[Openswan Users] Dead of ispec connection

Peter McGill petermcgill at goco.net
Fri Sep 28 10:57:54 EDT 2007 

What are you connecting to at the other side of the tunnel?
Openswan or something else?
What do the logs there say?
The other ipsec router seems to be telling your side to disconnect.
See the Delete SA requests...
Why is it doing that?
There should be an indication in the logs on it's side.

It could be caused by an unstable internet connection.
Try adding Dead Peer Detection if you can.
It looks like the other side is advertising DPD capability.
DPD needs to be enabled on both sides to work.
Look in the man ipsec.conf page for dpd*.
Ie)
	dpddelay=30
	dpdtimeout=120
	dpdaction=restart

If the remote side is not using openswan it could also be mismatched keylife settings.
Make sure your ikelifetime and keylife match that of the other side, openswan defaults to:
	ikelifetime=1h # 3600s
	keylife=8h # 28800s
Some other vendors use different values, and this has been known to cause problems.


Peter McGill
 

> -----Original Message-----
> From: users-bounces at openswan.org 
> [mailto:users-bounces at openswan.org] On Behalf Of Sasa
> Sent: September 28, 2007 7:42 AM
> To: users at openswan.org
> Subject: Re: [Openswan Users] Dead of ispec connection
> 
> Hi, I apologise for my insistence but the problem that I have 
> described is 
> very difficult to overcome,
> thanks again !
> 
> ------
>    Salvatore.
> 
> 
> 
> ----- Original Message ----- 
> From: "Sasa" <sasa at shoponweb.it>
> To: <users at openswan.org>
> Sent: Saturday, September 22, 2007 7:52 PM
> Subject: [Openswan Users] Dead of ispec connection
> 
> 
> > Hi, I use openswan-2.4.4 (but also with 2.4.9) with natt 
> and klips patch 
> > on
> > kernel 2.6 and I have a problem with connection 
> site-to-site, my problem 
> > is
> > that after that the ipsec tunnel is inactived for more 
> hours (for example
> > after night or after break for lunch) the ipsec connecton 
> is dead and in 
> > log
> > file I have:
> >
> > Sep 18 16:02:59 fw2 pluto[2580]: packet from 80.23.x.y:500: 
> Informational
> > Exchange is for an unknown (expired?) SA
> > Sep 18 16:03:08 fw2 pluto[2580]: "portrm" #6: received 
> Delete SA payload:
> > deleting ISAKMP State #6
> > Sep 18 16:03:08 fw2 pluto[2580]: packet from 80.23.x.y:500: 
> received and
> > ignored informational message
> > Sep 18 16:34:46 fw2 pluto[2580]: "portrm" #9: initiating 
> Main Mode to
> > replace #8
> > Sep 18 16:34:46 fw2 pluto[2580]: "portrm" #9: ignoring 
> unknown Vendor ID
> > payload [4f455a7e4261425d725c705f]
> > Sep 18 16:34:46 fw2 pluto[2580]: "portrm" #9: received 
> Vendor ID payload
> > [Dead Peer Detection]
> > Sep 18 16:34:46 fw2 pluto[2580]: "portrm" #9: transition from state
> > STATE_MAIN_I1 to state STATE_MAIN_I2
> > Sep 18 16:34:46 fw2 pluto[2580]: "portrm" #9: 
> STATE_MAIN_I2: sent MI2,
> > expecting MR2
> > Sep 18 16:34:46 fw2 pluto[2580]: "portrm" #9: I did not 
> send a certificate
> > because I do not have one.
> > Sep 18 16:34:46 fw2 pluto[2580]: "portrm" #9: transition from state
> > STATE_MAIN_I2 to state STATE_MAIN_I3
> > Sep 18 16:34:46 fw2 pluto[2580]: "portrm" #9: 
> STATE_MAIN_I3: sent MI3,
> > expecting MR3
> > Sep 18 16:34:46 fw2 pluto[2580]: "portrm" #9: Main mode peer ID is
> > ID_IPV4_ADDR: '80.23.x.y'
> > Sep 18 16:34:46 fw2 pluto[2580]: "portrm" #9: transition from state
> > STATE_MAIN_I3 to state STATE_MAIN_I4
> > Sep 18 16:34:46 fw2 pluto[2580]: "portrm" #9: 
> STATE_MAIN_I4: ISAKMP SA
> > established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 
> prf=oakley_md5
> > group=modp1536}
> > Sep 18 16:49:34 fw2 pluto[2580]: packet from 80.23.x.y:500: 
> Informational
> > Exchange is for an unknown (expired?) SA
> > Sep 18 16:53:43 fw2 pluto[2580]: "portrm" #9: ignoring 
> Delete SA payload:
> > PROTO_IPSEC_ESP SA(0x7e3952af) not found (maybe expired)
> > Sep 18 16:53:43 fw2 pluto[2580]: "portrm" #9: received and ignored
> > informational message
> > Sep 18 16:54:23 fw2 pluto[2580]: "portrm" #9: ignoring 
> Delete SA payload:
> > PROTO_IPSEC_ESP SA(0x7e3952b0) not found (maybe expired)
> >
> > ..after this I must restart ipsec and the ipsec connection 
> is well again.
> > My ipsec.conf is:
> >
> > config setup
> > interfaces="ipsec0=eth0"
> > conn %default
> > authby=rsasig
> > conn portrm
> > auto=start
> > pfs=yes
> > left=80.23.x.y
> > leftsubnet=192.168.0.0/24
> > leftnexthop=80.23.x.w
> > # RSA 2192 bits   fw4 Fri Mar 31 14:24:23 2006
> > leftrsasigkey=0sAQP...
> > #sede right roma
> > right=195.110.z.k
> > rightsubnet=192.168.1.0/24
> > rightnexthop=195.110.z.j
> > # RSA 2192 bits   fw2   Fri Mar 31 14:35:35 2006
> > rightrsasigkey=0sAQOE...
> > include /etc/ipsec.d/examples/no_oe.conf
> >
> > Thanks.
> >
> > ------
> >   Salvatore.
> >
> > _______________________________________________
> > Users at openswan.org
> > http://lists.openswan.org/mailman/listinfo/users
> > Building and Integrating Virtual Private Networks with Openswan:
> > 
> http://www.amazon.com/gp/product/1904811256/104-3099591-294632
> 7?n=283155
> > 
> 
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-294632
> 7?n=283155

More information about the Users mailing list