[Openswan Users] Key replacing

Christian Herzberg cherzberg at gmx.de
Tue Dec 4 17:49:46 EST 2007


Paul Wouters wrote:
> On Tue, 4 Dec 2007, Christian Herzberg wrote:
>
>   
>>>> The tunnel is working fine but after some time I get the following error messages to /var/log/messages
>>>>
>>>> Dec  2 20:18:32 linux-main pluto[1012]: "static_linksys_to_freeswan" #21: ignoring informational payload, type INVALID_MESSAGE_ID
>>>>
>>>>         
>>> Looks like a rekey bug in the other end. Check its logs what it is expecting and what it is getting.
>>>
>>> Paul
>>>       
>> Hi Paul,
>>
>> the other end is very quiet. The logs look like this:
>>     
>
> These two logs don't match up. The end that is sending the INVALID_MESSAGE_ID
> will log why it is sending that too. So you missed the right log message.
>
> Paul
>
>   
>> 000 "TunnelA":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
>> 000 "TunnelA":   ike_life: 28800s; ipsec_life: 1200s; rekey_margin: 60s; rekey_fuzz: 100%; keyingtries: 5
>> 000 "TunnelA":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0;
>> 000 "TunnelA":   dpd: action:restart; delay:30; timeout:120;
>> 000 "TunnelA":   newest ISAKMP SA: #1; newest IPsec SA: #2;
>> 000 "TunnelA":   IKE algorithms wanted: 5_000-1-2, flags=-strict
>> 000 "TunnelA":   IKE algorithms found:  5_192-1_096-2,
>> 000 "TunnelA":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
>> 000 "TunnelA":   ESP algorithms wanted: 3_000-1, flags=strict
>> 000 "TunnelA":   ESP algorithms loaded: 3_000-1, flags=strict
>> 000 "TunnelA":   ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
>> 000 #2: "TunnelA":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 983s; newest IPSEC; eroute owner
>> 000 #2: "TunnelA" esp.12c09c54@192.168.178.9 esp.f7276212@192.168.178.90 tun.1002@192.168.178.9 tun.1001@192.168.178.90
>> 000 #1: "TunnelA":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 28564s; newest ISAKMP; lastdpd=4s(seq in:0 out:0)
>>
>> I can't see anything special.
>>
>> Any ideas?
>>
>> Thanks
>> Christian
>   
Hi Paul,

here are both logs from now.

right site:
Dec  4 23:44:39 linux-main pluto[17971]: "static_linksys_to_freeswan" #37605: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Dec  4 23:44:39 linux-main pluto[17971]: "static_linksys_to_freeswan" #37605: received and ignored informational message
Dec  4 23:44:49 linux-main pluto[17971]: "static_linksys_to_freeswan" #37605: ignoring informational payload, type INVALID_MESSAGE_ID
Dec  4 23:44:49 linux-main pluto[17971]: "static_linksys_to_freeswan" #37605: received and ignored informational message
Dec  4 23:44:58 linux-main pluto[17971]: "static_linksys_to_freeswan" #37700: max number of retransmissions (2) reached STATE_QUICK_I1
Dec  4 23:44:58 linux-main pluto[17971]: "static_linksys_to_freeswan" #37700: starting keying attempt 33 of an unlimited number
Dec  4 23:44:58 linux-main pluto[17971]: "static_linksys_to_freeswan" #37703: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS to replace #37700 {using isakmp#37605}
Dec  4 23:44:58 linux-main pluto[17971]: "static_linksys_to_freeswan" #37605: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Dec  4 23:44:58 linux-main pluto[17971]: "static_linksys_to_freeswan" #37605: received and ignored informational message


left site:
000 "TunnelA":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "TunnelA":   ike_life: 28800s; ipsec_life: 1200s; rekey_margin: 60s; rekey_fuzz: 100%; keyingtries: 5
000 "TunnelA":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0;
000 "TunnelA":   dpd: action:restart; delay:30; timeout:120;
000 "TunnelA":   newest ISAKMP SA: #1; newest IPsec SA: #59;
000 "TunnelA":   IKE algorithms wanted: 5_000-1-2, flags=-strict
000 "TunnelA":   IKE algorithms found:  5_192-1_096-2,
000 "TunnelA":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "TunnelA":   ESP algorithms wanted: 3_000-1, flags=strict
000 "TunnelA":   ESP algorithms loaded: 3_000-1, flags=strict
000 "TunnelA":   ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000 #59: "TunnelA":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 214s; newest IPSEC; eroute owner
000 #59: "TunnelA" esp.2a564ba8@192.168.178.9 esp.f7276214@192.168.178.90 tun.1006@192.168.178.9 tun.1005@192.168.178.90
000 #1: "TunnelA":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 25550s; newest ISAKMP; lastdpd=1s(seq in:30489 out:0)

Thanks
Christian
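
Added example, not part of the original message or of Openswan: a short Python script that summarises pluto syslog lines like the ones posted above, counting the ignored notification types per ISAKMP SA and tracking the highest Quick Mode keying attempt, so a rekey loop stands out. The sample input is constructed from the line format shown in the thread (including the mail-wrapped lines), and the function names `unwrap` and `summarise` are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format shown in the thread, with mail-wrapped lines.
SAMPLE = '''\
Dec  4 23:44:39 linux-main pluto[17971]: "static_linksys_to_freeswan"
#37605: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Dec  4 23:44:49 linux-main pluto[17971]: "static_linksys_to_freeswan"
#37605: ignoring informational payload, type INVALID_MESSAGE_ID
Dec  4 23:44:58 linux-main pluto[17971]: "static_linksys_to_freeswan"
#37700: starting keying attempt 33 of an unlimited number
Dec  4 23:44:58 linux-main pluto[17971]: "static_linksys_to_freeswan"
#37605: ignoring informational payload, type NO_PROPOSAL_CHOSEN
'''

STAMP = re.compile(r'^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ')
ENTRY = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')
NOTIFY = re.compile(r'ignoring informational payload, type (\w+)')
ATTEMPT = re.compile(r'starting keying attempt (\d+) of')

def unwrap(text):
    """Re-join wrapped entries: a line without a syslog timestamp continues the previous one."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line) or not entries:
            entries.append(line.rstrip())
        elif line.strip():
            entries[-1] += ' ' + line.strip()
    return entries

def summarise(text):
    notifies = defaultdict(Counter)   # (connection, SA number) -> notification type counts
    attempts = {}                     # connection -> highest keying attempt seen
    for entry in unwrap(text):
        m = ENTRY.search(entry)
        if not m:
            continue
        n = NOTIFY.search(m['msg'])
        if n:
            notifies[(m['conn'], int(m['sa']))][n.group(1)] += 1
        a = ATTEMPT.search(m['msg'])
        if a:
            attempts[m['conn']] = max(attempts.get(m['conn'], 0), int(a.group(1)))
    return notifies, attempts

if __name__ == '__main__':
    notifies, attempts = summarise(SAMPLE)
    for (conn, sa), counts in notifies.items():
        print(conn, f'#{sa}', dict(counts))
    print('highest keying attempt:', attempts)
```

Running the same summary over the peer's log for the same time window shows which side sent each notification, which is the comparison asked for earlier in the thread.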

