[Openswan Users] Dead of ipsec connection

Sasa sasa at shoponweb.it
Sat Sep 22 13:52:00 EDT 2007


Hi, I use openswan-2.4.4 (but also with 2.4.9) with natt and klips patch on
kernel 2.6 and I have a problem with a site-to-site connection. My problem is
that after the ipsec tunnel has been inactive for several hours (for example
overnight or after a lunch break) the ipsec connection is dead, and in the log
file I have:

Sep 18 16:02:59 fw2 pluto[2580]: packet from 80.23.x.y:500: Informational Exchange is for an unknown (expired?) SA
Sep 18 16:03:08 fw2 pluto[2580]: "portrm" #6: received Delete SA payload: deleting ISAKMP State #6
Sep 18 16:03:08 fw2 pluto[2580]: packet from 80.23.x.y:500: received and ignored informational message
Sep 18 16:34:46 fw2 pluto[2580]: "portrm" #9: initiating Main Mode to replace #8
Sep 18 16:34:46 fw2 pluto[2580]: "portrm" #9: ignoring unknown Vendor ID payload [4f455a7e4261425d725c705f]
Sep 18 16:34:46 fw2 pluto[2580]: "portrm" #9: received Vendor ID payload [Dead Peer Detection]
Sep 18 16:34:46 fw2 pluto[2580]: "portrm" #9: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Sep 18 16:34:46 fw2 pluto[2580]: "portrm" #9: STATE_MAIN_I2: sent MI2, expecting MR2
Sep 18 16:34:46 fw2 pluto[2580]: "portrm" #9: I did not send a certificate because I do not have one.
Sep 18 16:34:46 fw2 pluto[2580]: "portrm" #9: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Sep 18 16:34:46 fw2 pluto[2580]: "portrm" #9: STATE_MAIN_I3: sent MI3, expecting MR3
Sep 18 16:34:46 fw2 pluto[2580]: "portrm" #9: Main mode peer ID is ID_IPV4_ADDR: '80.23.x.y'
Sep 18 16:34:46 fw2 pluto[2580]: "portrm" #9: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Sep 18 16:34:46 fw2 pluto[2580]: "portrm" #9: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Sep 18 16:49:34 fw2 pluto[2580]: packet from 80.23.x.y:500: Informational Exchange is for an unknown (expired?) SA
Sep 18 16:53:43 fw2 pluto[2580]: "portrm" #9: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x7e3952af) not found (maybe expired)
Sep 18 16:53:43 fw2 pluto[2580]: "portrm" #9: received and ignored informational message
Sep 18 16:54:23 fw2 pluto[2580]: "portrm" #9: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x7e3952b0) not found (maybe expired)

...after this I must restart ipsec, and then the ipsec connection works again.
My ipsec.conf is:

config setup
        interfaces="ipsec0=eth0"

conn %default
        authby=rsasig

conn portrm
        auto=start
        pfs=yes
        left=80.23.x.y
        leftsubnet=192.168.0.0/24
        leftnexthop=80.23.x.w
        # RSA 2192 bits   fw4 Fri Mar 31 14:24:23 2006
        leftrsasigkey=0sAQP...
        # right site: Rome
        right=195.110.z.k
        rightsubnet=192.168.1.0/24
        rightnexthop=195.110.z.j
        # RSA 2192 bits   fw2   Fri Mar 31 14:35:35 2006
        rightrsasigkey=0sAQOE...

include /etc/ipsec.d/examples/no_oe.conf

Thanks.

------
   Salvatore. 
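
Added example (not part of the original post, and not Openswan code): a Python sketch that scans pluto syslog output for the message types seen in the log above and groups them by connection name or peer address, so the "unknown SA" and "not found" notifications can be counted or alerted on. The sample input is constructed from lines in the post, unwrapped; the function and event names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: five lines copied from the log in the post, unwrapped.
SAMPLE = """\
Sep 18 16:02:59 fw2 pluto[2580]: packet from 80.23.x.y:500: Informational Exchange is for an unknown (expired?) SA
Sep 18 16:03:08 fw2 pluto[2580]: "portrm" #6: received Delete SA payload: deleting ISAKMP State #6
Sep 18 16:34:46 fw2 pluto[2580]: "portrm" #9: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Sep 18 16:53:43 fw2 pluto[2580]: "portrm" #9: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x7e3952af) not found (maybe expired)
Sep 18 16:54:23 fw2 pluto[2580]: "portrm" #9: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x7e3952b0) not found (maybe expired)
"""

PLUTO = re.compile(r'^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ pluto\[\d+\]: (?P<msg>.*)$')
SOURCE = re.compile(r'^(?:"(?P<conn>[^"]+)" #(?P<state>\d+)|packet from (?P<peer>[^:\s]+):\d+): (?P<rest>.*)$')
# Event name (hypothetical labels) -> pattern matched against the text after the source prefix.
EVENTS = {
    "unknown_sa_informational": re.compile(r'^Informational Exchange is for an unknown'),
    "peer_deleted_isakmp": re.compile(r'^received Delete SA payload: deleting ISAKMP State #\d+'),
    "isakmp_established": re.compile(r'ISAKMP SA established'),
    "stale_esp_delete": re.compile(r'^ignoring Delete SA payload: PROTO_IPSEC_ESP SA\((0x[0-9a-f]+)\) not found'),
}

def scan(text):
    """Return {source: {event: [(timestamp, detail), ...]}} for pluto lines in text."""
    report = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = PLUTO.match(line)
        src = m and SOURCE.match(m["msg"])
        if not src:
            continue  # not a pluto line, or a prefix format this sketch does not know
        key = src["conn"] or src["peer"]  # connection name, else peer address
        for name, pat in EVENTS.items():
            hit = pat.search(src["rest"])
            if hit:
                # detail is the SPI when the pattern captures one, else the state number
                detail = hit.group(1) if hit.groups() else src["state"]
                report[key][name].append((m["ts"], detail))
    return report

def stale_spis(report, conn):
    """SPIs the peer asked to delete that pluto reported as not found for this connection."""
    return [spi for _, spi in report[conn]["stale_esp_delete"]]

if __name__ == "__main__":
    for source, events in scan(SAMPLE).items():
        for name, hits in events.items():
            print(source, name, len(hits), hits[-1])
```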


