[Openswan Users] pluto keeps starting keying attempt; tunnels work fine

Roel van Meer rolek at bokxing.nl
Wed Nov 3 03:59:42 EDT 2010


Hi list,

I have an Openswan setup with a number of tunnels to various models
of DrayTek routers. Configuration is shown below. The tunnels all work and
are stable, as far as I can see. Only in the logs, I keep seeing these
messages over and over again, for each tunnel:

---/---
Nov  3 08:02:17 polariseer pluto[19762]: "peperstraat" #7308: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Nov  3 08:02:17 polariseer pluto[19762]: "peperstraat" #7308: starting keying attempt 46 of an unlimited number
Nov  3 08:02:17 polariseer pluto[19762]: "peperstraat" #7493: initiating Main Mode to replace #7308
Nov  3 08:02:18 polariseer pluto[19762]: "peperstraat" #7309: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Nov  3 08:02:18 polariseer pluto[19762]: "peperstraat" #7309: starting keying attempt 14 of an unlimited number
Nov  3 08:02:18 polariseer pluto[19762]: "peperstraat" #7495: initiating Main Mode to replace #7309
Nov  3 08:04:08 polariseer pluto[19762]: "peperstraat" #7330: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Nov  3 08:04:08 polariseer pluto[19762]: "peperstraat" #7330: starting keying attempt 5 of an unlimited number
Nov  3 08:04:08 polariseer pluto[19762]: "peperstraat" #7516: initiating Main Mode to replace #7330
Nov  3 08:04:14 polariseer pluto[19762]: "peperstraat" #7341: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Nov  3 08:04:14 polariseer pluto[19762]: "peperstraat" #7341: starting keying attempt 69 of an unlimited number
Nov  3 08:04:14 polariseer pluto[19762]: "peperstraat" #7519: initiating Main Mode to replace #7341
Nov  3 08:04:14 polariseer pluto[19762]: "peperstraat" #7333: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Nov  3 08:04:14 polariseer pluto[19762]: "peperstraat" #7333: starting keying attempt 37 of an unlimited number
Nov  3 08:04:14 polariseer pluto[19762]: "peperstraat" #7527: initiating Main Mode to replace #7333
---/---

Could anyone shed some light on why this would be happening?
Since I got a fair number of tunnels, the logs are filling up quite fast this way.

(At first I thought it was a keylife mismatch, but on the DrayTeks the
key lifetimes are set to 8 hours for phase 1, and 1 hour for phase 2, which,
if I read the man page correctly, are the defaults of salifetime and
ikelifetime, respectively.)

Thanks,

roel


Setup:
Slackware 13.1, kernel 2.6.32.23
Openswan version: happens with all tested versions: 2.6.29, 2.6.31, 
latest git

---/ ipsec.conf /---
version 2.0
config setup
  interfaces="ipsec0=eth1"
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.0.0/24
  oe=off
  protostack=klips

conn peperstraat
        right=188.204.xxx.yyy
        rightsubnet=10.10.8.1/24
        also=general

conn general
        type=tunnel
        left=87.253.148.33
        leftsubnet=10.0.0.1/24
        authby=secret
        auto=route
        pfs=yes
        ike=3des
        dpddelay=30
        dpdtimeout=150
        dpdaction=restart
---/---
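
Added example, not part of the original post and not Openswan code: a small Python summarizer for the pluto messages quoted above. It groups them per connection and pairs each timed-out state with its keying-attempt counter and the state that replaces it; the regular expressions are written against the log lines in this message only, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Log lines copied from the message above (first three of the five triplets).
SAMPLE_LOG = """\
Nov  3 08:02:17 polariseer pluto[19762]: "peperstraat" #7308: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Nov  3 08:02:17 polariseer pluto[19762]: "peperstraat" #7308: starting keying attempt 46 of an unlimited number
Nov  3 08:02:17 polariseer pluto[19762]: "peperstraat" #7493: initiating Main Mode to replace #7308
Nov  3 08:02:18 polariseer pluto[19762]: "peperstraat" #7309: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Nov  3 08:02:18 polariseer pluto[19762]: "peperstraat" #7309: starting keying attempt 14 of an unlimited number
Nov  3 08:02:18 polariseer pluto[19762]: "peperstraat" #7495: initiating Main Mode to replace #7309
Nov  3 08:04:08 polariseer pluto[19762]: "peperstraat" #7330: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Nov  3 08:04:08 polariseer pluto[19762]: "peperstraat" #7330: starting keying attempt 5 of an unlimited number
Nov  3 08:04:08 polariseer pluto[19762]: "peperstraat" #7516: initiating Main Mode to replace #7330
"""

PREFIX = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
TIMEOUT = re.compile(r'max number of retransmissions \((\d+)\) reached (STATE_\w+)')
ATTEMPT = re.compile(r'starting keying attempt (\d+) of')
REPLACE = re.compile(r'initiating Main Mode to replace #(\d+)')

def summarize(log_text):
    """Return {conn: {timed_out_state: {stuck_in, attempt, replaced_by}}}."""
    states = defaultdict(dict)
    for line in log_text.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue  # not a per-connection pluto message
        conn, state, msg = m['conn'], int(m['state']), m['msg']
        if t := TIMEOUT.search(msg):
            states[conn].setdefault(state, {})['stuck_in'] = t.group(2)
        elif a := ATTEMPT.search(msg):
            states[conn].setdefault(state, {})['attempt'] = int(a.group(1))
        elif r := REPLACE.search(msg):
            # This line is logged under the NEW state; file it under the old one.
            states[conn].setdefault(int(r.group(1)), {})['replaced_by'] = state
    return dict(states)

def distinct_attempt_counters(summary):
    """Per connection, how many different keying-attempt counters appear."""
    return {conn: len({s['attempt'] for s in st.values() if 'attempt' in s})
            for conn, st in summary.items()}

if __name__ == "__main__":
    for conn, st in summarize(SAMPLE_LOG).items():
        for old, info in sorted(st.items()):
            print(conn, old, info)
    print(distinct_attempt_counters(summarize(SAMPLE_LOG)))
```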



