[Openswan Users] Tunnel goes down for no reason

Roland Plüss roland at rptd.ch
Tue Sep 11 07:05:15 EDT 2007


> On Tue, 11 Sep 2007, Roland Plüss wrote:
>
>>> Both ends need to support and enable DPD for it to get enabled on an SA.
>>
>> I did enable it on both ends by copy-pasting the three lines over so
>> they are identical.
>
> Did you reload/restart the connection?

Yes I did.

> Show us the logs where the DPD vendorid packets are sent on both ends?

===
Sep 11 12:53:51 [pluto] "openswan-epserver" #1: received Vendor ID
payload [Openswan (this version) 2.4.7  PLUTO_SENDS_VENDORID
PLUTO_USES_KEYRR]
Sep 11 12:53:51 [pluto] "openswan-epserver" #1: received Vendor ID
payload [Dead Peer Detection]
Sep 11 12:53:51 [pluto] "openswan-epserver" #1: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Sep 11 12:53:51 [pluto] "openswan-epserver" #1: STATE_MAIN_I2: sent MI2,
expecting MR2
Sep 11 12:53:51 [pluto] "openswan-epserver" #1: I did not send a
certificate because I do not have one.
Sep 11 12:53:51 [pluto] "openswan-epserver" #1: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Sep 11 12:53:51 [pluto] "openswan-epserver" #1: STATE_MAIN_I3: sent MI3,
expecting MR3
Sep 11 12:53:52 [pluto] "openswan-epserver" #1: Main mode peer ID is
ID_FQDN: '@****'
Sep 11 12:53:52 [pluto] "openswan-epserver" #1: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
Sep 11 12:53:52 [pluto] "openswan-epserver" #1: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192
prf=oakley_md5 group=modp1536}
Sep 11 12:53:52 [pluto] "openswan-epserver" #1: Dead Peer Detection (RFC
3706): enabled
Sep 11 12:53:52 [pluto] "openswan-epserver" #2: initiating Quick Mode
RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
Sep 11 12:53:52 [pluto] "openswan-epserver" #2: Dead Peer Detection (RFC
3706): enabled
Sep 11 12:53:52 [pluto] "openswan-epserver" #2: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
Sep 11 12:53:52 [pluto] "openswan-epserver" #2: STATE_QUICK_I2: sent
QI2, IPsec SA established {ESP=>**** <**** xfrm=AES_0-HMAC_SHA1
IPCOMP=>**** <**** NATD=none DPD=enabled}
Sep 11 12:54:10 [pluto] "openswan-epserver" #1: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(****) not found (maybe expired)
Sep 11 12:54:10 [pluto] "openswan-epserver" #1: received and ignored
informational message
===

According to this, DPD should be enabled. It's a bit random,
unfortunately. The last two days the tunnel has been up all the time, but
before that it went down and got stuck. Chances are, though, this is not a DPD
problem. As mentioned, I have a dynamic IP on one end (for some
unknown time; maybe I can fix this once) and therefore I had to use a
URL for this end-point.
Can it be that OpenSwan chokes if the IP of one peer in an active tunnel
suddenly changes?
Should DPD not detect the tunnel failing and do a restart?
If so, is the "URL" IP retrieved again, or is it stuck with the old one?

-- 
Yours sincerely
Plüss Roland
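An added example, not from the post or from Openswan itself: a small parser for pluto log lines of the shape quoted above that reports, per connection, whether the peer advertised DPD, on which SAs it was enabled, and which Delete SA payloads were ignored. The sample lines are constructed from the excerpt, unwrapped onto single lines, with the masked SPI values replaced by made-up placeholders.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the pluto excerpt in the post; SPIs are placeholders.
SAMPLE_LOG = """\
Sep 11 12:53:51 [pluto] "openswan-epserver" #1: received Vendor ID payload [Dead Peer Detection]
Sep 11 12:53:52 [pluto] "openswan-epserver" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Sep 11 12:53:52 [pluto] "openswan-epserver" #1: Dead Peer Detection (RFC 3706): enabled
Sep 11 12:53:52 [pluto] "openswan-epserver" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
Sep 11 12:53:52 [pluto] "openswan-epserver" #2: Dead Peer Detection (RFC 3706): enabled
Sep 11 12:53:52 [pluto] "openswan-epserver" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x1234 <0x5678 xfrm=AES_0-HMAC_SHA1 NATD=none DPD=enabled}
Sep 11 12:54:10 [pluto] "openswan-epserver" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x5678) not found (maybe expired)
"""

# timestamp [pluto] "connection name" #<SA number>: message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) \[pluto\] "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')

def parse_pluto(text):
    """Yield (timestamp, connection, sa_number, message) for each parseable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["conn"], int(m["sa"]), m["msg"]

def dpd_report(text):
    """Per connection: DPD vendor ID seen, SAs with DPD enabled, the DPD flag on the
    IPsec SA, and any Delete SA payloads pluto ignored (the peer tearing down an SA
    this side no longer tracks, e.g. after a re-key or an address change)."""
    report = defaultdict(lambda: {"peer_advertised_dpd": False, "dpd_enabled_sa": set(),
                                  "ipsec_sa_dpd": None, "ignored_deletes": []})
    for ts, conn, sa, msg in parse_pluto(text):
        r = report[conn]
        if msg.startswith("received Vendor ID payload [Dead Peer Detection]"):
            r["peer_advertised_dpd"] = True
        elif msg.startswith("Dead Peer Detection (RFC 3706): enabled"):
            r["dpd_enabled_sa"].add(sa)
        elif "IPsec SA established" in msg:
            m = re.search(r"DPD=(\w+)", msg)
            r["ipsec_sa_dpd"] = m.group(1) if m else None
        elif msg.startswith("ignoring Delete SA payload"):
            r["ignored_deletes"].append((ts, sa, msg))
    return dict(report)

def dpd_negotiated(entry):
    """True only if the peer advertised DPD and it ended up enabled on the IPsec SA."""
    return (entry["peer_advertised_dpd"] and bool(entry["dpd_enabled_sa"])
            and entry["ipsec_sa_dpd"] == "enabled")

if __name__ == "__main__":
    for conn, entry in dpd_report(SAMPLE_LOG).items():
        print(conn, "DPD negotiated:", dpd_negotiated(entry),
              "ignored deletes:", len(entry["ignored_deletes"]))
```

Run the same report on both ends' logs: DPD is only in effect when both sides show the vendor ID received and `DPD=enabled` on the IPsec SA.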
