[Openswan Users] Subnets Connect, then they drop (but the Tunnel Remains)

JT Edwards tstrike34 at gmail.com
Thu Sep 24 17:14:31 EDT 2009


Better question,

It appears that the SA life is dying.... could that be my problem?

Clients in both subnets can ping the remote VPN gateway... however they cannot ping each other across the tunnel.

JT

JT Edwards
Senior Solutions Architect (Automation and Service Management)
IBM Tivoli Certified
Direct: 281-226-0284
Direct: 512-772-3266
Follow Me: 1866-866-4391 ext 1
AIM tstrike34
GoogleTalk tstrike34 at gmail.com


From: JT Edwards 
Sent: Thursday, September 24, 2009 3:52 PM
To: users at openswan.org 
Subject: Subnets Connect, then they drop (but the Tunnel Remains)


Paul et al.:

I have achieved IPsec SA established tunnel mode, yet it appears that subnet-to-subnet connectivity is dropped for some reason. Here are the secure log and the ipsec auto --status output. The tunnel connection remains, but it looks like it is fractured for some reason:

Sep 24 14:39:33 whiskers pluto[7855]: added connection description "ait-2-torden-xen"
Sep 24 14:39:33 whiskers pluto[7855]: listening for IKE messages
Sep 24 14:39:33 whiskers pluto[7855]: NAT-Traversal: Trying new style NAT-T
Sep 24 14:39:34 whiskers pluto[7855]: NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Sep 24 14:39:34 whiskers pluto[7855]: NAT-Traversal: Trying old style NAT-T
Sep 24 14:39:34 whiskers pluto[7855]: adding interface vnet0/vnet0 192.168.137.1:500
Sep 24 14:39:34 whiskers pluto[7855]: adding interface vnet0/vnet0 192.168.137.1:4500
Sep 24 14:39:34 whiskers pluto[7855]: adding interface eth0/eth0 22.123.34.56:500
Sep 24 14:39:34 whiskers pluto[7855]: adding interface eth0/eth0 22.123.34.56:4500
Sep 24 14:39:34 whiskers pluto[7855]: adding interface as0t0/as0t0 10.8.0.1:500
Sep 24 14:39:34 whiskers pluto[7855]: adding interface as0t0/as0t0 10.8.0.1:4500
Sep 24 14:39:34 whiskers pluto[7855]: adding interface virbr0/virbr0 192.168.122.1:500
Sep 24 14:39:34 whiskers pluto[7855]: adding interface virbr0/virbr0 192.168.122.1:4500
Sep 24 14:39:34 whiskers pluto[7855]: adding interface tun0/tun0 172.16.0.1:500
Sep 24 14:39:34 whiskers pluto[7855]: adding interface tun0/tun0 172.16.0.1:4500
Sep 24 14:39:34 whiskers pluto[7855]: adding interface lo/lo 127.0.0.1:500
Sep 24 14:39:34 whiskers pluto[7855]: adding interface lo/lo 127.0.0.1:4500
Sep 24 14:39:34 whiskers pluto[7855]: adding interface lo/lo ::1:500
Sep 24 14:39:34 whiskers pluto[7855]: loading secrets from "/etc/ipsec.secrets"
Sep 24 14:39:34 whiskers pluto[7855]: "ait-2-torden-xen" #1: initiating Main Mode
Sep 24 14:39:34 whiskers pluto[7855]: "ait-2-torden-xen" #1: ignoring unknown Vendor ID payload [3b9031dce4fcf88b489a923963dd0c49]
Sep 24 14:39:34 whiskers pluto[7855]: "ait-2-torden-xen" #1: ignoring Vendor ID payload [KAME/racoon]
Sep 24 14:39:34 whiskers pluto[7855]: "ait-2-torden-xen" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Sep 24 14:39:34 whiskers pluto[7855]: "ait-2-torden-xen" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Sep 24 14:39:34 whiskers pluto[7855]: "ait-2-torden-xen" #1: ignoring Vendor ID payload [KAME/racoon]
Sep 24 14:39:34 whiskers pluto[7855]: "ait-2-torden-xen" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Sep 24 14:39:34 whiskers pluto[7855]: "ait-2-torden-xen" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Sep 24 14:39:34 whiskers pluto[7855]: "ait-2-torden-xen" #1: Main mode peer ID is ID_IPV4_ADDR: '12.234.22.224'
Sep 24 14:39:34 whiskers pluto[7855]: "ait-2-torden-xen" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Sep 24 14:39:34 whiskers pluto[7855]: "ait-2-torden-xen" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Sep 24 14:39:34 whiskers pluto[7855]: "ait-2-torden-xen" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:7bf7d234 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1024}
Sep 24 14:39:34 whiskers pluto[7855]: "ait-2-torden-xen" #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Sep 24 14:39:34 whiskers pluto[7855]: "ait-2-torden-xen" #1: received and ignored informational message
Sep 24 14:39:35 whiskers pluto[7855]: "ait-2-torden-xen" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Sep 24 14:39:35 whiskers pluto[7855]: "ait-2-torden-xen" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x0f5a7819 <0x4aa14507 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Sep 24 14:39:35 whiskers pluto[7855]: "ait-2-torden-xen" #1: the peer proposed: 192.168.122.0/24:0/0 -> 192.168.136.0/24:0/0
Sep 24 14:39:35 whiskers pluto[7855]: "ait-2-torden-xen" #3: responding to Quick Mode proposal {msgid:767b2eeb}
Sep 24 14:39:35 whiskers pluto[7855]: "ait-2-torden-xen" #3:     us: 192.168.122.0/24===22.123.34.56<22.123.34.56>[+S=C]
Sep 24 14:39:35 whiskers pluto[7855]: "ait-2-torden-xen" #3:   them: 22.123.34.1---12.234.22.224<12.234.22.224>[+S=C]===192.168.136.0/24
Sep 24 14:39:35 whiskers pluto[7855]: "ait-2-torden-xen" #3: keeping refhim=4294901761 during rekey
Sep 24 14:39:35 whiskers pluto[7855]: "ait-2-torden-xen" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Sep 24 14:39:35 whiskers pluto[7855]: "ait-2-torden-xen" #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Sep 24 14:39:35 whiskers pluto[7855]: "ait-2-torden-xen" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Sep 24 14:39:35 whiskers pluto[7855]: "ait-2-torden-xen" #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x09076072 <0x874d4c6a xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Sep 24 14:40:10 whiskers pluto[7855]: "ait-2-torden-xen" #1: received Delete SA(0x0f5a7819) payload: deleting IPSEC State #2
Sep 24 14:40:10 whiskers pluto[7855]: "ait-2-torden-xen" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x4aa14507) not found (maybe expired)
Sep 24 14:40:10 whiskers pluto[7855]: "ait-2-torden-xen" #1: received and ignored informational message


I just do not understand what is happening... Is it something deeper?

000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface tun0/tun0 172.16.0.1
000 interface tun0/tun0 172.16.0.1
000 interface virbr0/virbr0 192.168.122.1
000 interface virbr0/virbr0 192.168.122.1
000 interface as0t0/as0t0 10.8.0.1
000 interface as0t0/as0t0 10.8.0.1
000 interface eth0/eth0 22.123.34.56
000 interface eth0/eth0 22.123.34.56
000 interface vnet0/vnet0 192.168.137.1
000 interface vnet0/vnet0 192.168.137.1
000 %myid = (none)
000 debug none
000  
000 virtual_private (%priv):
000 - allowed 0 subnets: 
000 - disallowed 0 subnets: 
000 WARNING: Either virtual_private= was not specified, or there was a syntax 
000          error in that line. 'left/rightsubnet=%priv' will not work!
000  
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000  
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000  
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
000  
000 "ait-2-torden-xen": 192.168.122.0/24===22.123.34.56<22.123.34.56>[+S=C]...22.123.34.1---12.234.22.224<12.234.22.224>[+S=C]===192.168.136.0/24; erouted; eroute owner: #3
000 "ait-2-torden-xen":     myip=unset; hisip=unset;
000 "ait-2-torden-xen":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "ait-2-torden-xen":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+lKOD+rKOD; prio: 24,24; interface: eth0; 
000 "ait-2-torden-xen":   newest ISAKMP SA: #1; newest IPsec SA: #3; 
000 "ait-2-torden-xen":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000  
000 #3: "ait-2-torden-xen":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28384s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #3: "ait-2-torden-xen" esp.9076072 at 12.234.22.224 esp.874d4c6a at 22.123.34.56 tun.0 at 12.234.22.224 tun.0 at 22.123.34.56 ref=0 refhim=4294901761
000 #1: "ait-2-torden-xen":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2825s; newest ISAKMP; nodpd; idle; import:admin initiate
000  


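Added example, not part of the post and not Openswan code: a small Python checker that reads the pluto log lines and the ipsec auto --status lines quoted above and answers the two questions raised in the thread from the data itself: whether the IPsec SA lifetime has run out, and whether the SA that still owns the eroute is the one the peer deleted. The sample input is taken from the log and status output in the post (trimmed to the SA-lifecycle lines); the regular expressions and the record layout are my own assumptions about the pluto message formats shown there, not a general Openswan parser.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: lines copied from the pluto log and `ipsec auto --status`
# output quoted in the post, trimmed to the SA-lifecycle events.
PLUTO_LOG = """\
Sep 24 14:39:34 whiskers pluto[7855]: "ait-2-torden-xen" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Sep 24 14:39:35 whiskers pluto[7855]: "ait-2-torden-xen" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x0f5a7819 <0x4aa14507 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Sep 24 14:39:35 whiskers pluto[7855]: "ait-2-torden-xen" #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x09076072 <0x874d4c6a xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Sep 24 14:40:10 whiskers pluto[7855]: "ait-2-torden-xen" #1: received Delete SA(0x0f5a7819) payload: deleting IPSEC State #2
Sep 24 14:40:10 whiskers pluto[7855]: "ait-2-torden-xen" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x4aa14507) not found (maybe expired)
"""

STATUS = """\
000 "ait-2-torden-xen":   newest ISAKMP SA: #1; newest IPsec SA: #3; 
000 #3: "ait-2-torden-xen":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 28384s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #1: "ait-2-torden-xen":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2825s; newest ISAKMP; nodpd; idle; import:admin initiate
"""

# Patterns assumed from the message formats visible in the post.
ESTABLISHED = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<num>\d+): STATE_QUICK_(?:I2|R2): .*?IPsec SA established '
    r'tunnel mode \{ESP=>0x(?P<spi_out>[0-9a-f]+) <0x(?P<spi_in>[0-9a-f]+)')
DELETED = re.compile(
    r'received Delete SA\(0x(?P<spi>[0-9a-f]+)\) payload: deleting IPSEC State #(?P<num>\d+)')
STATUS_STATE = re.compile(
    r'^000 #(?P<num>\d+): .*?EVENT_SA_REPLACE in (?P<secs>\d+)s(?P<rest>.*)$')


@dataclass
class IpsecSa:
    num: int                       # pluto state number (#2, #3, ...)
    conn: str                      # connection name
    spi_out: str                   # SPI we send with (ESP=>)
    spi_in: str                    # SPI we accept inbound (<)
    established: str               # syslog timestamp of establishment
    deleted: Optional[str] = None  # timestamp of the peer's Delete SA, if any


def parse_pluto_log(text: str) -> dict:
    """Track every IPsec SA pluto reports as established and whether the
    peer later deleted it. Returns {state_number: IpsecSa}."""
    sas = {}
    for line in text.splitlines():
        stamp = line[:15]  # "Sep 24 14:39:35"
        m = ESTABLISHED.search(line)
        if m:
            n = int(m.group('num'))
            sas[n] = IpsecSa(n, m.group('conn'), m.group('spi_out'),
                             m.group('spi_in'), stamp)
            continue
        m = DELETED.search(line)
        if m:
            n = int(m.group('num'))
            # Only credit the delete if the SPI named matches our record.
            if n in sas and sas[n].spi_out == m.group('spi'):
                sas[n].deleted = stamp
    return sas


def parse_status(text: str) -> dict:
    """From `ipsec auto --status`, return
    {state_number: (seconds until EVENT_SA_REPLACE, is_eroute_owner)}."""
    states = {}
    for line in text.splitlines():
        m = STATUS_STATE.match(line)
        if m:
            states[int(m.group('num'))] = (int(m.group('secs')),
                                          'eroute owner' in m.group('rest'))
    return states


def assess(sas: dict, states: dict) -> dict:
    """Is the SA lifetime the problem, and does the SA that still owns the
    eroute survive the peer's delete?"""
    owners = [n for n, (_, is_owner) in states.items() if is_owner]
    owner = owners[0] if owners else None
    live = sorted(n for n, sa in sas.items() if sa.deleted is None)
    return {
        'eroute_owner': owner,
        'owner_alive': owner in live,
        'owner_lifetime_left_s': states.get(owner, (None, False))[0],
        'deleted_by_peer': sorted(n for n, sa in sas.items() if sa.deleted),
        # A delete that hits the eroute owner silently kills traffic; a delete
        # of a surplus SA (both ends started Quick Mode at once) does not.
        'delete_hit_owner': any(sas[n].deleted and n == owner for n in sas),
    }


if __name__ == '__main__':
    result = assess(parse_pluto_log(PLUTO_LOG), parse_status(STATUS))
    for key, value in result.items():
        print(f'{key}: {value}')
```

Run against the quoted lines, the checker reports eroute owner #3 alive with 28384 s left before EVENT_SA_REPLACE, and the peer's Delete SA hitting only #2, the surplus SA from our own Quick Mode initiation. So the log does not show the SA lifetime expiring, and the tunnel that ipsec auto --status says "remains" is the same SA the kernel is routing through; that narrows the subnet-to-subnet failure to something other than the SA lifecycle.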