[Openswan Users] Tunnels die and don't come back up.

Agent Smith news8080 at yahoo.com
Tue May 18 12:35:46 EDT 2010


I consider myself well versed with openswan because I have been using it for a while now. I am fighting with an odd issue though, and am hoping that this group can help.

I have a VPN between FC8/2.6.23/klips/ipsec 2.4.15 and a Juniper SSG5 VPN box; here is the config for the osw box.

conn xxxx
        type=tunnel
        authby=secret            # pre-shared key
        rekey=yes                # renegotiate before the SAs expire
        rekeyfuzz=0%             # no randomization of the rekey margin
        ikelifetime=1h           # ISAKMP (phase 1) SA lifetime
        keylife=8h               # IPsec (phase 2) SA lifetime
        left=x.y.z.x
        leftsubnet=0.0.0.0/0     # this side offers all traffic through the tunnel
        right=a.b.c.d
        rightsubnet=192.168.a.0/24
        auto=start               # bring the tunnel up when pluto starts
        keyingtries=%forever     # never give up retrying negotiation

Every once in a while, we'll get calls from the site 192.168.a.0/24 that they can't use the VPN. I check, and ipsec eroute will show the tunnel as up; ipsec barf will show that the SA is active, but no traffic is seen. In /var/log/secure I see the following exchanges, and it will just sit in that state for 10 min. or so before retrying and eventually negotiating a successful tunnel again. But why does it go down in the first place like this?

I have played with DPD, keylife, everything I can think of, and nothing. I know this isn't an issue with just this one site; we have 17 other sites connected like this and they all do this every now and again, all using different vendor hardware (some Linksys, some Openswan, some Junipers, some Ciscos).

May 18 10:48:35 vpn-1 pluto[28392]: "xxxx" #11596: received Delete SA(0x9785a2ff) payload: deleting IPSEC State #11565
May 18 10:48:35 vpn-1 pluto[28392]: "xxxx" #11596: received and ignored informational message
May 18 10:54:26 vpn-1 pluto[28392]: "xxxx" #11714: initiating Main Mode to replace #11596

I saved the ipsec barf of this tunnel when it was sitting in that 'frozen' state if someone needs it.

I suppose I can upgrade but I'd rather know what the root cause problem is here. 

Anyone?
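An added example, not part of the original post or of Openswan itself: a small Python checker that walks pluto log lines in the format quoted above, pairs each "received Delete SA" with the later "initiating Main Mode to replace #N" for the same ISAKMP state, and reports how long the tunnel sat between the peer's delete and the replacement attempt. The sample input embeds the three lines from the post plus two constructed lines for a second, quick-recovering connection ("yyyy"); the year is an assumption because syslog timestamps carry none, and the 60-second alert threshold is arbitrary.

```python
import re
from datetime import datetime

# Constructed sample: the three lines quoted in the post, plus two invented
# lines for a second connection that recovers within a second.
SAMPLE_LOG = """\
May 18 10:48:35 vpn-1 pluto[28392]: "xxxx" #11596: received Delete SA(0x9785a2ff) payload: deleting IPSEC State #11565
May 18 10:48:35 vpn-1 pluto[28392]: "xxxx" #11596: received and ignored informational message
May 18 10:54:26 vpn-1 pluto[28392]: "xxxx" #11714: initiating Main Mode to replace #11596
May 18 11:30:02 vpn-1 pluto[28392]: "yyyy" #11800: received Delete SA(0x01020304) payload: deleting IPSEC State #11790
May 18 11:30:03 vpn-1 pluto[28392]: "yyyy" #11801: initiating Main Mode to replace #11800
"""

# syslog prefix, pluto pid, quoted conn name, state number, free-text message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$'
)
DELETE_RE = re.compile(r'received Delete SA\((?P<spi>0x[0-9a-fA-F]+)\) payload')
REPLACE_RE = re.compile(r'initiating Main Mode to replace #(?P<old>\d+)')


def parse_ts(ts, year=2010):
    """syslog timestamps have no year; the caller assumes one (2010 here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_gaps(log_text, year=2010):
    """Pair each peer-initiated Delete SA with the Main Mode replacement of
    the same ISAKMP state and return the elapsed seconds per connection."""
    pending = {}   # conn name -> (ISAKMP state #, time the delete arrived)
    gaps = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, state, msg = m["conn"], m["state"], m["msg"]
        t = parse_ts(m["ts"], year)
        if DELETE_RE.search(msg):
            pending.setdefault(conn, (state, t))   # keep the earliest delete
            continue
        r = REPLACE_RE.search(msg)
        if r and conn in pending and pending[conn][0] == r["old"]:
            old_state, t0 = pending.pop(conn)
            gaps.append({
                "conn": conn,
                "replaced": old_state,
                "gap_s": int((t - t0).total_seconds()),
            })
    return gaps


def outages(log_text, threshold_s=60, year=2010):
    """Only the delete -> replace gaps long enough to be a visible outage."""
    return [g for g in find_gaps(log_text, year) if g["gap_s"] >= threshold_s]


if __name__ == "__main__":
    for g in find_gaps(SAMPLE_LOG):
        print(f'{g["conn"]}: ISAKMP #{g["replaced"]} replaced after {g["gap_s"]}s')
    print("outages:", [g["conn"] for g in outages(SAMPLE_LOG)])
```

Run against a real /var/log/secure (read the file into `find_gaps`) it turns the anecdotal "10 min. or so" into a measured number per connection, which is the first thing to have in hand when comparing sites or vendors.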

