[Openswan Users] pluto keeps starting keying attempt; tunnels work fine

Nick Howitt n1ck.h0w1tt at gmail.com
Wed Nov 3 04:13:38 EDT 2010


Are the Drayteks set to Dial-in, Dial-out or Both?

On 03/11/2010 07:59, Roel van Meer wrote:
> Hi list,
>
> I have an openswan setup with a number of tunnels to various models
> of draytek routers. Configuration is shown below. The tunnels all work and
> are stable, as far as I can see. Only in the logs, I keep seeing these
> messages over and over again, for each tunnel:
>
> ---/---
> Nov  3 08:02:17 polariseer pluto[19762]: "peperstraat" #7308: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
> Nov  3 08:02:17 polariseer pluto[19762]: "peperstraat" #7308: starting keying attempt 46 of an unlimited number
> Nov  3 08:02:17 polariseer pluto[19762]: "peperstraat" #7493: initiating Main Mode to replace #7308
> Nov  3 08:02:18 polariseer pluto[19762]: "peperstraat" #7309: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
> Nov  3 08:02:18 polariseer pluto[19762]: "peperstraat" #7309: starting keying attempt 14 of an unlimited number
> Nov  3 08:02:18 polariseer pluto[19762]: "peperstraat" #7495: initiating Main Mode to replace #7309
> Nov  3 08:04:08 polariseer pluto[19762]: "peperstraat" #7330: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
> Nov  3 08:04:08 polariseer pluto[19762]: "peperstraat" #7330: starting keying attempt 5 of an unlimited number
> Nov  3 08:04:08 polariseer pluto[19762]: "peperstraat" #7516: initiating Main Mode to replace #7330
> Nov  3 08:04:14 polariseer pluto[19762]: "peperstraat" #7341: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
> Nov  3 08:04:14 polariseer pluto[19762]: "peperstraat" #7341: starting keying attempt 69 of an unlimited number
> Nov  3 08:04:14 polariseer pluto[19762]: "peperstraat" #7519: initiating Main Mode to replace #7341
> Nov  3 08:04:14 polariseer pluto[19762]: "peperstraat" #7333: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
> Nov  3 08:04:14 polariseer pluto[19762]: "peperstraat" #7333: starting keying attempt 37 of an unlimited number
> Nov  3 08:04:14 polariseer pluto[19762]: "peperstraat" #7527: initiating Main Mode to replace #7333
> ---/---
>
> Could anyone shed some light on why this would be happening?
> Since I got a fair number of tunnels, the logs are filling up quite fast this way.
>
> (At first I thought it was a keylife mismatch, but on the drayteks the
> key lifetimes are set to 8 hours for phase 1, and 1 hour for phase 2, which,
> if I read the manpage correctly, are the defaults of salifetime and
> ikelifetime, respectively.)
>
> Thanks,
>
> roel
>
>
> Setup:
> Slackware 13.1, kernel 2.6.32.23
> Openswan version: happens with all tested versions: 2.6.29, 2.6.31,
> latest git
>
> ---/ ipsec.conf /---
> version 2.0
> config setup
>    interfaces="ipsec0=eth1"
>    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.0.0/24
>    oe=off
>    protostack=klips
>
> conn peperstraat
>          right=188.204.xxx.yyy
>          rightsubnet=10.10.8.1/24
>          also=general
>
> conn general
>          type=tunnel
>          left=87.253.148.33
>          leftsubnet=10.0.0.1/24
>          authby=secret
>          auto=route
>          pfs=yes
>          ike=3des
>          dpddelay=30
>          dpdtimeout=150
>          dpdaction=restart
> ---/---
>
>

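An added example, not part of the original thread: a small parser for the pluto messages quoted above that groups them by connection and state number, to show how many phase 1 retry chains are running side by side for one tunnel. The line format is taken from the quoted excerpt (the sample is its first six lines); the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: the first six log lines from the quoted excerpt.
SAMPLE = """\
Nov  3 08:02:17 polariseer pluto[19762]: "peperstraat" #7308: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Nov  3 08:02:17 polariseer pluto[19762]: "peperstraat" #7308: starting keying attempt 46 of an unlimited number
Nov  3 08:02:17 polariseer pluto[19762]: "peperstraat" #7493: initiating Main Mode to replace #7308
Nov  3 08:02:18 polariseer pluto[19762]: "peperstraat" #7309: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
Nov  3 08:02:18 polariseer pluto[19762]: "peperstraat" #7309: starting keying attempt 14 of an unlimited number
Nov  3 08:02:18 polariseer pluto[19762]: "peperstraat" #7495: initiating Main Mode to replace #7309
"""

LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)')
TIMEOUT = re.compile(r'max number of retransmissions \((\d+)\) reached (STATE_\w+)')
ATTEMPT = re.compile(r'starting keying attempt (\d+) of')
REPLACE = re.compile(r'initiating \w+ Mode to replace #(\d+)')

def summarize(lines):
    """Per connection: timed-out states, their keying-attempt counters, replacements."""
    out = defaultdict(lambda: {"timeouts": {}, "attempts": {}, "replaced_by": {}})
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # not a per-state pluto message
        conn, state, msg = m["conn"], int(m["state"]), m["msg"]
        rec = out[conn]
        if t := TIMEOUT.search(msg):
            rec["timeouts"][state] = t[2]            # state the exchange was stuck in
        elif a := ATTEMPT.search(msg):
            rec["attempts"][state] = int(a[1])       # retry counter carried by this state
        elif r := REPLACE.search(msg):
            rec["replaced_by"][int(r[1])] = state    # old state -> new state
    return dict(out)

def parallel_chains(summary, conn):
    """States that timed out and were re-initiated: one entry per retry chain."""
    rec = summary[conn]
    return sorted(s for s in rec["timeouts"] if s in rec["replaced_by"])

if __name__ == "__main__":
    summary = summarize(SAMPLE.splitlines())
    for s in parallel_chains(summary, "peperstraat"):
        rec = summary["peperstraat"]
        print(f"#{s} {rec['timeouts'][s]} attempt {rec['attempts'][s]} -> #{rec['replaced_by'][s]}")
```

Different attempt counters (46 and 14 here) logged within a second of each other for the same connection suggest separate initiator states retrying independently, each with its own counter.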
