[Openswan Users] GNATBox 750 - OpenSWAN connection problems

Andrew Baumhauer abaumhau at neo.rr.com
Thu Feb 9 10:01:21 CET 2006


First, thanks for taking the time to look at this problem.  I've been 
working on it for a few days now, with no success.

We recently moved from an IPSEC config over a 3 Mbps link involving two 
GB750 
(http://www.gta.com/downloads/external/dataSheet/roboxFamilyUs-s.pdf) 
devices.  The new configuration at the main site is a FC4 
(2.6.14-1.1653_FC4smp) running OpenSWAN (openswan-2.4.4-1.0.FC4.1), and 
one of the GB750s at the remote site.

The attached log file shows a connection to offsite-RR (11.22.33.44) 
that is filled with '"offsite-RR" #1010: max number of retransmissions 
(20) reached STATE_MAIN_I1.  No response (or no acceptable response) to 
our first IKE message' and EVENT_RETRANSMIT messages.  Can anyone 
explain what is happening here?  Is this a cause for concern?

I set up a second remote site between two OpenSWAN boxes (RDP-RR @ 
55.66.77.88) and watched the logs.  Other than the DPD messages and SA 
re-keying the logs look clean, and the link remains stable.  The GB750 
link supports the owner of the business, and he's having stability 
problems now.

Here's the /etc/ipsec.d configuration

config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        plutodebug="control parsing"
        nat_traversal=no
        interfaces="ipsec0=net2"

include /etc/ipsec.d/*.conf

Here are the config files (yes, I'm using PSK; certificates are not an 
option on the GB750) after IP sanitization:

version 2

conn offsite-RR
        left=11.22.33.44
        leftsubnet=192.168.9.0/24
        right=90.80.70.60
        rightsubnet=192.168.10.0/24
        rightnexthop=90.80.70.61
        authby=secret
        # Key lifetimes
        keylife=360m
        ikelifetime=90m
        # Dead Peer Detection (for idle connections)
        dpddelay=30
        dpdtimeout=120
        dpdaction=hold
        auto=add


conn RDP-RR
        left=55.66.77.88
        leftsubnet=192.168.4.0/24
        right=90.80.70.60
        rightsubnet=192.168.10.0/24
        rightnexthop=90.80.70.61
        authby=secret
        # Key lifetimes
        keylife=360m
        ikelifetime=90m
        # Dead Peer Detection (for idle connections)
        dpddelay=30
        dpdtimeout=120
        dpdaction=hold
        auto=add
Attached is the log file showing a connection setup of offsite-RR and 
within a few minutes the retransmissions.

Thank you,

Andrew

-------------- next part --------------
A non-text attachment was scrubbed...
Name: secure.log
Type: text/x-log
Size: 123310 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20060209/66437313/secure-0001.bin
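Editor's note, added example (not part of Andrew's post and not Openswan code): the post quotes one pluto line and points at a 120 KB secure.log, so the practical first step is to pull every "max number of retransmissions" event out of that log, see which IKE state the initiator was stuck in, and compare it with the SAs that did come up on the same connection. The script below does that over a handful of constructed syslog lines written in the format pluto uses when it logs to /var/log/secure; the sample lines, the host name "gw", the PID and the SA numbers other than #1010 are made up for the example, and the STATE_HINTS table is a rule-of-thumb reading of the IKEv1 Main Mode and Quick Mode exchanges, not something taken from the post or the attached log.

```python
"""Summarise pluto retransmission failures per Openswan connection.

Added example.  SAMPLE_LOG is constructed to match the message quoted
in the post; it is NOT the attached secure.log.
"""
import re
from collections import defaultdict

# Syslog prefix as pluto writes it to /var/log/secure:
#   "<Mon dd HH:MM:SS> <host> pluto[<pid>]: "<conn>" #<sa>: <message>"
PLUTO_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
RETRANS_RE = re.compile(
    r'max number of retransmissions \((?P<limit>\d+)\) reached '
    r'(?P<state>STATE_\w+)')

# Rule-of-thumb reading of the state the initiator gave up in
# (assumption, my interpretation of the IKEv1 exchange).
STATE_HINTS = {
    "STATE_MAIN_I1": "MM1 sent, no MM2 back: peer unreachable, UDP/500 "
                     "filtered, or peer has no matching conn and stays silent",
    "STATE_MAIN_I2": "MM3 sent, no MM4 back: DH/KE problem or packets lost "
                     "after the first round trip (fragmentation, NAT)",
    "STATE_MAIN_I3": "MM5 sent, no MM6 back: usually PSK or ID mismatch, "
                     "peer cannot decrypt or authenticate us",
    "STATE_QUICK_I1": "QM1 sent, no QM2 back: Phase 2 proposal or subnet "
                      "mismatch",
}

# Constructed sample (not from the real log).  Note the "| ..." debug
# line produced by plutodebug: it carries no conn name and is skipped.
SAMPLE_LOG = """\
Feb  9 09:01:02 gw pluto[2231]: "offsite-RR" #1009: initiating Main Mode
Feb  9 09:01:03 gw pluto[2231]: "offsite-RR" #1009: ISAKMP SA established
Feb  9 09:01:03 gw pluto[2231]: "offsite-RR" #1011: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP
Feb  9 09:01:04 gw pluto[2231]: "offsite-RR" #1011: sent QI2, IPsec SA established
Feb  9 09:04:10 gw pluto[2231]: "offsite-RR" #1010: initiating Main Mode to replace #1009
Feb  9 09:04:10 gw pluto[2231]: | handling event EVENT_RETRANSMIT
Feb  9 09:12:30 gw pluto[2231]: "offsite-RR" #1010: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Feb  9 09:12:30 gw pluto[2231]: "offsite-RR" #1010: starting keying attempt 2 of an unlimited number
Feb  9 09:23:58 gw pluto[2231]: "offsite-RR" #1012: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Feb  9 09:24:00 gw pluto[2231]: "RDP-RR" #1013: ISAKMP SA established
"""


def parse_pluto_lines(text):
    """Yield (timestamp, conn, sa_number, message) for every line that
    names a connection; debug and unrelated syslog lines are dropped."""
    for line in text.splitlines():
        m = PLUTO_RE.match(line)
        if m:
            yield m.group("ts"), m.group("conn"), int(m.group("sa")), m.group("msg")


def retransmit_failures(text):
    """One record per 'max number of retransmissions' event, with the
    stuck state and the rule-of-thumb hint for it."""
    out = []
    for ts, conn, sa, msg in parse_pluto_lines(text):
        m = RETRANS_RE.search(msg)
        if m:
            state = m.group("state")
            out.append({"ts": ts, "conn": conn, "sa": sa,
                        "limit": int(m.group("limit")), "state": state,
                        "hint": STATE_HINTS.get(state, "unknown state")})
    return out


def summarize(text):
    """Per connection: failure count per stuck state, plus how many
    ISAKMP and IPsec SAs were established, so a peer that flaps (some
    successes, some timeouts) is distinguishable from one that is dead."""
    summary = defaultdict(lambda: {"failures": defaultdict(int),
                                   "isakmp_established": 0,
                                   "ipsec_established": 0})
    for _ts, conn, _sa, msg in parse_pluto_lines(text):
        entry = summary[conn]
        m = RETRANS_RE.search(msg)
        if m:
            entry["failures"][m.group("state")] += 1
        elif "ISAKMP SA established" in msg:
            entry["isakmp_established"] += 1
        elif "IPsec SA established" in msg:
            entry["ipsec_established"] += 1
    return {conn: {"failures": dict(e["failures"]),
                   "isakmp_established": e["isakmp_established"],
                   "ipsec_established": e["ipsec_established"]}
            for conn, e in summary.items()}


if __name__ == "__main__":
    for f in retransmit_failures(SAMPLE_LOG):
        print(f"{f['ts']} {f['conn']} #{f['sa']} stuck in {f['state']}: {f['hint']}")
    for conn, s in summarize(SAMPLE_LOG).items():
        print(conn, s)
```

Run it against the real file with `summarize(open("/var/log/secure").read())`. The pattern to look for is the one the post describes: a connection that does establish ISAKMP and IPsec SAs and then, a few minutes later, starts a replacement Main Mode exchange that dies in STATE_MAIN_I1. Since MM1 is the very first packet of the exchange, a timeout there means nothing came back at all, so a tcpdump on UDP/500 on the outside interface during the rekey (is the packet leaving, and does anything return?) settles whether the problem is on the path or on the GB750 before any proposal or PSK tuning is worth attempting.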