[Openswan Users] STATE_MAIN_R3
Dmitry Melekhov
dm at belkam.com
Thu Jan 31 06:25:24 EST 2008
Paul Wouters wrote:
> On Thu, 31 Jan 2008, Dmitry Melekhov wrote:
>
>
>> Sometimes (very rarely) I have the following with openswan 2.4.9:
>>
>> On one side
>>
>> # ipsec whack --status | grep k183
>> 000 "k183": 192.168.200.241...192.168.200.242; erouted; eroute owner: #24286
>> 000 "k183": srcip=unset; dstip=unset; srcup=ipsec _updown;
>> dstup=ipsec _updown;
>> 000 "k183": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s;
>> rekey_fuzz: 100%; keyingtries: 0
>> 000 "k183": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 32,32;
>> interface: eth1:3; encap: esp;
>> 000 "k183": newest ISAKMP SA: #24293; newest IPsec SA: #24286;
>> 000 "k183": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
>> 000 #24286: "k183":500 STATE_QUICK_R2 (IPsec SA established);
>> EVENT_SA_REPLACE in 1000s; newest IPSEC; eroute owner
>> 000 #24286: "k183" used 7s ago; esp.f0777ee6 at 192.168.200.242
>> esp.24e24f0f at 192.168.200.241 comp.267a at 192.168.200.242
>> comp.1f6 at 192.168.200.241 tun.5e13 at 192.168.200.242 tun.5e12 at 192.168.200.241
>> 000 #24293: "k183":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
>> EVENT_SA_REPLACE in 1270s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
>>
>>
>> And on another side all is OK.
>>
>> # ipsec whack --status | grep k183
>> 000 "k183": 192.168.200.242...192.168.200.241; erouted; eroute owner: #621
>> 000 "k183": srcip=unset; dstip=unset; srcup=ipsec _updown;
>> dstup=ipsec _updown;
>> 000 "k183": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s;
>> rekey_fuzz: 100%; keyingtries: 0
>> 000 "k183": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 32,32;
>> interface: eth0; encap: esp;
>> 000 "k183": newest ISAKMP SA: #622; newest IPsec SA: #621;
>> 000 "k183": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
>> 000 #621: "k183":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
>> EVENT_SA_REPLACE in 260s; newest IPSEC; eroute owner
>> 000 #621: "k183" used 23s ago; esp.24e24f0f at 192.168.200.241
>> esp.f0777ee6 at 192.168.200.242 comp.1f6 at 192.168.200.241
>> comp.267a at 192.168.200.242 tun.1270 at 192.168.200.241 tun.126f at 192.168.200.242
>> 000 #622: "k183":500 STATE_MAIN_I4 (ISAKMP SA established);
>> EVENT_SA_REPLACE in 496s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
>>
>
> I am not sure I'm seeing a problem?
>
>
>> I restart connection with ipsec auto --down/--up.
>>
>
> So no packets flow?
>
>
It works after down/up.
>> But could you tell me what is STATE_MAIN_R3 and why can I get such a problem?
>>
>
> MR3 is Main mode Responder state 3. It looks like it is doing a rekey of
> the phase 1 (isakmp). Regardless of that phase1, if phase2 is still valid,
> then it should still be sending and receiving packets.
>
But there is no packet flow :-(
This is a problem...
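
Added example (not part of the original message and not Openswan code): a small parser for the per-SA lines of the "ipsec whack --status" output quoted above, which splits a state name such as STATE_MAIN_R3 into mode, role and step and reports whether the line says the SA is established. The names parse_sas and unwrap are hypothetical, the sample is constructed from lines quoted in this thread, and mapping only Main and Quick mode to a phase is an assumption of the example.

```python
import re

# Constructed sample: responder-side status lines quoted in this thread,
# with the mail client's quoting and line wraps left in place.
SAMPLE = '''\
>> 000 #24286: "k183":500 STATE_QUICK_R2 (IPsec SA established);
>> EVENT_SA_REPLACE in 1000s; newest IPSEC; eroute owner
>> 000 #24293: "k183":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established);
>> EVENT_SA_REPLACE in 1270s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
'''

# One per-SA line: serial, connection, state name, description, next event.
SA_RE = re.compile(
    r'^000 #(?P<serial>\d+): "(?P<conn>[^"]+)":\d+ '
    r'STATE_(?P<mode>\w+)_(?P<role>[IR])(?P<step>\d+) \((?P<desc>[^)]*)\); '
    r'(?P<event>EVENT_\w+) in (?P<secs>-?\d+)s;')

# Assumption of this example: only Main and Quick mode are mapped to a phase.
PHASE = {'MAIN': 1, 'QUICK': 2}
ROLE = {'I': 'initiator', 'R': 'responder'}

def unwrap(text):
    """Strip '>' quoting and rejoin wrapped lines (real lines start '000 ')."""
    lines = []
    for raw in text.splitlines():
        raw = raw.lstrip('> ').rstrip()
        if raw.startswith('000 '):
            lines.append(raw)
        elif raw and lines:
            lines[-1] += ' ' + raw
    return lines

def parse_sas(text, conn):
    """Return one dict per SA state line belonging to connection `conn`."""
    sas = []
    for line in unwrap(text):
        m = SA_RE.match(line)
        if m and m['conn'] == conn:
            sas.append({
                'serial': int(m['serial']), 'phase': PHASE.get(m['mode']),
                'role': ROLE[m['role']], 'step': int(m['step']),
                'established': 'SA established' in m['desc'],
                'event': m['event'], 'seconds': int(m['secs']),
            })
    return sas

if __name__ == '__main__':
    for sa in parse_sas(SAMPLE, 'k183'):
        print(sa)
```

For the quoted lines it reports #24286 as an established phase 2 responder SA and #24293 as an established phase 1 responder SA, so the status output alone does not show which side stopped passing packets.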