[Openswan Users] Key replaceing
Christian Herzberg
cherzberg at gmx.de
Tue Dec 4 17:49:46 EST 2007
Paul Wouters schrieb:
> On Tue, 4 Dec 2007, Christian Herzberg wrote:
>
>
>>>> The tunnel is working fine but after some time I get the following error messages to /var/log/messages
>>>>
>>>> Dec 2 20:18:32 linux-main pluto[1012]: "static_linksys_to_freeswan" #21: ignoring informational payload, type INVALID_MESSAGE_ID
>>>>
>>>>
>>> Looks like a rekey bug in the other end. Check its logs what it is expecting and what it is getting.
>>>
>>> Paul
>>>
>> Hi Paul,
>>
>> the other end is very quiet. The logs looks like this:
>>
>
> These two logs don't match up. The end that is sending the INVALID_MESSAGE_ID
> will log why it is sending that too. So you missed the right log message.
>
> Paul
>
>
>> 000 "TunnelA": srcip=unset; dstip=unset; srcup=ipsec _updown;
>> dstup=ipsec _updown;
>> 000 "TunnelA": ike_life: 28800s; ipsec_life: 1200s; rekey_margin: 60s;
>> rekey_fuzz: 100%; keyingtries: 5
>> 000 "TunnelA": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24;
>> interface: eth0;
>> 000 "TunnelA": dpd: action:restart; delay:30; timeout:120;
>> 000 "TunnelA": newest ISAKMP SA: #1; newest IPsec SA: #2;
>> 000 "TunnelA": IKE algorithms wanted: 5_000-1-2, flags=-strict
>> 000 "TunnelA": IKE algorithms found: 5_192-1_096-2,
>> 000 "TunnelA": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
>> 000 "TunnelA": ESP algorithms wanted: 3_000-1, flags=strict
>> 000 "TunnelA": ESP algorithms loaded: 3_000-1, flags=strict
>> 000 "TunnelA": ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
>> 000 #2: "TunnelA":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
>> EVENT_SA_REPLACE in 983s; newest IPSEC; eroute owner
>> 000 #2: "TunnelA" esp.12c09c54 at 192.168.178.9 esp.f7276212 at 192.168.178.90
>> tun.1002 at 192.168.178.9 tun.1001 at 192.168.178.90
>> 000 #1: "TunnelA":500 STATE_MAIN_I4 (ISAKMP SA established);
>> EVENT_SA_REPLACE in 28564s; newest ISAKMP; lastdpd=4s(seq in:0 out:0)
>>
>> I can´t see any spezial.
>>
>> Any ideas?
>>
>> Thanks
>> Christian
>> _______________________________________________
>> Users at openswan.org
>> http://lists.openswan.org/mailman/listinfo/users
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
>>
>
>
Hi Paul,
here arte both logs from now.
right site:
Dec 4 23:44:39 linux-main pluto[17971]: "static_linksys_to_freeswan"
#37605: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Dec 4 23:44:39 linux-main pluto[17971]: "static_linksys_to_freeswan"
#37605: received and ignored informational message
Dec 4 23:44:49 linux-main pluto[17971]: "static_linksys_to_freeswan"
#37605: ignoring informational payload, type INVALID_MESSAGE_ID
Dec 4 23:44:49 linux-main pluto[17971]: "static_linksys_to_freeswan"
#37605: received and ignored informational message
Dec 4 23:44:58 linux-main pluto[17971]: "static_linksys_to_freeswan"
#37700: max number of retransmissions (2) reached STATE_QUICK_I1
Dec 4 23:44:58 linux-main pluto[17971]: "static_linksys_to_freeswan"
#37700: starting keying attempt 33 of an unlimited number
Dec 4 23:44:58 linux-main pluto[17971]: "static_linksys_to_freeswan"
#37703: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS to replace #37700
{using isakmp#37605}
Dec 4 23:44:58 linux-main pluto[17971]: "static_linksys_to_freeswan"
#37605: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Dec 4 23:44:58 linux-main pluto[17971]: "static_linksys_to_freeswan"
#37605: received and ignored informational message
left site:
000 "TunnelA": srcip=unset; dstip=unset; srcup=ipsec _updown;
dstup=ipsec _updown;
000 "TunnelA": ike_life: 28800s; ipsec_life: 1200s; rekey_margin: 60s;
rekey_fuzz: 100%; keyingtries: 5
000 "TunnelA": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24;
interface: eth0;
000 "TunnelA": dpd: action:restart; delay:30; timeout:120;
000 "TunnelA": newest ISAKMP SA: #1; newest IPsec SA: #59;
000 "TunnelA": IKE algorithms wanted: 5_000-1-2, flags=-strict
000 "TunnelA": IKE algorithms found: 5_192-1_096-2,
000 "TunnelA": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "TunnelA": ESP algorithms wanted: 3_000-1, flags=strict
000 "TunnelA": ESP algorithms loaded: 3_000-1, flags=strict
000 "TunnelA": ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000 #59: "TunnelA":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 214s; newest IPSEC; eroute owner
000 #59: "TunnelA" esp.2a564ba8 at 192.168.178.9
esp.f7276214 at 192.168.178.90 tun.1006 at 192.168.178.9 tun.1005 at 192.168.178.90
000 #1: "TunnelA":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 25550s; newest ISAKMP; lastdpd=1s(seq in:30489 out:0)
Thanks
Christian
More information about the Users
mailing list