[Openswan Users] RSA + XAUTH + Cisco reconnection failures

Andrew Campbell Andrew.Campbell at madisontech.com.au
Thu Mar 4 21:27:57 EST 2010


Hello OpenSwan group,

We are currently testing OpenSwan to Cisco using RSA + XAUTH and having
reconnection problems.

All connections are terminated using a Dynamic Virtual Interface.

OpenSwan version
----------------
Linux OpenSwan U2.4.12/K2.6.29-xs5.5.0.15 (netkey)


OpenSwan configuration
----------------------

conn vpn
    type=tunnel
    auto=add
    rekey=no
    aggrmode=no
    authby=rsasig
    left=10.77.30.20 
    leftcert=client.domain.com
    leftrsasigkey=%cert
    leftsendcert=always
    leftxauthclient=yes
    right=<CISCO IP ADDRESS>
    rightid="@server.domain.com"
    rightsubnet=10.1.1.0/24
    rightxauthserver=yes
    rightca=%same

OpenSwan connection test
-------------------------

I toggle the tunnel up and down with about 5 seconds in between.

openswan:/home/andrewc# ipsec auto --up vpn
Name enter:   test3
Enter secret:  *******

104 "vpn" #3: STATE_MAIN_I1: initiate
003 "vpn" #3: received Vendor ID payload [RFC 3947] method set to=109
106 "vpn" #3: STATE_MAIN_I2: sent MI2, expecting MR2
003 "vpn" #3: received Vendor ID payload [Cisco-Unity]
003 "vpn" #3: received Vendor ID payload [Dead Peer Detection]
003 "vpn" #3: ignoring unknown Vendor ID payload
[ace5a1eb2b3b52bd7b4c626ac7e48997]
003 "vpn" #3: received Vendor ID payload [XAUTH]
003 "vpn" #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am
NATed
108 "vpn" #3: STATE_MAIN_I3: sent MI3, expecting MR3
004 "vpn" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
041 "vpn" #3: vpn prompt for Username:
040 "vpn" #3: vpn prompt for Password:
004 "vpn" #3: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
004 "vpn" #3: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
117 "vpn" #4: STATE_QUICK_I1: initiate
003 "vpn" #4: ignoring informational payload, type
IPSEC_RESPONDER_LIFETIME
004 "vpn" #4: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x2e929a7a <0xc86ffbf5 xfrm=3DES_0-HMAC_SHA1 NATD=<CISCOIP
ADDRSS>:4500 DPD=none} 

openswan:/home/andrewc# ipsec auto --down vpn
openswan:/home/andrewc# ipsec auto --up vpn Enter secret:  *******

104 "vpn" #5: STATE_MAIN_I1: initiate
003 "vpn" #5: received Vendor ID payload [RFC 3947] method set to=109
106 "vpn" #5: STATE_MAIN_I2: sent MI2, expecting MR2
003 "vpn" #5: received Vendor ID payload [Cisco-Unity]
003 "vpn" #5: received Vendor ID payload [Dead Peer Detection]
003 "vpn" #5: ignoring unknown Vendor ID payload
[ace5a1ebe079cc774ac565ef8e47eb6e]
003 "vpn" #5: received Vendor ID payload [XAUTH]
003 "vpn" #5: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am
NATed
108 "vpn" #5: STATE_MAIN_I3: sent MI3, expecting MR3
004 "vpn" #5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
003 "vpn" #5: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x2e929a7a)
not found (maybe expired)
003 "vpn" #5: received and ignored informational message
040 "vpn" #5: vpn prompt for Password:
004 "vpn" #5: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
003 "vpn" #5: received Delete SA payload: deleting ISAKMP State #5

openswan:/home/andrewc# ipsec auto --down vpn
openswan:/home/andrewc# ipsec auto --up vpn
Name enter:   test3
Enter secret:  *******

104 "vpn" #6: STATE_MAIN_I1: initiate
003 "vpn" #6: received Vendor ID payload [RFC 3947] method set to=109
106 "vpn" #6: STATE_MAIN_I2: sent MI2, expecting MR2
003 "vpn" #6: received Vendor ID payload [Cisco-Unity]
003 "vpn" #6: received Vendor ID payload [Dead Peer Detection]
003 "vpn" #6: ignoring unknown Vendor ID payload
[ace5a1eb8ad3fa3aea7576441da53e0b]
003 "vpn" #6: received Vendor ID payload [XAUTH]
003 "vpn" #6: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am
NATed
108 "vpn" #6: STATE_MAIN_I3: sent MI3, expecting MR3
004 "vpn" #6: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
041 "vpn" #6: vpn prompt for Username:
040 "vpn" #6: vpn prompt for Password:
004 "vpn" #6: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
004 "vpn" #6: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
117 "vpn" #7: STATE_QUICK_I1: initiate
003 "vpn" #7: ignoring informational payload, type
IPSEC_RESPONDER_LIFETIME
004 "vpn" #7: STATE_QUICK_I2: sent QI2, IPsec SA established
{ESP=>0x281c7ecf <0x15363c00 xfrm=3DES_0-HMAC_SHA1 NATD=<CISCOIP
ADDRSS>:4500 DPD=none}

Cisco log from the failed second connection
-------------------------------------------

Mar  5 01:49:40.239: IPSEC(rte_mgr): VPN Route Event rekey so decrement
refcount for peer <OPENSWAN IP ADDRSS>
Mar  5 01:49:40.239: IPSEC(rte_mgr): VPN Route Event Deleting dynamic
maps for peer <OPENSWAN IP ADDRSS>
Mar  5 01:49:40.287: ISAKMP:(7028): sending packet to <OPENSWAN IP
ADDRSS> my_port 4500 peer_port 64775 (R) MM_KEY_EXCH
Mar  5 01:49:40.291: ISAKMP:(7028):Sending an IKE IPv4 Packet.
Mar  5 01:49:40.291: ISAKMP:(7028):Input = IKE_MESG_INTERNAL,
IKE_PROCESS_COMPLETE
Mar  5 01:49:40.291: ISAKMP:(7028):Old State = IKE_R_MM5  New State =
IKE_P1_COMPLETE

Mar  5 01:49:40.295: ISAKMP: set new node -403651869 to CONF_XAUTH
Mar  5 01:49:40.295: ISAKMP:(7028): sending packet to <OPENSWAN IP
ADDRSS> my_port 4500 peer_port 64775 (R) MM_KEY_EXCH
Mar  5 01:49:40.295: ISAKMP:(7028):Sending an IKE IPv4 Packet.
Mar  5 01:49:40.295: ISAKMP:(7028):purging node -403651869
Mar  5 01:49:40.295: ISAKMP:(7028):Input = IKE_MESG_FROM_IPSEC,
IKE_PHASE2_DEL
Mar  5 01:49:40.295: ISAKMP:(7028):Old State = IKE_P1_COMPLETE  New
State = IKE_P1_COMPLETE

Mar  5 01:49:40.295: ISAKMP:(7028):peer does not do paranoid keepalives.

Mar  5 01:49:40.295: ISAKMP:(7028):deleting SA reason "P1 delete notify
(in)" state (R) MM_KEY_EXCH (peer <OPENSWAN IP ADDRSS>)
Mar  5 01:49:40.295: ISAKMP:(0):Can't decrement IKE Call Admission
Control stat incoming_negotiating since it's already 0.
Mar  5 01:49:40.295: ISAKMP:(7027):peer does not do paranoid keepalives.

Mar  5 01:49:40.299: ISAKMP:(7028):Need XAUTH
Mar  5 01:49:40.299: ISAKMP: set new node 335708813 to CONF_XAUTH
Mar  5 01:49:40.299: ISAKMP/xauth: request attribute
XAUTH_USER_PASSWORD_V2
Mar  5 01:49:40.299: ISAKMP/xauth: request attribute XAUTH_REQ_NUMBER
Mar  5 01:49:40.299: ISAKMP:(7028): initiating peer config to <OPENSWAN
IP ADDRSS>. ID = 335708813
Mar  5 01:49:40.299: ISAKMP:(7028): sending packet to <OPENSWAN IP
ADDRSS> my_port 4500 peer_port 64775 (R) CONF_XAUTH
Mar  5 01:49:40.299: ISAKMP:(7028):Sending an IKE IPv4 Packet.
Mar  5 01:49:40.299: ISAKMP:(7028):Input = IKE_MESG_INTERNAL,
IKE_PHASE1_COMPLETE
Mar  5 01:49:40.299: ISAKMP:(7028):Old State = IKE_P1_COMPLETE  New
State = IKE_XAUTH_REQ_SENT

Mar  5 01:49:40.303: ISAKMP: set new node 1909653249 to CONF_XAUTH
Mar  5 01:49:40.303: ISAKMP:(7028): sending packet to <OPENSWAN IP
ADDRSS> my_port 4500 peer_port 64775 (R) CONF_XAUTH
Mar  5 01:49:40.303: ISAKMP:(7028):Sending an IKE IPv4 Packet.
Mar  5 01:49:40.303: ISAKMP:(7028):purging node 1909653249
Mar  5 01:49:40.303: ISAKMP:(7028):Input = IKE_MESG_INTERNAL,
IKE_PHASE1_DEL
Mar  5 01:49:40.303: ISAKMP:(7028):Old State = IKE_XAUTH_REQ_SENT  New
State = IKE_DEST_SA

Mar  5 01:49:40.303: ISAKMP:(7028):deleting SA reason "P1 delete notify
(in)" state (R) CONF_XAUTH    (peer <OPENSWAN IP ADDRSS>)
Mar  5 01:49:40.303: ISAKMP: Unlocking peer struct 0x468F79D0 for
isadb_mark_sa_deleted(), count 1
Mar  5 01:49:40.303: ISAKMP:(7028):deleting node 335708813 error FALSE
reason "IKE deleted"
Mar  5 01:49:40.303: ISAKMP:(7028):Input = IKE_MESG_FROM_PEER,
IKE_MM_EXCH
Mar  5 01:49:40.303: ISAKMP:(7028):Old State = IKE_DEST_SA  New State =
IKE_DEST_SA

Mar  5 01:49:42.307: ISAKMP (7028): received packet from <OPENSWAN IP
ADDRSS> dport 4500 sport 64775 Global (R) MM_NO_STATE
Mar  5 01:49:42.307: ISAKMP (7028): received packet from <OPENSWAN IP
ADDRSS> dport 4500 sport 64775 Global (R) MM_NO_STATE


Any help would be appreciated.

Regards,

Andrew Campbell
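As an added example (not part of Andrew's post or of Openswan), a small Python triage script that splits pluto output like the above into Phase 1 attempts and flags the pattern visible in the second attempt: a Delete for the previous connection's ESP SPI arriving after the new ISAKMP SA is up, followed by the peer deleting the ISAKMP state while XAUTH is still pending. SAMPLE_LOG is a constructed, trimmed copy of the post's output, and the field names are assumptions of this example.

```python
import re

# Constructed sample: a trimmed copy of the pluto output quoted in the post
# (attempt #3 succeeds, attempt #5 is torn down by the peer mid-XAUTH).
SAMPLE_LOG = """\
104 "vpn" #3: STATE_MAIN_I1: initiate
004 "vpn" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG}
004 "vpn" #3: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
117 "vpn" #4: STATE_QUICK_I1: initiate
004 "vpn" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x2e929a7a <0xc86ffbf5}
104 "vpn" #5: STATE_MAIN_I1: initiate
004 "vpn" #5: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG}
003 "vpn" #5: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x2e929a7a) not found (maybe expired)
004 "vpn" #5: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
003 "vpn" #5: received Delete SA payload: deleting ISAKMP State #5
"""

LINE_RE = re.compile(r'^\d{3} "(?P<conn>[^"]+)" #(?P<st>\d+): (?P<msg>.*)$')
ESP_RE = re.compile(r"ESP=>(0x[0-9a-f]+)")
STALE_RE = re.compile(r"ignoring Delete SA payload: PROTO_IPSEC_ESP SA\((0x[0-9a-f]+)\)")

def analyze(log_text):
    """Split pluto output into Phase 1 attempts (each starts at STATE_MAIN_I1)
    and record how far each one got. Returns a list of dicts, one per attempt."""
    attempts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if "STATE_MAIN_I1" in msg:  # a new Main Mode attempt begins
            attempts.append({"isakmp_state": int(m.group("st")), "outcome": "incomplete",
                             "xauth_prompted": False, "stale_delete_spi": None, "esp_spi": None})
            continue
        if not attempts:
            continue  # lines before the first initiate are ignored
        cur = attempts[-1]
        if "STATE_XAUTH_I1" in msg:
            cur["xauth_prompted"] = True
        elif (s := STALE_RE.search(msg)):  # Delete for an ESP SA we no longer have
            cur["stale_delete_spi"] = s.group(1)
        elif "IPsec SA established" in msg:
            cur["outcome"] = "established"
            cur["esp_spi"] = ESP_RE.search(msg).group(1)
        elif "received Delete SA payload: deleting ISAKMP State" in msg:
            cur["outcome"] = "deleted_by_peer_during_xauth" if cur["xauth_prompted"] else "deleted_by_peer"
    return attempts

def stale_delete_matches_previous(attempts):
    """True when an attempt received a Delete for the ESP SPI that the immediately
    preceding successful attempt negotiated, the sequence seen in the post."""
    return any(cur["stale_delete_spi"] and cur["stale_delete_spi"] == prev["esp_spi"]
               for prev, cur in zip(attempts, attempts[1:]))
```

Run over a full `ipsec auto --up` transcript, a run of attempts marked deleted_by_peer_during_xauth whose stale SPI matches the previous attempt points at teardown of the old SA overlapping the new negotiation rather than at a credential or certificate problem.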
