[Openswan Users] Intermittent issue between Openswan and Sonicwall firewall
Andrew Schwartz
aschwartz at gmail.com
Fri Oct 24 22:48:55 EDT 2008
Hello. I'm running Openswan under Ubuntu, with an IPSec tunnel to a
SonicWall device (the remote device is not under my control). I've
got an issue where when the tunnel intermittently goes down it will
stay down until I run "ipsec auto --down [tunnelname]" then "ipsec
auto --up [tunnelname]".
Moreover, even that sometimes doesn't fix the problem. The ipsec auto
--up command sometimes will hang and eventually fail. So, if it
doesn't work after a second or so, I Ctrl-C it and run the --down
followed by the --up command until it eventually works (usually on the
first or second attempt, sometimes the third).
Any thoughts on what the issue could be?
Much appreciated!
I don't know the details of the remote device, but my local device is
running Linux Openswan U2.4.9/K2.6.24-19-server. If it would help to
get the details of the remote device, I can try.
When I run "ipsec auto --up [tunnelname]" and it doesn't work this is
the eventual output:
104 [tunnelname] #4680: STATE_MAIN_I1: initiate
003 [tunnelname] #4680: ignoring unknown Vendor ID payload [5b362bc820f60003]
003 [tunnelname] #4680: received Vendor ID payload [RFC 3947] method set to=110
106 [tunnelname] #4680: STATE_MAIN_I2: sent MI2, expecting MR2
003 [tunnelname] #4680: ignoring unknown Vendor ID payload [404bf439522ca3f6]
003 [tunnelname] #4680: received Vendor ID payload [XAUTH]
003 [tunnelname] #4680: received Vendor ID payload [Dead Peer Detection]
003 [tunnelname] #4680: NAT-Traversal: Result using RFC 3947
(NAT-Traversal): no NAT detected
108 [tunnelname] #4680: STATE_MAIN_I3: sent MI3, expecting MR3
004 [tunnelname] #4680: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
117 [tunnelname] #4681: STATE_QUICK_I1: initiate
010 [tunnelname] #4681: STATE_QUICK_I1: retransmission; will wait 20s
for response
010 [tunnelname] #4681: STATE_QUICK_I1: retransmission; will wait 40s
for response
031 [tunnelname] #4681: max number of retransmissions (2) reached
STATE_QUICK_I1. No acceptable response to our first Quick Mode
message: perhaps peer likes no proposal
000 [tunnelname] #4681: starting keying attempt 2 of an unlimited
number, but releasing whack
When successful I get:
104 [tunnelname] #4699: STATE_MAIN_I1: initiate
003 [tunnelname] #4699: ignoring unknown Vendor ID payload [5b362bc820f60003]
003 [tunnelname] #4699: received Vendor ID payload [RFC 3947] method set to=110
106 [tunnelname] #4699: STATE_MAIN_I2: sent MI2, expecting MR2
003 [tunnelname] #4699: ignoring unknown Vendor ID payload [404bf439522ca3f6]
003 [tunnelname] #4699: received Vendor ID payload [XAUTH]
003 [tunnelname] #4699: received Vendor ID payload [Dead Peer Detection]
003 [tunnelname] #4699: NAT-Traversal: Result using RFC 3947
(NAT-Traversal): no NAT detected
108 [tunnelname] #4699: STATE_MAIN_I3: sent MI3, expecting MR3
004 [tunnelname] #4699: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
117 [tunnelname] #4700: STATE_QUICK_I1: initiate
004 [tunnelname] #4700: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x4d030ec2 <0x80c24f76 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
Thanks!
Andrew
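The two transcripts above show the same failure shape each time: Main Mode (phase 1) completes, then Quick Mode (phase 2) times out after its retransmissions. The following added example (not part of the original post or of Openswan) parses whack-style status lines and tells the two cases apart, so a monitoring job can alert on "phase 1 up, phase 2 dead" instead of waiting for someone to notice the tunnel is down; the embedded samples are abridged from the lines quoted above, and the verdict names are my own.

```python
import re

# Constructed samples: abridged from the two transcripts quoted in the post above.
FAILED = """\
104 [tunnelname] #4680: STATE_MAIN_I1: initiate
004 [tunnelname] #4680: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
117 [tunnelname] #4681: STATE_QUICK_I1: initiate
010 [tunnelname] #4681: STATE_QUICK_I1: retransmission; will wait 20s
for response
010 [tunnelname] #4681: STATE_QUICK_I1: retransmission; will wait 40s
for response
031 [tunnelname] #4681: max number of retransmissions (2) reached
STATE_QUICK_I1. No acceptable response to our first Quick Mode
message: perhaps peer likes no proposal
"""
SUCCESS = """\
104 [tunnelname] #4699: STATE_MAIN_I1: initiate
004 [tunnelname] #4699: STATE_MAIN_I4: ISAKMP SA established
117 [tunnelname] #4700: STATE_QUICK_I1: initiate
004 [tunnelname] #4700: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x4d030ec2 <0x80c24f76 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
"""

# One whack status line: 3-digit code, connection name, state number, message.
LINE_RE = re.compile(r"^(?P<code>\d{3}) \[(?P<conn>[^\]]+)\] #(?P<sa>\d+): (?P<msg>.*)$")

def classify(transcript):
    """Summarise one 'ipsec auto --up' transcript: how far negotiation got and why it stopped."""
    result = {"phase1": False, "phase2": False, "retransmits": 0, "error": None}
    for raw in transcript.splitlines():
        m = LINE_RE.match(raw)
        if not m:                      # terminal-wrapped continuation lines add no status
            continue
        code, msg = m["code"], m["msg"]
        if code == "031":
            result["error"] = msg      # fatal: retransmission limit reached
        elif "ISAKMP SA established" in msg:
            result["phase1"] = True    # Main Mode (IKE phase 1) completed
        elif "IPsec SA established" in msg:
            result["phase2"] = True    # Quick Mode (IKE phase 2) completed
        elif "retransmission;" in msg:
            result["retransmits"] += 1
    if result["phase2"]:
        result["verdict"] = "up"
    elif result["phase1"]:
        result["verdict"] = "phase2-failed"  # peer answered IKE but never accepted Quick Mode
    else:
        result["verdict"] = "phase1-failed"
    return result

if __name__ == "__main__":
    for name, transcript in (("failed", FAILED), ("success", SUCCESS)):
        print(name, classify(transcript))
```

Feeding it the output of `ipsec auto --up [tunnelname]` from cron and alerting whenever the verdict is not "up" catches the stuck state described above before users do.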