[Openswan Users] vpn goes dead after specific time
Craig Constantine
craig at blkbx.com
Fri Feb 19 14:18:12 EST 2010
This is a network-to-network tunnel. The other end is a Checkpoint
firewall (to which I have no administrative access.) I have some other
issues that I don't think are related, but I mention them just in case
someone sees a relationship.
This tunnel doesn't come up when I boot the linux box. It's configured with
'start=auto' but I still have to do 'ipsec auto --up foo_label'. Also I
had to add a static next hop route manually (via /etc/rc.local at boot),
'ip route add 172.16.36.0/24 via <CP's public IP> dev eth1'. My system's
eth0 is a routable /27 (a DMZ LAN). I also have DPD enabled (I think!)
with the dpddelay at 30 seconds; but I don't see any R_U_THERE packets
being logged.
Back to the "dead tunnel". The tunnel comes up (as below). Then after
the tunnel #4 log entries, it won't pass traffic. In this particular
case, I had an ssh connection open across the tunnel just after I
brought the tunnel up. I worked for maybe 15 minutes, then came back
and found my session not responsive.
Thoughts?
conn foo_tunnel
type=tunnel
authby=secret
left=209.255.196.98
leftsubnet=209.92.146.96/27
leftnexthop=209.255.196.97
right=12.34.56.78
rightsubnet=172.16.36.0/24
keyexchange=ike
ike=aes256-sha1-modp1024
phase2alg=aes256-sha1
pfs=no
auto=start
dpddelay=30
Feb 19 12:56:30 binkley ipsec__plutorun: Starting Pluto subsystem...
Feb 19 12:56:30 binkley pluto[6114]: Starting Pluto (Openswan Version 2.6.22; Vendor ID OElj@]rTMBuM) pid:6114
Feb 19 12:56:30 binkley pluto[6114]: Setting NAT-Traversal port-4500 floating to on
Feb 19 12:56:30 binkley pluto[6114]: port floating activation criteria nat_t=1/port_float=1
Feb 19 12:56:30 binkley pluto[6114]: including NAT-Traversal patch (Version 0.6c)
Feb 19 12:56:30 binkley pluto[6114]: using /dev/urandom as source of random entropy
Feb 19 12:56:30 binkley pluto[6114]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Feb 19 12:56:30 binkley pluto[6114]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Feb 19 12:56:30 binkley pluto[6114]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Feb 19 12:56:30 binkley pluto[6114]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Feb 19 12:56:30 binkley pluto[6114]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Feb 19 12:56:30 binkley pluto[6114]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Feb 19 12:56:30 binkley pluto[6114]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Feb 19 12:56:30 binkley pluto[6114]: starting up 1 cryptographic helpers
Feb 19 12:56:30 binkley pluto[6115]: using /dev/urandom as source of random entropy
Feb 19 12:56:30 binkley pluto[6114]: started helper pid=6115 (fd:7)
Feb 19 12:56:30 binkley pluto[6114]: Using Linux 2.6 IPsec interface code on 2.6.31-19-server (experimental code)
Feb 19 12:56:30 binkley pluto[6114]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Feb 19 12:56:30 binkley pluto[6114]: ike_alg_register_enc(): Activating <NULL>: Ok (ret=0)
Feb 19 12:56:30 binkley pluto[6114]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Feb 19 12:56:30 binkley pluto[6114]: ike_alg_add(): ERROR: Algorithm already exists
Feb 19 12:56:30 binkley pluto[6114]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Feb 19 12:56:30 binkley pluto[6114]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Feb 19 12:56:30 binkley pluto[6114]: ike_alg_add(): ERROR: Algorithm already exists
Feb 19 12:56:30 binkley pluto[6114]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Feb 19 12:56:30 binkley pluto[6114]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Feb 19 12:56:30 binkley pluto[6114]: ike_alg_add(): ERROR: Algorithm already exists
Feb 19 12:56:30 binkley pluto[6114]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Feb 19 12:56:30 binkley pluto[6114]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Feb 19 12:56:30 binkley pluto[6114]: ike_alg_add(): ERROR: Algorithm already exists
Feb 19 12:56:30 binkley pluto[6114]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Feb 19 12:56:30 binkley pluto[6114]: ike_alg_register_enc(): WARNING: enc alg=0 not found in constants.c:oakley_enc_names
Feb 19 12:56:30 binkley pluto[6114]: ike_alg_add(): ERROR: Algorithm already exists
Feb 19 12:56:30 binkley pluto[6114]: ike_alg_register_enc(): Activating <NULL>: FAILED (ret=-17)
Feb 19 12:56:30 binkley pluto[6114]: Changed path to directory '/etc/ipsec.d/cacerts'
Feb 19 12:56:30 binkley pluto[6114]: Changed path to directory '/etc/ipsec.d/aacerts'
Feb 19 12:56:30 binkley pluto[6114]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Feb 19 12:56:30 binkley pluto[6114]: Changing to directory '/etc/ipsec.d/crls'
Feb 19 12:56:30 binkley pluto[6114]: Warning: empty directory
Feb 19 12:56:30 binkley pluto[6114]: added connection description "foo_tunnel"
Feb 19 12:56:30 binkley pluto[6114]: listening for IKE messages
Feb 19 12:56:30 binkley pluto[6114]: NAT-Traversal: Trying new style NAT-T
Feb 19 12:56:30 binkley pluto[6114]: NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Feb 19 12:56:30 binkley pluto[6114]: NAT-Traversal: Trying old style NAT-T
Feb 19 12:56:30 binkley pluto[6114]: adding interface eth1/eth1 209.255.196.98:500
Feb 19 12:56:30 binkley pluto[6114]: adding interface eth1/eth1 209.255.196.98:4500
Feb 19 12:56:30 binkley pluto[6114]: adding interface eth0/eth0 209.92.146.116:500
Feb 19 12:56:30 binkley pluto[6114]: adding interface eth0/eth0 209.92.146.116:4500
Feb 19 12:56:30 binkley pluto[6114]: adding interface lo/lo 127.0.0.1:500
Feb 19 12:56:30 binkley pluto[6114]: adding interface lo/lo 127.0.0.1:4500
Feb 19 12:56:30 binkley pluto[6114]: adding interface lo/lo ::1:500
Feb 19 12:56:30 binkley pluto[6114]: loading secrets from "/etc/ipsec.secrets"
Feb 19 12:56:30 binkley pluto[6114]: "foo_tunnel" #1: initiating Main Mode
Feb 19 12:56:30 binkley pluto[6114]: "foo_tunnel" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Feb 19 12:56:30 binkley pluto[6114]: "foo_tunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Feb 19 12:56:30 binkley pluto[6114]: "foo_tunnel" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Feb 19 12:56:30 binkley pluto[6114]: "foo_tunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Feb 19 12:56:30 binkley pluto[6114]: "foo_tunnel" #1: Main mode peer ID is ID_IPV4_ADDR: '205.160.42.65'
Feb 19 12:56:30 binkley pluto[6114]: "foo_tunnel" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Feb 19 12:56:30 binkley pluto[6114]: "foo_tunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Feb 19 12:56:30 binkley pluto[6114]: "foo_tunnel" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:7e394f44 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
Feb 19 12:56:30 binkley pluto[6114]: "foo_tunnel" #2: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=7e394f44
Feb 19 12:56:30 binkley pluto[6114]: "foo_tunnel" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb 19 12:56:30 binkley pluto[6114]: "foo_tunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x8ca9cdf4 <0xcdc76d8c xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Feb 19 13:02:35 binkley pluto[6114]: "foo_tunnel" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:bfddd6df proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
Feb 19 13:02:35 binkley pluto[6114]: "foo_tunnel" #3: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=bfddd6df
Feb 19 13:02:35 binkley pluto[6114]: "foo_tunnel" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Feb 19 13:02:35 binkley pluto[6114]: "foo_tunnel" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x2268ca8b <0x0b94e542 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Feb 19 13:40:37 binkley pluto[6114]: "foo_tunnel" #4: initiating Main Mode to replace #1
Feb 19 13:40:37 binkley pluto[6114]: "foo_tunnel" #4: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Feb 19 13:40:37 binkley pluto[6114]: "foo_tunnel" #4: STATE_MAIN_I2: sent MI2, expecting MR2
Feb 19 13:40:37 binkley pluto[6114]: "foo_tunnel" #4: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Feb 19 13:40:37 binkley pluto[6114]: "foo_tunnel" #4: STATE_MAIN_I3: sent MI3, expecting MR3
Feb 19 13:40:37 binkley pluto[6114]: "foo_tunnel" #4: Main mode peer ID is ID_IPV4_ADDR: '205.160.42.65'
Feb 19 13:40:37 binkley pluto[6114]: "foo_tunnel" #4: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Feb 19 13:40:37 binkley pluto[6114]: "foo_tunnel" #4: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Feb 19 13:40:37 binkley pluto[6114]: "foo_tunnel" #4: discarding duplicate packet; already STATE_MAIN_I4
Feb 19 13:40:37 binkley pluto[6114]: "foo_tunnel" #4: discarding duplicate packet; already STATE_MAIN_I4
--
Craig Constantine - Black Box - craig at blkbx.com - 610.966.2699
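An added troubleshooting script, not part of the post above, that parses pluto log lines of the shape Craig pasted and flags the two things worth checking in his case: IPsec SAs negotiated with DPD=none even though dpddelay is set (Openswan only enables DPD when dpdtimeout is set alongside dpddelay; the conn quoted above has neither dpdtimeout nor dpdaction, which the script assumes), and a Phase 1 rekey ("Main Mode to replace #1") that is not followed by any new IPsec SA, which is exactly where the session went dead. The sample log is a constructed subset of the lines from the post, rejoined onto single lines.

```python
import re

# Constructed sample in the format pluto logged in the post above (wrapped
# lines rejoined); only the lines the audit looks at are included.
SAMPLE_LOG = """\
Feb 19 12:56:30 binkley pluto[6114]: "foo_tunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Feb 19 12:56:30 binkley pluto[6114]: "foo_tunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x8ca9cdf4 <0xcdc76d8c xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Feb 19 13:02:35 binkley pluto[6114]: "foo_tunnel" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x2268ca8b <0x0b94e542 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Feb 19 13:40:37 binkley pluto[6114]: "foo_tunnel" #4: initiating Main Mode to replace #1
Feb 19 13:40:37 binkley pluto[6114]: "foo_tunnel" #4: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
"""
# The DPD-relevant keys of the conn in the post: dpddelay only, no dpdtimeout/dpdaction (assumed).
SAMPLE_CONN = {"dpddelay": "30"}
LINE_RE = re.compile(r'^(\w{3} +\d+ [\d:]+) \S+ pluto\[\d+\]: "[^"]+" #(\d+): (.*)$')

def parse_events(log):
    """Return (time, state_no, kind, detail) for each SA event pluto logged."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # startup noise, state transitions, etc.
        ts, num, msg = m.groups()
        if "ISAKMP SA established" in msg:
            events.append((ts, int(num), "isakmp", ""))
        elif "IPsec SA established" in msg:
            dpd = re.search(r"DPD=(\S+)\}", msg)  # "none" means DPD was not negotiated
            events.append((ts, int(num), "ipsec", dpd.group(1) if dpd else "?"))
        elif "Main Mode to replace #" in msg:
            events.append((ts, int(num), "replace", msg.rsplit("#", 1)[1]))
    return events

def audit(log, conn):
    """Flag the conditions that can leave a tunnel dead after a Phase 1 rekey."""
    findings = []
    # Openswan requires dpdtimeout alongside dpddelay before it enables DPD.
    if "dpddelay" in conn and "dpdtimeout" not in conn:
        findings.append("dpddelay set without dpdtimeout: DPD will not be enabled")
    events = parse_events(log)
    for i, (ts, num, kind, detail) in enumerate(events):
        if kind == "ipsec" and detail == "none" and "dpddelay" in conn:
            findings.append(f"#{num} at {ts}: IPsec SA has DPD=none despite dpddelay")
        if kind == "replace" and not any(k == "ipsec" for _, _, k, _ in events[i + 1:]):
            findings.append(f"#{num} at {ts}: Phase 1 replaced #{detail}, "
                            "no IPsec SA re-established afterwards")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, SAMPLE_CONN):
        print(finding)
```

Run it against the full pluto log (e.g. `audit(open("/var/log/auth.log").read(), conn)`) after rejoining any wrapped lines; the last finding is the one to compare with the time the ssh session froze.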