[Openswan Users] Ipsec auto --up still hangs sometimes

Greg Scott GregScott at InfraSupportEtc.com
Mon Dec 8 07:50:07 EST 2008


It seemed best to open a new thread for this issue.  I couldn't help
myself - I had to reproduce the hang problem I ran across a few minutes
ago.  

Here's the situation.  Janesville has 2 LANs, one named
JanesvilleCheetah that normally has an IPSEC Openswan tunnel, the other
named JanesvillePNT that normally routes differently.  

These tunnels all connect to the HQ site.  JanesvilleCheetah stays up
all the time, JanesvillePNT is supposed to come up and down as needed.  

The HQ Openswan firewall is now running this version:

[root at lme-fw2 ipsec.d]# ipsec version
Linux Openswan U2.6.14/K2.6.25-14.fc9.i686 (netkey)
See `ipsec --copyright' for copyright information.
[root at lme-fw2 ipsec.d]#

Here is the condition to reproduce the problem:

In Janesville, the JanesvilleCheetah tunnel is up and running.
The JanesvillePNT tunnel is specifically ***not*** loaded.  

From the HQ Openswan firewall, when I do ipsec auto --add and then ipsec
auto --up -- but without doing anything in Janesville, then the whack at
HQ still hangs.  It should eventually return with an error, but it
doesn't.  It hangs. 


[root at lme-fw2 ipsec.d]# ipsec auto --down JanesvillePNT-Everywhere
[root at lme-fw2 ipsec.d]# ipsec auto --delete JanesvillePNT-Everywhere
000 "JanesvillePNT-Everywhere": request to delete a unrouted policy with
netkey kernel --- experimental
[root at lme-fw2 ipsec.d]# ipsec auto --up JanesvillePNT-Everywhere
000 initiating all conns with alias='JanesvillePNT-Everywhere'
021 no connection named "JanesvillePNT-Everywhere"
[root at lme-fw2 ipsec.d]# ipsec auto --add JanesvillePNT-Everywhere
[root at lme-fw2 ipsec.d]# ipsec auto --up JanesvillePNT-Everywhere
104 "JanesvillePNT-Everywhere" #22: STATE_MAIN_I1: initiate
003 "JanesvillePNT-Everywhere" #22: ignoring unknown Vendor ID payload
[4f455f5d7b764b67436f4f49]
003 "JanesvillePNT-Everywhere" #22: received Vendor ID payload [Dead
Peer Detection]
003 "JanesvillePNT-Everywhere" #22: received Vendor ID payload [RFC
3947] method set to=109
106 "JanesvillePNT-Everywhere" #22: STATE_MAIN_I2: sent MI2, expecting
MR2
003 "JanesvillePNT-Everywhere" #22: NAT-Traversal: Result using RFC 3947
(NAT-Traversal): no NAT detected
108 "JanesvillePNT-Everywhere" #22: STATE_MAIN_I3: sent MI3, expecting
MR3
003 "JanesvillePNT-Everywhere" #22: we require peer to have ID
'@janesvillepnt.local', but peer declares '@janesvillecheetah.local'
218 "JanesvillePNT-Everywhere" #22: STATE_MAIN_I3:
INVALID_ID_INFORMATION

-----> (Long pause here until I pressed CTRL/C) <-------

^C[root at lme-fw2 ipsec.d]# ipsec auto --delete JanesvillePNT-Everywhere
[root at lme-fw2 ipsec.d]#

- Greg
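
Added example, not part of the original post and not Openswan code: a Python sketch that bounds the wait on `ipsec auto --up` and extracts the failure reason from the whack output quoted above. The helper names, the 30-second default and the reading of the status prefixes (1xx as a state transition, 2xx as an IKE notification) are assumptions drawn from that output.

```python
import re
import subprocess

# Excerpt of the whack output quoted in the post, mail line-wrapping included.
SAMPLE = """\
108 "JanesvillePNT-Everywhere" #22: STATE_MAIN_I3: sent MI3, expecting
MR3
003 "JanesvillePNT-Everywhere" #22: we require peer to have ID
'@janesvillepnt.local', but peer declares '@janesvillecheetah.local'
218 "JanesvillePNT-Everywhere" #22: STATE_MAIN_I3:
INVALID_ID_INFORMATION
"""

# Status line: 3-digit code, optional quoted connection name and "#N" state number, message.
LINE = re.compile(r'^(\d{3}) (?:"[^"]+"(?: #\d+)?: )?(.*)$')
ID_MISMATCH = re.compile(r"require peer to have ID '([^']+)', but peer declares '([^']+)'")

def unwrap(text):
    """Rejoin wrapped output: a continuation line lacks the 3-digit status prefix."""
    out = []
    for raw in filter(str.strip, text.splitlines()):
        if re.match(r"\d{3} ", raw):
            out.append(raw.strip())
        elif out:
            out[-1] += " " + raw.strip()
    return out

def diagnose(text):
    """Last state reached, failure notification and peer-ID mismatch in a whack transcript."""
    res = {"last_state": None, "notification": None, "id_mismatch": None}
    for line in unwrap(text):
        code, msg = LINE.match(line).groups()
        if code[0] == "1":        # assumption: 1xx reports a state transition
            res["last_state"] = msg.split(":")[0]
        elif code[0] == "2":      # assumption: 2xx carries an IKE notification
            res["notification"] = msg.split(":")[-1].strip()
        ids = ID_MISMATCH.search(msg)
        if ids:
            res["id_mismatch"] = ids.groups()   # (required ID, declared ID)
    return res

def up_with_deadline(name, seconds=30, cmd=("ipsec", "auto", "--up")):
    """Run the initiate command but stop waiting after `seconds`; diagnose what was printed."""
    try:
        out = subprocess.run([*cmd, name], capture_output=True, timeout=seconds).stdout
        timed_out = False
    except subprocess.TimeoutExpired as exc:    # the hang described in the post
        out, timed_out = exc.stdout or b"", True
    return dict(diagnose(out.decode(errors="replace")), timed_out=timed_out)
```
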