[Openswan Users] IPSec/L2TP with Mac OS X drops connection after 1 hour
Kevin Arunski
kevin.arunski at netwitness.com
Mon Jul 20 08:20:43 EDT 2009
On Mon, 2009-07-20 at 00:39 -0400, Paul Wouters wrote:
> On Sat, 18 Jul 2009, Kevin J. Arunski wrote:
>
> > From: Kevin J. Arunski <kevin.arunski at netwitness.com>
> > To: users at openswan.org
> > Subject: [Openswan Users] IPSec/L2TP with Mac OS X drops connection after 1
> > hour
> >
> > I'm using Openswan in a roadwarrior setup for IPsec/L2TP clients, and
> > it appears the IPsec SA is dropped at exactly the one hour mark when
> > Mac OS X or Windows Vista clients connect.
> >
> > I'm using openswan 2.4.15 because the 2.6.X versions don't seem to
> > work at all. I'm using NETKEY on kernel 2.6.18-128.1.10.el5.
> >
> > Here is the configuration:
> >
> > conn L2TP-PSK-NAT
> > authby=secret
> > pfs=no
> > auto=add
> > keyingtries=3
> > rekey=no
> > ikelifetime=8h
> > keylife=1h
> > type=transport
> > left=---.---.---.---
> > leftprotoport=17/1701
> > right=%any
> > rightprotoport=17/%any
> > rightsubnet=vhost:%no,%priv
> >
> >
> > After about ~50 minutes I see the following in my logs:
> >
> > Jul 18 15:11:21 localhost pluto[2049]: "L2TP-PSK-NAT"[5] W.X.Y.Z #8:
> > responding to Quick Mode {msgid:84e8d5a5}
> > Jul 18 15:11:21 localhost pluto[2049]: "L2TP-PSK-NAT"[5] W.X.Y.Z #8:
> > cannot install eroute -- it is in use for "L2TP-PSK-NAT"[2] W.X.Y.Z #4
>
> Do you have uniqueids=yes (or not entry at all, since it is the default)
> in "config setup" in ipsec.conf? Then this should not happen.
uniqueids is not set anywhere in the config, so it is using the default.
> I know there was a Windows bug where they started a completely new IKE
> instead of using Quickmode to re-key, but since I see "responding to Quick Mode"
> that does not seem to be the case here.
In this case right side is Mac OS X 10.5, which uses some variant of
racoon. I've seen similar behavior from Windows Vista and Windows 7,
but I don't have the logs handy to indicate if it's the same failure.
> > Then, a few minutes later:
> >
> >
> > Jul 18 15:16:21 localhost pluto[2049]: "L2TP-PSK-NAT"[5] W.X.Y.Z:
> > deleting connection "L2TP-PSK-NAT" instance with peer W.X.Y.Z
> > {isakmp=#0/ipsec=#0}
>
> That's the client side cleaning up after failure.
>
> > Jul 18 15:23:19 localhost pluto[2049]: "L2TP-PSK-NAT"[2] W.X.Y.Z #3:
> > ISAKMP SA expired (--dontrekey)
> > Jul 18 15:23:20 localhost pluto[2049]: "L2TP-PSK-NAT"[2] W.X.Y.Z #4:
> > IPsec SA expired (--dontrekey)
>
> And the SA that failed to rekey hit the expiration. Why they would both do that
> at the same time when you have ikelifetime <> keylife, I don't know.
>
> This might be a bug that's fixed in 2.6, but that won't help you know since you
> need 2.4.x for bug #1004. We're working on chasing it down, hopefully in a few
> days we can release a new 2.6.x
OK, anxiously awaiting that release. Failing that, if you can identify
the fix I would be willing to try to backport it to 2.4.x.
> Paul
More information about the Users
mailing list