[Openswan Users] VPN stops working after a week

bas at brijn.nu bas at brijn.nu
Tue Feb 27 12:45:29 EST 2007


Hello,

Some basic info:

[IPSEC/FW] --[eth]---[provider router]----[Cisco 3005 Concentrator]

[IPSEC/FW]
  Distro: centos-release-4-4.2
  Kernel: 2.6.9-42.0.3.EL
  IPSEC version: Linux Openswan 2.CVSHEAD (klips)

I only manage the firewall running the ipsec code. I connect to the  
other end (Cisco) without problems. We run telnet access to an AS/400  
over it. But after roughly a week (sometimes more, sometimes less) the  
VPN stops working.

I tried to ping with large packets to see if there is a fragmentation problem:
   ping -l 5000 172.16.7.13
This is from a windows host in our subnet. Ping going thru OK.

When the VPN was down I tried some tests from my workstation  
(192.168.70.29) to the AS/400 (172.16.7.13)

> Nov 16 08:24:43 CAGSFW001 kernel: vrmr: LOG IN=eth0 OUT=ipsec0
> SRC=192.168.70.29 DST=172.16.7.13 LEN=48 TOS=0x00 PREC=0x00 TTL=127
> ID=4281 DF PROTO=TCP SPT=3067 DPT=23 WINDOW=64512 RES=0x00 SYN URGP=0

> Nov 16 08:24:43 CAGSFW001 kernel: vrmr: LOG IN= OUT=lo
> SRC=192.168.70.1
> DST=192.168.70.1 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=40795 PROTO=ICMP
> TYPE=3 CODE=4 [SRC=192.168.70.1 DST=172.16.7.13 LEN=48 TOS=0x00  
> PREC=0x00 TTL=127 ID=4281 DF PROTO=TCP SPT=3067 DPT=23 WINDOW=64512  
> RES=0x00 SYN URGP=0 ] MTU=0

This seems to be an ICMP error: type 3, code 4. That would be  
(http://www.iana.org/assignments/icmp-parameters):
	3     Destination Unreachable
		4  Fragmentation Needed and Don't Fragment was Set

Within the square brackets is the original traffic (telnet packet from  
my workstation to the AS/400, as expected).

This is repeated for all packets that I try to send.

My large ping test is not a good test it seems? Any idea why this  
problem only triggers after about a week, and why it's then for ALL  
packets and not just large ones?

Any suggestions on what to try?

Thank you very much for your time!
Bas

------------[ipsec.conf]--------------
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
         # enable this if you see "failed to find any available worker"
         nhelpers=0
         nat_traversal=no
         interfaces=%defaultroute
         klipsdebug=none

conn wmg
         type=           tunnel
         keyingtries=    0
         authby=         secret
         left=           <IP FW>
         leftnexthop=    <GW FW>
         leftsubnet=     192.168.70.0/24
         leftsourceip=   192.168.70.1
         right=          <Ip CISCO>
         rightnexthop=   <GW CISCO>
         rightsubnet=    172.16.7.13/32
         ikelifetime=    8h
         pfs=            no
         auto=           start

         plutodebug=none
         uniqueids=yes
         plutowait=no
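A small parser for netfilter LOG lines of the kind quoted above, added here as an example; it is not part of the original thread or of Openswan, and the sample lines are constructed after the ones in the post (the third line is a made-up ordinary path-MTU message for contrast). It separates the outer ICMP record from the bracketed original header and flags a type 3/code 4 message that reports MTU=0, which a sender cannot act on, as distinct from a normal path-MTU message.

```python
import re

# Constructed sample lines modelled on the netfilter LOG entries in the post.
SAMPLE_LOG = """\
Nov 16 08:24:43 CAGSFW001 kernel: vrmr: LOG IN=eth0 OUT=ipsec0 SRC=192.168.70.29 DST=172.16.7.13 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4281 DF PROTO=TCP SPT=3067 DPT=23 WINDOW=64512 RES=0x00 SYN URGP=0
Nov 16 08:24:43 CAGSFW001 kernel: vrmr: LOG IN= OUT=lo SRC=192.168.70.1 DST=192.168.70.1 LEN=76 TOS=0x00 PREC=0xC0 TTL=64 ID=40795 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.70.1 DST=172.16.7.13 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=4281 DF PROTO=TCP SPT=3067 DPT=23 WINDOW=64512 RES=0x00 SYN URGP=0 ] MTU=0
Nov 16 08:25:01 CAGSFW001 kernel: vrmr: LOG IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.168.70.29 LEN=56 TOS=0x00 PREC=0xC0 TTL=63 ID=100 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.70.29 DST=10.0.0.5 LEN=1500 TOS=0x00 PREC=0x00 TTL=127 ID=9 DF PROTO=TCP SPT=1 DPT=80 WINDOW=1 RES=0x00 ACK URGP=0 ] MTU=1400
"""

KV_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value tokens; "IN=" yields an empty value


def parse_log_line(line):
    """Split a LOG line into outer fields and, for ICMP errors, the bracketed
    header of the original packet that the error quotes back."""
    inner = None
    m = re.search(r"\[(.*?)\]", line)
    if m:
        inner = dict(KV_RE.findall(m.group(1)))
        line = line[:m.start()] + line[m.end():]   # keep outer fields only
    return dict(KV_RE.findall(line)), inner


def classify_frag_needed(outer, inner):
    """None for lines that are not ICMP type 3 / code 4, else a verdict."""
    if outer.get("PROTO") != "ICMP" or outer.get("TYPE") != "3" or outer.get("CODE") != "4":
        return None
    mtu = int(outer.get("MTU", "0"))
    inner_len = int(inner.get("LEN", "0")) if inner else 0
    origin = "this host (OUT=lo)" if outer.get("OUT") == "lo" else outer.get("SRC")
    if mtu == 0:
        # A frag-needed with MTU=0 gives the sender no size it could retry with.
        return "unusable: frag-needed with MTU=0 from %s" % origin
    if inner_len <= mtu:
        return "suspicious: packet LEN=%d already fits MTU=%d" % (inner_len, mtu)
    return "normal PMTU discovery: reduce to MTU=%d" % mtu


def scan(log_text):
    """Return (original destination, verdict) for every frag-needed message."""
    findings = []
    for line in log_text.splitlines():
        outer, inner = parse_log_line(line)
        verdict = classify_frag_needed(outer, inner)
        if verdict:
            dst = inner.get("DST") if inner else outer.get("DST")
            findings.append((dst, verdict))
    return findings


if __name__ == "__main__":
    for dst, verdict in scan(SAMPLE_LOG):
        print(dst, "->", verdict)
```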



