[Openswan Users] STATE_MAIN_R3

Paul Wouters paul at xelerance.com
Thu Jan 31 06:18:39 EST 2008


On Thu, 31 Jan 2008, Dmitry Melekhov wrote:

> Sometimes (very rarely) I have the following with openswan 2.4.9:
>
> On one side
>
> # ipsec whack  --status | grep k183
> 000 "k183": 192.168.200.241...192.168.200.242; erouted; eroute owner: #24286
> 000 "k183":     srcip=unset; dstip=unset; srcup=ipsec _updown;
> dstup=ipsec _updown;
> 000 "k183":   ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s;
> rekey_fuzz: 100%; keyingtries: 0
> 000 "k183":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 32,32;
> interface: eth1:3; encap: esp;
> 000 "k183":   newest ISAKMP SA: #24293; newest IPsec SA: #24286;
> 000 "k183":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
> 000 #24286: "k183":500 STATE_QUICK_R2 (IPsec SA established);
> EVENT_SA_REPLACE in 1000s; newest IPSEC; eroute owner
> 000 #24286: "k183" used 7s ago; esp.f0777ee6 at 192.168.200.242
> esp.24e24f0f at 192.168.200.241 comp.267a at 192.168.200.242
> comp.1f6 at 192.168.200.241 tun.5e13 at 192.168.200.242 tun.5e12 at 192.168.200.241
> 000 #24293: "k183":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
> EVENT_SA_REPLACE in 1270s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
>
>
> And on another side all is OK.
>
> # ipsec whack --status | grep k183
> 000 "k183": 192.168.200.242...192.168.200.241; erouted; eroute owner: #621
> 000 "k183":     srcip=unset; dstip=unset; srcup=ipsec _updown;
> dstup=ipsec _updown;
> 000 "k183":   ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s;
> rekey_fuzz: 100%; keyingtries: 0
> 000 "k183":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 32,32;
> interface: eth0; encap: esp;
> 000 "k183":   newest ISAKMP SA: #622; newest IPsec SA: #621;
> 000 "k183":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
> 000 #621: "k183":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
> EVENT_SA_REPLACE in 260s; newest IPSEC; eroute owner
> 000 #621: "k183" used 23s ago; esp.24e24f0f at 192.168.200.241
> esp.f0777ee6 at 192.168.200.242 comp.1f6 at 192.168.200.241
> comp.267a at 192.168.200.242 tun.1270 at 192.168.200.241 tun.126f at 192.168.200.242
> 000 #622: "k183":500 STATE_MAIN_I4 (ISAKMP SA established);
> EVENT_SA_REPLACE in 496s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)

I am not sure I'm seeing a problem?

> I restart connection with ipsec auto --down/--up.

So no packets flow?

> But could you tell me what STATE_MAIN_R3 is and why I can get such a problem?

MR3 is Main mode Responder state 3. It looks like it is doing a rekey of
the phase 1 (isakmp). Regardless of that phase1, if phase2 is still valid,
then it should still be sending and receiving packets.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
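
Added example (not part of the original message and not Openswan code): a small parser for the `ipsec whack --status` state lines quoted above. It reports the newest phase 1 and phase 2 state per connection and checks phase 2 separately from phase 1. It assumes the line format shown in the post with the mail wrapping undone; the function names and sample text are constructed for illustration.

```python
import re

# Constructed sample: modelled on the `ipsec whack --status` output quoted in
# the post, with the mail client's line wrapping undone.
SAMPLE = '''\
000 "k183":   newest ISAKMP SA: #24293; newest IPsec SA: #24286;
000 #24286: "k183":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1000s; newest IPSEC; eroute owner
000 #24293: "k183":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 1270s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
'''

STATE_LINE = re.compile(
    r'^000 #(?P<serial>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+) '
    r'\((?P<desc>[^)]*)\); (?P<event>EVENT_\w+) in (?P<secs>-?\d+)s;(?P<rest>.*)$'
)

def parse_states(text):
    """Return {conn: {"isakmp": sa, "ipsec": sa}} for the newest SA of each phase."""
    conns = {}
    for line in text.splitlines():
        m = STATE_LINE.match(line.strip())
        if not m:
            continue  # policy/summary lines carry no "#serial" and are skipped
        sa = {"serial": int(m["serial"]), "state": m["state"], "desc": m["desc"],
              "event": m["event"], "event_in": int(m["secs"])}
        flags = [f.strip() for f in m["rest"].split(";")]
        entry = conns.setdefault(m["conn"], {"isakmp": None, "ipsec": None})
        if "newest ISAKMP" in flags:
            entry["isakmp"] = sa
        if "newest IPSEC" in flags:
            entry["ipsec"] = sa
    return conns

def phase2_up(entry):
    """True when the newest phase 2 SA reports itself established."""
    sa = entry["ipsec"]
    return sa is not None and "IPsec SA established" in sa["desc"]

def report(text):
    lines = []
    for conn, entry in sorted(parse_states(text).items()):
        p1 = entry["isakmp"]["state"] if entry["isakmp"] else "none"
        p2 = entry["ipsec"]["state"] if entry["ipsec"] else "none"
        verdict = "phase 2 established" if phase2_up(entry) else "no established phase 2 SA"
        lines.append(f"{conn}: phase1={p1} phase2={p2} -> {verdict}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```
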

