[Openswan Users] phase2 every 2 min. WHY?? - tunnels goes to %trap

Agent Smith news8080 at yahoo.com
Fri Jun 12 11:48:40 EDT 2009


One of our remote sites (Openswan on the corporate end, a Juniper firewall at the remote location with 0.0.0.0/0 as the encryption domain, so ALL traffic takes the tunnel) complains that their connection goes down 10 times a day, so I decided to take a close look and found that phase 2 renegotiates every 2 min. with them. Is that normal?

Also, I sat in front of my PC while running 'watch ipsec eroute | grep 1.1.1.1' and saw that the tunnel goes to %trap at least 5 times in the half hour that I watched it (it comes right back up, but that is enough for remote users to notice the connectivity loss).

Any workaround? I tried ikelifetime=1h and keylife=1h. Phase 2, as seen in the /var/log/secure logs, happens every 2 min., and phase 1 every hour (I see 'ISAKMP SA established' in /var/log/secure every hour), and it seems that no matter what I do, I can't control the phase 2 renegotiation. The other end is a Juniper SSG 320M firewall with no way to configure timeouts, but I was able to find out what the timeouts are.


Some logs that may help:


# REMOTE SIDE TIMEOUTS
resent-tmr 1025 lifetime 28800 lt-recv 3600 nxt_rekey 28490 cert-expire 0

# OPENSWAN SIDE /var/log/secure logs
Jun 12 11:08:56 openswan-4 pluto[14508]: PSK-REMOTE1 #262987: STATE_QUICK_R2: IPsec SA established {ESP=>0xba6a540f <0xf4132b2b xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
Jun 12 11:10:46 openswan-4 pluto[14508]: PSK-REMOTE1 #263012: STATE_QUICK_R2: IPsec SA established {ESP=>0xba6a5410 <0xf4132b43 xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
Jun 12 11:12:36 openswan-4 pluto[14508]: PSK-REMOTE1 #263035: STATE_QUICK_R2: IPsec SA established {ESP=>0xba6a5411 <0xf4132b59 xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
Jun 12 11:14:27 openswan-4 pluto[14508]: PSK-REMOTE1 #263058: STATE_QUICK_R2: IPsec SA established {ESP=>0xba6a5412 <0xf4132b70 xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
Jun 12 11:16:30 openswan-4 pluto[14508]: PSK-REMOTE1 #263084: STATE_QUICK_R2: IPsec SA established {ESP=>0xba6a5413 <0xf4132b8a xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
Jun 12 11:18:26 openswan-4 pluto[14508]: PSK-REMOTE1 #263106: STATE_QUICK_R2: IPsec SA established {ESP=>0xba6a5414 <0xf4132b9f xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
Jun 12 11:20:16 openswan-4 pluto[14508]: PSK-REMOTE1 #263132: STATE_QUICK_R2: IPsec SA established {ESP=>0xba6a5415 <0xf4132bb6 xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}
Jun 12 11:22:06 openswan-4 pluto[14508]: PSK-REMOTE1 #263157: STATE_QUICK_R2: IPsec SA established {ESP=>0xba6a5416 <0xf4132bcd xfrm=AES_128-HMAC_SHA1 NATD=none DPD=none}


# CAT IPSEC.CONF
version 2.0     # conforms to second version of ipsec.conf specification

config setup
        klipsdebug=none
        plutodebug=none
        nat_traversal=yes
        fragicmp=no
        overridemtu=1200
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
        uniqueids=yes
        interfaces=%defaultroute

conn %default
        keyingtries=1
        auto=add
        disablearrivalcheck=no
        pfs=no
        ike=3des-md5,3des-sha1,aes128-md5,aes128-sha,aes256-md5
        esp=3des-md5,3des-sha1,aes128-md5,aes128-sha1,aes256-md5
        leftrsasigkey=%dnsondemand
        leftnexthop=%defaultroute
        rightrsasigkey=%dnsondemand
..
..

conn    PSK-REMOTE1
        type=tunnel
        authby=secret
        rekey=yes
        left=11.22.33.2
        leftsubnet=0.0.0.0/0
        right=12.12.12.12
        rightsubnet=1.1.1.1/24
        auto=start
        keyingtries=%forever

include /etc/ipsec.d/examples/no_oe.conf


# IPSEC --AUTO STATUS report

000 "PSK-REMOTE001": 0.0.0.0/0===11.22.33.1---11.22.33.2...12.12.12.12===1.1.1.1/24; erouted; eroute owner: #263380
000 "PSK-REMOTE001":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "PSK-REMOTE001":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "PSK-REMOTE001":   policy: PSK+ENCRYPT+TUNNEL; prio: 0,24; interface: eth0; encap: esp;
000 "PSK-REMOTE001":   newest ISAKMP SA: #263296; newest IPsec SA: #263380;
000 "PSK-REMOTE001":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1024(2), 3DES_CBC(5)_000-SHA1(2)-MODP1536(5), 3DES_CBC(5)_000-SHA1(2)-MODP1024(2), AES_CBC(7)_128-MD5(1)-MODP1536(5), AES_CBC(7)_128-MD5(1)-MODP1024(2), AES_CBC(7)_128-SHA1(2)-MODP1536(5), AES_CBC(7)_128-SHA1(2)-MODP1024(2), AES_CBC(7)_256-MD5(1)-MODP1536(5), AES_CBC(7)_256-MD5(1)-MODP1024(2); flags=strict
000 "PSK-REMOTE001":   IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1536(5), 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2), 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5), 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2), AES_CBC(7)_128-MD5(1)_128-MODP1536(5), AES_CBC(7)_128-MD5(1)_128-MODP1024(2), AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2), AES_CBC(7)_256-MD5(1)_128-MODP1536(5), AES_CBC(7)_256-MD5(1)_128-MODP1024(2)
000 "PSK-REMOTE001":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1024
000 "PSK-REMOTE001":   ESP algorithms wanted: 3DES(3)_000-MD5(1), 3DES(3)_000-SHA1(2), AES(12)_128-MD5(1), AES(12)_128-SHA1(2), AES(12)_256-MD5(1); flags=strict
000 "PSK-REMOTE001":   ESP algorithms loaded: 3DES(3)_000-MD5(1), 3DES(3)_000-SHA1(2), AES(12)_128-MD5(1), AES(12)_128-SHA1(2), AES(12)_256-MD5(1); flags=strict
000 "PSK-REMOTE001":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<N/A>
000 #263380: "PSK-REMOTE001":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3260s; newest IPSEC; eroute owner
000 #263380: "PSK-REMOTE001" esp.ba6a541f at 12.12.12.12 esp.f4132ca0 at 11.22.33.1 tun.7b025 at 12.12.12.12 tun.7b024 at 11.22.33.1
000 #263296: "PSK-REMOTE001":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2544s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0)



      

