[Openswan Users] intermittent failure to establish a VPN connection

Paul Wouters paul at xelerance.com
Thu Aug 14 23:34:44 EDT 2008

On Wed, 13 Aug 2008, lesly dorval wrote:

> I have an intermittent problem where I am unable to create an openswan vpn tunnel  between openswan and
> sonicwall using:
> /etc/init.d/ipsec restart
> ipsec whack --name Prod172 --xauthname  or
> ipsec whack --name Prod172 --xauthname USERNAME --xauthpass PASSWORD --initiate
> The error message reads:
> someuser at wks_name:~$ sudo ipsec whack --name Prod172 --initiate
> 002 "Prod172" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+AGGRESSIVE {using isakmp#1}
> 117 "Prod172" #2: STATE_QUICK_I1: initiate
> 010 "Prod172" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
> There is also this seemingly interesting file descriptor error in /var/authlog shows:
> Aug 13 13:46:24 wks_name pluto[12091]: "Prod172" #1: XAUTH username requested, but no file descriptor available
> for prompt

Looks like you have rekey=yes. Xauth can't rekey if you supply
the password using whack.  You can store the xauth password in
/etc/ipsec.secrets if your openswan is new enough.

Another work around is to pick (insane) long rekey times, and hope the
remote has a longer rekey time as well.


More information about the Users mailing list