[Openswan Users] Sending the "Initial Contact" message

Snitgen, John John.Snitgen at tnsi.com
Mon Mar 29 08:33:42 EDT 2010 

Hi Paul,

Thanks for the response.  I searched the web, the message list, and I own your book, which I also searched for any information on the "Initial Contact" message... I was pretty sure that Openswan didn't support it, but this is a major problem for us, so I had to ask.

First I'll answer your question, and then I'll try to provide more detail on the problem... The engineers at Cisco that are working on this issue with us have told me that the problem that I am seeing would not be a problem if the VPN client that I am using complied with the "Unity" standard... more specifically, if the client I am using sent the 'initial contact' message, this problem would not be a problem.

What we are seeing is that on occasion the Cisco aggregator will get 'hung' in the middle of negotiating a new session with one of the spokes (the spokes are all running Linux Openswan).  We think this happens when the connection being used to establish the session gets terminated unexpectedly during negotiation (typically the connection is PPP over wireless).  The spoke is then unable to negotiate a new session until the SA actually times out on the Cisco, or the hung session is manually cleared on the Cisco.  This is apparently tied to NAT-T on the Cisco, as the problem doesn't occur if the Cisco end is not NAT'd.  Cisco refuses to acknowledge that this problem is a bug in their code because the Linux/Openswan 'client' does not comply with the 'Unity' standard.

My guess is that updating the code will more than likely not fix this particular issue, unless the updated code sends the initial contact message but I will look into doing that anyway.

Thanks again,
John


-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Sunday, March 28, 2010 11:46 PM
To: Snitgen, John
Cc: users at openswan.org
Subject: Re: [Openswan Users] Sending the "Initial Contact" message

On Tue, 23 Mar 2010, Snitgen, John wrote:

> I've encountered an intermittent problem when attempting to establish a VPN connection to a Cisco VPN aggregator
> from my Linux box.  It seems that the solution is to send the "Initial Contact" message when initiating the
> session.

And why would that fix the issue? Openswan does not use the "initial contact" message.

> Openswan 2.4.6

Upgrade that first, as that code is from Aug 3 2006 !!!

Paul

This e-mail message is for the sole use of the intended recipient(s)and may
contain confidential and privileged information of Transaction Network Services.
Any unauthorised review, use, disclosure or distribution is prohibited. If you
are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

More information about the Users mailing list