[Openswan Users] DPD iritating warnings and X509 problem
Paul Wouters
paul at xelerance.com
Tue Oct 17 11:32:28 EDT 2006
On Tue, 17 Oct 2006, Rados?aw Antoniuk wrote:
> First trivial problem is:
> Is it possible to turn off the DPD messages?
> I'm getting a lot of
> "pix2" #271: DPD: Warning: R_U_THERE_ACK has invalid rcookie
> and it's getting me dizzy... :/
Try upgrading the cisco firmware?
Otherwise I guess disable the debug line programs/pluto/dpd.c if it
bothers you that much. But really, the Cisco is just broken.
> The second problem is bigger. I have a nice ipsec+l2tpns installation on
> debian.The problem is that sometimes, after a successful (!)
> disconnection of the tunnels (both - ipsec+l2tp), openswan doesn't
> notice it
What do you mean with "disconnection of the tunnels"? If both were properly
disconnected, then openswan would receive a Delete/Notify message and
tear down the tunnel.
> and keeps track to the other gateway's IP thus making it
> impossible to communicate with itself without ipsec.
That's the (dis)advantage of using a VPN gateway with other non-ipsec
services (or portforwards). You protect against accidentally sending
unencrypted packets when you have a security association up.
If you don't properly terminate the IPsec tunnel, the VPN gateway will
only allow encrypted packets until rekey time. Since the server can't
rekey dynamic clients, it will terminate the conn, making it available
for unencrypted communication. However, at any time can your client
setup a new IPsec connection, despite that the first few setup packets
are "unencrypted". There is a special "hole" for IPsec negotiation. So
if your windows client crashes, you can re-establish the IPsec connection
without a problem.
Now, openswan supports Dead Peer Detection, which would solve your
problem. Unfortunately, Microsoft has not yet implemented DPD.
> 000 #1334: pending Phase 2 for "X509"[4] 217.116.110.1 replacing #757
> 000 #1335: "X509"[6] 217.116.110.1:500 STATE_MAIN_I1 (sent MI1,
> expecting MR1); EVENT_RETRANSMIT in 26s; nodpd
> 000 #1336: "X509"[8] 217.113.239.1:500 STATE_MAIN_I1 (sent MI1,
> expecting MR1); EVENT_RETRANSMIT in 19s; nodpd
> 000 #1336: pending Phase 2 for "X509"[8] 217.113.239.1 replacing #1190
> 000 #1336: pending Phase 2 for "X509"[8] 217.113.239.1 replacing #1189
> 000 #1336: pending Phase 2 for "X509"[8] 217.113.239.1 replacing #1187
> 000 #1336: pending Phase 2 for "X509"[8] 217.113.239.1 replacing #0
I am not sure why you have multiple instances rekeying here. Are you
trying to use multiple clients from behind the same NAT?
> Moreinfo:
> ipsec setup --version
> ipsec setup 2.4.6
ipsec --version would tell us more. Even better would be ipsec barf.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
More information about the Users
mailing list