[Openswan Users] After IPsec SA is established, the tunnel drops immediately

魏汝垚 wwwrryy at 163.com
Tue Aug 18 02:14:56 EDT 2009


Hi all,
I have set up a host-to-host tunnel between two Linux boxes.
The configuration file is like this:

# basic configuration
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

conn tunnelipsec
        type=tunnel
        authby=secret
        left=192.168.1.2
        #leftsubnet=10.69.1.0/24
        right=192.168.1.172
        #rightsubnet=10.7.3.0/24
        #esp=3des-md5
        #keyexchange=ike
        #pfs=no
        auto=start
After IPsec starts, the log shows this:
Mar 12 02:32:18 pluto[884]: Starting Pluto (Openswan Version 2.6.22; Vendor ID OElj@]rTMBuM) pid:884
Mar 12 02:32:18 pluto[884]: Setting NAT-Traversal port-4500 floating to off
Mar 12 02:32:18 pluto[884]:    port floating activation criteria nat_t=0/port_float=1
Mar 12 02:32:18 pluto[884]:    including NAT-Traversal patch (Version 0.6c) [disabled]
Mar 12 02:32:18 pluto[884]: using /dev/urandom as source of random entropy
Mar 12 02:32:18 pluto[884]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Mar 12 02:32:18 pluto[884]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Mar 12 02:32:18 pluto[884]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Mar 12 02:32:18 pluto[884]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Mar 12 02:32:18 pluto[884]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Mar 12 02:32:18 pluto[884]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Mar 12 02:32:18 pluto[884]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Mar 12 02:32:18 pluto[884]: starting up 1 cryptographic helpers
Mar 12 02:32:18 pluto[894]: using /dev/urandom as source of random entropy
Mar 12 02:32:18 pluto[884]: started helper pid=894 (fd:6)
Mar 12 02:32:18 pluto[884]: Using Linux 2.6 IPsec interface code on 2.6.20.lzrt.v1.1 (experimental code)
Mar 12 02:32:19 pluto[884]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names  
Mar 12 02:32:19 pluto[884]: ike_alg_register_enc(): Activating <NULL>: Ok (ret=0)
Mar 12 02:32:19 pluto[884]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names  
Mar 12 02:32:19 pluto[884]: ike_alg_add(): ERROR: Algorithm already exists
Mar 12 02:32:19 pluto[884]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Mar 12 02:32:19 pluto[884]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names  
Mar 12 02:32:19 pluto[884]: ike_alg_add(): ERROR: Algorithm already exists
Mar 12 02:32:19 pluto[884]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Mar 12 02:32:19 pluto[884]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names  
Mar 12 02:32:19 pluto[884]: ike_alg_add(): ERROR: Algorithm already exists
Mar 12 02:32:19 pluto[884]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Mar 12 02:32:19 pluto[884]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names  
Mar 12 02:32:19 pluto[884]: ike_alg_add(): ERROR: Algorithm already exists
Mar 12 02:32:19 pluto[884]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Mar 12 02:32:19 pluto[884]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names  
Mar 12 02:32:19 pluto[884]: ike_alg_add(): ERROR: Algorithm already exists
Mar 12 02:32:19 pluto[884]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Mar 12 02:32:19 pluto[884]: myid malformed: empty string ""
Mar 12 02:32:19 pluto[884]: Changed path to directory '/etc/ipsec.d/cacerts'
Mar 12 02:32:19 pluto[884]: Changed path to directory '/etc/ipsec.d/aacerts'
Mar 12 02:32:19 pluto[884]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Mar 12 02:32:19 pluto[884]: Changing to directory '/etc/ipsec.d/crls'
Mar 12 02:32:19 pluto[884]:   Warning: empty directory
Mar 12 02:32:19 pluto[884]: added connection description "tunnelipsec"
Mar 12 02:32:19 pluto[884]: listening for IKE messages
Mar 12 02:32:19 pluto[884]: adding interface eth0/eth0 192.168.1.2:500
Mar 12 02:32:19 pluto[884]: adding interface lo/lo 127.0.0.1:500
Mar 12 02:32:19 pluto[884]: loading secrets from "/etc/ipsec.secrets"
Mar 12 02:32:20 pluto[884]: "tunnelipsec" #1: initiating Main Mode
Mar 12 02:32:20 pluto[884]: "tunnelipsec" #1: ignoring unknown Vendor ID payload [4f456a7d637357765a5c7b63]
Mar 12 02:32:20 pluto[884]: "tunnelipsec" #1: received Vendor ID payload [Dead Peer Detection]
Mar 12 02:32:21 pluto[884]: "tunnelipsec" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 12 02:32:21 pluto[884]: "tunnelipsec" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Mar 12 02:32:21 pluto[884]: "tunnelipsec" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 12 02:32:21 pluto[884]: "tunnelipsec" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Mar 12 02:32:21 pluto[884]: "tunnelipsec" #1: received Vendor ID payload [CAN-IKEv2]
Mar 12 02:32:21 pluto[884]: "tunnelipsec" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.172'
Mar 12 02:32:21 pluto[884]: "tunnelipsec" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Mar 12 02:32:21 pluto[884]: "tunnelipsec" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Mar 12 02:32:21 pluto[884]: "tunnelipsec" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:b4d41079 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Mar 12 02:32:21 pluto[884]: "tunnelipsec" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Mar 12 02:32:21 pluto[884]: "tunnelipsec" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xa8856576 <0xe9010903 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
======= Here, the IPsec SA is established,
======= but the tunnel drops immediately.
Mar 12 02:32:31 pluto[884]: packet from 192.168.1.172:500: ignoring unknown Vendor ID payload [4f456a7d637357765a5c7b63]
Mar 12 02:32:31 pluto[884]: packet from 192.168.1.172:500: received Vendor ID payload [Dead Peer Detection]
Mar 12 02:32:31 pluto[884]: "tunnelipsec" #3: responding to Main Mode
Mar 12 02:32:31 pluto[884]: "tunnelipsec" #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 12 02:32:31 pluto[884]: "tunnelipsec" #3: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 12 02:32:32 pluto[884]: "tunnelipsec" #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 12 02:32:32 pluto[884]: "tunnelipsec" #3: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 12 02:32:32 pluto[884]: "tunnelipsec" #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.172'
Mar 12 02:32:32 pluto[884]: "tunnelipsec" #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 12 02:32:32 pluto[884]: "tunnelipsec" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Mar 12 02:32:40 pluto[884]: "tunnelipsec" #3: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Mar 12 02:32:57 pluto[884]: "tunnelipsec" #3: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Mar 12 02:33:31 pluto[884]: packet from 192.168.1.172:500: ignoring unknown Vendor ID payload [4f456a7d637357765a5c7b63]
Mar 12 02:33:31 pluto[884]: packet from 192.168.1.172:500: received Vendor ID payload [Dead Peer Detection]
Mar 12 02:33:31 pluto[884]: "tunnelipsec" #4: responding to Main Mode
Mar 12 02:33:31 pluto[884]: "tunnelipsec" #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 12 02:33:31 pluto[884]: "tunnelipsec" #4: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 12 02:33:31 pluto[884]: "tunnelipsec" #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 12 02:33:31 pluto[884]: "tunnelipsec" #4: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 12 02:33:31 pluto[884]: "tunnelipsec" #4: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.172'
Mar 12 02:33:31 pluto[884]: "tunnelipsec" #4: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 12 02:33:31 pluto[884]: "tunnelipsec" #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Mar 12 02:33:40 pluto[884]: "tunnelipsec" #4: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Mar 12 02:33:57 pluto[884]: "tunnelipsec" #4: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Mar 12 02:34:30 pluto[884]: packet from 192.168.1.172:500: ignoring unknown Vendor ID payload [4f456a7d637357765a5c7b63]
Mar 12 02:34:30 pluto[884]: packet from 192.168.1.172:500: received Vendor ID payload [Dead Peer Detection]
Mar 12 02:34:30 pluto[884]: "tunnelipsec" #5: responding to Main Mode
Mar 12 02:34:30 pluto[884]: "tunnelipsec" #5: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 12 02:34:30 pluto[884]: "tunnelipsec" #5: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 12 02:34:31 pluto[884]: "tunnelipsec" #5: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 12 02:34:31 pluto[884]: "tunnelipsec" #5: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 12 02:34:31 pluto[884]: "tunnelipsec" #5: Main mode peer ID is ID_IPV4_ADDR: '192.168.1.172'
Mar 12 02:34:31 pluto[884]: "tunnelipsec" #5: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 12 02:34:31 pluto[884]: "tunnelipsec" #5: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
Mar 12 02:34:39 pluto[884]: "tunnelipsec" #5: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Mar 12 02:34:56 pluto[884]: "tunnelipsec" #5: retransmitting in response to duplicate packet; already STATE_MAIN_R3
What is happening here?
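
A way to condense a pluto log like the one above into a per-SA summary (role, last state, what was established, retransmit count), as an added example that is not part of the original message. The function names are hypothetical and the sample lines are abridged copies of the log lines in the post.

```python
import re
from collections import OrderedDict

# Constructed sample: abridged copies of lines from the log in the post.
SAMPLE_LOG = '''\
Mar 12 02:32:20 pluto[884]: "tunnelipsec" #1: initiating Main Mode
Mar 12 02:32:21 pluto[884]: "tunnelipsec" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY}
Mar 12 02:32:21 pluto[884]: "tunnelipsec" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW
Mar 12 02:32:21 pluto[884]: "tunnelipsec" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
Mar 12 02:32:31 pluto[884]: "tunnelipsec" #3: responding to Main Mode
Mar 12 02:32:32 pluto[884]: "tunnelipsec" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY}
Mar 12 02:32:40 pluto[884]: "tunnelipsec" #3: retransmitting in response to duplicate packet; already STATE_MAIN_R3
Mar 12 02:32:57 pluto[884]: "tunnelipsec" #3: retransmitting in response to duplicate packet; already STATE_MAIN_R3
'''

# search() rather than match(), so stray console characters before the
# timestamp do not hide a line.
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)')
STATE_RE = re.compile(r'^(STATE_[A-Z0-9_]+):')

def summarize(log_text):
    """Return an ordered {state_number: summary} for every '#N' in the log."""
    sas = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # daemon start-up lines and "packet from ..." lines
        sa = sas.setdefault(int(m["sa"]), {
            "conn": m["conn"], "role": None, "last_state": None,
            "established": None, "retransmits": 0})
        msg = m["msg"]
        if msg.startswith("initiating"):
            sa["role"] = "initiator"
        elif msg.startswith("responding"):
            sa["role"] = "responder"
        state = STATE_RE.match(msg)
        if state:
            sa["last_state"] = state.group(1)
        if "IPsec SA established" in msg:
            sa["established"] = "IPsec"
        elif "ISAKMP SA established" in msg:
            sa["established"] = "ISAKMP"
        if msg.startswith("retransmitting in response to duplicate packet"):
            sa["retransmits"] += 1
    return sas

def stalled_responders(sas):
    """State numbers where we answered Main Mode, reached R3, then saw duplicates."""
    return [n for n, sa in sas.items()
            if sa["role"] == "responder"
            and sa["last_state"] == "STATE_MAIN_R3" and sa["retransmits"] > 0]
```

Run over the full log, this lists #3, #4 and #5 as responder exchanges that ended at STATE_MAIN_R3 with duplicate packets still arriving, next to the initiator-side #2 that reported an IPsec SA.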