[Openswan Users] Openswan 2.4.6 - cisco pix ike problem

Ales Klok orrie at seznam.cz
Thu Oct 12 14:44:10 EDT 2006


Hi there, I'm trying to set up a tunnel to a Cisco PIX (I don't know the exact type, I don't have direct access to it). Everything looks good, the tunnel goes up, but after some time I got this:

Here's the complete log after an ipsec restart:
Oct 12 14:36:48 gate ipsec__plutorun: Starting Pluto subsystem...
Oct 12 14:36:48 gate pluto[10954]: Starting Pluto (Openswan Version 2.4.6 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEN|EMqk_Mlg)
Oct 12 14:36:48 gate pluto[10954]: Setting NAT-Traversal port-4500 floating to off
Oct 12 14:36:48 gate pluto[10954]: port floating activation criteria nat_t=0/port_fload=1
Oct 12 14:36:48 gate pluto[10954]: including NAT-Traversal patch (Version 0.6c) [disabled]
Oct 12 14:36:48 gate pluto[10954]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
Oct 12 14:36:48 gate pluto[10954]: WARNING: Using /dev/urandom as the source of random
Oct 12 14:36:48 gate pluto[10954]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Oct 12 14:36:48 gate pluto[10954]: starting up 1 cryptographic helpers
Oct 12 14:36:48 gate pluto[10955]: WARNING: Open of /dev/hw_random failed in init_rnd_pool(), trying alternate sources of random
Oct 12 14:36:48 gate pluto[10955]: WARNING: Using /dev/urandom as the source of random
Oct 12 14:36:48 gate pluto[10954]: started helper pid=10955 (fd:5)
Oct 12 14:36:48 gate pluto[10954]: Using KLIPS IPsec interface code on 2.4.32
Oct 12 14:36:48 gate pluto[10954]: Changing to directory '/etc/ipsec.d/cacerts'
Oct 12 14:36:48 gate pluto[10954]: Changing to directory '/etc/ipsec.d/aacerts'
Oct 12 14:36:48 gate pluto[10954]: Changing to directory '/etc/ipsec.d/ocspcerts'
Oct 12 14:36:48 gate pluto[10954]: Changing to directory '/etc/ipsec.d/crls'
Oct 12 14:36:48 gate pluto[10954]: Warning: empty directory
Oct 12 14:36:48 gate pluto[10954]: added connection description "cross-rsd"
Oct 12 14:36:48 gate pluto[10954]: listening for IKE messages
Oct 12 14:36:48 gate pluto[10954]: adding interface ipsec0/eth0 ddd.ccc.bbb.aaa:500
Oct 12 14:36:48 gate pluto[10954]: loading secrets from "/etc/ipsec.secrets"
Oct 12 14:36:48 gate pluto[10954]: "cross-rsd" #6: initiating Main Mode
Oct 12 14:36:48 gate pluto[10954]: "cross-rsd" #6: ignoring unknown Vendor ID payload [4048b7d56ebce88525e7de7f00d6c2d3c0000000]
Oct 12 14:36:48 gate pluto[10954]: "cross-rsd" #6: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Oct 12 14:36:48 gate pluto[10954]: "cross-rsd" #6: STATE_MAIN_I2: sent MI2, expecting MR2
Oct 12 14:36:48 gate pluto[10954]: "cross-rsd" #6: received Vendor ID payload [Cisco-Unity]
Oct 12 14:36:48 gate pluto[10954]: "cross-rsd" #6: received Vendor ID payload [XAUTH]
Oct 12 14:36:48 gate pluto[10954]: "cross-rsd" #6: ignoring unknown Vendor ID payload [de00053fa3079c3e67cf9f6ebec00f96]
Oct 12 14:36:48 gate pluto[10954]: "cross-rsd" #6: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Oct 12 14:36:48 gate pluto[10954]: "cross-rsd" #6: I did not send a certificate because I do not have one.
Oct 12 14:36:48 gate pluto[10954]: "cross-rsd" #6: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Oct 12 14:36:48 gate pluto[10954]: "cross-rsd" #6: STATE_MAIN_I3: sent MI3, expecting MR3
Oct 12 14:36:48 gate pluto[10954]: "cross-rsd" #6: received Vendor ID payload [Dead Peer Detection]
Oct 12 14:36:48 gate pluto[10954]: "cross-rsd" #6: Main mode peer ID is ID_FQDN: '@rightsecret'
Oct 12 14:36:48 gate pluto[10954]: "cross-rsd" #6: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Oct 12 14:36:48 gate pluto[10954]: "cross-rsd" #6: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
Oct 12 14:36:48 gate pluto[10954]: "cross-rsd" #6: Dead Peer Detection (RFC 3706): enabled
Oct 12 14:36:48 gate pluto[10954]: "cross-rsd" #7: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#6}
Oct 12 14:36:48 gate pluto[10954]: "cross-rsd" #7: Dead Peer Detection (RFC 3706): enabled
Oct 12 14:36:48 gate pluto[10954]: "cross-rsd" #7: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Oct 12 14:36:48 gate pluto[10954]: "cross-rsd" #7: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x45d1a653 <0x6470eff9 xfrm=3DES_0-HMAC_MD5 NATD=none
Oct 12 15:07:17 gate pluto[10954]: "cross-rsd" #6: received Delete SA payload: deleting ISAKMP State #6
Oct 12 15:07:17 gate pluto[10954]: packet from aaa.bbb.ccc.ddd:500: received and ignored informational message
Oct 12 15:07:17 gate pluto[10954]: packet from aaa.bbb.ccc.ddd:500: Informational Exchange is for an unknown (expired?) SA
Oct 12 15:07:21 gate pluto[10954]: "cross-rsd" #7: DPD: Serious: could not find newest phase 1 state

my ipsec.conf
-----------------
version 2.0
config setup
    nat_traversal=no
conn %default
    keyingtries=0
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
conn cross-rsd
    left=ddd.ccc.bbb.aaa
    leftsubnet=172.31.193.0/24
    leftid=@leftsecret
    right=aaa.bbb.ccc.ddd
    rightid=@rightsecret
    rightsubnet=192.168.0.0/16
    pfs=no
    authby=secret
    auto=start
include /etc/ipsec.d/examples/no_oe.conf

ipsec.secrets
-----------------
@leftsecret @rightsecret : PSK "top secret"

After the conn is established, whack lists this:
000 #3: "cross-rsd":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 28011s; newest IPSEC; eroute owner
000 #3: "cross-rsd" esp.d74f1a0e at aaa.bbb.ccc.ddd esp.1a930e84 at ddd.ccc.bbb.aaa tun.1002 at aaa.bbb.ccc.ddd tun.1001 at ddd.ccc.bbb.aaa 
000 #1: "cross-rsd":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE_IF_USED in 2740s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)

What is EVENT_SA_REPLACE_IF_USED ?
Thanks for any advice.
Orrie
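Added example (not from the original post or from Openswan): a small Python script that turns pluto log lines like the ones above into a per-SA timeline and flags the pattern visible in this log, an ISAKMP (Phase 1) SA deleted at the peer's request while an IPsec (Phase 2) SA negotiated under it is still up, which is the situation in which the later DPD check reports "could not find newest phase 1 state". Measuring how long the Phase 1 SA actually lived before the peer deleted it gives a number to compare against the IKE lifetimes configured on each side. The sample lines are constructed from the log in the post; the year is an assumption, since syslog timestamps carry none.

```python
"""Parse Openswan pluto log lines into per-SA events and flag a Phase 1 SA
that the peer deleted while a child IPsec SA still depended on it."""
import re
from datetime import datetime

YEAR = 2006  # assumption: syslog lines carry no year; taken from the mail date

# Sample lines constructed from the log in the post (abridged to the SA events).
SAMPLE_LOG = """\
Oct 12 14:36:48 gate pluto[10954]: "cross-rsd" #6: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
Oct 12 14:36:48 gate pluto[10954]: "cross-rsd" #7: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#6}
Oct 12 14:36:48 gate pluto[10954]: "cross-rsd" #7: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x45d1a653 <0x6470eff9 xfrm=3DES_0-HMAC_MD5 NATD=none
Oct 12 15:07:17 gate pluto[10954]: "cross-rsd" #6: received Delete SA payload: deleting ISAKMP State #6
Oct 12 15:07:17 gate pluto[10954]: packet from aaa.bbb.ccc.ddd:500: received and ignored informational message
Oct 12 15:07:21 gate pluto[10954]: "cross-rsd" #7: DPD: Serious: could not find newest phase 1 state
"""

# Only lines that carry a connection name and a state number (#N) are SA events.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$'
)
USING_RE = re.compile(r'\{using isakmp#(\d+)\}')      # Quick Mode -> parent ISAKMP SA
DELETE_RE = re.compile(r'deleting ISAKMP State #(\d+)')


def parse_ts(text):
    """Syslog timestamp (no year) -> datetime, with the assumed year filled in."""
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=YEAR)


def parse_events(log_text):
    """Return the SA-related lines as dicts; startup and packet-level lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": parse_ts(m.group("ts")),
            "conn": m.group("conn"),
            "sa": int(m.group("sa")),
            "msg": m.group("msg"),
        })
    return events


def analyze(log_text):
    """Find IPsec SAs whose parent ISAKMP SA was deleted before their DPD check ran."""
    phase1 = {}     # ISAKMP SA number -> record
    parent_of = {}  # IPsec SA number -> ISAKMP SA number it was negotiated under
    findings = []
    for ev in parse_events(log_text):
        msg, sa = ev["msg"], ev["sa"]
        if "ISAKMP SA established" in msg:
            phase1[sa] = {"conn": ev["conn"], "established": ev["ts"],
                          "children": [], "deleted": None, "deleted_by_peer": False}
        elif (u := USING_RE.search(msg)):
            parent = int(u.group(1))
            parent_of[sa] = parent
            if parent in phase1:
                phase1[parent]["children"].append(sa)
        elif (d := DELETE_RE.search(msg)):
            victim = int(d.group(1))
            if victim in phase1:
                phase1[victim]["deleted"] = ev["ts"]
                # A Delete SA payload means the other side tore Phase 1 down.
                phase1[victim]["deleted_by_peer"] = msg.startswith("received Delete SA payload")
        elif "could not find newest phase 1 state" in msg:
            rec = phase1.get(parent_of.get(sa))
            if rec is not None and rec["deleted"] is not None:
                findings.append({
                    "conn": rec["conn"],
                    "isakmp_sa": parent_of[sa],
                    "ipsec_sa": sa,
                    "deleted_by_peer": rec["deleted_by_peer"],
                    "phase1_lifetime_s": int((rec["deleted"] - rec["established"]).total_seconds()),
                    "dpd_failed_at": ev["ts"],
                })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        who = "peer" if f["deleted_by_peer"] else "local side"
        print(f'{f["conn"]}: ISAKMP SA #{f["isakmp_sa"]} deleted by {who} after '
              f'{f["phase1_lifetime_s"]}s; IPsec SA #{f["ipsec_sa"]} then failed DPD at '
              f'{f["dpd_failed_at"]:%H:%M:%S}')
```

Run against the sample it reports the Phase 1 SA living 1829 seconds (about 30 minutes) before the peer's Delete arrived, and that the orphaned IPsec SA #7 hit the DPD failure four seconds later; feed it a full /var/log/secure or syslog extract to see whether the deletion recurs at a fixed interval.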