[Openswan Users] Consistently reinitiating ipsec vpn

Oguz Yilmaz oguzyilmazlist at gmail.com
Tue May 4 09:20:34 EDT 2010


I have a site-to-site ipsec vpn connection to another city. However, I
see reinitiation of the connection in the log at intervals of about two
minutes. Two continuous ping requests are lost during each
reinitiation. This loss results in interruption of VoIP calls from
Site to Center. The corresponding device is a Checkpoint Edge firewall. I
have checked that both lifetimes are the same. I have also tried without the
dpd parameters. (The peer also does not support dpd according to the initial
logs.)

What do you think the problem is?

Best Regards,


ipsec.conf is:


version 2.0

config setup
        interfaces="ipsec0=eth1"
        klipsdebug=none
        plutodebug=none
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!172.19.32.0/24
        protostack=netkey


conn %default
        auto=add

conn Site
        authby=secret
        auth=esp
        esp=3des-sha1-96
        left=LEFTREALIP
        leftsubnet=172.16.1.0/22
        right=RIGHTREALIP
        rightsubnet=172.16.4.0/24
        leftnexthop=LEFTNEXTHOP
        disablearrivalcheck=no
        ikelifetime=1440s
        auto=start
        pfs=no
        keylife=3600s
        keyexchange=ike
        dpdaction=restart
        dpddelay=20
        dpdtimeout=50


# cat /etc/ipsec.secrets
LEFTREALIP RIGHTREALIP : PSK "1111111"


Openswan version is: openswan-2.4.13-1


The logs are:

May  4 16:04:50 2010 pluto[31339]: "Site" #12: cannot respond to IPsec SA request because no connection is known for LEFTREALIP...RIGHTREALIP
May  4 16:04:50 2010 pluto[31339]: "Site" #12: sending encrypted notification INVALID_ID_INFORMATION to RIGHTREALIP:500
May  4 16:04:50 2010 pluto[31339]: packet from RIGHTREALIP:500: ignoring unknown Vendor ID payload [f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138800000000...]
May  4 16:04:50 2010 pluto[31339]: packet from RIGHTREALIP:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
May  4 16:04:50 2010 pluto[31339]: "Site" #14: responding to Main Mode
May  4 16:04:50 2010 pluto[31339]: "Site" #14: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May  4 16:04:50 2010 pluto[31339]: "Site" #14: STATE_MAIN_R1: sent MR1, expecting MI2
May  4 16:04:50 2010 pluto[31339]: "Site" #14: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
May  4 16:04:50 2010 pluto[31339]: "Site" #14: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May  4 16:04:50 2010 pluto[31339]: "Site" #14: STATE_MAIN_R2: sent MR2, expecting MI3
May  4 16:04:50 2010 pluto[31339]: "Site" #14: Main mode peer ID is ID_IPV4_ADDR: 'RIGHTREALIP'
May  4 16:04:50 2010 pluto[31339]: "Site" #14: I did not send a certificate because I do not have one.
May  4 16:04:50 2010 pluto[31339]: "Site" #14: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May  4 16:04:50 2010 pluto[31339]: "Site" #14: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
May  4 16:04:50 2010 pluto[31339]: "Site" #14: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
May  4 16:04:50 2010 pluto[31339]: "Site" #14: received Delete SA payload: replace IPSEC State #13 in 10 seconds
May  4 16:04:50 2010 pluto[31339]: "Site" #14: received and ignored informational message
May  4 16:04:50 2010 pluto[31339]: "Site" #15: responding to Quick Mode {msgid:e7d06b7f}
May  4 16:04:50 2010 pluto[31339]: "Site" #15: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May  4 16:04:50 2010 pluto[31339]: "Site" #15: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
May  4 16:04:50 2010 pluto[31339]: "Site" #15: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
May  4 16:04:50 2010 pluto[31339]: "Site" #15: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May  4 16:04:50 2010 pluto[31339]: "Site" #15: STATE_QUICK_R2: IPsec SA established {ESP=>0x56148f23 <0x31c323c3 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
May  4 16:04:51 2010 pluto[31339]: "Site" #15: discarding duplicate packet; already STATE_QUICK_R2
May  4 16:04:53 2010 pluto[31339]: "Site" #15: discarding duplicate packet; already STATE_QUICK_R2
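A small log triage script, added here as an example and not part of the original post or of Openswan: it parses pluto syslog lines of the shape shown above, records every "IPsec SA established" event, measures the gap between consecutive Phase 2 establishments per connection, and counts peer-initiated "Delete SA" requests and INVALID_ID_INFORMATION notifications we sent. The sample lines below are constructed to mimic the post's log (the SPIs and the two extra establishments are made up), and the "premature rekey" threshold of half the configured keylife is an assumption chosen for this example, not an Openswan constant.

```python
import re
from datetime import datetime

# Constructed sample pluto log lines, modelled on the post's format (not real captured data).
SAMPLE_LOG = """\
May  4 16:02:48 2010 pluto[31339]: "Site" #11: STATE_QUICK_R2: IPsec SA established {ESP=>0x11111111 <0x22222222 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
May  4 16:04:50 2010 pluto[31339]: "Site" #12: cannot respond to IPsec SA request because no connection is known for LEFTREALIP...RIGHTREALIP
May  4 16:04:50 2010 pluto[31339]: "Site" #12: sending encrypted notification INVALID_ID_INFORMATION to RIGHTREALIP:500
May  4 16:04:50 2010 pluto[31339]: "Site" #14: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
May  4 16:04:50 2010 pluto[31339]: "Site" #14: received Delete SA payload: replace IPSEC State #13 in 10 seconds
May  4 16:04:50 2010 pluto[31339]: "Site" #15: STATE_QUICK_R2: IPsec SA established {ESP=>0x56148f23 <0x31c323c3 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
May  4 16:06:52 2010 pluto[31339]: "Site" #17: STATE_QUICK_R2: IPsec SA established {ESP=>0x33333333 <0x44444444 xfrm=3DES_0-HMAC_SHA1 NATD=none DPD=none}
"""

# syslog prefix as pluto writes it: "Mon  d HH:MM:SS YYYY pluto[pid]: message"
LINE_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<year>\d{4}) '
    r'pluto\[(?P<pid>\d+)\]: (?P<msg>.*)$')
# Phase 2 (Quick Mode) completion on either the initiator (I2) or responder (R2) side
SA_RE = re.compile(
    r'^"(?P<conn>[^"]+)" #(?P<state>\d+): STATE_QUICK_[IR]2: IPsec SA established '
    r'\{ESP=>0x(?P<spi_out>[0-9a-f]+) <0x(?P<spi_in>[0-9a-f]+)')
INVALID_ID_RE = re.compile(r'sending encrypted notification INVALID_ID_INFORMATION to (?P<peer>\S+)')
DELETE_RE = re.compile(r'received Delete SA payload: replace IPSEC State #(?P<state>\d+) in (?P<secs>\d+) seconds')


def parse_pluto_line(line):
    """Split one pluto syslog line into (timestamp, pid, message); None if it is not a pluto line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {m['year']}", "%b %d %H:%M:%S %Y")
    return ts, int(m['pid']), m['msg']


def analyze(log_text, keylife_s=3600, min_fraction=0.5):
    """Summarise Phase 2 churn in a pluto log.

    Returns the established SAs, the gap in seconds between consecutive
    establishments per connection, the gaps shorter than min_fraction * keylife_s
    (assumed threshold for calling a rekey premature), the peer's Delete SA
    requests, and how many INVALID_ID_INFORMATION notifications we sent.
    """
    established, deletes, invalid_id = [], [], 0
    for line in log_text.splitlines():
        parsed = parse_pluto_line(line)
        if parsed is None:
            continue
        ts, _pid, msg = parsed
        if m := SA_RE.match(msg):
            established.append((ts, m['conn'], int(m['state']), m['spi_out'], m['spi_in']))
        elif m := DELETE_RE.search(msg):
            deletes.append((int(m['state']), int(m['secs'])))
        elif INVALID_ID_RE.search(msg):
            invalid_id += 1

    by_conn = {}
    for rec in established:
        by_conn.setdefault(rec[1], []).append(rec)
    intervals = {conn: [int((b[0] - a[0]).total_seconds()) for a, b in zip(recs, recs[1:])]
                 for conn, recs in by_conn.items()}
    threshold = keylife_s * min_fraction
    premature = {conn: [g for g in gaps if g < threshold] for conn, gaps in intervals.items()}
    return {
        "sa_established": established,
        "intervals": intervals,
        "premature_rekeys": premature,
        "delete_sa": deletes,
        "invalid_id_notifications": invalid_id,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG, keylife_s=3600)
    for conn, gaps in report["intervals"].items():
        print(f'{conn}: {len(gaps) + 1} IPsec SAs, gaps {gaps}s, premature {report["premature_rekeys"][conn]}')
    print(f'peer Delete SA requests: {report["delete_sa"]}')
    print(f'INVALID_ID_INFORMATION sent: {report["invalid_id_notifications"]}')
```

Run it against the real /var/log/secure (or wherever pluto logs) with keylife_s set to the value in ipsec.conf; gaps far below keylife, paired with Delete SA payloads from the peer, show the tear-downs are peer-driven rather than local lifetime expiry, and the INVALID_ID_INFORMATION count shows how often the peer's Quick Mode proposal did not match any local conn.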

