[Openswan Users] crash tunnel host-to-subnet

Den brusok at gmail.com
Thu Oct 11 05:07:13 EDT 2007


Hi.
I have a problem with 1 VPN connection.
I need a VPN connection between 192.168.0.0/24 and 2.2.2.2.
192.168.0.0/24===1.1.1.1---1.1.1.1.11..INTERNET..2.2.2.2
The VPN server (1.1.1.1) crashes often.

The last DEBUG messages (plutodebug=all) before the 1.1.1.1 crash are
about 'conn A-B'.

VPN server 1.1.1.1 (openswan 2.4.9):
conn A-B
        type=tunnel
        compress=yes
        auto=start
        authby=rsasig
        auth=esp
        esp=3des-md5
        pfs=yes
        leftid=@A_B
        left=1.1.1.1
        leftnexthop=1.1.1.1.11
        leftsubnet=192.168.0.0/24
        leftrsasigkey=...
        rightid=@B_A
        right=2.2.2.2
        rightrsasigkey=...

VPN server 2.2.2.2 (openswan 2.4.7):
conn A-B
        type=tunnel
        compress=yes
        auto=start
        authby=rsasig
        auth=esp
        esp=3des-md5
        pfs=yes
        leftid=@B_A
        left=2.2.2.2
        leftrsasigkey=...
        rightid=@A_B
        right=1.1.1.1
        rightnexthop=1.1.1.1.11
        rightsubnet=192.168.0.0/24
        rightrsasigkey=...

I don't know why there are some strings with '(IPsec SA established)'.

000 "A-B": 192.168.0.0/24===1.1.1.1[@A_B]---1.1.1.1.11..2.2.2.2[@B_A]; erouted; eroute owner: #40
000 "A-B":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "A-B":   ike_life: 3840s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "A-B":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 24,32; interface: eth1; encap: esp;
000 "A-B":   newest ISAKMP SA: #35; newest IPsec SA: #40;
000 "A-B":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
000 "A-B":   ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=strict
000 "A-B":   ESP algorithms loaded: 3DES(3)_000-MD5(1); flags=strict
000 "A-B":   ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000 #40: "A-B":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28251s; newest IPSEC; eroute owner
000 #40: "A-B" used 222s ago; esp.e8caf0de@2.2.2.2 esp.4030d46a@1.1.1.1 tun.1018@2.2.2.2 tun.1016@1.1.1.1
000 #39: "A-B":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28243s
000 #39: "A-B" esp.e8caf0dd@2.2.2.2 esp.4030d469@1.1.1.1 tun.1017@2.2.2.2 tun.1015@1.1.1.1
000 #35: "A-B":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3239s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000 #38: "A-B":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27906s
000 #38: "A-B" esp.e8caf0df@2.2.2.2 esp.4030d468@1.1.1.1 tun.1014@2.2.2.2 tun.1013@1.1.1.1
000 #37: "A-B":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2641s; lastdpd=-1s(seq in:0 out:0)

I think the problem is in the routing table:
1.1.1.1>ip route show | grep 2.2.2.2
2.2.2.2 via 1.1.1.11 dev ipsec0

1.1.1.1 VPN server:
IP traffic goes to 2.2.2.2 through dev ipsec0.
But traffic comes from 2.2.2.2 through eth0.

How can I resolve my problem? Change routing? Or ipsec.conf?
Thank you!
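
Added example, not part of the original post: a small Python parser for the state lines of the status listing above (mail line wraps rejoined) that reports each state's kind and role and lists the established SAs that are not marked newest. The function names are this example's own; reading `_I`/`_R` in a state name as initiator/responder follows pluto's state naming.

```python
import re
from collections import defaultdict

# State lines copied from the status output in the post, line wraps rejoined.
SAMPLE = '''\
000 #40: "A-B":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28251s; newest IPSEC; eroute owner
000 #39: "A-B":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28243s
000 #35: "A-B":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3239s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
000 #38: "A-B":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27906s
000 #37: "A-B":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2641s; lastdpd=-1s(seq in:0 out:0)
'''

STATE_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)":\d+ '
    r'STATE_(?P<phase>MAIN|QUICK)_(?P<role>[IR])\d+ '
    r'\((?P<desc>[^)]*)\); EVENT_\w+ in (?P<secs>\d+)s(?P<rest>.*)$')

def parse_states(text):
    """Return {conn: [state dict, ...]} for every pluto state line."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue  # policy lines, esp./tun. detail lines, etc.
        conns[m['conn']].append({
            'num': int(m['num']),
            'kind': 'ISAKMP' if m['phase'] == 'MAIN' else 'IPsec',
            'role': 'initiator' if m['role'] == 'I' else 'responder',
            'established': 'SA established' in m['desc'],
            'replace_in': int(m['secs']),
            'newest': 'newest' in m['rest'],
        })
    return dict(conns)

def redundant(states, kind):
    """Established SAs of one kind that are not marked newest."""
    return sorted(s['num'] for s in states
                  if s['kind'] == kind and s['established'] and not s['newest'])

if __name__ == '__main__':
    for conn, states in parse_states(SAMPLE).items():
        for s in sorted(states, key=lambda s: s['num']):
            print(conn, s)
        print('extra IPsec SAs:', redundant(states, 'IPsec'))
        print('extra ISAKMP SAs:', redundant(states, 'ISAKMP'))
```

On the listing in the post this shows that 1.1.1.1 holds SAs for "A-B" negotiated in both the initiator and the responder role, with #40 and #35 as the ones currently in use.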