[Openswan Users] openswan -> cisco 3080 :: 2 tunnels, the 2nd goes always down

Sebastien COUPPEY sebastien.couppey at zero9.it
Wed Jan 30 03:36:10 EST 2008 

Ciao,

I am still facing intermitent disconnection on the tunnel2. Last night
the 2nd tunnel was down for a while, and I can see the following
errors :

I have "INVALID_SPI" error on the con1 and as soon as I don t have the
error anymore on the con1, the con2 start working fine.


Jan 30 02:52:52 frw01 pluto[9461]: "milano-to-roma" #242883: received and ignored informational message
Jan 30 02:52:53 frw01 pluto[9461]: "milano-to-roma" #242883: ignoring informational payload, type INVALID_SPI
Jan 30 02:52:53 frw01 pluto[9461]: "milano-to-roma" #242883: received and ignored informational message
Jan 30 02:53:08 frw01 pluto[9461]: "milano-to-roma2" #242888: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #242481 {using isakmp#242883}
Jan 30 02:53:08 frw01 pluto[9461]: "milano-to-roma2" #242888: Dead Peer Detection (RFC 3706): enabled
Jan 30 02:53:08 frw01 pluto[9461]: "milano-to-roma2" #242888: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2 
Jan 30 02:53:08 frw01 pluto[9461]: "milano-to-roma2" #242888: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x20d2da17 <0x1a5c6d15 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=enabled}


Does it speak to someone ? 
Did I do an error on the con1 ?

Thanks for any advice,



On Fri, Jan 25, 2008 at 09:57:15AM +0100, Sebastien COUPPEY wrote:
> Hello,
> 
> I have a 2 connections with :
> 
>   openswan -> cisco VPN 3080
> 
> however the 2nd connection goes always down and only restart after a
> while.
> according to the ipsec auto --status, it seems that the tunnel is UP
> as I can see :
> 
>  500 STATE_QUICK_I2 (sent QI2, IPsec SA established)
> 
> for both of the conns.
> 
> I tried :
>  - setup the lifetime on both sides
>  - enable the dpd detection (after the talks on IRC)
>  
> Here is my configuration :
> 
> 
> conn milano-to-roma
>     authby=secret
>     left=151.2.117.100
>     leftsubnet=10.0.1.0/27
>     leftnexthop=%defaultroute
>     right=223.120.147.100
>     rightsubnet=10.6.67.0/24
>     rightnexthop=%defaultroute
>     ikelifetime=3600
>     keylife=28800
>     ike=3des-sha1-modp1024
>     esp=3des-sha1
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=hold
>     auto=start
> 
> 
> conn milano-to-roma2
>     authby=secret
>     left=151.2.117.100
>     leftsubnet=10.0.1.0/27
>     leftnexthop=%defaultroute
>     right=223.120.147.100   
>     rightsubnet=137.243.194.192/26
>     rightnexthop=%defaultroute
>     ikelifetime=3600
>     keylife=28800
>     ike=3des-sha1-modp1024
>     esp=3des-sha1
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=hold
>     auto=start
> 
> 
> Did I forget something ?
> 
> 
> Thanks for any tips

More information about the Users mailing list