[Openswan Users] Intermittent Connection

Paul Wouters paul at xelerance.com
Thu Jun 29 22:50:52 CEST 2006


On Thu, 29 Jun 2006, Pablo García wrote:

> Hi, I'm a newbie about IPSEC tunnels, I created a tunnel between a Linux
> 2.6.16.20 on a Fedora Core 5, and a PIX Firewall 535 running soft ver 6.1,
> using psk as a method of authentication.
> The tunnel seems to work fine, but I have intermittent reconnections and
> that's affecting my users, I'm getting these errors in the /var/log/secure
>
> [f7c6fd88070236c117dcaddd140c5364]
> UNKNOWN: Jun 28 19:55:41 routertech pluto[1818]: "tunnelipsec" #205:
> ignoring Vendor ID payload [Cisco VPN 3000 Series]
> UNKNOWN: Jun 28 19:55:41 routertech pluto[1818]: "tunnelipsec" #205:
> STATE_MAIN_R2: sent MR2, expecting MI3
> UNKNOWN: Jun 28 19:55:42 routertech pluto[1818]: "tunnelipsec" #205: I did
> not send a certificate because I do not have one.
> UNKNOWN: Jun 28 20:40:41 routertech pluto[1818]: "tunnelipsec" #206:
> STATE_MAIN_R1: sent MR1, expecting MI2
> UNKNOWN: Jun 28 20:40:41 routertech pluto[1818]: "tunnelipsec" #206:
> ignoring unknown Vendor ID payload [1f78b75432e3a1cc54b5b8851a306bdc]
> UNKNOWN: Jun 28 20:40:41 routertech pluto[1818]: "tunnelipsec" #206:
> ignoring Vendor ID payload [Cisco VPN 3000 Series]
> UNKNOWN: Jun 28 20:40:41 routertech pluto[1818]: "tunnelipsec" #206:
> STATE_MAIN_R2: sent MR2, expecting MI3
> UNKNOWN: Jun 28 20:40:42 routertech pluto[1818]: "tunnelipsec" #206: I did
> not send a certificate because I do not have one.
> UNKNOWN: Jun 28 21:25:41 routertech pluto[1818]: "tunnelipsec" #207:
> STATE_MAIN_R1: sent MR1, expecting MI2
> UNKNOWN: Jun 28 21:25:41 routertech pluto[1818]: "tunnelipsec" #207:
> ignoring unknown Vendor ID payload [5d3c9301cb3e3aa637a1277912bc9d3f]
> UNKNOWN: Jun 28 21:25:41 routertech pluto[1818]: "tunnelipsec" #207:
> ignoring Vendor ID payload [Cisco VPN 3000 Series]
> UNKNOWN: Jun 28 21:25:41 routertech pluto[1818]: "tunnelipsec" #207:
> STATE_MAIN_R2: sent MR2, expecting MI3
> UNKNOWN: Jun 28 21:25:42 routertech pluto[1818]: "tunnelipsec" #207: I did
> not send a certificate because I do not have one.
> UNKNOWN: Jun 28 22:10:41 routertech pluto[1818]: "tunnelipsec" #208:
> STATE_MAIN_R1: sent MR1, expecting MI2
> UNKNOWN: Jun 28 22:10:41 routertech pluto[1818]: "tunnelipsec" #208:
> ignoring unknown Vendor ID payload [b1eb154c6faedb7c0a28ccf3267ddab9]
> UNKNOWN: Jun 28 22:10:41 routertech pluto[1818]: "tunnelipsec" #208:
> ignoring Vendor ID payload [Cisco VPN 3000 Series]
> UNKNOWN: Jun 28 22:10:41 routertech pluto[1818]: "tunnelipsec" #208:
> STATE_MAIN_R2: sent MR2, expecting MI3
> UNKNOWN: Jun 28 22:10:42 routertech pluto[1818]: "tunnelipsec" #208: I did
> not send a certificate because I do not have one.
> UNKNOWN: Jun 28 22:12:50 routertech pluto[1818]: "tunnelipsec" #209:
> STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> UNKNOWN: Jun 28 22:55:41 routertech pluto[1818]: "tunnelipsec" #210:
> STATE_MAIN_R1: sent MR1, expecting MI2
> UNKNOWN: Jun 28 22:55:41 routertech pluto[1818]: "tunnelipsec" #210:
> ignoring unknown Vendor ID payload [9de3cb4613dd369d66383473f87da32a]
> UNKNOWN: Jun 28 22:55:41 routertech pluto[1818]: "tunnelipsec" #210:
> ignoring Vendor ID payload [Cisco VPN 3000 Series]
> UNKNOWN: Jun 28 22:55:41 routertech pluto[1818]: "tunnelipsec" #210:
> STATE_MAIN_R2: sent MR2, expecting MI3
> UNKNOWN: Jun 28 22:55:42 routertech pluto[1818]: "tunnelipsec" #210: I did
> not send a certificate because I do not have one.
> UNKNOWN: Jun 28 23:40:41 routertech pluto[1818]: "tunnelipsec" #211:
> STATE_MAIN_R1: sent MR1, expecting MI2
> UNKNOWN: Jun 28 23:40:41 routertech pluto[1818]: "tunnelipsec" #211:
> ignoring unknown Vendor ID payload

Are you sure it is working at all, and your packets aren't going plaintext all
the time?

> Anyone have an idea of what might be happening? Or where's the source of
> these messages?

One possible explanation is that initiator and responder switch, and that the
failure only occurs when openswan is the responder. Try setting openswan's
ikelifetime= to less than 1 hour to force openswan to stay an initiator,
and see what happens.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
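The pattern Paul points to (every Phase 1 exchange logged as STATE_MAIN_R*, i.e. openswan acting as responder, at a fixed 45-minute interval) can be checked mechanically. The Python script below is an added example, not code from the thread or from Openswan: it parses pluto state lines of the form quoted above, counts responder versus initiator Phase 1 negotiations per SA number, measures the peer's rekey interval, and reports whether a given ikelifetime (in seconds) is short enough for openswan to rekey first. The sample lines are constructed from the ones quoted in the thread; the year is assumed because syslog lines carry none.

```python
import re
from datetime import datetime

# Constructed sample in the format of the pluto lines quoted in the thread
# (the log collector's "UNKNOWN: " prefix is tolerated but omitted here).
SAMPLE_LOG = """\
Jun 28 19:55:41 routertech pluto[1818]: "tunnelipsec" #205: STATE_MAIN_R1: sent MR1, expecting MI2
Jun 28 19:55:41 routertech pluto[1818]: "tunnelipsec" #205: STATE_MAIN_R2: sent MR2, expecting MI3
Jun 28 20:40:41 routertech pluto[1818]: "tunnelipsec" #206: STATE_MAIN_R1: sent MR1, expecting MI2
Jun 28 21:25:41 routertech pluto[1818]: "tunnelipsec" #207: STATE_MAIN_R1: sent MR1, expecting MI2
Jun 28 22:10:41 routertech pluto[1818]: "tunnelipsec" #208: STATE_MAIN_R1: sent MR1, expecting MI2
Jun 28 22:12:50 routertech pluto[1818]: "tunnelipsec" #209: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jun 28 22:55:41 routertech pluto[1818]: "tunnelipsec" #210: STATE_MAIN_R1: sent MR1, expecting MI2
"""
# Timestamp, connection name, SA number, phase and role (I = initiator, R = responder).
LINE_RE = re.compile(
    r'(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): STATE_(?P<phase>MAIN|AGGR|QUICK)_(?P<role>[IR])\d'
)

def parse_pluto(log, year=2006):
    """Yield (timestamp, conn, sa_number, phase, role) for each state line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m['conn'], int(m['sa']), m['phase'], m['role']

def analyse_ike_role(log, ikelifetime_s=3600):
    """Count which side starts each Phase 1 negotiation (first line per SA number) and how often."""
    first_seen = {}  # SA number -> (timestamp, role); Quick Mode (Phase 2) lines are skipped
    for ts, _conn, sa, phase, role in parse_pluto(log):
        if phase != 'QUICK' and sa not in first_seen:
            first_seen[sa] = (ts, role)
    starts = sorted(first_seen.values())
    roles = [role for _, role in starts]
    gaps = [(b - a).total_seconds() for (a, _), (b, _) in zip(starts, starts[1:])]
    peer_interval = min(gaps) if gaps else None
    return {
        'negotiations': len(starts),
        'responder_count': roles.count('R'),
        'initiator_count': roles.count('I'),
        'peer_rekey_interval_s': peer_interval,
        # Paul's suggestion: an ikelifetime below the peer's rekey interval makes openswan rekey first.
        'ikelifetime_keeps_initiator': peer_interval is not None
                                       and ikelifetime_s < peer_interval,
    }
```

Run against the sample, the report shows five Phase 1 negotiations, all with openswan as responder, 2700 seconds apart; an ikelifetime of 3600 is too long to change that, while 2400 would let openswan rekey first.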
