor ID payload [Dead Peer Detection]
Aug 19 12:41:06 franklin pluto[11388]: "openswan-test" #7387: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 19 12:41:06 franklin pluto[11388]: "openswan-test" #7387: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 19 12:41:07 franklin pluto[11388]: "openswan-test" #7387: I did not send a certificate because I do not have one.
Aug 19 12:41:07 franklin pluto[11388]: "openswan-test" #7387: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 19 12:41:07 franklin pluto[11388]: "openswan-test" #7387: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 19 12:41:07 franklin pluto[11388]: "openswan-test" #7387: Main mode peer ID is ID_IPV4_ADDR: '<nortel pub ip>'
Aug 19 12:41:07 franklin pluto[11388]: "openswan-test" #7387: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 19 12:41:07 franklin pluto[11388]: "openswan-test" #7387: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1536}
Aug 19 12:52:39 franklin pluto[11388]: packet from <nortel pub ip>:500: Informational Exchange is for an unknown (expired?) SA
Aug 19 12:56:41 franklin pluto[11388]: "openswan-test" #7387: received Delete SA payload: deleting ISAKMP State #7387
Aug 19 12:56:41 franklin pluto[11388]: packet from <nortel pub ip>:500: received and ignored informational message
# If dpd is enabled then we also see this
Aug 19 12:57:02 franklin pluto[11388]: "openswan-test" #7385: DPD: Serious: could not find newest phase 1 state
Nortel System Log:
11:26:01 tEvtLgMgr 0 : Security [12] Session: IPSEC[<openswan pub ip>]:234 physical addresses: remote <openswan pub ip> local <nortel pub ip>
11:26:01 tEvtLgMgr 0 : Security [12] Session: IPSEC[-]:257 physical addresses: remote <openswan pub ip> local <nortel pub ip>
11:39:17 tEvtLgMgr 0 : Security [12] Session 6c83390: IPSEC[-]:257 sib 0 logged out
11:39:17 tEvtLgMgr 0 : Security [12] Session 6c81fe0: IPSEC[-]:236 sib 0 logged out
11:39:17 tEvtLgMgr 0 : Security [12] Session 6c82328: IPSEC[<openswan pub ip>]:234 sib 0 logged out
*11:43:19 tEvtLgMgr 0 : ISAKMP [13] <openswan pub ip> has exceeded idle timeout - logging out
11:43:19 tEvtLgMgr 0 : Security [12] Session 6c81608: IPSEC[<openswan pub ip>]:258 sib 0 logged out
Nortel Event Log:
08/19/2006 11:26:01 0 Security [11] Session: network IPSEC[<openswan subnet>] attempting login
08/19/2006 11:26:01 0 Security [11] Session: network IPSEC[<openswan subnet>] logged in from gateway [<openswan pub ip>]
08/19/2006 11:26:01 0 Security [12] Session: IPSEC[<openswan pub ip>]:234 physical addresses: remote <openswan pub ip> local <nortel pub ip>
08/19/2006 11:26:01 0 Security [12] Session: IPSEC[-]:257 physical addresses: remote <openswan pub ip> local <nortel pub ip>
08/19/2006 11:26:02 0 Outbound ESP from <nortel pub ip> to <openswan pub ip> SPI 0xb7393bb3 [03] ESP encap session SPI 0xb33b39b7 bound to s/w on cpu 0
08/19/2006 11:26:02 0 Inbound ESP from <openswan pub ip> to <nortel pub ip> SPI 0x3e0804e2 [03] ESP decap session SPI 0xe204083e bound to s/w on cpu 0
08/19/2006 11:26:02 0 Branch Office [00] 513a440 BranchOfficeCtxtCls::RegisterTunnel: rem[<openswan subnet>]@[<openswan pub ip>] loc[<nortel subnet>] overwriting tunnel context [5ac2f50] with [5ac2d68]
08/19/2006 11:26:02 0 ISAKMP [03] Established IPsec SAs with <openswan pub ip>:
08/19/2006 11:26:02 0 ISAKMP [03] ESP AES-CBC-HMAC-SHA outbound SPI 0xb7393bb3
08/19/2006 11:26:02 0 ISAKMP [03] ESP AES-CBC-HMAC-SHA inbound SPI 0x3e0804e2
08/19/2006 11:27:44 0 Security [11] Session: IPSEC[<openswan pub ip>] attempting login
08/19/2006 11:27:44 0 Security [00] Session: IPSEC - found matching gateway session, caching parameters from gateway session
08/19/2006 11:27:45 0 ISAKMP [02] Oakley Main Mode proposal accepted from <openswan pub ip>
08/19/2006 11:27:45 0 Security [01] Session: IPSEC[<openswan pub ip>]:258 SHARED-SECRET authenticate attempt...
08/19/2006 11:27:45 0 Security [01] Session: IPSEC[<openswan pub ip>]:258 attempting authentication using LOCAL
08/19/2006 11:27:45 0 Security [11] Session: IPSEC[<openswan pub ip>]:258 authenticated using LOCAL
08/19/2006 11:27:45 0 Security [11] Session: IPSEC[<openswan pub ip>]:258 bound to group /Base/Openswan Test/Openswan Test
08/19/2006 11:27:45 0 Security [01] Session: IPSEC[<openswan pub ip>]:258 Building group filter permit all
08/19/2006 11:27:46 0 Security [01] Session: IPSEC[<openswan pub ip>]:258 Applying group filter permit all
08/19/2006 11:27:46 0 Security [11] Session: IPSEC[<openswan pub ip>]:258 authorized
08/19/2006 11:27:46 0 ISAKMP [02] ISAKMP SA established with <openswan pub ip>
08/19/2006 11:39:17 0 ISAKMP [01] Delete message for ISAKMP SA received from <openswan pub ip>
08/19/2006 11:39:17 0 ISAKMP [03] Deleting IPsec SAs with <openswan pub ip>:
08/19/2006 11:39:17 0 ISAKMP [03] ESP AES-CBC-HMAC-SHA outbound SPI 0xb7393bb3
08/19/2006 11:39:17 0 ISAKMP [03] ESP AES-CBC-HMAC-SHA inbound SPI 0x3e0804e2
08/19/2006 11:39:17 0 IPvfy.05ac2d68{Tun} [00] destructor called 0x5ac2d68
08/19/2006 11:39:17 0 Security [12] Session 6c83390: IPSEC[-]:257 sib 0 logged out
08/19/2006 11:39:17 0 ISAKMP [03] ReRegistering tunnel 5ac2f50 fd0315ac ffffffff 715ac ffffff 193a39b7 0
08/19/2006 11:39:17 0 Branch Office [00] 513a440 BranchOfficeCtxtCls::RegisterTunnel: rem[<openswan subnet>]@[<openswan pub ip>] loc[<nortel subnet>] overwriting tunnel context [0] with [5ac2f50]
08/19/2006 11:39:17 0 ISAKMP [03] Deleting IPsec SAs with <openswan pub ip>:
08/19/2006 11:39:17 0 ISAKMP [03] ESP AES-CBC-HMAC-SHA outbound SPI 0xb7393a19
08/19/2006 11:39:17 0 ISAKMP [03] ESP AES-CBC-HMAC-SHA inbound SPI 0xe601aeb5
08/19/2006 11:39:17 0 IPvfy.05ac2f50{Tun} [00] destructor called 0x5ac2f50
08/19/2006 11:39:17 0 Security [12] Session 6c81fe0: IPSEC[-]:236 sib 0 logged out
08/19/2006 11:39:17 0 Security [12] Session 6c82328: IPSEC[<openswan pub ip>]:234 sib 0 logged out
08/19/2006 11:39:17 0 ISAKMP [02] Deleting ISAKMP SA with <openswan pub ip>
08/19/2006 11:43:06 0 ISAKMP [03] Delete message for IPsec SA received from <openswan pub ip>
08/19/2006 11:43:19 0 ISAKMP [13] <openswan pub ip> has exceeded idle timeout - logging out
08/19/2006 11:43:19 0 Security [12] Session 6c81608: IPSEC[<openswan pub ip>]:258 sib 0 logged out
08/19/2006 11:43:19 0 ISAKMP [02] Deleting ISAKMP SA with <openswan pub ip>
Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited
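The rekey ordering described in the post (Phase 1 before Phase 2 survives, Phase 2 before Phase 1 is torn down) can be spotted in the pluto log before the tunnel drops. The following detector is an added example, not code from the post or from Openswan; the regexes match the message formats quoted above, the 20-minute window is an assumption derived from rekeymargin=9m with rekeyfuzz=100%, and the sample lines are constructed after the post's excerpt.

```python
import re
from datetime import datetime

# Patterns for the pluto messages quoted in the post (regexes written for this example).
TS_RE = re.compile(r'^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)')
MAIN_RE = re.compile(r'#(\d+): initiating Main Mode to replace #(\d+)')
QUICK_RE = re.compile(r'#(\d+): initiating Quick Mode .*?to replace\s*#(\d+)\s*\{using isakmp#(\d+)\}')
DELETE_RE = re.compile(r'received Delete SA payload: deleting ISAKMP State #(\d+)')
DPD_RE = re.compile(r'DPD: Serious: could not find newest phase 1 state')

# Assumption: with rekeymargin=9m and rekeyfuzz=100% each SA rekeys 9 to 18 minutes
# before expiry, so a Phase 1 and Phase 2 rekey of the same cycle fall inside ~20 min.
WINDOW_S = 20 * 60

def _ts(line):
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), '%b %d %H:%M:%S') if m else None

def analyze_rekeys(lines, window_s=WINDOW_S):
    """Return (severity, message) findings for the rekey-order problem."""
    findings = []
    quick_under = {}  # isakmp state -> (phase 2 state, time) of the last Quick Mode it parented
    for line in lines:
        when = _ts(line)
        m = QUICK_RE.search(line)
        if m:
            quick_under[m.group(3)] = (m.group(1), when)
            continue
        m = MAIN_RE.search(line)
        if m:
            new_p1, old_p1 = m.group(1), m.group(2)
            hit = quick_under.get(old_p1)
            # Bad order: Phase 2 was just rekeyed under the Phase 1 that is now being replaced.
            if hit and when and hit[1] and (when - hit[1]).total_seconds() <= window_s:
                findings.append(('WARN', f'Quick Mode #{hit[0]} was rekeyed under ISAKMP #{old_p1} '
                                 f'shortly before Main Mode #{new_p1} replaced it; '
                                 f'expect the tunnel to drop when #{old_p1} expires'))
            continue
        m = DELETE_RE.search(line)
        if m:
            findings.append(('ALERT', f'peer deleted ISAKMP State #{m.group(1)}'))
        elif DPD_RE.search(line):
            findings.append(('ALERT', 'DPD found no Phase 1 for the Phase 2 SA'))
    return findings

# Constructed sample modelled on the post's "failed renewal" excerpt (state numbers illustrative).
FAILED = [
    'Aug 19 12:39:22 franklin pluto[11388]: "openswan-test" #7385: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace #6910 {using isakmp#6905}',
    'Aug 19 12:41:06 franklin pluto[11388]: "openswan-test" #7387: initiating Main Mode to replace #6905',
    'Aug 19 12:56:41 franklin pluto[11388]: "openswan-test" #7387: received Delete SA payload: deleting ISAKMP State #7387',
]
```

Running `analyze_rekeys(FAILED)` yields a WARN at the Main Mode line, about fifteen minutes before the Delete SA payload arrives; the same lines from a good renewal (Main Mode first, Quick Mode under the new ISAKMP SA) produce no findings.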