[Openswan Users] Stuck Connection

Paul Wouters paul at xelerance.com
Tue Oct 10 11:49:39 EDT 2006 

On Tue, 10 Oct 2006, Mark Olliver wrote:
> Local Lan 192.168.242.0/24 eth0
> 	|
> Local Firewall ipsec0
> 	|
> Local Public 81.17.242.10 eth1
> 	|
> 	|
> Remote Public 212.159.53.154 eth1
> 	|
> Remote Firewall ipsec0
> 	|
> Remote Lan 192.168.234.0/23 eth0


> Config Settings
> conn ielan-ukoflan
>         leftsubnet=192.168.242.0/24
>         rightsubnet=192.168.234.0/24
>         also=iecollo-ukoffice
>
> conn iecollo-ukoflan
>         leftsubnet=81.17.242.10/32

You are better of using a single connection with
both left/right subnets and using leftsourceip= and
rightsourceip= to denote the inner IP's of the gateways
so they can talk to each over over the vpn without the
need for 4 tunnels.

> iptables -t nat -A POSTROUTING -s 192.168.242.0/24 -d \! 192.168.234.0/24 -o
> eth1 -j SNAT --to 81.17.242.81

I assume the other had has the same kind of NAT rule, or packets will still
break.

> Oct 10 14:53:53 ie-fw1 pluto[7054]: 1 bad entries in virtual_private - none
> loaded

since you're not using NAT harmless, but perhsps fix/comment out the line.

> Oct 10 14:53:53 ie-fw1 pluto[7054]: Using KLIPS IPsec interface code on
> 2.6.18

You are using klips on 2.6.18 with openswan 2.4.6? You must have patched
the source then to fix various config.h related issues?

> sent QI2, IPsec SA established {ESP=>0xee37a1ca <0x
> 6f27582e xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x0000a621 <0x0000daea NATD=none
> DPD=enabled}

looks good.

> Oct 10 14:54:16 ie-fw1 pluto[7054]: packet from 212.159.53.154:500: Quick
> Mode message is for a non-existent (expired?) ISAKMP SA

Not sure what that is. Are all 4 tunnels up and stable, or does it keep
negotiating?

> Oct 10 14:39:15 Pluto[194]: "OFFICE-IE_0" #140: responding to Main Mode
> Oct 10 14:39:15 Pluto[194]: "OFFICE-IE_0" #140: NAT-Traversal: Result using
> draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
> Oct 10 14:39:16 Pluto[194]: "OFFICE-IE_0" #140: sent MR3, ISAKMP SA
> established
> Oct 10 14:39:16 Pluto[194]: "OFFICE-IE_1" #141: using deflate compression
> Oct 10 14:39:16 Pluto[194]: "OFFICE-IE_1" #141: responding to Quick Mode
> Oct 10 14:39:16 Pluto[194]: "OFFICE-IE_1" #141: ESP transform ESP_AES / auth
> AUTH_ALGORITHM_HMAC_SHA1 implemented

What is this software? pluto with a capital P? Some messages I do not
recognise. Is this a freeswan/openswan derivative?

> Oct 10 14:42:39 Pluto[194]: "OFFICE-IE_2" #145: using deflate compression
> Oct 10 14:42:39 Pluto[194]: "OFFICE-IE_2" #145: responding to Quick Mode
> Oct 10 14:42:39 Pluto[194]: "OFFICE-IE_2" #145: ESP transform ESP_AES / auth
> AUTH_ALGORITHM_HMAC_SHA1 implemented
> Oct 10 14:42:48 Pluto[194]: "OFFICE-IE_2" #145: discarding duplicate packet;
> already STATE_QUICK_R1
> Oct 10 14:43:49 last message repeated 1 time(s)
> Oct 10 14:43:49 Pluto[194]: "OFFICE-IE_2" #145: max number of
> retransmissions (2) reached STATE_QUICK_R1

So it seems negotiating keeps looping. Try using 1 tunnel and see if that
improves things.

Paul

More information about the Users mailing list