[Openswan Users] Ipsec auto --up {tunnelname} hangs

Greg Scott GregScott at InfraSupportEtc.com
Sat Jun 21 01:51:00 EDT 2008


OK, yet another experiment.  
 
So far, I've tried starting the tunnel from the right side and the right
side whack hangs.  What about the left side?  The left side is running a
newer version of Openswan than the right side - what happens when the
left side tries to bring up the tunnel?  It turns out, the left side
behaves as expected.  It retries a few times, gives up, and returns back
to me.  It even gives me a status code I can test.  
 
The left side seems to behave correctly, while the right side hangs.  
 
[root@Janesville-fw1 ipsec.d]# ipsec auto --add JanesvillePNT-Everywhere
[root@Janesville-fw1 ipsec.d]# ipsec auto --up JanesvillePNT-Everywhere
104 "JanesvillePNT-Everywhere" #1538: STATE_MAIN_I1: initiate
003 "JanesvillePNT-Everywhere" #1538: ignoring unknown Vendor ID payload [4f456e4d43757f784f704063]
003 "JanesvillePNT-Everywhere" #1538: received Vendor ID payload [Dead Peer Detection]
003 "JanesvillePNT-Everywhere" #1538: received Vendor ID payload [RFC 3947] method set to=110
106 "JanesvillePNT-Everywhere" #1538: STATE_MAIN_I2: sent MI2, expecting MR2
003 "JanesvillePNT-Everywhere" #1538: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "JanesvillePNT-Everywhere" #1538: STATE_MAIN_I3: sent MI3, expecting MR3
003 "JanesvillePNT-Everywhere" #1538: ignoring informational payload, type INVALID_ID_INFORMATION
003 "JanesvillePNT-Everywhere" #1538: received and ignored informational message
003 "JanesvillePNT-Everywhere" #1538: discarding duplicate packet; already STATE_MAIN_I3
010 "JanesvillePNT-Everywhere" #1538: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "JanesvillePNT-Everywhere" #1538: ignoring informational payload, type INVALID_ID_INFORMATION
003 "JanesvillePNT-Everywhere" #1538: received and ignored informational message
003 "JanesvillePNT-Everywhere" #1538: discarding duplicate packet; already STATE_MAIN_I3
010 "JanesvillePNT-Everywhere" #1538: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "JanesvillePNT-Everywhere" #1538: ignoring informational payload, type INVALID_ID_INFORMATION
003 "JanesvillePNT-Everywhere" #1538: received and ignored informational message
031 "JanesvillePNT-Everywhere" #1538: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
000 "JanesvillePNT-Everywhere" #1538: starting keying attempt 2 of an unlimited number, but releasing whack
[root@Janesville-fw1 ipsec.d]#
[root@Janesville-fw1 ipsec.d]# echo $?
1

What's different?  
 
The left side is newer than the right side - the left side is running
2.4.9 and fc8, the right side is running 2.4.5 and fc6.  I have an
upgrade going into the right side, I just haven't put it in yet. The
right side will have fc9 and the Openswan version that comes with fc9 -
or maybe a newer one, I saw a posting about Openswan and fc9.  
 
The left side has exactly 2 tunnels with similar names.  The right side
has these same two tunnels, plus some others to different sites.  
 
That's pretty much it.  
 
- Greg
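
Added example, not part of Greg's message and not Openswan code: a shell filter that condenses the whack status lines from `ipsec auto --up` into one summary line (last IKE state reached, retransmissions, peer notifications, whether pluto gave up and released whack). The function names are hypothetical and the sample input is constructed from a subset of the session above with wrapped lines rejoined.

```shell
#!/bin/sh
# Added example: summarise whack status lines from `ipsec auto --up <conn>`.
# summarize_whack and sample_whack_output are hypothetical names.

# Constructed sample: a subset of the session above, wrapped lines rejoined.
sample_whack_output() {
cat <<'EOF'
104 "JanesvillePNT-Everywhere" #1538: STATE_MAIN_I1: initiate
106 "JanesvillePNT-Everywhere" #1538: STATE_MAIN_I2: sent MI2, expecting MR2
108 "JanesvillePNT-Everywhere" #1538: STATE_MAIN_I3: sent MI3, expecting MR3
003 "JanesvillePNT-Everywhere" #1538: ignoring informational payload, type INVALID_ID_INFORMATION
010 "JanesvillePNT-Everywhere" #1538: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "JanesvillePNT-Everywhere" #1538: ignoring informational payload, type INVALID_ID_INFORMATION
010 "JanesvillePNT-Everywhere" #1538: STATE_MAIN_I3: retransmission; will wait 40s for response
003 "JanesvillePNT-Everywhere" #1538: ignoring informational payload, type INVALID_ID_INFORMATION
031 "JanesvillePNT-Everywhere" #1538: max number of retransmissions (2) reached STATE_MAIN_I3.  Possible authentication failure: no acceptable response to our first encrypted message
000 "JanesvillePNT-Everywhere" #1538: starting keying attempt 2 of an unlimited number, but releasing whack
EOF
}

# Reads whack output on stdin and prints a single summary line.
summarize_whack() {
  awk '
    # Track the most recent IKE state named on any line.
    match($0, /STATE_[A-Z0-9_]+/)    { state = substr($0, RSTART, RLENGTH) }
    # Count retransmission timers and peer notification types.
    /retransmission; will wait/      { retransmits++ }
    /informational payload, type /   { notify[$NF]++ }
    # Flag the retry limit and the point where whack is handed back.
    /max number of retransmissions/  { gave_up = 1 }
    /releasing whack/                { released = 1 }
    END {
      printf "last_state=%s retransmits=%d gave_up=%d released=%d", state, retransmits, gave_up, released
      for (n in notify) printf " notify=%s:%d", n, notify[n]
      printf "\n"
    }'
}

# Live use on a gateway: ipsec auto --up <conn> 2>&1 | summarize_whack
sample_whack_output | summarize_whack
```

In a pipeline `$?` reports awk's exit status, so capture the `ipsec auto --up` output to a variable or file first when the command's own status code also needs testing.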