[Openswan Users] Tunnel failed to renegotiate keys

Luc Paulin paulinster at gmail.com
Wed Oct 20 13:42:35 EDT 2010


Hi Everyone,
Last night our ipsec tunnel went down. After looking at the log file, it
looks like the key exchange didn't happen properly. I do see a lot of errors at
the last key exchange that happened before the tunnel went down.

Oct 19 16:17:03 fwny-01 pluto[14450]: "nyctomtl" #1082: initiating Quick
Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #1078 {using
isakmp#1081 msgid:9d32925c proposal=AES(12)_128-SHA1(2)_160
pfsgroup=OAKLEY_GROUP_MODP2048}
Oct 19 16:17:03 fwny-01 pluto[14450]: pluto_do_crypto: helper (-1) is
exiting
Oct 19 16:18:13 fwny-01 pluto[14450]: "nyctomtl" #1082: max number of
retransmissions (2) reached STATE_QUICK_I1
Oct 19 16:18:13 fwny-01 pluto[14450]: "nyctomtl" #1082: starting keying
attempt 2 of an unlimited number


Oct 19 16:29:13 fwny-01 pluto[14450]: packet from 1.2.3.4:500:
pluto_do_crypto: helper (-1) is  exiting
ATOA=none NATD=none DPD=none}
Oct 19 16:29:13 fwny-01 pluto[14450]: packet from 1.2.3.4:500:
pluto_do_crypto: helper (-1) is  exiting
Oct 19 16:29:13 fwny-01 pluto[14450]: "nyctomtl" #1092: ERROR: netlink
response for Add SA esp.fe9f0294 at 4.3.2.1 included errno 3: No such process
Oct 19 16:29:23 fwny-01 pluto[14450]: "nyctomtl" #1092: discarding duplicate
packet; already STATE_QUICK_I1
Oct 19 16:29:43 fwny-01 pluto[14450]: "nyctomtl" #1092: discarding duplicate
packet; already STATE_QUICK_I1
Oct 19 16:29:53 fwny-01 pluto[14450]: "nyctomtl" #1092: max number of
retransmissions (2) reached STATE_QUICK_I1
Oct 19 16:29:53 fwny-01 pluto[14450]: "nyctomtl" #1092: starting keying
attempt 12 of an unlimited number
db0213c proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP2048}
Oct 19 16:29:53 fwny-01 pluto[14450]: pluto_do_crypto: helper (-1) is
exiting
Oct 19 16:29:53 fwny-01 pluto[14450]: packet from 1.2.3.4:500:
pluto_do_crypto: helper (-1) is  exiting

Oct 19 16:30:23 fwny-01 pluto[14450]: "nyctomtl" #1081: sending notification
PAYLOAD_MALFORMED to 1.2.3.4:500
Oct 19 16:31:03 fwny-01 pluto[14450]: "nyctomtl" #1081: byte 2 of ISAKMP
Hash Payload must be zero, but is not
Oct 19 16:31:03 fwny-01 pluto[14450]: "nyctomtl" #1081: malformed payload in
packet

I am trying to understand what happened, but since this was working fine for
the past 2-3 months I am not able to understand why the rekey would have failed this
time. I can provide a more detailed log as well as the configuration info if
needed.

System is CentOS 5.5, with openswan-2.6.21-5.el5_4.2



-- 
                         !!!!!
                       ( o o )
 --------------oOO----(_)----OOo--------------
Luc Paulin  |  paulinster(at)gmail.com
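The pluto messages quoted in this post (retransmission limit reached in STATE_QUICK_I1, an ever-growing keying attempt counter, a netlink "No such process" error on SA install, and PAYLOAD_MALFORMED on the ISAKMP SA) are the kind of thing worth pulling out of syslog automatically so a looping rekey is noticed before the tunnel drops. The script below is an added example, not code from the post or from the Openswan project. It parses pluto syslog lines per connection name, counts those four event types, and emits a short per-connection finding list. The sample lines are the ones from the post with the mail client's line wrapping undone; the attempt threshold of 3 is an assumption chosen for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Syslog prefix as it appears in the post: "Oct 19 16:18:13 fwny-01 pluto[14450]: ..."
PREFIX = re.compile(r'^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+pluto\[\d+\]:\s*(?P<msg>.*)$')
# Connection-scoped messages start with the quoted conn name and a state number.
STATE = re.compile(r'^"(?P<conn>[^"]+)"\s+#(?P<sa>\d+):\s*(?P<body>.*)$')
RETRANS = re.compile(r'max number of retransmissions \((?P<n>\d+)\) reached (?P<state>STATE_\w+)')
ATTEMPT = re.compile(r'starting keying attempt (?P<n>\d+) of')
NETLINK = re.compile(r'ERROR: netlink response for (?P<op>[\w ]+?) (?P<spi>esp\.[0-9a-f]+) '
                     r'at (?P<peer>\S+) included errno (?P<errno>\d+): (?P<text>.*)')
MALFORMED = re.compile(r'malformed payload|PAYLOAD_MALFORMED|must be zero, but is not')
HELPER_EXIT = 'pluto_do_crypto: helper (-1) is'


@dataclass
class ConnStats:
    retrans_exhausted: int = 0          # "max number of retransmissions" events
    max_attempt: int = 0                # highest "starting keying attempt N" seen
    states_stuck: set = field(default_factory=set)
    netlink_errors: list = field(default_factory=list)  # (sa, spi, errno, text)
    malformed: int = 0                  # PAYLOAD_MALFORMED / malformed payload events


def parse_line(line):
    """Return (conn, sa, body); conn and sa are None for lines without a connection."""
    m = PREFIX.match(line)
    if not m:
        return None
    msg = m.group('msg')
    s = STATE.match(msg)
    if s:
        return s.group('conn'), int(s.group('sa')), s.group('body')
    return None, None, msg


def triage(lines):
    """Aggregate rekey-related events per connection; also count crypto helper exits."""
    per_conn = defaultdict(ConnStats)
    helper_exits = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        conn, sa, body = parsed
        if HELPER_EXIT in body:
            helper_exits += 1
        if conn is None:
            continue
        st = per_conn[conn]
        r = RETRANS.search(body)
        if r:
            st.retrans_exhausted += 1
            st.states_stuck.add(r.group('state'))
        a = ATTEMPT.search(body)
        if a:
            st.max_attempt = max(st.max_attempt, int(a.group('n')))
        n = NETLINK.search(body)
        if n:
            st.netlink_errors.append((sa, n.group('spi'), int(n.group('errno')), n.group('text')))
        if MALFORMED.search(body):
            st.malformed += 1
    return dict(per_conn), helper_exits


def verdicts(per_conn, attempt_threshold=3):
    """Turn the counters into human-readable findings per connection (threshold is an assumption)."""
    out = {}
    for conn, st in per_conn.items():
        findings = []
        if st.max_attempt >= attempt_threshold:
            findings.append(f'rekey looping: {st.max_attempt} keying attempts, '
                            f'{st.retrans_exhausted} retransmission timeouts in {sorted(st.states_stuck)}')
        for sa, spi, errno, text in st.netlink_errors:
            findings.append(f'kernel refused SA install for #{sa} ({spi}): errno {errno} {text}')
        if st.malformed:
            findings.append(f'{st.malformed} malformed-payload events on the ISAKMP SA')
        out[conn] = findings
    return out


# Constructed sample: the post's lines, unwrapped onto single syslog lines.
SAMPLE_LOG = """\
Oct 19 16:17:03 fwny-01 pluto[14450]: "nyctomtl" #1082: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #1078 {using isakmp#1081 msgid:9d32925c proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP2048}
Oct 19 16:17:03 fwny-01 pluto[14450]: pluto_do_crypto: helper (-1) is exiting
Oct 19 16:18:13 fwny-01 pluto[14450]: "nyctomtl" #1082: max number of retransmissions (2) reached STATE_QUICK_I1
Oct 19 16:18:13 fwny-01 pluto[14450]: "nyctomtl" #1082: starting keying attempt 2 of an unlimited number
Oct 19 16:29:13 fwny-01 pluto[14450]: packet from 1.2.3.4:500: pluto_do_crypto: helper (-1) is  exiting
Oct 19 16:29:13 fwny-01 pluto[14450]: "nyctomtl" #1092: ERROR: netlink response for Add SA esp.fe9f0294 at 4.3.2.1 included errno 3: No such process
Oct 19 16:29:23 fwny-01 pluto[14450]: "nyctomtl" #1092: discarding duplicate packet; already STATE_QUICK_I1
Oct 19 16:29:53 fwny-01 pluto[14450]: "nyctomtl" #1092: max number of retransmissions (2) reached STATE_QUICK_I1
Oct 19 16:29:53 fwny-01 pluto[14450]: "nyctomtl" #1092: starting keying attempt 12 of an unlimited number
Oct 19 16:30:23 fwny-01 pluto[14450]: "nyctomtl" #1081: sending notification PAYLOAD_MALFORMED to 1.2.3.4:500
Oct 19 16:31:03 fwny-01 pluto[14450]: "nyctomtl" #1081: byte 2 of ISAKMP Hash Payload must be zero, but is not
Oct 19 16:31:03 fwny-01 pluto[14450]: "nyctomtl" #1081: malformed payload in packet
"""

if __name__ == '__main__':
    stats, exits = triage(SAMPLE_LOG.splitlines())
    print(f'crypto helper exits: {exits}')
    for conn, findings in verdicts(stats).items():
        print(conn)
        for f in findings:
            print('  -', f)
```

Run against a real /var/log/secure it gives one line per connection saying whether the rekey is looping, whether the kernel rejected the SA, and whether the peer is sending payloads pluto cannot parse, which separates a Phase 2 timeout from a kernel-side or Phase 1 problem before anyone has to read the raw log.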