[Openswan Users] psk IPSec vpn
Jon James
jonj at claimtools.ca
Fri Mar 27 14:16:09 EDT 2009
I have numerous Openswan IPsec tunnels all leading to a Fortigate VPN/firewall/router.
All of the Openswan boxes are using the exact same ipsec.conf files except for the leftsourceip.
The tunnels always come up initially when brought up with auto=start or by using whack.
The problem lies in the rekeying. I have taken two machines as examples: one rekeys successfully while the other does not.
I have set the key lifetimes to be very short for testing purposes.
The Fortigate is dictating the key lifetimes. It is set to phase1=160s and phase2=120s.
This is the ipsec.conf file:
config setup
    nat_traversal=yes
    protostack=netkey

conn home
    #CLIENT
    leftsourceip=1.80.0.19
    left=%defaultroute
    #REMOTEHOST
    right=xxx.xxx.xxx.xxx
    rightsubnet=192.168.80.0/24
    #GENERAL
    keyexchange=ike
    auth=esp
    auto=start
    authby=secret
    pfs=yes
    compress=no
One of the two test boxes works great and rekeys properly all the time; the other is the problem.
Here is the log of bringing up the tunnel by hand on the problematic box:
002 "home" #40: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#36 msgid:efcd033c proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1536}
117 "home" #40: STATE_QUICK_I1: initiate
002 "home" #42: initiating Main Mode
104 "home" #42: STATE_MAIN_I1: initiate
003 "home" #42: received Vendor ID payload [RFC 3947] method set to=109
003 "home" #42: received Vendor ID payload [Dead Peer Detection]
002 "home" #42: enabling possible NAT-traversal with method 4
002 "home" #42: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "home" #42: STATE_MAIN_I2: sent MI2, expecting MR2
003 "home" #42: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
002 "home" #42: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "home" #42: STATE_MAIN_I3: sent MI3, expecting MR3
002 "home" #42: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
002 "home" #42: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "home" #42: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
002 "home" #43: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#42 msgid:9d6ffe19 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1536}
117 "home" #43: STATE_QUICK_I1: initiate
003 "home" #43: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=9d6ffe19
002 "home" #43: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "home" #43: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4db44103 <0xd1e49108 xfrm=AES_128-HMAC_MD5 NATOA=none NATD=none DPD=none}
Here is the rekeying:
Mar 27 11:44:55 claimtools pluto[2726]: "home" #44: IPsec SA expired (LATEST!)
Mar 27 11:44:34 claimtools pluto[2726]: "home" #45: max number of retransmissions (2) reached STATE_MAIN_R
Mar 27 11:43:24 claimtools pluto[2726]: "home" #45: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 27 11:43:24 claimtools pluto[2726]: "home" #45: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 27 11:43:24 claimtools pluto[2726]: "home" #45: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Mar 27 11:43:24 claimtools pluto[2726]: "home" #45: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 27 11:43:24 claimtools pluto[2726]: "home" #45: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 27 11:43:24 claimtools pluto[2726]: "home" #45: responding to Main Mode
Mar 27 11:43:24 claimtools pluto[2726]: packet from 70.67.129.119:4500: received Vendor ID payload [Dead Peer Detection]
Mar 27 11:43:24 claimtools pluto[2726]: packet from 70.67.129.119:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Mar 27 11:43:24 claimtools pluto[2726]: packet from 70.67.129.119:4500: ignoring unknown Vendor ID payload [16f6ca16e4a4066d83821a0f0aeaa862]
Mar 27 11:43:24 claimtools pluto[2726]: packet from 70.67.129.119:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Mar 27 11:43:24 claimtools pluto[2726]: packet from 70.67.129.119:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Mar 27 11:43:24 claimtools pluto[2726]: packet from 70.67.129.119:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Mar 27 11:43:24 claimtools pluto[2726]: packet from xxx.xxx.xxx.xxx:4500: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
Mar 27 11:43:24 claimtools pluto[2726]: packet from xxx.xxx.xxx.xxx:4500: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
Mar 27 11:43:24 claimtools pluto[2726]: packet from xxx.xxx.xxx.xxx:4500: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
Mar 27 11:43:24 claimtools pluto[2726]: packet from xxx.xxx.xxx.xxx:4500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Mar 27 11:43:24 claimtools pluto[2726]: packet from xxx.xxx.xxx.xxx:4500: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
Mar 27 11:43:24 claimtools pluto[2726]: packet from xxx.xxx.xxx.xxx:4500: received Vendor ID payload [RFC 3947] method set to=109
Mar 27 11:43:04 claimtools pluto[2726]: "home" #42: received and ignored informational message
Mar 27 11:43:04 claimtools pluto[2726]: "home" #42: received Delete SA(0x4db44103) payload: deleting IPSEC State #43
Mar 27 11:42:55 claimtools pluto[2726]: "home" #44: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x4db44113 <0x12243d77 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Mar 27 11:42:55 claimtools pluto[2726]: "home" #44: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 27 11:42:55 claimtools pluto[2726]: "home" #44: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Mar 27 11:42:55 claimtools pluto[2726]: "home" #44: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 27 11:42:55 claimtools pluto[2726]: "home" #44: keeping refhim=4294901761 during rekey
Mar 27 11:42:55 claimtools pluto[2726]: "home" #44: them: xxx.xxx.xxx.xxx<xxx.xxx.xxx.xxx>[+S=C]===192.168.80.0/24
Mar 27 11:42:55 claimtools pluto[2726]: "home" #44: us: 1.80.0.19/32===192.168.27.16[+S=C]
Mar 27 11:42:55 claimtools pluto[2726]: "home" #44: responding to Quick Mode proposal {msgid:e8e6b6dd}
Mar 27 11:42:55 claimtools pluto[2726]: "home" #42: the peer proposed: 1.80.0.19/32:0/0 -> 192.168.80.0/24:0/0
I am willing to provide any additional information to help solve this problem.
Thank you for your time.
Jon James
ClaimTools Solutions
(250)713-8185
1-888-989-8388
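The pluto excerpt above is pasted newest-first and wrapped by the mailer, which makes the sequence of events hard to follow. The script below is an added example written for this page, not code from the post or from Openswan: it parses syslog-style pluto lines, puts them in chronological order, tracks each "#NN" state to its outcome (established, deleted by the peer, expired, or abandoned at the retransmit limit) and prints the findings an investigator of a rekey failure wants first: a Main Mode responder that never got MI3, a child SA that expired at its lifetime with no established successor, and an ESP transform that changed between a child SA and its rekey. The sample log is constructed from the lines in the post; the timestamp of #43's establishment is assumed (the whack output carries none), and the state name in the retransmission line is taken as STATE_MAIN_R2 to match the preceding "sent MR2" line. The `sa_lifetime_s` parameter is the post's Phase 2 value of 120s.

```python
import re
from datetime import datetime

# Constructed sample modelled on the pluto lines quoted in the post, pasted newest-first as in
# the post with the mail wrapping undone. SPIs, hosts and times are the post's, except the time
# of #43's establishment, which is assumed, and STATE_MAIN_R2 in the retransmission line.
SAMPLE_LOG = """\
Mar 27 11:44:55 claimtools pluto[2726]: "home" #44: IPsec SA expired (LATEST!)
Mar 27 11:44:34 claimtools pluto[2726]: "home" #45: max number of retransmissions (2) reached STATE_MAIN_R2
Mar 27 11:43:24 claimtools pluto[2726]: "home" #45: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 27 11:43:24 claimtools pluto[2726]: "home" #45: responding to Main Mode
Mar 27 11:43:24 claimtools pluto[2726]: packet from 70.67.129.119:4500: received Vendor ID payload [RFC 3947] method set to=109
Mar 27 11:43:04 claimtools pluto[2726]: "home" #42: received Delete SA(0x4db44103) payload: deleting IPSEC State #43
Mar 27 11:42:55 claimtools pluto[2726]: "home" #44: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x4db44113 <0x12243d77 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Mar 27 11:42:55 claimtools pluto[2726]: "home" #44: responding to Quick Mode proposal {msgid:e8e6b6dd}
Mar 27 11:40:55 claimtools pluto[2726]: "home" #43: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4db44103 <0xd1e49108 xfrm=AES_128-HMAC_MD5 NATOA=none NATD=none DPD=none}
"""

LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)" #(?P<sa>\d+): |packet from (?P<src>[\d.]+:\d+): )?(?P<msg>.*)$')
ESTABLISHED_RE = re.compile(
    r'IPsec SA established .*?\{ESP=>0x(?P<spi_out>[0-9a-f]+) <0x(?P<spi_in>[0-9a-f]+) xfrm=(?P<xfrm>\S+)')
RETRANS_RE = re.compile(r'max number of retransmissions \((?P<n>\d+)\) reached (?P<state>STATE_\w+)')
DELETE_RE = re.compile(r'received Delete SA\(0x(?P<spi>[0-9a-f]+)\) payload: deleting IPSEC State #(?P<victim>\d+)')


def parse_pluto(text, year):
    """Parse syslog-style pluto lines into event dicts in chronological order.
    Syslog lines carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
                       "conn": m["conn"], "sa": int(m["sa"]) if m["sa"] else None,
                       "src": m["src"], "msg": m["msg"]})
    if len(events) > 1 and events[0]["ts"] > events[-1]["ts"]:
        events.reverse()  # pasted newest-first: undo that so the stable sort keeps same-second order
    events.sort(key=lambda e: e["ts"])
    return events


def _new_sa(conn, ts):
    return {"conn": conn, "first": ts, "established": None, "state": None,
            "xfrm": None, "spi_out": None, "outcome": "open"}


def analyse(events, sa_lifetime_s):
    """Track every #NN state to its outcome; return (per-SA records, findings).
    sa_lifetime_s is the Phase 2 lifetime the peer imposes (120 in the post)."""
    sas, findings = {}, []
    for e in events:
        if e["sa"] is None:
            continue  # "packet from ..." lines precede a state number; not needed here
        rec = sas.setdefault(e["sa"], _new_sa(e["conn"], e["ts"]))
        states = re.findall(r"STATE_\w+", e["msg"])
        if states:
            rec["state"] = states[-1]  # last state named on the line is the one reached
        if m := ESTABLISHED_RE.search(e["msg"]):
            rec.update(outcome="established", established=e["ts"], xfrm=m["xfrm"], spi_out=m["spi_out"])
        elif m := RETRANS_RE.search(e["msg"]):
            rec["outcome"] = f"retransmit limit ({m['n']}) at {m['state']}"
            silent = (e["ts"] - rec["first"]).total_seconds()
            findings.append(f"#{e['sa']}: peer stopped answering {silent:.0f}s into Main Mode at "
                            f"{m['state']}; the ISAKMP SA it started never completed")
        elif m := DELETE_RE.search(e["msg"]):
            victim = sas.setdefault(int(m["victim"]), _new_sa(e["conn"], e["ts"]))
            victim["outcome"] = f"deleted by peer (SPI 0x{m['spi']})"
        elif "IPsec SA expired" in e["msg"]:
            rec["outcome"] = "expired"
            live = [n for n, r in sas.items() if r["conn"] == rec["conn"] and r["outcome"] == "established"]
            age = (f"after {(e['ts'] - rec['established']).total_seconds():.0f}s"
                   if rec["established"] else "at unknown age")
            if not live:
                findings.append(f"#{e['sa']}: expired {age} (peer lifetime {sa_lifetime_s}s) with no "
                                f"established replacement on '{rec['conn']}': tunnel is down")
    # A rekeyed child SA should carry the same transforms as the one it replaces; a change
    # means at least one side is offering a default proposal list and the peer picks.
    est = sorted((r["established"], n, r["xfrm"]) for n, r in sas.items() if r["established"])
    for (_, a, xa), (_, b, xb) in zip(est, est[1:]):
        if xa != xb:
            findings.append(f"#{a} used {xa} but its rekey #{b} used {xb}: ESP proposal is not pinned on both ends")
    return sas, findings


if __name__ == "__main__":
    sas, findings = analyse(parse_pluto(SAMPLE_LOG, 2009), sa_lifetime_s=120)
    for n in sorted(sas):
        print(f"#{n:<3} {sas[n]['conn']:<6} {sas[n]['state'] or '-':<16} {sas[n]['outcome']}")
    for f in findings:
        print("!", f)
```

Run it against the real /var/log/secure (or wherever pluto logs) with `plutodebug` left off; the parser only needs the default messages. The same-second ordering matters: reversing a newest-first paste before the stable sort is what keeps "responding to Quick Mode" ahead of "IPsec SA established" within 11:42:55.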