[Openswan Users] GNATBox 750 - OpenSWAN connection problems
Andrew Baumhauer
abaumhau at neo.rr.com
Thu Feb 9 10:01:21 CET 2006
First, thanks for taking the time to look at this problem. I've been
working on it for a few days now, with no success.
We recently moved from an IPSEC config over a 3 Mbps link involving two
GB750
(http://www.gta.com/downloads/external/dataSheet/roboxFamilyUs-s.pdf)
devices. The new configuration at the main site is a FC4
(2.6.14-1.1653_FC4smp) running OpenSWAN (openswan-2.4.4-1.0.FC4.1), and
one of the GB750's at the remote site.
The attached log file shows a connection to offsite-RR (11.22.33.44)
that is filled with '"offsite-RR" #1010: max number of retransmissions
(20) reached STATE_MAIN_I1. No response (or no acceptable response) to
our first IKE message' and EVENT_RETRANSMIT messages. Can anyone
explain what is happening here? Is this a cause for concern?
I set up a second remote site between two OpenSWAN boxes (RDP-RR @
55.66.77.88) and watched the logs. Other than the DPD messages and SA
re-keying, the logs look clean, and the link remains stable. The GB750
link supports the owner of the business, and he's having stability
problems now.
Here's the /etc/ipsec.d configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        plutodebug="control parsing"
        nat_traversal=no
        interfaces="ipsec0=net2"

include /etc/ipsec.d/*.conf
Here are the config files (yes, I'm using PSK; certificates are not an
option on the GB750) after IP sanitation:
version 2

conn offsite-RR
        left=11.22.33.44
        leftsubnet=192.168.9.0/24
        right=90.80.70.60
        rightsubnet=192.168.10.0/24
        rightnexthop=90.80.70.61
        authby=secret
        # Key lifetimes
        keylife=360m
        ikelifetime=90m
        # Dead Peer Detection (for idle connections)
        dpddelay=30
        dpdtimeout=120
        dpdaction=hold
        auto=add

conn RDP-RR
        left=55.66.77.88
        leftsubnet=192.168.4.0/24
        right=90.80.70.60
        rightsubnet=192.168.10.0/24
        rightnexthop=90.80.70.61
        authby=secret
        # Key lifetimes
        keylife=360m
        ikelifetime=90m
        # Dead Peer Detection (for idle connections)
        dpddelay=30
        dpdtimeout=120
        dpdaction=hold
        auto=add
Attached is the log file showing a connection setup of offsite-RR and
within a few minutes the retransmissions.
Thank you,
Andrew
Attachment: secure.log (text/x-log, 123310 bytes):
http://lists.openswan.org/pipermail/users/attachments/20060209/66437313/secure-0001.bin
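As an added example (not part of the original post and not Openswan's own code), here is a small Python script that triages a pluto log like the attached secure.log per connection: it counts retransmissions, "max number of retransmissions" events together with the state they were reached in, and established ISAKMP/IPsec SAs, then turns those counters into a plain verdict. The log lines inside it are constructed in pluto's syslog format, not taken from the attachment; the connection names offsite-RR and RDP-RR are reused from the message so the stable peer serves as a control. The point the verdict encodes is a fact about pluto's state machine: reaching the retransmit limit in STATE_MAIN_I1 means no acceptable reply ever arrived to the first Main Mode packet, which points at reachability, UDP/500 filtering or a silent peer rather than at a proposal or PSK mismatch, since those fail later in Main Mode (STATE_MAIN_I2/I3) and usually with an explicit notification.

```python
"""Per-connection triage of Openswan pluto log lines (added example)."""
import re
import sys
from collections import defaultdict

# pluto prefixes per-connection messages with: pluto[pid]: "conn" #sa-num: msg
PLUTO_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
MAX_RETRANS_RE = re.compile(r"max number of retransmissions \((\d+)\) reached (STATE_\w+)")

# Constructed sample lines in pluto's syslog format; NOT from the poster's
# secure.log. offsite-RR shows the failure pattern, RDP-RR the healthy one.
SAMPLE_LOG = """\
Feb  9 09:12:01 gw pluto[2048]: "offsite-RR" #1010: initiating Main Mode
Feb  9 09:12:11 gw pluto[2048]: "offsite-RR" #1010: STATE_MAIN_I1: retransmission; will wait 20s for response
Feb  9 09:12:31 gw pluto[2048]: "offsite-RR" #1010: STATE_MAIN_I1: retransmission; will wait 40s for response
Feb  9 09:15:31 gw pluto[2048]: "offsite-RR" #1010: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Feb  9 09:15:31 gw pluto[2048]: "offsite-RR" #1010: starting keying attempt 2 of an unlimited number
Feb  9 09:12:03 gw pluto[2048]: "RDP-RR" #12: initiating Main Mode
Feb  9 09:12:04 gw pluto[2048]: "RDP-RR" #12: STATE_MAIN_I4: ISAKMP SA established
Feb  9 09:12:05 gw pluto[2048]: "RDP-RR" #13: STATE_QUICK_I2: sent QI2, IPsec SA established
Feb  9 09:13:05 gw pluto[2048]: "RDP-RR" #12: received Delete SA payload
"""


def new_counters():
    return {"retransmits": 0, "max_retrans": 0, "stuck_state": None,
            "isakmp_established": 0, "ipsec_established": 0, "sa_numbers": set()}


def summarise(log_text):
    """Return {conn_name: counters} for every pluto per-connection line."""
    stats = defaultdict(new_counters)
    for line in log_text.splitlines():
        m = PLUTO_RE.search(line)
        if not m:
            continue  # daemon-level line or unrelated syslog entry
        s = stats[m.group("conn")]
        msg = m.group("msg")
        s["sa_numbers"].add(int(m.group("sa")))
        if "retransmission; will wait" in msg:
            s["retransmits"] += 1
        mr = MAX_RETRANS_RE.match(msg)
        if mr:
            s["max_retrans"] += 1
            s["stuck_state"] = mr.group(2)  # state in which the peer went silent
        if "ISAKMP SA established" in msg:
            s["isakmp_established"] += 1
        if "IPsec SA established" in msg:
            s["ipsec_established"] += 1
    return dict(stats)


def diagnose(c):
    """Map one connection's counters to a plain-language verdict."""
    if c["max_retrans"] and c["stuck_state"] == "STATE_MAIN_I1":
        return ("no reply to our first Main Mode packet: peer unreachable, UDP/500 "
                "filtered, or peer ignoring us; not a proposal or PSK mismatch")
    if c["max_retrans"]:
        return "peer stopped answering in %s" % c["stuck_state"]
    if c["ipsec_established"]:
        return "healthy: IPsec SA established"
    if c["isakmp_established"]:
        return "phase 1 up, no IPsec SA seen yet"
    return "no events of interest"


if __name__ == "__main__":
    # Usage: python triage.py /var/log/secure   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for name, c in sorted(summarise(text).items()):
        print("%-12s retransmits=%d max_retrans=%d sa_numbers=%d -> %s" % (
            name, c["retransmits"], c["max_retrans"], len(c["sa_numbers"]), diagnose(c)))
```

Run it against the real secure.log and compare the two connections: a large gap between the highest SA numbers seen for offsite-RR and for RDP-RR over the same period shows how many keying attempts the GB750 link is burning, and the stuck_state tells you at which Main Mode step the peer goes quiet, which is the first thing to pin down before touching proposals or lifetimes.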