[Openswan Users] Intermittent issue between Openswan and Sonicwall firewall

Andrew Schwartz aschwartz at gmail.com
Fri Oct 24 13:32:01 EDT 2008


I just ran the ipsec auto --up [tunnelname] command and got a bit more
output.  It is now:

104 "guava" #4699: STATE_MAIN_I1: initiate
003 "guava" #4699: ignoring unknown Vendor ID payload [5b362bc820f60003]
003 "guava" #4699: received Vendor ID payload [RFC 3947] method set to=110
106 "guava" #4699: STATE_MAIN_I2: sent MI2, expecting MR2
003 "guava" #4699: ignoring unknown Vendor ID payload [404bf439522ca3f6]
003 "guava" #4699: received Vendor ID payload [XAUTH]
003 "guava" #4699: received Vendor ID payload [Dead Peer Detection]
003 "guava" #4699: NAT-Traversal: Result using RFC 3947
(NAT-Traversal): no NAT detected
108 "guava" #4699: STATE_MAIN_I3: sent MI3, expecting MR3
004 "guava" #4699: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
group=modp1024}
117 "guava" #4700: STATE_QUICK_I1: initiate
004 "guava" #4700: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x4d030ec2 <0x80c24f76 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}

The last two lines weren't posted in my previous post.  Thanks.

On Fri, Oct 24, 2008 at 10:29 AM, Andrew Schwartz <aschwartz at gmail.com> wrote:
> Hello.  I'm running Openswan under Ubuntu, with an IPSec tunnel to a
> SonicWall device (the remote device is not under my control).  I've
> got an issue where when the tunnel intermittently goes down it will
> stay down until I run "ipsec auto --down [tunnelname]" then "ipsec
> auto --up [tunnelname]".
>
> Moreover, even that sometimes doesn't fix the problem.  The ipsec auto
> --up command sometimes will hang and eventually fail.  So, if it
> doesn't work after a second or so, I ctrl-c it and run the --down
> followed by the --up command until it eventually works (usually on the
> first or second attempt, sometimes the third).
>
> Any thoughts on what the issue could be?
> Much appreciated!
>
> I don't know the details of the remote device, but my local device is
> running Linux Openswan U2.4.9/K2.6.24-19-server.  If it would help to
> get the details of the remote device, I can try.
>
> When I run "ipsec auto --up [tunnelname]" and it doesn't work this is
> the eventual output:
>
> 104 [tunnelname] #4680: STATE_MAIN_I1: initiate
> 003 [tunnelname] #4680: ignoring unknown Vendor ID payload [5b362bc820f60003]
> 003 [tunnelname] #4680: received Vendor ID payload [RFC 3947] method set to=110
> 106 [tunnelname] #4680: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 [tunnelname] #4680: ignoring unknown Vendor ID payload [404bf439522ca3f6]
> 003 [tunnelname] #4680: received Vendor ID payload [XAUTH]
> 003 [tunnelname] #4680: received Vendor ID payload [Dead Peer Detection]
> 003 [tunnelname] #4680: NAT-Traversal: Result using RFC 3947
> (NAT-Traversal): no NAT detected
> 108 [tunnelname] #4680: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 [tunnelname] #4680: STATE_MAIN_I4: ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
> group=modp1024}
> 117 [tunnelname] #4681: STATE_QUICK_I1: initiate
> 010 [tunnelname] #4681: STATE_QUICK_I1: retransmission; will wait 20s
> for response
> 010 [tunnelname] #4681: STATE_QUICK_I1: retransmission; will wait 40s
> for response
> 031 [tunnelname] #4681: max number of retransmissions (2) reached
> STATE_QUICK_I1.  No acceptable response to our first Quick Mode
> message: perhaps peer likes no proposal
> 000 [tunnelname] #4681: starting keying attempt 2 of an unlimited
> number, but releasing whack
>
> When successful I get:
>
> 104 [tunnelname] #4692: STATE_MAIN_I1: initiate
> 003 [tunnelname] #4692: ignoring unknown Vendor ID payload [5b362bc820f60003]
> 003 [tunnelname] #4692: received Vendor ID payload [RFC 3947] method set to=110
> 106 [tunnelname] #4692: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 [tunnelname] #4692: ignoring unknown Vendor ID payload [404bf439522ca3f6]
> 003 [tunnelname] #4692: received Vendor ID payload [XAUTH]
> 003 [tunnelname] #4692: received Vendor ID payload [Dead Peer Detection]
> 003 [tunnelname] #4692: NAT-Traversal: Result using RFC 3947
> (NAT-Traversal): no NAT detected
> 108 [tunnelname] #4692: STATE_MAIN_I3: sent MI3, expecting MR3
> 004 [tunnelname] #4692: STATE_MAIN_I4: ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha
> group=modp1024}
>
> Thanks!
>
> Andrew
>
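The manual --down / --up retry loop the post describes, and the two outcomes its transcripts show, as an added example that is not part of the original post or of Openswan: a POSIX sh classifier for the pluto status lines that `ipsec auto --up` prints, plus a wrapper that repeats the post's procedure until the IPsec SA comes up. The function names, the `timeout` bound on `--up`, and the abridged transcripts are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the post or Openswan): classify "ipsec auto --up"
# output by its pluto status lines, then wrap the post's --down / --up retry
# loop around the classifier.  Sample transcripts are constructed (abridged)
# from the lines quoted in the thread; function names are this example's own.

# classify_up_output: read "ipsec auto --up <conn>" output on stdin, print one word:
#   ipsec-sa       Quick Mode finished (STATE_QUICK_I2, "IPsec SA established")
#   phase2-failed  ISAKMP SA came up, but Quick Mode hit the retransmission
#                  limit (status code 031 after STATE_MAIN_I4)
#   phase1-failed  code 031 before Main Mode ever reached STATE_MAIN_I4
#   in-progress    no terminal line seen (e.g. output cut off by a hang)
classify_up_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'IPsec SA established'; then
        echo ipsec-sa
    elif printf '%s\n' "$out" | grep -q '^031 '; then
        if printf '%s\n' "$out" | grep -q 'ISAKMP SA established'; then
            echo phase2-failed
        else
            echo phase1-failed
        fi
    else
        echo in-progress
    fi
}

# retry_tunnel: the post's manual sequence as a bounded loop.
#   Usage: retry_tunnel <conn> [max_attempts]
# "timeout" (coreutils) caps the --up call because the post reports that it
# can hang; drop or replace it if your system lacks it (assumption).
retry_tunnel() {
    conn=$1
    max=${2:-3}
    n=1
    while [ "$n" -le "$max" ]; do
        ipsec auto --down "$conn" >/dev/null 2>&1
        result=$(timeout 30 ipsec auto --up "$conn" 2>&1 | classify_up_output)
        if [ "$result" = ipsec-sa ]; then
            echo "$conn: up after $n attempt(s)"
            return 0
        fi
        echo "$conn: attempt $n -> $result" >&2
        n=$((n + 1))
    done
    return 1
}

# Constructed transcripts, abridged from the post's successful and failing runs.
SAMPLE_OK='104 "guava" #4699: STATE_MAIN_I1: initiate
004 "guava" #4699: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "guava" #4700: STATE_QUICK_I1: initiate
004 "guava" #4700: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x4d030ec2 <0x80c24f76 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}'

SAMPLE_FAIL='104 "guava" #4680: STATE_MAIN_I1: initiate
004 "guava" #4680: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "guava" #4681: STATE_QUICK_I1: initiate
010 "guava" #4681: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "guava" #4681: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "guava" #4681: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "guava" #4681: starting keying attempt 2 of an unlimited number, but releasing whack'

printf '%s\n' "$SAMPLE_OK"   | classify_up_output   # prints "ipsec-sa"
printf '%s\n' "$SAMPLE_FAIL" | classify_up_output   # prints "phase2-failed"
```

`classify_up_output` keys on pluto's numeric status prefix and the two "SA established" lines rather than on state names alone, so it separates the post's failing run (Phase 1 up, Quick Mode exhausted with code 031) from a Main Mode failure and from a hang that produced no terminal line. `retry_tunnel` is defined but not run above, since it needs a live pluto; it is the post's --down / --up sequence limited to a fixed number of attempts, so an unreachable peer cannot keep it looping forever.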