[Openswan Users] IPsec Connection seems terminated

weiruyao weiruyao at 163.com
Mon Sep 14 06:35:02 EDT 2009


I established an IPsec connection between a Linux box (of course, using Openswan) and a Cisco router. The topology is the simplest:
Linux(200.1.1.2)=======(200.1.1.1)Cisco
The IPsec SA is established. When I ping the Cisco router from Linux, I see ESP packets going up and down. But when I check it again after about 5 hours, I only see ESP packets going to the Cisco router, with no response. I checked the Cisco side, and the logs show this:
rec'd IPSEC packet has invalid SPI for destaddr=200.1.1.1 ,prot=50,SPI=0xF4500A32, srcaddr=200.1.1.2
200.1.1.1 is the Cisco side, 200.1.1.2 is the Linux side.
At this time, if I ping 200.1.1.2 from the Cisco (200.1.1.1), I see that IPsec Phase 2 is renegotiated:
2009-09-14 13:18:32 System0.Warning 192.168.1.3 Mar 14 05:20:44 pluto[1180]: "tunnelipsec" #38: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #32 {using isakmp#36 msgid:2581170f proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1024}<000>
2009-09-14 13:18:32 System0.Warning 192.168.1.3 Mar 14 05:20:44 pluto[1180]: "tunnelipsec" #36: received Delete SA payload: replace IPSEC State #32 in 10 seconds<000>
2009-09-14 13:18:32 System0.Warning 192.168.1.3 Mar 14 05:20:44 pluto[1180]: "tunnelipsec" #36: received and ignored informational message<000>
2009-09-14 13:18:37 System0.Warning 192.168.1.3 Mar 14 05:20:49 pluto[1180]: "tunnelipsec" #36: received Delete SA payload: already replacing IPSEC State #32 in 5 seconds<000>
2009-09-14 13:18:37 System0.Warning 192.168.1.3 Mar 14 05:20:49 pluto[1180]: "tunnelipsec" #36: received and ignored informational message<000>
2009-09-14 13:18:39 System0.Warning 192.168.1.3 Mar 14 05:20:51 pluto[1180]: "tunnelipsec" #37: discarding duplicate packet; already STATE_QUICK_R0<000>
2009-09-14 13:18:42 System0.Warning 192.168.1.3 Mar 14 05:20:54 pluto[1180]: "tunnelipsec" #36: received Delete SA payload: already replacing IPSEC State #32 in 0 seconds<000>
2009-09-14 13:18:42 System0.Warning 192.168.1.3 Mar 14 05:20:54 pluto[1180]: "tunnelipsec" #36: received and ignored informational message<000>
2009-09-14 13:18:42 System0.Warning 192.168.1.3 Mar 14 05:20:54 pluto[1180]: "tunnelipsec" #39: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #32 {using isakmp#36 msgid:82a7553f proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1024}<000>
2009-09-14 13:18:42 System0.Warning 192.168.1.3 Mar 14 05:20:54 pluto[1180]: "tunnelipsec" #39: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=82a7553f<000>
2009-09-14 13:18:42 System0.Warning 192.168.1.3 Mar 14 05:20:54 pluto[1180]: "tunnelipsec" #39: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2<000>
2009-09-14 13:18:42 System0.Warning 192.168.1.3 Mar 14 05:20:54 pluto[1180]: "tunnelipsec" #39: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x6a6218a8 <0x5479d8ff xfrm=AES_128-HMAC_MD5 NATOA=none NATD=none DPD=none}<000>
2009-09-14 13:18:43 System0.Warning 192.168.1.3 Mar 14 05:20:55 pluto[1180]: "tunnelipsec" #38: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=2581170f<000>
2009-09-14 13:18:43 System0.Warning 192.168.1.3 Mar 14 05:20:55 pluto[1180]: "tunnelipsec" #38: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2<000>
2009-09-14 13:18:43 System0.Warning 192.168.1.3 Mar 14 05:20:55 pluto[1180]: "tunnelipsec" #38: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x8b9b5c1c <0x317936d6 xfrm=AES_128-HMAC_MD5 NATOA=none NATD=none DPD=none}<000>
2009-09-14 13:18:49 System0.Warning 192.168.1.3 Mar 14 05:21:01 pluto[1180]: "tunnelipsec" #37: discarding duplicate packet; already STATE_QUICK_R0<000>
After the renegotiation, things return to normal: ESP packets can be seen in both directions.
I know this may not be an Openswan problem, but can anyone give me a hint on how to renegotiate the connection automatically? Can DPD be used? Or can REKEY be used?
My current config file is simple:
version 2.0
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        nat_traversal=yes
conn tunnelipsec
        type=tunnel
        authby=secret
        left=200.1.1.2
        right=200.1.1.1
        keyexchange=ike
        auto=start
Thank you in advance.
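
The following log-correlation example is added here and is not part of the original post. It reads the pluto and Cisco lines quoted in the message and reports which peer is still sending on an SPI the other side rejected, whether DPD was negotiated, and which Quick Mode states logged an ignored IPSEC_RESPONDER_LIFETIME notify. The function names and result keys are assumptions made for this example.

```python
import re

# Log lines copied from the post above, with the syslog relay prefix trimmed.
PLUTO_LOG = '''\
pluto[1180]: "tunnelipsec" #39: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=82a7553f
pluto[1180]: "tunnelipsec" #39: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x6a6218a8 <0x5479d8ff xfrm=AES_128-HMAC_MD5 NATOA=none NATD=none DPD=none}
pluto[1180]: "tunnelipsec" #38: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=2581170f
pluto[1180]: "tunnelipsec" #38: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x8b9b5c1c <0x317936d6 xfrm=AES_128-HMAC_MD5 NATOA=none NATD=none DPD=none}
'''.splitlines()
CISCO_LOG = "rec'd IPSEC packet has invalid SPI for destaddr=200.1.1.1 ,prot=50,SPI=0xF4500A32, srcaddr=200.1.1.2"

EST = re.compile(r'#(?P<state>\d+): .*IPsec SA established.*ESP=>0x(?P<outb>[0-9a-f]+) '
                 r'<0x(?P<inb>[0-9a-f]+).*DPD=(?P<dpd>\w+)')
LIFE = re.compile(r'#(?P<state>\d+): ignoring informational payload, type IPSEC_RESPONDER_LIFETIME')
BAD = re.compile(r'invalid SPI for destaddr=[\d.]+.*SPI=0x(?P<spi>[0-9A-Fa-f]+), '
                 r'srcaddr=(?P<src>[\d.]+)')

def established_sas(lines):
    """One dict per 'IPsec SA established' line; SPIs as integers."""
    return [{"state": int(m["state"]), "out_spi": int(m["outb"], 16),
             "in_spi": int(m["inb"], 16), "dpd": m["dpd"]}
            for m in map(EST.search, lines) if m]

def lifetime_notify_states(lines):
    """States whose Quick Mode logged an ignored RESPONDER-LIFETIME notify."""
    return sorted({int(m["state"]) for m in map(LIFE.search, lines) if m})

def rejected_spi(line):
    """(spi, sender) from the Cisco 'invalid SPI' message, or None."""
    m = BAD.search(line)
    return (int(m["spi"], 16), m["src"]) if m else None

def diagnose(pluto_lines, cisco_line):
    sas = established_sas(pluto_lines)
    hit = rejected_spi(cisco_line)
    if hit is None:
        return None
    spi, sender = hit
    return {
        "rejected_spi": f"0x{spi:08x}",
        "sender": sender,  # the peer still encrypting to the SA the receiver rejected
        # True: the rejected SPI is none of the outbound SPIs negotiated in this excerpt.
        "spi_from_older_sa": spi not in {sa["out_spi"] for sa in sas},
        "dpd_disabled": bool(sas) and all(sa["dpd"] == "none" for sa in sas),
        "lifetime_notify_states": lifetime_notify_states(pluto_lines),
    }

if __name__ == "__main__":
    print(diagnose(PLUTO_LOG, CISCO_LOG))
```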