[Openswan Users] intermittent failure to establish a VPN connection

lesly dorval ladorval at yahoo.com
Wed Aug 13 15:05:55 EDT 2008


I have an intermittent problem where I am unable to create an Openswan VPN tunnel between Openswan and SonicWall using:
/etc/init.d/ipsec restart 
ipsec whack --name Prod172 --xauthname  or 
ipsec whack --name Prod172 --xauthname USERNAME --xauthpass PASSWORD --initiate

The error message reads: 
someuser at wks_name:~$ sudo ipsec whack --name Prod172 --initiate 
002 "Prod172" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#1}
117 "Prod172" #2: STATE_QUICK_I1: initiate
010 "Prod172" #2: STATE_QUICK_I1: retransmission; will wait 20s for response

There is also this seemingly interesting file descriptor error, which /var/authlog shows:
Aug 13 13:46:24 wks_name pluto[12091]: "Prod172" #1: XAUTH username requested, but no file descriptor available for prompt

Aug 13 13:46:24 wks_name pluto[12091]: "Prod172" #1: sending encrypted notification CERTIFICATE_UNAVAILABLE to x.x.x.x:4500

Below is relevant information about OS, kernel, Openswan version and the content of authlog for both a failed connection and a successful one. To successfully connect, just arrow up to run the very same command that may have failed previously. One way to get a failed connection is to run /etc/init.d/ipsec restart and run the same command that had previously succeeded.

ipsec --version
Linux Openswan U2.4.9/K2.6.24-19-generic (netkey)
See `ipsec --copyright' for copyright information.

Linux wks_name 2.6.24-19-generic #1 SMP Fri Jul 11 21:01:46 UTC 2008 x86_64 GNU/Linux

**** Failed Login *****

Aug 13 13:46:24 wks_name pluto[12091]: loading secrets from "/etc/ipsec.secrets"
Aug 13 13:46:24 wks_name pluto[12091]: "Prod172" #1: initiating Aggressive Mode #1, connection "Prod172"
Aug 13 13:46:24 wks_name pluto[12091]: "Prod172" #1: ignoring unknown Vendor ID payload [404bf439522ca3f6]
Aug 13 13:46:24 wks_name pluto[12091]: "Prod172" #1: ignoring unknown Vendor ID payload [5b362bc820f60006]
Aug 13 13:46:24 wks_name pluto[12091]: "Prod172" #1: received Vendor ID payload [RFC 3947] method set to=110
Aug 13 13:46:24 wks_name pluto[12091]: "Prod172" #1: received Vendor ID payload [Dead Peer Detection]
Aug 13 13:46:24 wks_name pluto[12091]: "Prod172" #1: received Vendor ID payload [XAUTH]
Aug 13 13:46:24 wks_name pluto[12091]: "Prod172" #1: Aggressive mode peer ID is ID_FQDN: '@x.x.x.x'
Aug 13 13:46:24 wks_name pluto[12091]: "Prod172" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Aug 13 13:46:24 wks_name pluto[12091]: "Prod172" #1: Aggressive mode peer ID is ID_FQDN: '@x.x.x.x'
Aug 13 13:46:24 wks_name pluto[12091]: "Prod172" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
Aug 13 13:46:24 wks_name pluto[12091]: "Prod172" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
Aug 13 13:46:24 wks_name pluto[12091]: "Prod172" #1: Dead Peer Detection (RFC 3706): enabled
Aug 13 13:46:24 wks_name pluto[12091]: "Prod172" #1: XAUTH username requested, but no file descriptor available for prompt
Aug 13 13:46:24 wks_name pluto[12091]: "Prod172" #1: sending encrypted notification CERTIFICATE_UNAVAILABLE to x.x.x.x:4500
Aug 13 13:46:34 wks_name pluto[12091]: "Prod172" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#1}
Aug 13 13:46:34 wks_name pluto[12091]: "Prod172" #1: Informational Exchange message must be encrypted
+ _________________________ date
+
+ date
Wed Aug 13 13:47:00 EDT 2008



**** Successful Login ****

Aug 13 13:43:26 wks_name pluto[10903]: "Prod172" #13: initiating Aggressive Mode #13, connection "Prod172"
Aug 13 13:43:26 wks_name pluto[10903]: "Prod172" #13: ignoring unknown Vendor ID payload [404bf439522ca3f6]
Aug 13 13:43:26 wks_name pluto[10903]: "Prod172" #13: ignoring unknown Vendor ID payload [5b362bc820f60006]
Aug 13 13:43:26 wks_name pluto[10903]: "Prod172" #13: received Vendor ID payload [RFC 3947] method set to=110
Aug 13 13:43:26 wks_name pluto[10903]: "Prod172" #13: received Vendor ID payload [Dead Peer Detection]
Aug 13 13:43:26 wks_name pluto[10903]: "Prod172" #13: received Vendor ID payload [XAUTH]
Aug 13 13:43:26 wks_name pluto[10903]: "Prod172" #13: Aggressive mode peer ID is ID_FQDN: '@x.x.x.x'
Aug 13 13:43:26 wks_name pluto[10903]: "Prod172" #13: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Aug 13 13:43:26 wks_name pluto[10903]: "Prod172" #13: Aggressive mode peer ID is ID_FQDN: '@x.x.x.x'
Aug 13 13:43:26 wks_name pluto[10903]: "Prod172" #13: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
Aug 13 13:43:26 wks_name pluto[10903]: "Prod172" #13: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
Aug 13 13:43:26 wks_name pluto[10903]: "Prod172" #13: Dead Peer Detection (RFC 3706): enabled
Aug 13 13:43:26 wks_name pluto[10903]: "Prod172" #13: XAUTH: Answering XAUTH challenge with user='USERNAME'
Aug 13 13:43:26 wks_name pluto[10903]: "Prod172" #13: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
Aug 13 13:43:26 wks_name pluto[10903]: "Prod172" #13: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Aug 13 13:43:26 wks_name pluto[10903]: "Prod172" #13: Dead Peer Detection (RFC 3706): enabled
Aug 13 13:43:26 wks_name pluto[10903]: "Prod172" #13: XAUTH: Successfully Authenticated
Aug 13 13:43:26 wks_name pluto[10903]: "Prod172" #13: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
Aug 13 13:43:26 wks_name pluto[10903]: "Prod172" #13: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Aug 13 13:43:26 wks_name pluto[10903]: "Prod172" #13: Dead Peer Detection (RFC 3706): enabled
Aug 13 13:43:26 wks_name pluto[10903]: "Prod172" #14: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#13}
Aug 13 13:43:26 wks_name pluto[10903]: "Prod172" #14: Dead Peer Detection (RFC 3706): enabled
Aug 13 13:43:26 wks_name pluto[10903]: "Prod172" #14: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 13 13:43:26 wks_name pluto[10903]: "Prod172" #14: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x3f39b2c8 <0x6a0aac99 xfrm=3DES_0-HMAC_SHA1 NATD=x.x.x.x:4500 DPD=enabled}
Aug 13 13:43:56 wks_name pluto[10903]: "Prod172" #14: DPD: Serious: could not find newest phase 1 state
+ _________________________ date
+
+ date
Wed Aug 13 13:44:46 EDT 2008
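
The two traces above can be told apart mechanically. The following is an added example, not part of the original post and not Openswan code: it links each Quick Mode state to its phase 1 SA through the `{using isakmp#N}` marker and reports whether XAUTH completed on that SA. The function name `classify` and the verdict labels are hypothetical; the matched strings are taken from the pluto lines in the post.

```python
import re

# Constructed sample: lines abridged from the two pluto traces in the post.
SAMPLE_LOG = """\
Aug 13 13:46:24 wks_name pluto[12091]: "Prod172" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established
Aug 13 13:46:24 wks_name pluto[12091]: "Prod172" #1: XAUTH username requested, but no file descriptor available for prompt
Aug 13 13:46:34 wks_name pluto[12091]: "Prod172" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#1}
Aug 13 13:43:26 wks_name pluto[10903]: "Prod172" #13: STATE_AGGR_I2: sent AI2, ISAKMP SA established
Aug 13 13:43:26 wks_name pluto[10903]: "Prod172" #13: XAUTH: Successfully Authenticated
Aug 13 13:43:26 wks_name pluto[10903]: "Prod172" #14: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#13}
Aug 13 13:43:26 wks_name pluto[10903]: "Prod172" #14: STATE_QUICK_I2: sent QI2, IPsec SA established
"""

LINE = re.compile(r'pluto\[(\d+)\]: "([^"]+)" #(\d+): (.*)$')
USING = re.compile(r"initiating Quick Mode .*\{using isakmp#(\d+)\}")

def classify(log_text):
    """Map each phase 1 SA (pid, conn, state number) to a verdict string."""
    xauth, parent, up = {}, {}, set()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # date markers and non-pluto lines
        pid, conn, sa, msg = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        key = (pid, conn, sa)
        if "ISAKMP SA established" in msg:
            xauth.setdefault(key, "not_seen")
        elif "no file descriptor available for prompt" in msg:
            xauth[key] = "no_prompt_fd"
        elif "XAUTH: Successfully Authenticated" in msg:
            xauth[key] = "authenticated"
        elif (u := USING.search(msg)):
            parent[key] = (pid, conn, int(u.group(1)))  # quick mode -> its phase 1
        elif "IPsec SA established" in msg and key in parent:
            up.add(parent[key])
    verdicts = {}
    for key, state in xauth.items():
        if key in up:
            verdicts[key] = "tunnel_up"
        elif state == "no_prompt_fd":
            verdicts[key] = "xauth_prompt_unavailable"
        elif key in parent.values() and state != "authenticated":
            verdicts[key] = "quick_mode_without_xauth"
        else:
            verdicts[key] = "pending"
    return verdicts

if __name__ == "__main__":
    for key, verdict in classify(SAMPLE_LOG).items():
        print(key, verdict)
```

Keying on the pluto PID keeps state numbers from different daemon runs (before and after `/etc/init.d/ipsec restart`) from being merged.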




      