[Openswan Users] Re: SonicWALL weirdness...

Francesco Peeters Francesco at FamPeeters.com
Wed Mar 8 07:07:57 CET 2006


On Tue, March 7, 2006 15:57, Paul Wouters said:
> On Tue, 7 Mar 2006, Francesco Peeters wrote:
>
>> > 2) Everything works fine (except the VPN to VPN, as described above) until
>> > the key expires. Once the key expires, the tunnel breaks. The only
>> > solution I have found to work so far:
>> > ipsec whack --shutdown
>> > ipsec setup --restart
>> > ipsec whack --name group --initialize
>
> What happens if you just do: ipsec auto --up group ?
>

OK, only tested it once so far, but:
ipsec auto --down group
ipsec auto --up group
successfully restored the vpn connection this time... So far so good!

> Can you show the output of 'ipsec barf' after trying this without a
> shutdown/restart.
>

I think the important bit - at least when using above commands - is that
the XAuth info is not being cached:
Mar  8 01:37:46 localhost pluto[9646]: "group" #3: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
Mar  8 01:37:46 localhost pluto[9646]: "group" #3: Dead Peer Detection (RFC 3706): enabled
Mar  8 01:37:46 localhost pluto[9646]: "group" #3: XAUTH username requested, but no file descriptor available for prompt
Mar  8 01:37:46 localhost pluto[9646]: "group" #3: sending encrypted notification CERTIFICATE_UNAVAILABLE to 172.16.0.1:500
Mar  8 01:37:51 localhost pluto[9646]: "group" #3: Informational Exchange message must be encrypted
Mar  8 01:38:51 localhost pluto[9646]: "group" #3: DPD: No response from peer - declaring peer dead
Mar  8 01:38:51 localhost pluto[9646]: "group" #3: DPD: Clearing Connection

HTH!

-- 
Francesco Peeters
----
GPG Key = AA69 E7C6 1D8A F148 160C  D5C4 9943 6E38 D5E3 7704
If your program doesn't recognize my signature, please visit
http://www.CAcert.org/index.php?id=3 to retrieve the Root CA certificate.
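An added example, not part of this thread or of Openswan itself: a small POSIX shell helper that scans pluto log lines for the two symptoms visible in the excerpt above (the XAUTH prompt that cannot be answered because no file descriptor is available, and DPD declaring the peer dead) and, if asked, re-initiates the connection with the `ipsec auto --down` / `ipsec auto --up` pair that worked for Francesco. The function names `pluto_conn_status` and `reinitiate_conn` are my own; the log lines in `SAMPLE_LOG` are constructed from the excerpt in the post, and the optional second argument to `reinitiate_conn` exists only so the command can be swapped for `echo` when trying it out without touching a live tunnel.

```shell
#!/bin/sh
# Added example (not from the Openswan thread): classify pluto log lines per
# connection and optionally re-initiate the tunnel the way the thread suggests.

# Constructed sample, copied from the log excerpt in the post (wrapping removed).
SAMPLE_LOG='Mar  8 01:37:46 localhost pluto[9646]: "group" #3: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
Mar  8 01:37:46 localhost pluto[9646]: "group" #3: Dead Peer Detection (RFC 3706): enabled
Mar  8 01:37:46 localhost pluto[9646]: "group" #3: XAUTH username requested, but no file descriptor available for prompt
Mar  8 01:37:46 localhost pluto[9646]: "group" #3: sending encrypted notification CERTIFICATE_UNAVAILABLE to 172.16.0.1:500
Mar  8 01:38:51 localhost pluto[9646]: "group" #3: DPD: No response from peer - declaring peer dead
Mar  8 01:38:51 localhost pluto[9646]: "group" #3: DPD: Clearing Connection'

# pluto_conn_status CONN LOGTEXT
# Prints one word describing the newest problem seen for CONN:
#   xauth-noprompt  pluto asked for the XAUTH username but had nowhere to ask
#   peer-dead       DPD gave up on the peer
#   ok              neither symptom present
# Returns 0 for "ok", 1 otherwise, so it can drive a watchdog.
pluto_conn_status() {
    conn=$1
    log=$2
    # Match only lines for this connection name; pluto quotes the name and
    # follows it with the state number, e.g.  pluto[9646]: "group" #3:
    tag="pluto\[[0-9]*\]: \"$conn\" #[0-9]*: "
    if printf '%s\n' "$log" | grep -q "${tag}XAUTH username requested, but no file descriptor available for prompt"; then
        # Root cause in the thread: the XAuth credentials were not cached,
        # so the re-key could not complete and DPD failed afterwards.
        echo xauth-noprompt
        return 1
    fi
    if printf '%s\n' "$log" | grep -q "${tag}DPD: No response from peer - declaring peer dead"; then
        echo peer-dead
        return 1
    fi
    echo ok
    return 0
}

# reinitiate_conn CONN [IPSEC_CMD]
# Brings the connection down and up again, the sequence that restored the
# tunnel in the thread. IPSEC_CMD defaults to "ipsec"; pass "echo" to dry-run.
reinitiate_conn() {
    conn=$1
    ipsec_cmd=${2:-ipsec}
    "$ipsec_cmd" auto --down "$conn" && "$ipsec_cmd" auto --up "$conn"
}

# Typical use (commented out so the file can be sourced without side effects):
#   if ! pluto_conn_status group "$(grep pluto /var/log/secure)"; then
#       reinitiate_conn group
#   fi
```

Run against the sample, `pluto_conn_status group "$SAMPLE_LOG"` prints `xauth-noprompt`, which is the line to watch for: if it shows up after every re-key, the fix is to make the XAuth credentials available to pluto non-interactively rather than to keep restarting the tunnel.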

