[Openswan Users] Openswan & Digicom Michelangelo Office Pro-V problems

Roberto Fichera kernel at tekno-soft.it
Wed Feb 15 16:48:43 CET 2006


Hi All,

I'm getting the log below when connecting the latest Openswan 2.4.4 behind a
router, which forwards all the traffic to the Openswan box, running on
Fedora Core 3 with all the updates.

/etc/ipsec.conf is

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
         # klipsdebug=none
         # plutodebug="control parsing"
         uniqueids=yes
         interfaces=%defaultroute
         virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.1.0/24,%v4:!192.168.10.0/24

# Add connections here
conn %default
         disablearrivalcheck=no
         authby=secret
         keyingtries=0
         keyexchange=ike
         auth=esp
         pfs=no

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

# Digicom Michelangelo Pro-V
conn vpn-digicom
         left=KKK.XXX.ZZZ.YYY
         leftsubnet=192.168.19.0/24
         right=%defaultroute
         rightsubnet=192.168.1.0/24
         pfs=no
         disablearrivalcheck=no
         auto=add
         authby=secret

------------------------------------

Feb 15 16:33:34 vpn pluto[11353]: "vpn-digicom" #13: responding to Main Mode
Feb 15 16:33:34 vpn pluto[11353]: "vpn-digicom" #13: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Feb 15 16:33:34 vpn pluto[11353]: "vpn-digicom" #13: STATE_MAIN_R1: sent MR1, expecting MI2
Feb 15 16:33:34 vpn pluto[11353]: "vpn-digicom" #13: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 15 16:33:34 vpn pluto[11353]: "vpn-digicom" #13: STATE_MAIN_R2: sent MR2, expecting MI3
Feb 15 16:33:34 vpn pluto[11353]: "vpn-digicom" #13: Main mode peer ID is ID_IPV4_ADDR: 'KKK.XXX.ZZZ.YYY'
Feb 15 16:33:34 vpn pluto[11353]: "vpn-digicom" #13: I did not send a certificate because I do not have one.
Feb 15 16:33:34 vpn pluto[11353]: "vpn-digicom" #13: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb 15 16:33:34 vpn pluto[11353]: "vpn-digicom" #13: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Feb 15 16:33:39 vpn pluto[11353]: "vpn-digicom" #13: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Feb 15 16:33:43 vpn pluto[11353]: "vpn-digicom" #13: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Feb 15 16:33:47 vpn pluto[11353]: "vpn-digicom" #13: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3
Feb 15 16:34:07 vpn last message repeated 5 times
Feb 15 16:34:11 vpn pluto[11353]: "vpn-digicom" #14: responding to Main Mode
Feb 15 16:34:11 vpn pluto[11353]: "vpn-digicom" #14: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Feb 15 16:34:11 vpn pluto[11353]: "vpn-digicom" #14: STATE_MAIN_R1: sent MR1, expecting MI2
Feb 15 16:34:11 vpn pluto[11353]: "vpn-digicom" #14: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 15 16:34:11 vpn pluto[11353]: "vpn-digicom" #14: STATE_MAIN_R2: sent MR2, expecting MI3
Feb 15 16:34:12 vpn pluto[11353]: "vpn-digicom" #14: Main mode peer ID is ID_IPV4_ADDR: 'KKK.XXX.ZZZ.YYY'
Feb 15 16:34:12 vpn pluto[11353]: "vpn-digicom" #14: I did not send a certificate because I do not have one.
Feb 15 16:34:12 vpn pluto[11353]: "vpn-digicom" #14: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb 15 16:34:12 vpn pluto[11353]: "vpn-digicom" #14: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Feb 15 16:34:16 vpn pluto[11353]: "vpn-digicom" #14: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Feb 15 16:34:20 vpn pluto[11353]: "vpn-digicom" #14: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Feb 15 16:34:24 vpn pluto[11353]: "vpn-digicom" #14: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3

------------------------------------

ipsec auto --status relevant part:

000 "vpn-digicom": 192.168.1.0/24===192.168.1.101---192.168.1.1...KKK.XXX.ZZZ.YYY===192.168.19.0/24; unrouted; eroute owner: #0
000 "vpn-digicom":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "vpn-digicom":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "vpn-digicom":   policy: PSK+ENCRYPT+TUNNEL; prio: 24,24; interface: eth0;
000 "vpn-digicom":   newest ISAKMP SA: #15; newest IPsec SA: #0;
000 "vpn-digicom":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024

...
...

000 #13: "vpn-digicom":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3010s; nodpd
000 #14: "vpn-digicom":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3048s; nodpd
000 #15: "vpn-digicom":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3084s; newest ISAKMP; nodpd

Any tips to solve the problem?

Thanks in advance,

Roberto Fichera. 
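
Added example, not part of the original post: a small Python summariser for pluto log lines in the format shown above. Per IKE state number it reports the last Main Mode state reached, whether the ISAKMP SA was established, and how many duplicate-packet retransmissions and discards were logged, folding in syslog's "last message repeated N times" lines. The function names and the sample (constructed from the lines in the post) are assumptions of this example.

```python
import re

# Constructed sample in the pluto syslog format shown in the post (unwrapped).
SAMPLE = """\
Feb 15 16:33:34 vpn pluto[11353]: "vpn-digicom" #13: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb 15 16:33:34 vpn pluto[11353]: "vpn-digicom" #13: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Feb 15 16:33:39 vpn pluto[11353]: "vpn-digicom" #13: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Feb 15 16:33:43 vpn pluto[11353]: "vpn-digicom" #13: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Feb 15 16:33:47 vpn pluto[11353]: "vpn-digicom" #13: discarding duplicate packet -- exhausted retransmission; already STATE_MAIN_R3
Feb 15 16:34:07 vpn last message repeated 5 times
Feb 15 16:34:11 vpn pluto[11353]: "vpn-digicom" #14: responding to Main Mode
Feb 15 16:34:11 vpn pluto[11353]: "vpn-digicom" #14: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"""

LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
TRANSITION = re.compile(r"transition from state \S+ to state (\S+)")
REPEAT = re.compile(r"last message repeated (\d+) times")

def summarise(text):
    states = {}   # state number -> summary record, in order of first appearance
    last = None   # (record, counter name) of the previous pluto line
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            rec = states.setdefault(int(m["sa"]), {
                "conn": m["conn"], "state": None, "isakmp_sa": False,
                "retransmits": 0, "discarded": 0})
            msg, kind = m["msg"], None
            t = TRANSITION.search(msg)
            if t:
                rec["state"] = t[1]
            if "ISAKMP SA established" in msg:
                rec["isakmp_sa"] = True
            if msg.startswith("retransmitting in response to duplicate packet"):
                kind = "retransmits"
            elif msg.startswith("discarding duplicate packet"):
                kind = "discarded"
            if kind:
                rec[kind] += 1
            last = (rec, kind)
            continue
        r = REPEAT.search(line)
        if r and last and last[1]:   # syslog collapsed repeats of the previous line
            last[0][last[1]] += int(r[1])
    return states

def stuck_after_phase1(states):
    # State numbers with an established ISAKMP SA that still discarded duplicates.
    return [sa for sa, r in states.items() if r["isakmp_sa"] and r["discarded"]]
```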


