[Openswan Users] intermittent failure to establish a VPN connection
Paul Wouters
paul at xelerance.com
Thu Aug 14 23:34:44 EDT 2008
On Wed, 13 Aug 2008, lesly dorval wrote:
> I have an intermittent problem where I am unable to create an openswan vpn tunnel between openswan and
> sonicwall using:
> /etc/init.d/ipsec restart
> ipsec whack --name Prod172 --xauthname or
> ipsec whack --name Prod172 --xauthname USERNAME --xauthpass PASSWORD --initiate
>
> The error message reads:
> someuser at wks_name:~$ sudo ipsec whack --name Prod172 --initiate
> 002 "Prod172" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#1}
> 117 "Prod172" #2: STATE_QUICK_I1: initiate
> 010 "Prod172" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
>
> There is also this seemingly interesting file descriptor error that /var/authlog shows:
> Aug 13 13:46:24 wks_name pluto[12091]: "Prod172" #1: XAUTH username requested, but no file descriptor available
> for prompt
Looks like you have rekey=yes. Xauth can't rekey if you supply
the password using whack. You can store the xauth password in
/etc/ipsec.secrets if your openswan is new enough.
Another workaround is to pick (insanely) long rekey times, and hope the
remote has a longer rekey time as well.
Paul
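For readers hitting the same "XAUTH username requested, but no file descriptor available for prompt" message, here is what Paul's first suggestion looks like in configuration form. This is an added example, not configuration from the original thread; the conn name Prod172 comes from the report, while USERNAME, PASSWORD, the peer addresses and the lifetimes are placeholders you must replace. The option names (leftxauthclient, aggrmode, rekey, ikelifetime, keylife) and the `@user : XAUTH "password"` secrets syntax are those of openswan releases that support XAUTH secrets; older releases will not read the XAUTH line, which is the "new enough" caveat above.

```conf
# /etc/ipsec.conf (added example, placeholders in CAPITALS)
conn Prod172
    # aggressive mode with PSK + XAUTH, as in the reported log line
    authby=secret
    aggrmode=yes
    leftxauthclient=yes
    leftxauthusername=USERNAME
    left=%defaultroute
    right=REMOTE_GATEWAY_IP
    rightsubnet=REMOTE_LAN/24
    # rekey=yes is fine once pluto can read the XAUTH password itself;
    # with the password only supplied on the whack command line, the rekey
    # has no terminal to prompt on and the Phase 1 renegotiation fails
    rekey=yes
    # example lifetimes; keep them at or below the SonicWall side's values
    ikelifetime=8h
    keylife=1h
    auto=add

# /etc/ipsec.secrets (added example; mode 0600, owned by root)
# The XAUTH password is stored here so pluto can answer the XAUTH
# exchange during a rekey without a whack prompt.
@USERNAME : XAUTH "PASSWORD"
```

With the password in ipsec.secrets, `ipsec whack --name Prod172 --initiate` no longer needs `--xauthname`/`--xauthpass`, and a Phase 1 rekey can complete unattended. If your release predates XAUTH secrets, the only remaining lever is the lifetimes: a long ikelifetime on both ends delays the rekey rather than fixing the prompt problem.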