[Openswan Users] openswan -> cisco 3080 :: 2 tunnels, the 2nd goes always down
Sebastien COUPPEY
sebastien.couppey at zero9.it
Thu Jan 31 10:13:54 EST 2008
I also observed that I have some
"took too long -- replacing phase 1"
before the tunnel 2 restart.
This log happens 6 times a day at least, then the tunnel restarts.
Is there any specific feature which would reject a rekey?
Thanks
On Wed, Jan 30, 2008 at 09:36:10AM +0100, Sebastien COUPPEY wrote:
> Ciao,
>
> I am still facing intermittent disconnection on the tunnel2. Last night
> the 2nd tunnel was down for a while, and I can see the following
> errors :
>
> I have "INVALID_SPI" error on the con1 and as soon as I don't have the
> error anymore on the con1, the con2 starts working fine.
>
>
> Jan 30 02:52:52 frw01 pluto[9461]: "milano-to-roma" #242883: received and ignored informational message
> Jan 30 02:52:53 frw01 pluto[9461]: "milano-to-roma" #242883: ignoring informational payload, type INVALID_SPI
> Jan 30 02:52:53 frw01 pluto[9461]: "milano-to-roma" #242883: received and ignored informational message
> Jan 30 02:53:08 frw01 pluto[9461]: "milano-to-roma2" #242888: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #242481 {using isakmp#242883}
> Jan 30 02:53:08 frw01 pluto[9461]: "milano-to-roma2" #242888: Dead Peer Detection (RFC 3706): enabled
> Jan 30 02:53:08 frw01 pluto[9461]: "milano-to-roma2" #242888: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Jan 30 02:53:08 frw01 pluto[9461]: "milano-to-roma2" #242888: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x20d2da17 <0x1a5c6d15 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=enabled}
>
>
> Does it speak to someone ?
> Did I do an error on the con1 ?
>
> Thanks for any advice,
>
>
>
> On Fri, Jan 25, 2008 at 09:57:15AM +0100, Sebastien COUPPEY wrote:
> > Hello,
> >
> > I have 2 connections with:
> >
> > openswan -> cisco VPN 3080
> >
> > However, the 2nd connection always goes down and only restarts after a
> > while.
> > According to the ipsec auto --status, it seems that the tunnel is UP
> > as I can see :
> >
> > 500 STATE_QUICK_I2 (sent QI2, IPsec SA established)
> >
> > for both of the conns.
> >
> > I tried :
> > - setup the lifetime on both sides
> > - enable the dpd detection (after the talks on IRC)
> >
> > Here is my configuration :
> >
> >
> > conn milano-to-roma
> >     authby=secret
> >     left=151.2.117.100
> >     leftsubnet=10.0.1.0/27
> >     leftnexthop=%defaultroute
> >     right=223.120.147.100
> >     rightsubnet=10.6.67.0/24
> >     rightnexthop=%defaultroute
> >     ikelifetime=3600
> >     keylife=28800
> >     ike=3des-sha1-modp1024
> >     esp=3des-sha1
> >     dpddelay=30
> >     dpdtimeout=120
> >     dpdaction=hold
> >     auto=start
> >
> >
> > conn milano-to-roma2
> >     authby=secret
> >     left=151.2.117.100
> >     leftsubnet=10.0.1.0/27
> >     leftnexthop=%defaultroute
> >     right=223.120.147.100
> >     rightsubnet=137.243.194.192/26
> >     rightnexthop=%defaultroute
> >     ikelifetime=3600
> >     keylife=28800
> >     ike=3des-sha1-modp1024
> >     esp=3des-sha1
> >     dpddelay=30
> >     dpdtimeout=120
> >     dpdaction=hold
> >     auto=start
> >
> >
> > Did I forget something ?
> >
> >
> > Thanks for any tips
--
Tecnologia Maintenance
********************************************************
Zero9 - P.zza Indro Montanelli, 20
20099 Sesto San Giovanni (Mi)
Tel +39 02 91437121
Fax + 39 02 91437122
www.zero9.it
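Added example, not part of the original thread: a small Python correlator for pluto syslog lines in the format quoted above. For each "IPsec SA established" event it reports how many INVALID_SPI notifications were logged beforehand on the ISAKMP SA named in that tunnel's `{using isakmp#N}` line, and how long ago the last one arrived. The sample lines are copied from the excerpt in the thread; the function name, the `year` parameter (syslog timestamps carry no year) and the output field names are assumptions of this example.

```python
import re
from datetime import datetime

# Sample input: lines copied from the log excerpt quoted in the thread.
SAMPLE = '''\
Jan 30 02:52:52 frw01 pluto[9461]: "milano-to-roma" #242883: received and ignored informational message
Jan 30 02:52:53 frw01 pluto[9461]: "milano-to-roma" #242883: ignoring informational payload, type INVALID_SPI
Jan 30 02:52:53 frw01 pluto[9461]: "milano-to-roma" #242883: received and ignored informational message
Jan 30 02:53:08 frw01 pluto[9461]: "milano-to-roma2" #242888: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #242481 {using isakmp#242883}
Jan 30 02:53:08 frw01 pluto[9461]: "milano-to-roma2" #242888: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x20d2da17 <0x1a5c6d15 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=enabled}
'''

# timestamp, connection name, pluto state number, message text
LINE = re.compile(r'^(\w{3} +\d+ [\d:]{8}) \S+ pluto\[\d+\]: "([^"]+)" #(\d+): (.*)$')
ISAKMP = re.compile(r'\{using isakmp#(\d+)\}')


def correlate(log, year=2008):
    """Return one record per 'IPsec SA established' line.

    invalid_spi is the cumulative number of INVALID_SPI notifications logged
    so far on the parent ISAKMP SA; secs_since_last is the gap to the latest.
    Assumes the log does not span a year boundary.
    """
    spi = {}     # ISAKMP state number -> [count, timestamp of last notify]
    parent = {}  # Quick Mode state number -> ISAKMP state number
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a per-connection pluto line
        ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
        conn, state, msg = m[2], m[3], m[4]
        if "type INVALID_SPI" in msg:
            rec = spi.setdefault(state, [0, ts])
            rec[0] += 1
            rec[1] = ts
        elif (used := ISAKMP.search(msg)):
            parent[state] = used[1]
        elif "IPsec SA established" in msg:
            isakmp = parent.get(state)
            count, last = spi.get(isakmp, (0, None))
            gap = (ts - last).total_seconds() if last else None
            events.append({"conn": conn, "state": state, "isakmp": isakmp,
                           "invalid_spi": count, "secs_since_last": gap})
    return events


if __name__ == "__main__":
    for event in correlate(SAMPLE):
        print(event)
```

On the quoted excerpt this links the INVALID_SPI notification logged under "milano-to-roma" state #242883 to the "milano-to-roma2" Quick Mode that names the same ISAKMP SA; a full day's log would give one record per re-establishment.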