[Openswan Users] initiate on demand

Bob Miller bob at computerisms.ca
Thu Aug 12 21:25:46 EDT 2010


Hello gurus;

First, I want to express my appreciation to those of you who write the
openswan software and help support it through this list and other
documentation.  Over the last days, it has been more than apparent to me
all the good that you do for me and for others.  I am inspired by your
knowledge and your willingness to share it.  

Thank you.

I am uncertain what I did to make this happen.  Prior to my current
stint with this box, I was using openswan 2.4.12 from debian repos on
the server, and everything worked with XP without flaw for years.  I now
want to add a MacBook and some Vista laptops to the mix, and that
spurred all the upgrading.  As of now, I can reproduce this using XP and
Vista, and I get almost the same thing with the Mac.

In short, disconnecting an openswan tunnel seems to be locking something
up, I am not quite certain what, yet.  I can however reproduce reliably.
Observe:

Setup:
openswan 2.6.28 using netkey, compiled from source on a stock Debian
lenny box, with l2tpns/freeradius handling things after the tunnel is
up.  XP client runs on a virtual machine (bridged adapter so that it
gets its own IP address) on my Ubuntu workstation, which is behind an
iptables firewall doing NAT.

Procedure:
On the server, start ipsec, l2tpns, and freeradius from fresh:
/etc/init.d/l2tpns restart
/etc/init.d/freeradius restart
ipsec setup reload

When in this fresh state, l2tpns will send a heartbeat twice per second,
which I can log.  So long as that heartbeat is going, things work as
expected.

Next, connect using XP, no 3rd party client and no registry hack.
Connection is established immediately, I can immediately ping a host on
the remote LAN.  

All the logs at this point say everything is good and working.  IPSec SA
is established, and the l2tpns heartbeat carries on like clockwork.   

Once the connection disconnects, ~ 15 seconds later the l2tpns heartbeat
stops and my auth.log shows the following every 30 seconds:

Aug 12 13:10:59 yq-firewall pluto[10248]: initiate on demand from
199.247.238.35:1701 to 76.9.58.207:1701 proto=17 state: fos_start
because: acquire

199.247.238.35 is the openswan box, 76.9.58.207 is the firewall I am
behind.  

If I check ipsec auto --status immediately after I connect, everything
seems normal.  After a few minutes, I see the following line:

000 199.247.238.35/32:0 -0-> 76.9.58.207/32:0 => %pass 0    no routed template covers this pair

after the connection has been dropped, that line shows up if it wasn't
there before, or it does not go away if it was.

From here, if I do:
ipsec setup reload
the fos_start message stops, the "no routed template" message goes away,
my l2tpns heartbeat starts up again, and I can make a connection
again, to start the whole procedure over.

Conclusion:
At first I thought this was an l2tpns problem, so I spent the first day
trying to prove that to be the case.  In that investigation, though,
everything led me back to openswan.  Now that I can reliably produce the
issue, and reliably "fix" it by reloading ipsec, I am of the opinion
that openswan (or rather my implementation of it) is the source of the
problem and not l2tpns.  If there is error in my conclusion, I would
very much appreciate some correction.

With the Mac, I get my IPSec SA established fine, then there are
problems with authenticating against l2tpns, so it fails.  Immediately
after it fails, I get the fos_start message in my auth.log, which can
again be fixed by reloading ipsec.  It appears to be the same issue,
except in this particular case, I never actually get a fully successful
connection like I do with xp and vista.  However, openswan behaves the
same, as far as I can tell.

For grins and giggles, I installed 2.6.27 over top of 2.6.28 and
reloaded ipsec again.  It does not appear to have changed anything, the
symptoms remain the same.  Not sure what I expected to happen anyway.

I have also spent considerable time looking for solutions via google,
the closest thing I found was a thread on the openswan dev mailing list
mentioning the "no routed template covers this pair" thing, but there
was no solution.

I would think that since I connect okay and can pass traffic across the
tunnel, that my ipsec.conf and iptables are in order.  Nonetheless I
have tried using trial-and-error in the ipsec.conf file to correct the
problem, but a few hours of that only provided me more problems.  Here
is my current config:

version 2.0

config setup
   interfaces="%defaultroute"
   plutodebug=none
   klipsdebug=none
   # RFC 1918 ranges a NATed client may present as its virtual address;
   # 192.168.138.0/24 is excluded from that set
   virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:!192.168.138.0/24
   # NAT-Traversal (UDP 4500 encapsulation) for clients behind NAT
   nat_traversal=yes
   # use the kernel's native IPsec stack rather than KLIPS
   protostack=netkey
   # no opportunistic encryption
   oe=off

conn %default
   keyingtries=5
   # certificate-based authentication: our cert/ID on the left, the
   # peer's public key taken from the certificate it sends (%cert)
   leftcert=/etc/ipsec.d/certs/yq-firewall.yukonquest.com.pem
   leftid=@yq-firewall.yukonquest.com
   leftrsasigkey=%cert
   rightrsasigkey=%cert
   # load at startup and wait for the client to initiate
   auto=add

conn l2tp-yq
   left=199.247.238.35
   leftnexthop=199.247.238.1
   # transport-mode L2TP: UDP 1701 on our side, any source port on the client
   leftprotoport=17/1701
   right=%any
   rightprotoport=17/%any
   # accept the client's private (NATed) address as a virtual host
   rightsubnet=vhost:%no,%priv
   # Windows L2TP/IPsec clients do not do PFS by default
   pfs=no

Might anyone be able to add some clues to my (hopefully not futile)
investigation?

Bob Miller
334-7117/660-5315
http://computerisms.ca
bob at computerisms.ca
Network, Internet, Server,
and Open Source Solutions
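An added example, not from the post above or from the Openswan project: a small POSIX shell check that recognises the stuck state Bob describes from the two symptoms he quotes, the repeated "initiate on demand ... because: acquire" lines in auth.log and the orphaned "%pass ... no routed template covers this pair" shunt in `ipsec auto --status`. The two addresses are the ones from the post (server 199.247.238.35, NAT firewall 76.9.58.207); the sample log and status files are constructed here, modelled on the quoted lines (the status line is one line in real output, it is only wrapped in the mail). `DO_RELOAD=1` applies the `ipsec setup reload` workaround from the post; it is Bob's workaround, not a confirmed fix, so the default is report-only.

```sh
#!/bin/sh
# Added example (not part of the original post or of Openswan).
# Detects the "stuck after disconnect" state from the post:
#   1. pluto logs "initiate on demand ... because: acquire" for the
#      client pair every 30 s (kernel ACQUIREs that never get an SA), and
#   2. `ipsec auto --status` carries an orphaned %pass shunt for the pair
#      with "no routed template covers this pair".
# Addresses are the ones quoted in the post.
SERVER=199.247.238.35   # the openswan box
PEER=76.9.58.207        # the NAT firewall the XP client sits behind

# Constructed sample inputs (modelled on the lines quoted in the post).
# On a real server use /var/log/auth.log and `ipsec auto --status > file`.
write_samples() {  # $1 = directory to write into
    cat > "$1/auth.log" <<'EOF'
Aug 12 13:10:59 yq-firewall pluto[10248]: initiate on demand from 199.247.238.35:1701 to 76.9.58.207:1701 proto=17 state: fos_start because: acquire
Aug 12 13:11:29 yq-firewall pluto[10248]: initiate on demand from 199.247.238.35:1701 to 76.9.58.207:1701 proto=17 state: fos_start because: acquire
Aug 12 13:11:59 yq-firewall pluto[10248]: initiate on demand from 199.247.238.35:1701 to 76.9.58.207:1701 proto=17 state: fos_start because: acquire
EOF
    cat > "$1/status.txt" <<'EOF'
000 interface eth0/eth0 199.247.238.35
000 199.247.238.35/32:0 -0-> 76.9.58.207/32:0 => %pass 0    no routed template covers this pair
EOF
    cat > "$1/status-healthy.txt" <<'EOF'
000 interface eth0/eth0 199.247.238.35
EOF
}

# Number of acquire-triggered initiations for the pair in the last N
# lines of the log (default 200, so old incidents do not count forever).
acquire_count() {  # $1 = log file, $2 = window in lines
    tail -n "${2:-200}" "$1" |
        grep -c "pluto\[[0-9]*\]: initiate on demand from $SERVER:1701 to $PEER:1701 proto=17 .*because: acquire" || true
}

# Exit 0 if the status output shows the orphaned %pass shunt for the pair.
has_orphan_pass() {  # $1 = saved `ipsec auto --status` output
    grep -q "^000 $SERVER/32:0 -0-> $PEER/32:0 => %pass .*no routed template covers this pair" "$1"
}

# Exit 0 when both symptoms are present (at least $3 acquires, default 2).
tunnel_stuck() {  # $1 = log file, $2 = status file, $3 = minimum acquires
    n=$(acquire_count "$1")
    if [ "$n" -ge "${3:-2}" ] && has_orphan_pass "$2"; then
        return 0
    fi
    return 1
}

# One check; report-only unless DO_RELOAD=1 (the workaround from the post).
check_once() {  # $1 = log file, $2 = status file
    if tunnel_stuck "$1" "$2"; then
        echo "stuck: $(acquire_count "$1") acquire-triggered initiations and an orphaned %pass shunt for $SERVER<->$PEER"
        [ "${DO_RELOAD:-0}" = 1 ] && ipsec setup reload
        return 0
    fi
    echo "healthy: no orphaned %pass shunt for $SERVER<->$PEER"
    return 1
}

# Demo on the constructed samples; point check_once at real files instead.
tmp=$(mktemp -d)
write_samples "$tmp"
check_once "$tmp/auth.log" "$tmp/status.txt"            # reports stuck
check_once "$tmp/auth.log" "$tmp/status-healthy.txt" || true   # reports healthy
rm -rf "$tmp"
```

To use it on the server, something like `ipsec auto --status > /tmp/status.txt; check_once /var/log/auth.log /tmp/status.txt` from cron is enough to see whether the two symptoms really do appear together, and how long after the disconnect; the acquire window and threshold are parameters so the check does not fire on a single stale line.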


