[Openswan Users] Phase 1 renegotiation issue

Langoleer langoleer at gmail.com
Sat Feb 3 12:57:27 EST 2007


Hi,

I have been experiencing a problem in my test lab with re-negotiation
of phase one. It takes about 3 or 4 minutes to establish the
connection, after four or five attempts at re-negotiation of phase
one. It seems that it begins to work when Openswan discards or
deletes the current IPsec SA (see the logs below).

I would appreciate it if you can help with this.

-langoleer

This is my scenario (the NAT box is doing SNAT of my gateway, and DNAT so
the gateway for the roadwarriors is "192.168.1.1"):

Roadwarrior
192.168.1.11
|
|
192.168.1.1
NAT BOX
192.168.130.1
|
|
192.168.130.5
Gateway (Openswan)
200.200.200.1
|
|
200.200.200.2
Internal PC


CONFIGURATION
-------------------
conn D_JEDI01_0
 leftcert="/etc/x509cert.der"
 left="192.168.130.5"
 keyingtries="3"
 esp="3des-sha1"
 authby="rsasig"
 ikelifetime="480"
 keyexchange="ike"
 leftrsasigkey="%cert"
 pfs="no"
 leftsubnet="200.200.200.0/255.255.255.0"
 keylife="240"
 rightid="jedi01 at leia.com"
 right="0.0.0.0"
 auto="add"
 compress="no"
 type="tunnel"
 ike="3des-sha-modp1536"
 rightrsasigkey="%cert"

LOGS
---------
2007:02:02-19:06:10 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#29: received Delete SA payload: deleting ISAKMP State #29
2007:02:02-19:06:10 (none) pluto[21158]: packet from
192.168.1.11:4500: received and ignored informational message
2007:02:02-19:06:17 (none) pluto[21158]: packet from
192.168.1.11:4500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]
2007:02:02-19:06:17 (none) pluto[21158]: packet from
192.168.1.11:4500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
2007:02:02-19:06:17 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#33: responding to Main Mode from unknown peer 192.168.1.11
2007:02:02-19:06:17 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#33: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
2007:02:02-19:06:17 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#33: STATE_MAIN_R1: sent MR1, expecting MI2
2007:02:02-19:06:19 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#33: ignoring unknown Vendor ID payload
[47bbe7c993f1fc13b4e6d0db565c68e501020101020101031031302e332e3520...]
2007:02:02-19:06:19 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#33: ignoring unknown Vendor ID payload [da8e937880010000]
2007:02:02-19:06:19 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#33: received Vendor ID payload [Dead Peer Detection]
2007:02:02-19:06:19 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#33: received Vendor ID payload [XAUTH]
2007:02:02-19:06:19 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#33: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i
am NATed
2007:02:02-19:06:19 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#33: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
2007:02:02-19:06:19 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#33: STATE_MAIN_R2: sent MR2, expecting MI3
2007:02:02-19:06:20 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#33: ignoring informational payload, type IPSEC_REPLAY_STATUS
2007:02:02-19:06:20 (none) pluto[21158]: | protocol/port in Phase 1 ID
Payload is 17/0. accepted with port_floating NAT-T
2007:02:02-19:06:20 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#33: Main mode peer ID is ID_USER_FQDN: 'jedi01 at leia.com'
2007:02:02-19:06:20 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#33: no crl from issuer "C=W, O=Leia, OU=Obi Wan, CN=Leia-Sub" found
(strict=no)
2007:02:02-19:06:20 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#33: no crl from issuer "OU=Leia-Root, O=Leia, C=W, CN=Leia-Root"
found (strict=no)
2007:02:02-19:06:20 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#33: I am sending my cert
2007:02:02-19:06:20 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#33: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
2007:02:02-19:06:20 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#33: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1536}
2007:02:02-19:06:20 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#33: Dead Peer Detection (RFC 3706): enabled
2007:02:02-19:06:30 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#33: retransmitting in response to duplicate packet; already
STATE_MAIN_R3
2007:02:02-19:06:33 (none) pluto[21158]: packet from
192.168.1.11:4500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]
2007:02:02-19:06:33 (none) pluto[21158]: packet from
192.168.1.11:4500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
2007:02:02-19:06:33 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#34: responding to Main Mode from unknown peer 192.168.1.11
2007:02:02-19:06:33 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#34: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
2007:02:02-19:06:33 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#34: STATE_MAIN_R1: sent MR1, expecting MI2
2007:02:02-19:06:35 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#34: ignoring unknown Vendor ID payload
[47bbe7c993f1fc13b4e6d0db565c68e501020101020101031031302e332e3520...]
2007:02:02-19:06:35 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#34: ignoring unknown Vendor ID payload [da8e937880010000]
2007:02:02-19:06:35 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#34: received Vendor ID payload [Dead Peer Detection]
2007:02:02-19:06:35 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#34: received Vendor ID payload [XAUTH]
2007:02:02-19:06:35 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#34: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i
am NATed
2007:02:02-19:06:35 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#34: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
2007:02:02-19:06:35 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#34: STATE_MAIN_R2: sent MR2, expecting MI3
2007:02:02-19:06:37 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#34: ignoring informational payload, type IPSEC_REPLAY_STATUS
2007:02:02-19:06:37 (none) pluto[21158]: | protocol/port in Phase 1 ID
Payload is 17/0. accepted with port_floating NAT-T
2007:02:02-19:06:37 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#34: Main mode peer ID is ID_USER_FQDN: 'jedi01 at leia.com'
2007:02:02-19:06:37 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#34: no crl from issuer "C=W, O=Leia, OU=Obi Wan, CN=Leia-Sub" found
(strict=no)
2007:02:02-19:06:37 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#34: no crl from issuer "OU=Leia-Root, O=Leia, C=W, CN=Leia-Root"
found (strict=no)
2007:02:02-19:06:37 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#34: I am sending my cert
2007:02:02-19:06:37 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#34: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
2007:02:02-19:06:37 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#34: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1536}
2007:02:02-19:06:37 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#34: Dead Peer Detection (RFC 3706): enabled
2007:02:02-19:06:47 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#34: retransmitting in response to duplicate packet; already
STATE_MAIN_R3
2007:02:02-19:06:57 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#34: retransmitting in response to duplicate packet; already
STATE_MAIN_R3
2007:02:02-19:07:10 (none) pluto[21158]: packet from 192.168.1.11:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2007:02:02-19:07:10 (none) pluto[21158]: packet from 192.168.1.11:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method
set to=106
2007:02:02-19:07:10 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#35: responding to Main Mode from unknown peer 192.168.1.11
2007:02:02-19:07:10 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#35: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
2007:02:02-19:07:10 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#35: STATE_MAIN_R1: sent MR1, expecting MI2
2007:02:02-19:07:11 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#35: ignoring unknown Vendor ID payload
[47bbe7c993f1fc13b4e6d0db565c68e501020101020101031031302e332e3520...]
2007:02:02-19:07:11 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#35: ignoring unknown Vendor ID payload [da8e937880010000]
2007:02:02-19:07:11 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#35: received Vendor ID payload [Dead Peer Detection]
2007:02:02-19:07:11 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#35: received Vendor ID payload [XAUTH]
2007:02:02-19:07:11 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#35: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i
am NATed
2007:02:02-19:07:11 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#35: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
2007:02:02-19:07:11 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#35: STATE_MAIN_R2: sent MR2, expecting MI3
2007:02:02-19:07:13 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#35: ignoring informational payload, type IPSEC_REPLAY_STATUS
2007:02:02-19:07:13 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#35: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2007:02:02-19:07:13 (none) pluto[21158]: | protocol/port in Phase 1 ID
Payload is 17/0. accepted with port_floating NAT-T
2007:02:02-19:07:13 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#35: Main mode peer ID is ID_USER_FQDN: 'jedi01 at leia.com'
2007:02:02-19:07:13 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#35: no crl from issuer "C=W, O=Leia, OU=Obi Wan, CN=Leia-Sub" found
(strict=no)
2007:02:02-19:07:13 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#35: no crl from issuer "OU=Leia-Root, O=Leia, C=W, CN=Leia-Root"
found (strict=no)
2007:02:02-19:07:13 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#35: I am sending my cert
2007:02:02-19:07:13 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#35: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
2007:02:02-19:07:13 (none) pluto[21158]: | NAT-T: new mapping
192.168.1.11:500/4500)
2007:02:02-19:07:13 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#35: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1536}
2007:02:02-19:07:13 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#35: Dead Peer Detection (RFC 3706): enabled
2007:02:02-19:07:23 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#35: retransmitting in response to duplicate packet; already
STATE_MAIN_R3
2007:02:02-19:07:32 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#35: retransmitting in response to duplicate packet; already
STATE_MAIN_R3

2007:02:02-19:07:36 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#32: IPsec SA expired (--dontrekey)

2007:02:02-19:07:39 (none) pluto[21158]: packet from 192.168.1.11:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
2007:02:02-19:07:39 (none) pluto[21158]: packet from 192.168.1.11:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method
set to=106
2007:02:02-19:07:39 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#36: responding to Main Mode from unknown peer 192.168.1.11
2007:02:02-19:07:39 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#36: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
2007:02:02-19:07:39 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#36: STATE_MAIN_R1: sent MR1, expecting MI2
2007:02:02-19:07:41 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#36: ignoring unknown Vendor ID payload
[47bbe7c993f1fc13b4e6d0db565c68e501020101020101031031302e332e3520...]
2007:02:02-19:07:41 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#36: ignoring unknown Vendor ID payload [da8e937880010000]
2007:02:02-19:07:41 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#36: received Vendor ID payload [Dead Peer Detection]
2007:02:02-19:07:41 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#36: received Vendor ID payload [XAUTH]
2007:02:02-19:07:41 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#36: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i
am NATed
2007:02:02-19:07:41 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#36: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
2007:02:02-19:07:41 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#36: STATE_MAIN_R2: sent MR2, expecting MI3
2007:02:02-19:07:42 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#36: ignoring informational payload, type IPSEC_REPLAY_STATUS
2007:02:02-19:07:42 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#36: ignoring informational payload, type IPSEC_INITIAL_CONTACT
2007:02:02-19:07:42 (none) pluto[21158]: | protocol/port in Phase 1 ID
Payload is 17/0. accepted with port_floating NAT-T
2007:02:02-19:07:42 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#36: Main mode peer ID is ID_USER_FQDN: 'jedi01 at leia.com'
2007:02:02-19:07:42 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#36: no crl from issuer "C=W, O=Leia, OU=Obi Wan, CN=Leia-Sub" found
(strict=no)
2007:02:02-19:07:42 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#36: no crl from issuer "OU=Leia-Root, O=Leia, C=W, CN=Leia-Root"
found (strict=no)
2007:02:02-19:07:42 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#36: I am sending my cert
2007:02:02-19:07:42 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#36: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
2007:02:02-19:07:43 (none) pluto[21158]: | NAT-T: new mapping
192.168.1.11:500/4500)
2007:02:02-19:07:43 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#36: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1536}
2007:02:02-19:07:43 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#36: Dead Peer Detection (RFC 3706): enabled
2007:02:02-19:07:44 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#37: responding to Quick Mode {msgid:da0ed8b9}
2007:02:02-19:07:44 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#37: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
2007:02:02-19:07:44 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#37: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting
QI2
2007:02:02-19:07:47 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#37: Dead Peer Detection (RFC 3706): enabled
2007:02:02-19:07:47 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#37: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
2007:02:02-19:07:47 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11
#37: STATE_QUICK_R2: IPsec SA established {ESP=>0xdbc97c3e <0x4510b75c
xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=enabled}
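The log above shows the pattern worth alarming on: several ISAKMP SAs (#33, #34, #35) are established and then only ever see "retransmitting in response to duplicate packet", and Quick Mode does not start until the old IPsec SA #32 expires. The following script is an added example, not code from the post or from Openswan. It parses pluto's per-state lines (the `"conn"[n] peer #state: message` shape seen here), groups them by state number, and flags a Phase 1 that was established but abandoned before any Quick Mode, so an operator can spot the stall from logs instead of waiting minutes for the tunnel. The sample lines are constructed from the quoted output (rejoined onto single lines), and the "stale Phase 1" heuristic is the example's own, not an Openswan feature.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the pluto lines quoted in the post (long lines rejoined).
SAMPLE_LOG = """\
2007:02:02-19:06:17 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11 #33: responding to Main Mode from unknown peer 192.168.1.11
2007:02:02-19:06:20 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11 #33: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
2007:02:02-19:06:30 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11 #33: retransmitting in response to duplicate packet; already STATE_MAIN_R3
2007:02:02-19:06:33 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11 #34: responding to Main Mode from unknown peer 192.168.1.11
2007:02:02-19:06:37 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11 #34: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
2007:02:02-19:06:47 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11 #34: retransmitting in response to duplicate packet; already STATE_MAIN_R3
2007:02:02-19:06:57 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11 #34: retransmitting in response to duplicate packet; already STATE_MAIN_R3
2007:02:02-19:07:36 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11 #32: IPsec SA expired (--dontrekey)
2007:02:02-19:07:39 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11 #36: responding to Main Mode from unknown peer 192.168.1.11
2007:02:02-19:07:43 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11 #36: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
2007:02:02-19:07:44 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11 #37: responding to Quick Mode {msgid:da0ed8b9}
2007:02:02-19:07:47 (none) pluto[21158]: "D_JEDI01_0"[4] 192.168.1.11 #37: STATE_QUICK_R2: IPsec SA established {ESP=>0xdbc97c3e <0x4510b75c xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=enabled}
"""

# Matches pluto lines that carry a state number; "packet from ..." and "| debug" lines do not.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<state>\d+): (?P<msg>.*)$'
)


def parse_events(log_text):
    """Yield (timestamp, conn, peer, state_no, message) for each per-state line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y:%m:%d-%H:%M:%S")
        yield ts, m["conn"], m["peer"], int(m["state"]), m["msg"]


def analyze(log_text):
    """Summarise Phase 1 / Phase 2 progress for one peer's negotiation.

    A Phase 1 state is reported as stale (heuristic chosen for this example) when
    its ISAKMP SA was established but a new Main Mode exchange started before any
    Quick Mode used it; that is exactly what #33 and #34 do in the post.
    """
    report = {
        "main_mode_attempts": 0,
        "isakmp_established": [],
        "stale_phase1": [],
        "duplicate_retransmits": defaultdict(int),
        "seconds_to_ipsec_sa": None,
    }
    first_main_mode = None   # when the peer first tried to negotiate
    awaiting_quick = None    # Phase 1 state established but not yet used by Quick Mode
    for ts, _conn, _peer, state, msg in parse_events(log_text):
        if msg.startswith("responding to Main Mode"):
            report["main_mode_attempts"] += 1
            if first_main_mode is None:
                first_main_mode = ts
            if awaiting_quick is not None:
                report["stale_phase1"].append(awaiting_quick)
                awaiting_quick = None
        elif "ISAKMP SA established" in msg:
            report["isakmp_established"].append(state)
            awaiting_quick = state
        elif msg.startswith("retransmitting in response to duplicate packet"):
            report["duplicate_retransmits"][state] += 1
        elif msg.startswith("responding to Quick Mode"):
            awaiting_quick = None
        elif "IPsec SA established" in msg and first_main_mode is not None \
                and report["seconds_to_ipsec_sa"] is None:
            report["seconds_to_ipsec_sa"] = int((ts - first_main_mode).total_seconds())
    report["duplicate_retransmits"] = dict(report["duplicate_retransmits"])
    return report


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the constructed sample it reports three Main Mode attempts, #33 and #34 as stale Phase 1 states with one and two duplicate-packet retransmits respectively, and 90 seconds from the first Main Mode to the IPsec SA; pointed at a real pluto log, a non-empty `stale_phase1` list with retransmits is the signature to alert on, and the timing field shows how long users were waiting.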

