[Openswan Users] Intermittent Connection

Paul Wouters paul at xelerance.com
Fri Jun 30 01:14:37 CEST 2006


On Thu, 29 Jun 2006, Pablo García wrote:

> Paul, you're right, the tunnel is established but the traffic isn't being
> encrypted, any idea why?

I don't think the tunnel is established at all. Do you have a log entry
saying "IPsec SA Established"?

Paul

> Thanks a lot, Pablo
>
> On 6/29/06, Paul Wouters <paul at xelerance.com> wrote:
> >
> > On Thu, 29 Jun 2006, Pablo García wrote:
> >
> > > Hi, I'm a newbie about IPSEC tunnels. I created a tunnel between a Linux
> > > 2.6.16.20 on a Fedora Core 5, and a PIX Firewall 535 running soft ver 6.1,
> > > using psk as a method of authentication.
> > > The tunnel seems to work fine, but I have intermittent reconnections and
> > > that's affecting my users. I'm getting these errors in /var/log/secure
> > >
> > > UNKNOWN: Jun 28 22:55:41 routertech pluto[1818]: "tunnelipsec" #210: STATE_MAIN_R1: sent MR1, expecting MI2
> > > UNKNOWN: Jun 28 22:55:41 routertech pluto[1818]: "tunnelipsec" #210: ignoring unknown Vendor ID payload [9de3cb4613dd369d66383473f87da32a]
> > > UNKNOWN: Jun 28 22:55:41 routertech pluto[1818]: "tunnelipsec" #210: ignoring Vendor ID payload [Cisco VPN 3000 Series]
> > > UNKNOWN: Jun 28 22:55:41 routertech pluto[1818]: "tunnelipsec" #210: STATE_MAIN_R2: sent MR2, expecting MI3
> > > UNKNOWN: Jun 28 22:55:42 routertech pluto[1818]: "tunnelipsec" #210: I did not send a certificate because I do not have one.
> > > UNKNOWN: Jun 28 23:40:41 routertech pluto[1818]: "tunnelipsec" #211: STATE_MAIN_R1: sent MR1, expecting MI2
> > > UNKNOWN: Jun 28 23:40:41 routertech pluto[1818]: "tunnelipsec" #211: ignoring unknown Vendor ID payload
> >
> > Are you sure it is working at all, and your packets aren't going plaintext
> > all the time?
> >
> > > Anyone have an idea of what might be happening? Or where's the source of
> > > these messages?
> >
> > One possible explanation is that initiator and responder switch, and only
> > when openswan is the responder that there is a failure. Try setting openswan's
> > ikelifetime= to less than 1 hour to force openswan to stay an initiator,
> > and see what happens.
> >
> > Paul
> > --
> > Building and integrating Virtual Private Networks with Openswan:
> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> >
>

-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
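As an added example (not part of the thread or of Openswan itself), the script below applies the two checks Paul suggests to pluto log lines of the format quoted above: for each ISAKMP state number it reports whether openswan acted as responder (STATE_MAIN_R*) or initiator (STATE_MAIN_I*), whether that negotiation ever logged "IPsec SA established", and how many minutes passed between negotiation starts, which is the number to compare with ikelifetime=. The year (2006) and the one success line for state #212 are assumptions, since syslog omits the year and the thread shows no completed negotiation.

```python
import re
from datetime import datetime
# Matches the pluto lines quoted above: optional "UNKNOWN:" prefix, syslog
# timestamp, host, pluto[pid], connection name, ISAKMP state number, message.
LINE_RE = re.compile(
    r'^(?:UNKNOWN: )?(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<num>\d+): (?P<msg>.*)$')

def parse_pluto(lines, year=2006):
    """Group messages by state number; the year is assumed (syslog omits it)."""
    states = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a pluto state line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        st = states.setdefault(int(m['num']), {'first': ts, 'msgs': []})
        st['msgs'].append(m['msg'])
    return states

def summarize(states):
    """Per state: which side initiated, and whether an IPsec SA was established."""
    out = {}
    for num, st in sorted(states.items()):
        text = ' '.join(st['msgs'])
        role = 'unknown'
        if re.search(r'STATE_(MAIN|QUICK)_R', text):
            role = 'responder'  # MR1/MR2 sent: the peer (the PIX) initiated
        elif re.search(r'STATE_(MAIN|QUICK)_I', text):
            role = 'initiator'  # openswan started this negotiation
        out[num] = {'role': role, 'first': st['first'],
                    'established': 'ipsec sa established' in text.lower()}
    return out

def unfinished_states(summary):
    """State numbers that never logged 'IPsec SA established' (Paul's check)."""
    return [n for n, s in summary.items() if not s['established']]

def gaps_minutes(summary):
    """Minutes between successive negotiation starts, to compare with ikelifetime."""
    firsts = [s['first'] for _, s in sorted(summary.items())]
    return [round((b - a).total_seconds() / 60) for a, b in zip(firsts, firsts[1:])]

# Sample input: lines quoted in the thread (unwrapped) plus one constructed
# success line (#212) showing what a completed negotiation logs.
SAMPLE = [
    'UNKNOWN: Jun 28 22:55:41 routertech pluto[1818]: "tunnelipsec" #210: STATE_MAIN_R1: sent MR1, expecting MI2',
    'UNKNOWN: Jun 28 22:55:41 routertech pluto[1818]: "tunnelipsec" #210: STATE_MAIN_R2: sent MR2, expecting MI3',
    'UNKNOWN: Jun 28 23:40:41 routertech pluto[1818]: "tunnelipsec" #211: STATE_MAIN_R1: sent MR1, expecting MI2',
    'Jun 28 23:41:03 routertech pluto[1818]: "tunnelipsec" #212: STATE_QUICK_R2: IPsec SA established',  # constructed
]
```

On the quoted lines this reports states #210 and #211 as responder-side and never established, 45 minutes apart: the PIX is re-initiating, and openswan is the responder each time, which is the pattern Paul describes.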

