[Openswan Users] R: rekeing problem openswan to zyxel

Enrico Piccini Piccini at colliniconsulting.it
Tue Dec 22 04:57:18 EST 2009


Hello Paul!

Here follow some logs... the rekeying seems fine, but packets do not pass for 2/3 minutes!
The remote peer is a Zyxel Prestige 661H. I tried with both MD5 and SHA1, PFS yes or no, but nothing changes!

Thank you!

Dec 22 08:53:58 Hub pluto[3185]: "Bacchi-EuropartFC2" #292: initiating Main Mode to replace #285
Dec 22 08:53:59 Hub pluto[3185]: "Bacchi-EuropartFC2" #292: ignoring unknown Vendor ID payload [625027749d5ab97f5616c1602765cf480a3b7d0b]
Dec 22 08:53:59 Hub pluto[3185]: "Bacchi-EuropartFC2" #292: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Dec 22 08:53:59 Hub pluto[3185]: "Bacchi-EuropartFC2" #292: STATE_MAIN_I2: sent MI2, expecting MR2
Dec 22 08:54:00 Hub pluto[3185]: "Bacchi-EuropartFC2" #292: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Dec 22 08:54:00 Hub pluto[3185]: "Bacchi-EuropartFC2" #292: STATE_MAIN_I3: sent MI3, expecting MR3
Dec 22 08:54:00 Hub pluto[3185]: "Bacchi-EuropartFC2" #292: Main mode peer ID is ID_IPV4_ADDR: '88.57.253.81'
Dec 22 08:54:00 Hub pluto[3185]: "Bacchi-EuropartFC2" #292: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Dec 22 08:54:00 Hub pluto[3185]: "Bacchi-EuropartFC2" #292: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Dec 22 08:54:00 Hub pluto[3185]: "Bacchi-EuropartFC2" #293: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #286 {using isakmp#292 msgid:7d193e41 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1024}
Dec 22 08:54:02 Hub pluto[3185]: "Bacchi-EuropartFC2" #293: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=7d193e41
Dec 22 08:54:02 Hub pluto[3185]: "Bacchi-EuropartFC2" #293: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Dec 22 08:54:02 Hub pluto[3185]: "Bacchi-EuropartFC2" #293: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x6d7648b5 <0x6d5c8ab7 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Monday, 21 December 2009 15:28
To: Enrico Piccini
Cc: users at openswan.org
Subject: Re: [Openswan Users] rekeing problem openswan to zyxel

On Wed, 16 Dec 2009, Enrico Piccini wrote:

> the problem is that every hour (3600 seconds) the zyxel calls the rekeying and, for 2/3 minutes, the tunnels
> stop passing traffic. then without any operations, everything works fine for another hour. then the same problem
> after 60 minutes.

Is this phase1 or phase2 rekey?

Tunnels should overlap during rekey, so there is no time when all tunnels
are down. So either the IPsec SA is expired before rekey is finished, or
the zyxel is mistakenly dropping traffic.

But I would have to see some logs to be able to say more.

Paul
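
Added example, not part of the original thread and not Openswan code: a small Python parser that answers the "phase1 or phase2 rekey?" question from pluto syslog lines like those posted above, and reports how long each replacement SA took to establish. The sample lines are constructed (connection name, SA numbers and SPIs are made up), and the year is an assumed parameter because syslog timestamps omit it.

```python
import re
from datetime import datetime

# Constructed sample in the pluto syslog format shown in the post; the
# connection name, SA numbers and SPIs are made up for this example.
SAMPLE_LOG = '''\
Dec 22 08:53:58 Hub pluto[3185]: "conn-a" #12: initiating Main Mode to replace #10
Dec 22 08:54:00 Hub pluto[3185]: "conn-a" #12: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY}
Dec 22 08:54:00 Hub pluto[3185]: "conn-a" #13: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #11 {using isakmp#12}
Dec 22 08:54:02 Hub pluto[3185]: "conn-a" #13: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x00000001 <0x00000002}
'''

LINE = re.compile(r'^(\w{3} +\d+ [\d:]{8}) \S+ pluto\[\d+\]: "([^"]+)" #(\d+): (.*)$')
START = re.compile(r"initiating (Main|Quick) Mode\b.*?to replace #(\d+)")
DONE = {"phase1": "ISAKMP SA established", "phase2": "IPsec SA established"}


def parse_rekeys(text, year=2009):
    """Return one record per initiated rekey, with seconds until the SA is up.

    Syslog timestamps carry no year, so `year` is an assumption of the caller.
    """
    pending, rekeys = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a per-connection pluto line
        stamp, conn, sa, msg = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        start = START.search(msg)
        if start:
            # Main Mode replaces an ISAKMP SA (phase 1); Quick Mode an IPsec SA (phase 2).
            rec = {"conn": conn, "new_sa": int(sa), "replaces": int(start.group(2)),
                   "phase": "phase1" if start.group(1) == "Main" else "phase2",
                   "seconds": None}  # stays None if the SA never establishes
            pending[(conn, sa)] = (rec, when)
            rekeys.append(rec)
        elif (conn, sa) in pending:
            rec, began = pending[(conn, sa)]
            if DONE[rec["phase"]] in msg:
                rec["seconds"] = (when - began).total_seconds()
                del pending[(conn, sa)]
    return rekeys


if __name__ == "__main__":
    for r in parse_rekeys(SAMPLE_LOG):
        print(r)
```

A record whose `seconds` stays `None` marks a rekey that was initiated but never logged as established, which is the case to look for when traffic stops around the lifetime boundary.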

