[Openswan Users] Tunnel Keep Alive

Lewis Shobbrook mylists at blue-matrix.org
Fri Sep 29 03:33:53 EDT 2006 

Hi All,

I've set up a series of tunnels to a fortinet based vpn.  I have a single conn 
with multiple subnets hinged to it.

All tunnels up fine and traffic traverses as expected.  

Most of the tunnels stay up, but a number of them drop after 5 -15 minutes.

I've got the fortinet end to test with and without keepalive at their end, but 
no success.  In fact it works far better without the keep alive.

Does anyone have any suggestions that might help here?

The auth log states...

Sep 29 15:36:23 rover1 pluto[6414]: "mpsubnet5" #65: initiating Main Mode
Sep 29 15:36:23 rover1 pluto[6414]: "mpsubnet5" #65: received Vendor ID 
payload [Dead Peer Detection]
Sep 29 15:36:23 rover1 pluto[6414]: "mpsubnet5" #65: ignoring unknown Vendor 
ID payload [afca071368a1f1c96b8696fc77570100]
Sep 29 15:36:23 rover1 pluto[6414]: "mpsubnet5" #65: ignoring unknown Vendor 
ID payload [1d6e178f6c2c0be284985465450fe9d4]
Sep 29 15:36:23 rover1 pluto[6414]: "mpsubnet5" #65: received Vendor ID 
payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Sep 29 15:36:23 rover1 pluto[6414]: "mpsubnet5" #65: enabling possible 
NAT-traversal with method RFC 3947 (NAT-Traversal)
Sep 29 15:36:23 rover1 pluto[6414]: "mpsubnet5" #65: transition from state 
STATE_MAIN_I1 to state STATE_MAIN_I2
Sep 29 15:36:23 rover1 pluto[6414]: "mpsubnet5" #65: STATE_MAIN_I2: sent MI2, 
expecting MR2
Sep 29 15:36:23 rover1 pluto[6414]: "mpsubnet5" #65: I did not send a 
certificate because I do not have one.
Sep 29 15:36:23 rover1 pluto[6414]: "mpsubnet5" #65: NAT-Traversal: Result 
using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Sep 29 15:36:23 rover1 pluto[6414]: "mpsubnet5" #65: transition from state 
STATE_MAIN_I2 to state STATE_MAIN_I3
Sep 29 15:36:23 rover1 pluto[6414]: "mpsubnet5" #65: STATE_MAIN_I3: sent MI3, 
expecting MR3
Sep 29 15:36:23 rover1 pluto[6414]: "mpsubnet5" #65: Main mode peer ID is 
ID_IPV4_ADDR: 'concealed for submission'
Sep 29 15:36:23 rover1 pluto[6414]: "mpsubnet5" #65: transition from state 
STATE_MAIN_I3 to state STATE_MAIN_I4
Sep 29 15:36:23 rover1 pluto[6414]: "mpsubnet5" #65: STATE_MAIN_I4: ISAKMP SA 
established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 
prf=oakley_md5 group=modp1024}
Sep 29 15:36:23 rover1 pluto[6414]: "mpsubnet5" #66: initiating Quick Mode 
PSK+ENCRYPT+TUNNEL+UP {using isakmp#65}
Sep 29 15:36:23 rover1 pluto[6414]: "mpsubnet5" #65: ignoring informational 
payload, type NO_PROPOSAL_CHOSEN
Sep 29 15:36:23 rover1 pluto[6414]: "mpsubnet5" #65: received and ignored 
informational message
Sep 29 15:36:33 rover1 pluto[6414]: "mpsubnet5" #57: IPsec SA expired 
(LATEST!)
Sep 29 15:37:33 rover1 pluto[6414]: "mpsubnet5" #66: max number of 
retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our 
first Quick Mode message: perhaps peer likes no proposal
Sep 29 15:47:33 rover1 pluto[6414]: "mpsubnet5" #65: DPD: Warning: received 
old or duplicate R_U_THERE
Sep 29 15:47:38 rover1 pluto[6414]: "mpsubnet5" #65: DPD: Warning: received 
old or duplicate R_U_THERE
Sep 29 15:47:41 rover1 pluto[6414]: "mpsubnet5" #67: initiating Quick Mode 
PSK+ENCRYPT+TUNNEL+UP {using isakmp#65}
Sep 29 15:47:41 rover1 pluto[6414]: "mpsubnet5" #65: ignoring informational 
payload, type NO_PROPOSAL_CHOSEN
Sep 29 15:47:41 rover1 pluto[6414]: "mpsubnet5" #65: received and ignored 
informational message
Sep 29 15:47:43 rover1 pluto[6414]: "mpsubnet5" #65: DPD: Warning: received 
old or duplicate R_U_THERE
Sep 29 15:47:48 rover1 pluto[6414]: "mpsubnet5" #65: DPD: Warning: received 
old or duplicate R_U_THERE
Sep 29 15:47:53 rover1 pluto[6414]: "mpsubnet5" #65: received Delete SA 
payload: replace IPSEC State #54 in 10 seconds
Sep 29 15:47:53 rover1 pluto[6414]: "mpsubnet5" #65: ignoring Delete SA 
payload: PROTO_IPSEC_ESP SA(0x491b2645) not found (our SPI - bogus 
implementation)
Sep 29 15:47:53 rover1 pluto[6414]: "mpsubnet5" #65: received and ignored 
informational message
Sep 29 15:47:53 rover1 pluto[6414]: "mpsubnet5" #65: received Delete SA 
payload: deleting ISAKMP State #65
Sep 29 15:48:13 rover1 pluto[6414]: "mpsubnet5" #70: initiating Quick Mode 
PSK+ENCRYPT+TUNNEL+UP {using isakmp#68}
Sep 29 15:48:51 rover1 pluto[6414]: "mpsubnet5" #67: max number of 
retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our 
first Quick Mode message: perhaps peer likes no proposal
Sep 29 15:49:23 rover1 pluto[6414]: "mpsubnet5" #70: max number of 
retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our 
first Quick Mode message: perhaps peer likes no proposal

Cheers,

Lew

More information about the Users mailing list