[Openswan Users] Openswan and Nortel Interop Problem

Peter McGill petermcgill at goco.net
Thu Sep 28 11:06:52 EDT 2006


Slackware 10.0/Kernel 2.4.31
Linux Openswan 2.4.6 (klips)

My Openswan just started crashing a few days ago.
I've had 2; they have the same thing happening just prior.
The same connection fails to renew.
The remote switch is a Nortel Contivity VPN Switch.
I am not 100% certain but I believe I may have added
Dead Peer Detection to the connection a few days before
the first crash.

This appears to be related to my previous post by the
same name, as the criteria leading up to the crash are the
same as the criteria in my previous post. So I've used the
same subject.

ipsec.conf:
version 2.0

config setup
        interfaces=%defaultroute
        uniqueids=yes

include /etc/ipsec.d/examples/no_oe.conf

# other connections

conn sunoco-172-16-19-net-to-london-office-net
        left=66.x.x.x
        leftnexthop=%defaultroute
        leftsubnet=172.21.0.0/16
        alsoflip=sunoco-toronto
        rightsubnet=172.16.0.0/14
        auto=start

conn sunoco-172-26-net-to-london-office-net
        left=66.x.x.x
        leftnexthop=%defaultroute
        leftsubnet=172.21.0.0/16
        alsoflip=sunoco-toronto
        rightsubnet=172.26.0.0/16
        auto=start

conn sunoco-192-168-net-to-london-office-net
        left=66.x.x.x
        leftnexthop=%defaultroute
        leftsubnet=172.21.0.0/16
        alsoflip=sunoco-toronto
        rightsubnet=192.168.0.0/16
        auto=start

conn sunoco-toronto
        left=199.x.x.x
        leftnexthop=%defaultroute
        also=sunoco

conn sunoco
        keyexchange=ike
        aggrmode=no
        auth=esp
        ike=3des-md5-modp1024
        esp=3des-md5
        pfs=yes
        compress=no # yes
        ikelifetime=1.0h
        keylife=1.0h # 8.0h
        rekey=yes
        keyingtries=%forever
        rekeymargin=9m
        rekeyfuzz=100%
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart # hold
        authby=secret


Crash #1:
/var/log/secure:Sep 24 19:17:00 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #407: initiating Main Mode to
replace #311
/var/log/secure:Sep 24 19:17:00 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #407: ignoring unknown Vendor ID
payload [424e455300000005]
/var/log/secure:Sep 24 19:17:00 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #407: received Vendor ID payload
[Dead Peer Detection]
/var/log/secure:Sep 24 19:17:00 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #407: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
/var/log/secure:Sep 24 19:17:00 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #407: STATE_MAIN_I2: sent MI2,
expecting MR2
/var/log/secure:Sep 24 19:17:00 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #407: I did not send a certificate
because I do not have one.
/var/log/secure:Sep 24 19:17:00 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #407: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
/var/log/secure:Sep 24 19:17:00 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #407: STATE_MAIN_I3: sent MI3,
expecting MR3
/var/log/secure:Sep 24 19:17:00 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #407: ignoring informational
payload, type IPSEC_INITIAL_CONTACT
/var/log/secure:Sep 24 19:17:00 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #407: Main mode peer ID is
ID_IPV4_ADDR: '199.212.129.226'
/var/log/secure:Sep 24 19:17:00 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #407: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
/var/log/secure:Sep 24 19:17:00 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #407: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
/var/log/secure:Sep 24 19:17:00 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #407: Dead Peer Detection (RFC
3706): enabled

/var/log/secure:Sep 24 19:17:02 sheridan pluto[1686]: "sunoco-172-26-net-to-london-office-net" #404: max number of retransmissions
(2) reached STATE_QUICK_I1.No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
/var/log/secure:Sep 24 19:17:02 sheridan pluto[1686]: "sunoco-172-26-net-to-london-office-net" #404: starting keying attempt 7 of an
unlimited number
/var/log/secure:Sep 24 19:17:02 sheridan pluto[1686]: "sunoco-172-26-net-to-london-office-net" #408: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP to replace#404 {using isakmp#407}
/var/log/secure:Sep 24 19:17:02 sheridan pluto[1686]: "sunoco-172-26-net-to-london-office-net" #408: Dead Peer Detection (RFC 3706):
enabled
/var/log/secure:Sep 24 19:17:02 sheridan pluto[1686]: "sunoco-172-26-net-to-london-office-net" #408: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
/var/log/secure:Sep 24 19:17:02 sheridan pluto[1686]: "sunoco-172-26-net-to-london-office-net" #408: STATE_QUICK_I2: sent QI2, IPsec
SA established {ESP=>0x001c85ed <0x7d6abe59 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}

/var/log/secure:Sep 24 19:17:06 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #311: Informational Exchange message
must be encrypted
/var/log/secure:Sep 24 19:17:06 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #311: Informational Exchange message
must be encrypted

/var/log/secure:Sep 24 19:17:46 sheridan pluto[1686]: "sunoco-172-26-net-to-london-office-net" #406: max number of retransmissions
(2) reached STATE_QUICK_I1
/var/log/secure:Sep 24 19:17:46 sheridan pluto[1686]: "sunoco-172-26-net-to-london-office-net" #406: starting keying attempt 10 of
an unlimited number
/var/log/secure:Sep 24 19:17:46 sheridan pluto[1686]: "sunoco-172-26-net-to-london-office-net" #409: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP to replace#406 {using isakmp#407}
/var/log/secure:Sep 24 19:17:46 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #405: max number of retransmissions
(2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
/var/log/secure:Sep 24 19:17:46 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #405: starting keying attempt 10 of
an unlimited number
/var/log/secure:Sep 24 19:17:46 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #410: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP to replace #405 {using isakmp#407}
/var/log/secure:Sep 24 19:17:46 sheridan pluto[1686]: "sunoco-172-26-net-to-london-office-net" #409: Dead Peer Detection (RFC 3706):
enabled
/var/log/secure:Sep 24 19:17:46 sheridan pluto[1686]: "sunoco-172-26-net-to-london-office-net" #409: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
/var/log/secure:Sep 24 19:17:46 sheridan pluto[1686]: "sunoco-172-26-net-to-london-office-net" #409: STATE_QUICK_I2: sent QI2, IPsec
SA established {ESP=>0x0022ca1e <0x7d6abe5a xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}
/var/log/secure:Sep 24 19:17:46 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #410: Dead Peer Detection (RFC
3706): enabled
/var/log/secure:Sep 24 19:17:46 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #410: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
/var/log/secure:Sep 24 19:17:46 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #410: STATE_QUICK_I2: sent QI2,
IPsec SA established {ESP=>0x0019cb79 <0x7d6abe5b xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}

/var/log/secure:Sep 24 19:26:02 sheridan pluto[1686]: "sunoco-172-16-19-net-to-london-office-net" #412: IPsec Transform [ESP_AES
(128), AUTH_ALGORITHM_HMAC_SHA1] refused due to strict flag
/var/log/secure:Sep 24 19:26:02 sheridan pluto[1686]: "sunoco-172-16-19-net-to-london-office-net" #412: no acceptable Proposal in
IPsec SA
/var/log/secure:Sep 24 19:26:02 sheridan pluto[1686]: "sunoco-172-16-19-net-to-london-office-net" #412: sending encrypted
notification NO_PROPOSAL_CHOSEN to 199.212.129.226:500

/var/log/secure:Sep 24 19:26:18 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #407: Quick Mode I1 message is
unacceptable because it uses a previously used Message ID 0x47e0bc41 (perhaps this is a duplicated packet)
/var/log/secure:Sep 24 19:26:18 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #407: sending encrypted notification
INVALID_MESSAGE_ID to 199.212.129.226:500

/var/log/secure:Sep 24 19:26:34 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #407: Quick Mode I1 message is
unacceptable because it uses a previously used Message ID 0x47e0bc41 (perhaps this is a duplicated packet)
/var/log/secure:Sep 24 19:26:34 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #407: sending encrypted notification
INVALID_MESSAGE_ID to 199.212.129.226:500

/var/log/secure:Sep 24 19:27:06 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #407: received Delete SA payload:
replace IPSEC State #410 in 10 seconds
/var/log/secure:Sep 24 19:27:06 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #407: received and ignored
informational message
/var/log/secure:Sep 24 19:27:06 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #407: received Delete SA payload:
replace IPSEC State #409 in 10 seconds
/var/log/secure:Sep 24 19:27:06 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #407: received and ignored
informational message
/var/log/secure:Sep 24 19:27:06 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #407: received Delete SA(0x001c85ed)
payload: deleting IPSEC State #408
/var/log/secure:Sep 24 19:27:06 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #407: received and ignored
informational message
/var/log/secure:Sep 24 19:27:06 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #407: received Delete SA payload:
deleting ISAKMP State #407
/var/log/secure:Sep 24 19:27:06 sheridan pluto[1686]: packet from 199.212.129.226:500: received and ignored informational message

/var/log/secure:Sep 24 19:27:16 sheridan pluto[1686]: "sunoco-172-26-net-to-london-office-net" #413: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP to replace #409 {using isakmp#311}
/var/log/secure:Sep 24 19:27:16 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #414: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP to replace #410 {using isakmp#311}

/var/log/syslog:Sep 24 19:27:16 sheridan ipsec__plutorun: /usr/local/lib/ipsec/_plutorun: line 1:  1686 Segmentation fault
/usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids
/var/log/syslog:Sep 24 19:27:16 sheridan ipsec__plutorun: !pluto failure!:  exited with error status 139 (signal 11)
/var/log/syslog:Sep 24 19:27:16 sheridan ipsec__plutorun: restarting IPsec after pause...

Manual Restart:
/var/log/syslog:Sep 25 09:08:28 sheridan ipsec_setup: Removing orphaned /var/run/pluto/pluto.pid:

/var/log/secure:Sep 25 09:08:29 sheridan ipsec__plutorun: Starting Pluto subsystem...

/var/log/secure:Sep 25 09:08:29 sheridan pluto[28014]: Starting Pluto (OpenswanVersion 2.4.6 X.509-1.5.4 PLUTO_SENDS_VENDORID
PLUTO_USES_KEYRR; Vendor ID OEN|EMqk_Mlg)


Crash #2:
/var/log/secure:Sep 28 06:15:21 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1198: initiating Main Mode to
replace #1144
/var/log/secure:Sep 28 06:15:21 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1198: ignoring unknown Vendor ID
payload [424e455300000005]
/var/log/secure:Sep 28 06:15:21 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1198: received Vendor ID payload
[Dead Peer Detection]
/var/log/secure:Sep 28 06:15:21 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1198: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
/var/log/secure:Sep 28 06:15:21 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1198: STATE_MAIN_I2: sent MI2,
expecting MR2
/var/log/secure:Sep 28 06:15:21 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1198: I did not send a certificate
because I do not have one.
/var/log/secure:Sep 28 06:15:21 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1198: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
/var/log/secure:Sep 28 06:15:21 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1198: STATE_MAIN_I3: sent MI3,
expecting MR3
/var/log/secure:Sep 28 06:15:21 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1198: ignoring informational
payload, type IPSEC_INITIAL_CONTACT
/var/log/secure:Sep 28 06:15:21 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1198: Main mode peer ID is
ID_IPV4_ADDR: '199.212.129.226'
/var/log/secure:Sep 28 06:15:21 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1198: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
/var/log/secure:Sep 28 06:15:21 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1198: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
/var/log/secure:Sep 28 06:15:21 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1198: Dead Peer Detection (RFC
3706): enabled

/var/log/secure:Sep 28 06:15:46 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1195: max number of retransmissions
(2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
/var/log/secure:Sep 28 06:15:46 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1195: starting keying attempt 8 of
an unlimited number
/var/log/secure:Sep 28 06:15:46 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1199: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP to replace #1195 {using isakmp#1198}
/var/log/secure:Sep 28 06:15:46 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1199: Dead Peer Detection (RFC
3706): enabled
/var/log/secure:Sep 28 06:15:46 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1199: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
/var/log/secure:Sep 28 06:15:46 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1199: STATE_QUICK_I2: sent QI2,
IPsec SA established {ESP=>0x0003121c <0x9c70c33b xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}

/var/log/secure:Sep 28 06:15:52 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1196: max number of retransmissions
(2) reached STATE_QUICK_I1
/var/log/secure:Sep 28 06:15:52 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1196: starting keying attempt 6 of
an unlimited number
/var/log/secure:Sep 28 06:15:52 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1200: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP to replace #1196 {using isakmp#1198}
/var/log/secure:Sep 28 06:15:52 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1200: Dead Peer Detection (RFC
3706): enabled
/var/log/secure:Sep 28 06:15:52 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1200: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
/var/log/secure:Sep 28 06:15:52 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1200: STATE_QUICK_I2: sent QI2,
IPsec SA established {ESP=>0x000ed387 <0x9c70c33c xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}

/var/log/secure:Sep 28 06:26:21 sheridan pluto[28014]: "sunoco-172-16-19-net-to-london-office-net" #1201: IPsec Transform [ESP_AES
(128), AUTH_ALGORITHM_HMAC_SHA1] refused due to strict flag
/var/log/secure:Sep 28 06:26:21 sheridan pluto[28014]: "sunoco-172-16-19-net-to-london-office-net" #1201: no acceptable Proposal in
IPsec SA
/var/log/secure:Sep 28 06:26:21 sheridan pluto[28014]: "sunoco-172-16-19-net-to-london-office-net" #1201: sending encrypted
notification NO_PROPOSAL_CHOSEN to 199.212.129.226:500

/var/log/secure:Sep 28 06:26:37 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1198: Quick Mode I1 message is
unacceptable because it uses a previously used Message ID 0x2964c25a (perhaps this is a duplicated packet)
/var/log/secure:Sep 28 06:26:37 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1198: sending encrypted
notification INVALID_MESSAGE_ID to 199.212.129.226:500

/var/log/secure:Sep 28 06:26:52 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1198: Quick Mode I1 message is
unacceptable because it uses a previously used Message ID 0x2964c25a (perhaps this is a duplicated packet)
/var/log/secure:Sep 28 06:26:52 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1198: sending encrypted
notification INVALID_MESSAGE_ID to 199.212.129.226:500

/var/log/secure:Sep 28 06:27:08 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1198: Quick Mode I1 message is
unacceptable because it uses a previously used Message ID 0x2964c25a (perhaps this is a duplicated packet)
/var/log/secure:Sep 28 06:27:08 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1198: sending encrypted
notification INVALID_MESSAGE_ID to 199.212.129.226:500

/var/log/secure:Sep 28 06:27:24 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1198: received Delete SA payload:
replace IPSEC State #1200 in 10 seconds
/var/log/secure:Sep 28 06:27:24 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1198: received and ignored
informational message

/var/log/secure:Sep 28 06:27:28 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1198: received Delete
SA(0x0003121c) payload: deleting IPSEC State #1199
/var/log/secure:Sep 28 06:27:28 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1198: received and ignored
informational message
/var/log/secure:Sep 28 06:27:28 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1198: received Delete SA payload:
deleting ISAKMP State #1198
/var/log/secure:Sep 28 06:27:28 sheridan pluto[28014]: packet from 199.212.129.226:500: received and ignored informational message

/var/log/secure:Sep 28 06:27:34 sheridan pluto[28014]: "sunoco-172-26-net-to-london-office-net" #1202: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP to replace #1200 {using isakmp#1144}

/var/log/syslog:Sep 28 06:27:34 sheridan ipsec__plutorun: /usr/local/lib/ipsec/_plutorun: line 1: 28014 Segmentation fault
/usr/local/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --use-auto --uniqueids
/var/log/syslog:Sep 28 06:27:34 sheridan ipsec__plutorun: !pluto failure!:  exited with error status 139 (signal 11)
/var/log/syslog:Sep 28 06:27:34 sheridan ipsec__plutorun: restarting IPsec after pause...

Manual Restart:
/var/log/syslog:Sep 28 09:13:55 sheridan ipsec_setup: Removing orphaned /var/run/pluto/pluto.pid:

/var/log/secure:Sep 28 09:13:56 sheridan ipsec__plutorun: Starting Pluto subsystem...
/var/log/secure:Sep 28 09:13:56 sheridan pluto[17177]: Starting Pluto (OpenswanVersion 2.4.6 X.509-1.5.4 PLUTO_SENDS_VENDORID
PLUTO_USES_KEYRR; Vendor ID OEN|EMqk_Mlg)


Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited
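
A log-triage sketch for the sequence visible in both excerpts above, added here as an example (it is not part of the original post and is not Openswan code): the peer deletes the newer ISAKMP SA (#407, #1198), pluto then initiates Quick Mode over the SA it was meant to replace (#311, #1144), and the segfault follows in the same second. The function name `stale_isakmp_use` and the regexes are assumptions of this example, and a match is a correlation to investigate, not a confirmed root cause.

```python
import re

# Lines abridged from the post's "Crash #1" excerpt: each entry rejoined onto
# one line (the mail client wrapped them) with the grep file prefix dropped.
SAMPLE = """\
Sep 24 19:17:00 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #407: initiating Main Mode to replace #311
Sep 24 19:17:02 sheridan pluto[1686]: "sunoco-172-26-net-to-london-office-net" #408: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace#404 {using isakmp#407}
Sep 24 19:27:06 sheridan pluto[1686]: "sunoco-192-168-net-to-london-office-net" #407: received Delete SA payload: deleting ISAKMP State #407
Sep 24 19:27:16 sheridan pluto[1686]: "sunoco-172-26-net-to-london-office-net" #413: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #409 {using isakmp#311}
Sep 24 19:27:16 sheridan ipsec__plutorun: /usr/local/lib/ipsec/_plutorun: line 1:  1686 Segmentation fault
"""

# Optional "file:" prefix as printed by grep, then the syslog timestamp.
STAMP = r'^(?:\S+:)?(\w{3}\s+\d+ [\d:]{8}) '
MAIN = re.compile(STAMP + r'.*#(\d+): initiating Main Mode to replace #(\d+)')
DEL = re.compile(STAMP + r'.*deleting ISAKMP State #(\d+)')
QUICK = re.compile(
    STAMP + r'.*"([^"]+)" #(\d+): initiating Quick Mode .*\{using isakmp ?#(\d+)\}')
SEGV = re.compile(STAMP + r'.*?(\d+) Segmentation fault')


def stale_isakmp_use(log_text):
    """Return (findings, crashes): Quick Mode initiations carried by an ISAKMP
    SA whose replacement the peer has already deleted, and pluto segfaults."""
    replaced_by, deleted, findings, crashes = {}, set(), [], []
    for line in log_text.splitlines():
        if 'Starting Pluto (' in line:
            # State serial numbers start over in a new pluto process.
            replaced_by.clear()
            deleted.clear()
        elif m := MAIN.match(line):
            replaced_by[m[3]] = m[2]      # old ISAKMP SA -> its replacement
        elif m := DEL.match(line):
            deleted.add(m[2])
        elif m := QUICK.match(line):
            stamp, conn, quick, isakmp = m.groups()
            newer = replaced_by.get(isakmp)
            if newer in deleted:          # fell back to the superseded SA
                findings.append({'time': stamp, 'conn': conn, 'quick': quick,
                                 'isakmp': isakmp, 'deleted_replacement': newer})
        elif m := SEGV.match(line):
            crashes.append((m[1], m[2]))  # (timestamp, pid of crashed pluto)
    return findings, crashes


if __name__ == "__main__":
    hits, crashes = stale_isakmp_use(SAMPLE)
    for hit in hits:
        print("stale ISAKMP SA in use:", hit)
    for stamp, pid in crashes:
        print("pluto segfault:", stamp, "pid", pid)
```

Run it against the unwrapped `/var/log/secure` and `/var/log/syslog` contents merged in time order; the wrapped lines as they appear in the mail must be rejoined first.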
