[Openswan Users] Please help
Jon James
jonj at claimtools.ca
Fri Mar 20 14:24:29 EDT 2009
I have over 150 Openswan IPsec VPN tunnels from various parts of North
America, all connecting to a Fortigate 310b firewall/router.

The majority of the tunnels come up fine. The problem is that after an hour
or so some (not all) of the tunnels drop for some unknown reason.
I have created a script on each client that checks to see if the tunnel is
up and, if it is not, the tunnel is re-established, which works fine.
The problem is that I am trying to run backup scripts through these tunnels,
and they're up and down, which is ruining my backups.

I have been fighting this problem for many days and I have spent countless
hours searching forum posts to no avail.
FORTIGATE CONFIG

PHASE1
    3DES-SHA1
    3DES-MD5
    AES128-MD5
    DIFFIE-HELLMAN GROUPS 2 & 5
    KEYLIFE 86400s
    NAT-TRAVERSAL ENABLED
    KEEP ALIVE FREQ 10
    DPD ENABLED
    XAUTH SERVER = YES

PHASE2
    3DES-SHA1
    3DES-MD5
    AES128-MD5
    REPLAY DETECTION ENABLED
    PFS ENABLED
    DIFFIE-HELLMAN GROUP 5
    KEYLIFE 86400s
    AUTO KEEP ALIVE ENABLED
    DHCP-IPSEC DISABLED
OPENSWAN IPSEC.CONF

config setup
        nat_traversal=yes
        protostack=netkey

conn home
        #CLIENT
        leftxauthclient=XXXXXX
        leftxauthusername=XXXXXX
        leftsourceip=VAR2
        left=%defaultroute
        #REMOTEHOST
        rightxauthserver=yes
        right=XXX.XXX.XXX.XXX
        rightsubnet=192.168.80.0/24
        #GENERAL
        authby=secret
        auto=start
        compress=no
        type=tunnel
        pfs=yes
        forceencaps=yes
        #PHASE1
        ike=3des-sha1,3des-md5
        # note: in Openswan, keylife is the Phase 2 (IPsec SA) lifetime
        keylife=86400s
        #PHASE2
        phase2=esp
        phase2alg=3des-sha1,3des-md5;modp1536
        # note: in Openswan, ikelifetime is the Phase 1 (ISAKMP SA) lifetime
        ikelifetime=86400s
        #REKEYING
        rekey=yes
        rekeymargin=15m
Here is the tunnel being brought up successfully:

Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: initiating Main Mode
Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: received Vendor ID payload [RFC 3947] method set to=109
Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: received Vendor ID payload [Dead Peer Detection]
Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: enabling possible NAT-traversal with method 4
Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxxx'
Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: XAUTH: Answering XAUTH challenge with user='xxxxx'
Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: XAUTH: Successfully Authenticated
Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
Mar 20 08:46:43 claimtools pluto[15697]: "home" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Mar 20 08:46:43 claimtools pluto[15697]: "home" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:a0bec906 proposal=3DES(3)_192-SHA1(2)_160, 3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1536}
Mar 20 08:46:44 claimtools pluto[15697]: "home" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Mar 20 08:46:44 claimtools pluto[15697]: "home" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x8b5c8037 <0x3bcfa844 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=xxx.xxx.xxx.xxx:4500 DPD=none}
The tunnel was fine until now. Here is the failure point:
Mar 20 10:35:57 claimtools pluto[15697]: "home" #1: DPD Info: received old or duplicate R_U_THERE
Mar 20 10:36:57 claimtools pluto[15697]: "home" #1: DPD Info: received old or duplicate R_U_THERE
Mar 20 10:37:57 claimtools pluto[15697]: "home" #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
Mar 20 10:37:57 claimtools pluto[15697]: "home" #1: received and ignored informational message
Mar 20 10:37:57 claimtools pluto[15697]: "home" #1: received Delete SA payload: deleting ISAKMP State #1
Mar 20 10:37:57 claimtools pluto[15697]: packet from XXX.XXX.XXX.XXX:4500: received and ignored informational message
Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: initiating Main Mode
Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: received Vendor ID payload [RFC 3947] method set to=109
Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: received Vendor ID payload [Dead Peer Detection]
Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: enabling possible NAT-traversal with method 4
Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: STATE_MAIN_I2: sent MI2, expecting MR2
Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: STATE_MAIN_I3: sent MI3, expecting MR3
Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: Main mode peer ID is ID_IPV4_ADDR: '70.67.129.119'
Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: XAUTH: Answering XAUTH challenge with user='XXXXX'
Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: XAUTH: Successfully Authenticated
Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
Mar 20 10:38:07 claimtools pluto[15697]: "home" #3: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Mar 20 10:38:07 claimtools pluto[15697]: "home" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#3 msgid:2bec3343 proposal=3DES(3)_192-SHA1(2)_160, 3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1536}
Mar 20 10:38:07 claimtools pluto[15697]: "home" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Mar 20 10:38:07 claimtools pluto[15697]: "home" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x8b5c8071 <0xf6c24685 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=XXX.XXX.XXX.XXX:4500 DPD=none}
Any ideas?
Jon James
ClaimTools Solutions
(250)713-8185
1-888-989-8388