[Openswan Users] pluto keeps starting keying attempt; tunnels work fine (SOLVED)

Roel van Meer rolek at bokxing.nl
Thu Nov 4 06:21:12 EDT 2010


Nick Howitt writes:

> For the Draytek dial-out ones, try auto=add rather than auto=route 
> (which maybe should really be auto=start but I'm not too sure)

Well, dpdaction=hold didn't remedy it and neither did auto=add. The only 
tunnel for which I don't get these messages is where I have set the Draytek 
to Both.

I recently saw a short thread between you and Paul about this Draytek 
setting, where Paul suggested Dial-Out works better. I also saw you had 
disabled openswan initiating rekeying by specifying rekey=no. It turns out 
that that is the setting I need.

Thanks,

roel



> Nick
> 
> On 03/11/2010 08:34, Roel van Meer wrote:
>> Nick Howitt writes:
>>
>>> Are the Draytek's set to Dial-in, Dial-out or Both?
>> Good one. This one is set to Dial-out, with the "Always on" checkbox
>> checked.
>>
>> Hmm. Probably doesn't work nicely with dpdaction=restart in my config. A
>> random check of several routers showed that the ones set to Both don't
>> exhibit this problem, and the ones set to Dial-out do.
>>
>> I'm going to have a better look at this: thanks for the tip, Nick!
>>
>> Regards,
>>
>> roel
>>
>>
>>
>>> On 03/11/2010 07:59, Roel van Meer wrote:
>>>> Hi list,
>>>>
>>>> I have an openswan setup with a number of tunnels to various models
>>>> of draytek routers. Configuration is shown below. The tunnels all work and
>>>> are stable, as far as I can see. Only in the logs, I keep seeing these
>>>> messages over and over again, for each tunnel:
>>>>
>>>> ---/---
>>>> Nov  3 08:02:17 polariseer pluto[19762]: "peperstraat" #7308: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
>>>> Nov  3 08:02:17 polariseer pluto[19762]: "peperstraat" #7308: starting keying attempt 46 of an unlimited number
>>>> Nov  3 08:02:17 polariseer pluto[19762]: "peperstraat" #7493: initiating Main Mode to replace #7308
>>>> Nov  3 08:02:18 polariseer pluto[19762]: "peperstraat" #7309: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
>>>> Nov  3 08:02:18 polariseer pluto[19762]: "peperstraat" #7309: starting keying attempt 14 of an unlimited number
>>>> Nov  3 08:02:18 polariseer pluto[19762]: "peperstraat" #7495: initiating Main Mode to replace #7309
>>>> Nov  3 08:04:08 polariseer pluto[19762]: "peperstraat" #7330: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
>>>> Nov  3 08:04:08 polariseer pluto[19762]: "peperstraat" #7330: starting keying attempt 5 of an unlimited number
>>>> Nov  3 08:04:08 polariseer pluto[19762]: "peperstraat" #7516: initiating Main Mode to replace #7330
>>>> Nov  3 08:04:14 polariseer pluto[19762]: "peperstraat" #7341: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
>>>> Nov  3 08:04:14 polariseer pluto[19762]: "peperstraat" #7341: starting keying attempt 69 of an unlimited number
>>>> Nov  3 08:04:14 polariseer pluto[19762]: "peperstraat" #7519: initiating Main Mode to replace #7341
>>>> Nov  3 08:04:14 polariseer pluto[19762]: "peperstraat" #7333: max number of retransmissions (20) reached STATE_MAIN_I1.  No response (or no acceptable response) to our first IKE message
>>>> Nov  3 08:04:14 polariseer pluto[19762]: "peperstraat" #7333: starting keying attempt 37 of an unlimited number
>>>> Nov  3 08:04:14 polariseer pluto[19762]: "peperstraat" #7527: initiating Main Mode to replace #7333
>>>> ---/---
>>>>
>>>> Could anyone shed some light on why this would be happening?
>>>> Since I got a fair number of tunnels, the logs are filling up quite fast this way.
>>>>
>>>> (At first I thought it was a keylife mismatch, but on the drayteks the
>>>> key lifetimes are set to 8 hours for phase 1, and 1 hour for phase 2, which,
>>>> if I read the manpage correctly, are the defaults of salifetime and
>>>> ikelifetime, respectively.)
>>>>
>>>> Thanks,
>>>>
>>>> roel
>>>>
>>>>
>>>> Setup:
>>>> Slackware 13.1, kernel 2.6.32.23
>>>> Openswan version: happens with all tested versions: 2.6.29, 2.6.31,
>>>> latest git
>>>>
>>>> ---/ ipsec.conf /---
>>>> version 2.0
>>>> config setup
>>>>     # KLIPS stack, with the ipsec0 virtual interface bound to eth1
>>>>     interfaces="ipsec0=eth1"
>>>>     # private ranges accepted behind NATed peers; the local LAN is excluded
>>>>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.0.0.0/24
>>>>     # no opportunistic encryption
>>>>     oe=off
>>>>     protostack=klips
>>>>
>>>> # one conn per Draytek; the shared settings are pulled in from "general"
>>>> conn peperstraat
>>>>     right=188.204.xxx.yyy
>>>>     rightsubnet=10.10.8.1/24
>>>>     also=general
>>>>
>>>> # included via also=general above; it has to come after the conns that use it
>>>> conn general
>>>>     type=tunnel
>>>>     left=87.253.148.33
>>>>     leftsubnet=10.0.0.1/24
>>>>     authby=secret
>>>>     # install the policy only; the first matching packet triggers negotiation
>>>>     auto=route
>>>>     pfs=yes
>>>>     ike=3des
>>>>     # DPD probe every 30 s, peer declared dead after 150 s, then re-initiate
>>>>     dpddelay=30
>>>>     dpdtimeout=150
>>>>     dpdaction=restart
>>>> ---/---
>>>>
>>>>
>>>> _______________________________________________
>>>> Users at openswan.org
>>>> http://lists.openswan.org/mailman/listinfo/users
>>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>>> Building and Integrating Virtual Private Networks with Openswan:
>>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
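The configuration the thread ends up at, written out as an added example rather than Roel's posted file or anything from the Openswan project: one shared section, one conn for a Draytek in Dial-Out mode with rekey=no, and one for a Draytek in Both mode that keeps the default. The addresses are RFC 5737 documentation placeholders and the conn names are invented. The phase 1 / phase 2 lifetimes are the 8 h / 1 h values Roel reports on the Drayteks, set explicitly because Openswan's own defaults are the other way round (ikelifetime=1h, salifetime=8h).

```ini
# Added example (not the config from the thread). Addresses are
# RFC 5737 documentation placeholders, conn names are invented.
version 2.0

config setup
    interfaces="ipsec0=eth1"
    protostack=klips
    oe=off

# Draytek set to Dial-Out: it only ever initiates. With the default
# rekey=yes pluto tries to replace each SA itself before it expires,
# the Draytek never answers the Main Mode packet, and after 20
# retransmissions pluto logs "starting keying attempt N of an
# unlimited number" (keyingtries=%forever is the default) and loops.
# rekey=no leaves every rekey to the Draytek, which is the fix Roel
# settled on.
conn draytek-dialout
    right=192.0.2.10
    rightsubnet=10.10.8.0/24
    rekey=no
    also=draytek-common

# Draytek set to Both: it also answers as responder, so the default
# rekey=yes is fine and pluto may rekey on its own schedule.
conn draytek-both
    right=192.0.2.20
    rightsubnet=10.10.9.0/24
    also=draytek-common

# Shared settings. ipsec.conf(5) requires a section named in also= to
# follow the sections that include it, hence the order.
conn draytek-common
    type=tunnel
    left=198.51.100.1
    leftsubnet=10.0.0.0/24
    authby=secret
    auto=route
    pfs=yes
    # kept from the thread; prefer AES where the Draytek firmware allows it
    ike=3des
    # the 8 h / 1 h values Roel reports on the Drayteks, written out
    # because Openswan's defaults are the reverse (ikelifetime=1h,
    # salifetime=8h)
    ikelifetime=8h
    salifetime=1h
    # DPD as in the thread
    dpddelay=30
    dpdtimeout=150
    dpdaction=restart
```

Two caveats before copying this. rekey=no means pluto never initiates a replacement, so if a Dial-Out Draytek misses a rekey the tunnel stays down until that router dials in again. dpdaction=restart is kept as in the thread, but against a Dial-Out peer a DPD-triggered restart runs into the same unanswered Main Mode and keyingtries loop, so after a genuine outage expect the "max number of retransmissions" lines to return until the Draytek reconnects.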