[Openswan Users] RE : help with ipsec + zywall

reza issanyr at olympecti.fr
Wed Jun 10 02:26:07 EDT 2009


Ok, I have the problem right now.

The tunnel seems to be down on the VPN box side:
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,1409,36} trans={0,1409,540} attrs={0,1409,360} 
000  
000 "techvar": 192.168.2.0/24===xxxx...xxxx===192.168.1.0/24; erouted HOLD; eroute owner: #0
000 "techvar":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "techvar":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "techvar":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 24,24; interface: eth1; encap: esp;
000 "techvar":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
000 "techvar":   ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=strict
000 "techvar":   ESP algorithms loaded: 3DES(3)_000-MD5(1); flags=strict
000  
000 #2822: "techvar":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 5s; lastdpd=-1s(seq in:0 out:0)
000 #2824: "techvar":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 35s; lastdpd=-1s(seq in:0 out:0)


Jun 10 08:08:47 zola pluto[3014]: initiate on demand from 192.168.2.1:0 to 192.168.1.1:0 proto=0 state: fos_start because: acquire
Jun 10 08:08:47 zola pluto[3014]: "techvar" #2823: initiating Main Mode
Jun 10 08:08:47 zola pluto[3014]: "techvar" #2823: received Vendor ID payload [Dead Peer Detection]
Jun 10 08:08:47 zola pluto[3014]: "techvar" #2823: ignoring unknown Vendor ID payload [625027749d5ab97f5616c1602765cf480a3b7d0b]
Jun 10 08:08:47 zola pluto[3014]: "techvar" #2823: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 10 08:08:47 zola pluto[3014]: "techvar" #2823: STATE_MAIN_I2: sent MI2, expecting MR2
Jun 10 08:08:47 zola pluto[3014]: "techvar" #2823: I did not send a certificate because I do not have one.
Jun 10 08:08:47 zola pluto[3014]: "techvar" #2823: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 10 08:08:47 zola pluto[3014]: "techvar" #2823: STATE_MAIN_I3: sent MI3, expecting MR3
Jun 10 08:08:47 zola pluto[3014]: "techvar" #2823: Main mode peer ID is ID_IPV4_ADDR: 'xxxxxxxxx'
Jun 10 08:08:47 zola pluto[3014]: "techvar" #2823: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun 10 08:08:47 zola pluto[3014]: "techvar" #2823: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jun 10 08:08:47 zola pluto[3014]: "techvar" #2824: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS {using isakmp#2823}
Jun 10 08:08:47 zola pluto[3014]: "techvar" #2823: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jun 10 08:08:47 zola pluto[3014]: "techvar" #2823: received and ignored informational message
Jun 10 08:08:47 zola pluto[3014]: "techvar" #2823: received Delete SA payload: deleting ISAKMP State #2823
Jun 10 08:08:47 zola pluto[3014]: packet from xxxxxxxxx:500: received and ignored informational message
Jun 10 08:08:57 zola pluto[3014]: "techvar" #2820: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal

On the router side the logs say "[SA] No proposal chosen", but in the VPN status I can see that the VPN is connected.
I have to disconnect using the hangup button to rebuild the tunnel:

000 #2826: "techvar":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28526s; newest IPSEC; eroute owner
000 #2826: "techvar" esp.540ef5ea at xxxxx esp.23f623e6 at xxxx tun.0 at 217.128.239.227 tun.0 at xxxxxx
000 #2825: "techvar":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3325s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)

root at xxx /etc > ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=254 time=38.4 ms

In the router config, I have:
---------- IKE Setup ----------

Authentication Method: Pre-Shared Key

Phase 1 - Negotiation Mode= Main
        Authentication= preShareKey
        Key= xxxxxxxxxx
          Encryption Algorithm= 3DES   Authentication Algorithm= MD5
          SA Life Time (Seconds)= 86400   Key Group= DH2

 
ras> ipsec ipsecDisplay 1
---------- IPSec Setup ----------
Index #= 1     Active= Yes   Multi Pro = No    Protocol= 0 Global SW= 0xA
Bound IKE 1     NailUp = Yes  Netbios = No   Name= vpn

ControlPing = No  LogControlPing = No  Control ping address = 0.0.0.0
Local:  Addr Type= SUBNET      Port Start= 0         End= N/A
        IP Addr Start= 192.168.1.0          Mask= 255.255.255.0

Remote: Addr Type= SUBNET      Port Start= 0         End= N/A
        IP Addr Start= 192.168.2.0          Mask= 255.255.255.0

Enable Replay Detection= Yes   Key Management= IKE
Phase 2 - Active Protocol= ESP
          Encryption Algorithm= 3DES   Authentication Algorithm= MD5
          SA Life Time (Seconds)= 86400
          Encapsulation= Tunnel   Perfect Forward Secrecy (PFS)= DH2

Any idea?

---
Reza ISSANY
Systems Engineer
ZA Les Playes - Jean Monnet Sud
Avenue de Lisbonne
83500 La Seyne sur Mer
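The status output and pluto log above show Phase 1 completing and the peer answering the Quick Mode proposal with NO_PROPOSAL_CHOSEN. The following is an added example (not from the thread or from Openswan) that parses those excerpts, compares the Phase 2 proposal Openswan advertises with the Phase 2 settings printed by the ZyWALL's `ipsec ipsecDisplay 1`, and lists every difference as a candidate to reconcile; the sample strings are constructed from the post with the public addresses masked, and the `ZYWALL_PHASE2` dict is a hand transcription of the router output.

```python
import re

# Constructed sample: `ipsec auto --status` lines from the post, public addresses masked.
OPENSWAN_STATUS = """\
000 "techvar": 192.168.2.0/24===xxxx...xxxx===192.168.1.0/24; erouted HOLD; eroute owner: #0
000 "techvar":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
000 "techvar":   policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS; prio: 24,24; interface: eth1; encap: esp;
000 "techvar":   ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=strict
000 #2822: "techvar":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 5s; lastdpd=-1s(seq in:0 out:0)
"""

# Constructed sample: the pluto log lines from the post that matter for Phase 2.
PLUTO_LOG = """\
Jun 10 08:08:47 zola pluto[3014]: "techvar" #2823: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jun 10 08:08:47 zola pluto[3014]: "techvar" #2824: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+PFS {using isakmp#2823}
Jun 10 08:08:47 zola pluto[3014]: "techvar" #2823: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jun 10 08:08:47 zola pluto[3014]: "techvar" #2823: received Delete SA payload: deleting ISAKMP State #2823
"""

# Hand transcription (assumption) of the ZyWALL Phase 2 block shown in the post.
ZYWALL_PHASE2 = {"enc": "3DES", "auth": "MD5", "life": 86400, "pfs": "DH2", "compress": False}


def parse_openswan(status):
    """Extract the Phase 2 proposal Openswan advertises from `ipsec auto --status`."""
    conn = {}
    m = re.search(r"policy: ([A-Z+]+);", status)
    conn["policy"] = set(m.group(1).split("+")) if m else set()
    m = re.search(r"ipsec_life: (\d+)s", status)
    conn["life"] = int(m.group(1)) if m else None
    m = re.search(r"ESP algorithms wanted: (\w+)\(\d+\)_\d+-(\w+)\(\d+\)", status)
    conn["enc"], conn["auth"] = (m.group(1), m.group(2)) if m else (None, None)
    conn["stuck_quick"] = "STATE_QUICK_I1" in status  # initiator still waiting for QR1
    return conn


def diagnose(status, log, peer):
    """Return findings around a Quick Mode NO_PROPOSAL_CHOSEN; each is a candidate, not a verdict."""
    ours = parse_openswan(status)
    findings = []
    if "NO_PROPOSAL_CHOSEN" in log and "initiating Quick Mode" in log:
        findings.append("Phase 1 succeeded; the peer rejected the Phase 2 (Quick Mode) proposal")
    if ("COMPRESS" in ours["policy"]) != peer["compress"]:
        findings.append("IPComp mismatch: Openswan proposes COMPRESS, peer Phase 2 has no compression")
    if ours["enc"] != peer["enc"] or ours["auth"] != peer["auth"]:
        findings.append(f"ESP algorithm mismatch: {ours['enc']}/{ours['auth']} vs {peer['enc']}/{peer['auth']}")
    if ("PFS" in ours["policy"]) != bool(peer["pfs"]):
        findings.append("PFS mismatch: one side proposes PFS, the other does not")
    if ours["life"] != peer["life"]:
        findings.append(f"IPsec SA lifetime differs: {ours['life']}s vs {peer['life']}s")
    if ours["stuck_quick"]:
        findings.append("Quick Mode initiator stuck in STATE_QUICK_I1 (retransmitting QI1)")
    return findings
```

Run it with `diagnose(OPENSWAN_STATUS, PLUTO_LOG, ZYWALL_PHASE2)`; with the values from this post, the algorithms and PFS agree, so what remains are the compression flag, the lifetime gap and the stuck Quick Mode state.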



-------- Original Message --------
From: Paul Wouters [mailto:paul at xelerance.com]
Date: Wed 6/10/2009 02:45
To: reza
Cc: users at openswan.org
Subject: Re: [Openswan Users] help with ipsec + zywall
 
On Tue, 9 Jun 2009, reza wrote:

> I can get the tunnel working, but periodically (randomly), the tunnel
> crashes.
> 
> When I verify the status of this vpn connection, I can see that the
> tunnel is established,

Is the tunnel still established on both ends?

> but there is no traffic. I have to bring down my connection, hang up the zywall
> side (hangup button in the admin panel),

You can try enabling dpd.

Without logs from the end that hangs up, there is nothing much we can tell
you.

Paul
