[Openswan Users] connection- after about 1 hour goes down.

Paul Wouters paul at xelerance.com
Fri Jul 14 17:47:06 CEST 2006 

On Fri, 14 Jul 2006, Adam Gawda wrote:

> Jul 14 10:05:08 rt_1 pluto[5447]: "alfa-watchguard" #1: initiating Main
> Mode

ok, so you are letting openswan initiate.

> Jul 14 10:05:08 rt_1 pluto[5447]: "alfa-watchguard" #1: received Vendor
> ID payload [draft-ietf-ipsec-nat-t-ike-03]
> Jul 14 10:05:08 rt_1 pluto[5447]: "alfa-watchguard" #1: enabling possible
> NAT-traversal with method RFC XXXX (NAT-Traversal)
> Jul 14 10:05:08 rt_1 pluto[5447]: "alfa-watchguard" #1: transition from
> state STATE_MAIN_I1 to state STATE_MAIN_I2
> Jul 14 10:05:08 rt_1 pluto[5447]: "alfa-watchguard" #1: I did not send a
> certificate because I do not have one.
> Jul 14 10:05:08 rt_1 pluto[5447]: "alfa-watchguard" #1: NAT-Traversal:
> Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
> Jul 14 10:05:08 rt_1 pluto[5447]: "alfa-watchguard" #1: transition from
> state STATE_MAIN_I2 to state STATE_MAIN_I3
> Jul 14 10:05:08 rt_1 pluto[5447]: | protocol/port in Phase 1 ID Payload
> is 17/0. accepted with port_floating NAT-T
> Jul 14 10:05:08 rt_1 pluto[5447]: "alfa-watchguard" #1: Peer ID is
> ID_IPV4_ADDR: 'x.x.x.x'
> Jul 14 10:05:08 rt_1 pluto[5447]: "alfa-watchguard" #1: transition from
> state STATE_MAIN_I3 to state STATE_MAIN_I4
> Jul 14 10:05:08 rt_1 pluto[5447]: "alfa-watchguard" #1: ISAKMP SA
> established
> Jul 14 10:05:08 rt_1 pluto[5447]: "alfa-watchguard" #2: initiating Quick
> Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
> Jul 14 10:05:08 rt_1 pluto[5447]: "alfa-watchguard" #2: transition from
> state STATE_QUICK_I1 to state STATE_QUICK_I2
> Jul 14 10:05:08 rt_1 pluto[5447]: "alfa-watchguard" #2: sent QI2, IPsec
> SA established {ESP=>0xcb04ae40 <0x0b76643c NATOA=0.0.0.0}

So the tunnel is up now.

> Jul 14 10:49:39 rt_1 pluto[5447]: "alfa-watchguard" #3: initiating Main
> Mode to replace #1
> ---------------------------    from this moment vpn doesn't work     

The rekey should not bring the old tunnel down.

> Jul 14 11:02:49 rt_1 pluto[5447]: "alfa-watchguard" #3: max number of
> retransmissions (20) reached STATE_MAIN_I1.  No response (or no
> acceptable response) to our first IKE message

That's odd. Suddenly the watchguard is not talking to us at all?
Check the logs on the watchguard. Something is wrong there.
Perhaps it has some "dont rekey" option set?

Paul

More information about the Users mailing list