[Openswan Users] IPSec hanging processes
Peter Shulkin
pshulkin at demoulasmarketbasket.com
Thu Sep 16 15:38:13 EDT 2010
Thanks in advance for any assistance you can give me.
I have a RedHat EL 5.4 server (2.6.18-164.el5), with disks from 2
Windows server 2003 R2 shares NFS hard-mounted on it. I have IPSec
(openswan-2.6.21-5.el5) running from the Linux server to the Windows
servers. The connections have been timing out after about 10-15
minutes, so I have cron jobs (keep-alive) every 10 minutes on the Linux
server that do an "ipsec auto --up acspri" and "ipsec auto --up acssec".
The connection to acspri works just fine, but the acssec command leaves
hanging processes (four for each 10 minute interval). I can clear them
out by doing an "ipsec auto --down acssec", then "ipsec auto --up acssec"
but this causes the connection to break. It eventually restarts, but
usually gives NFS timeouts and a number of these messages:
010 "acssec" #4351: STATE_MAIN_I1: retransmission; will wait 20s for response
010 "acssec" #4351: STATE_MAIN_I1: retransmission; will wait 40s for response
I end up with many, many processes hanging out there
root 1739 1737 0 04:30 ? 00:00:00 /bin/sh -c /usr/sbin/ipsec auto --up acssec 2>&1
root 1740 1739 0 04:30 ? 00:00:00 /bin/sh /usr/libexec/ipsec/auto --up acssec
root 1744 1740 0 04:30 ? 00:00:00 /bin/sh /usr/libexec/ipsec/auto --up acssec
root 1754 1752 0 04:30 ? 00:00:00 /usr/libexec/ipsec/whack -name acssec -initiate
root 1941 1939 0 04:40 ? 00:00:00 /bin/sh -c /usr/sbin/ipsec auto --up acssec 2>&1
root 1942 1941 0 04:40 ? 00:00:00 /bin/sh /usr/libexec/ipsec/auto --up acssec
root 1946 1942 0 04:40 ? 00:00:00 /bin/sh /usr/libexec/ipsec/auto --up acssec
root 1953 1951 0 04:40 ? 00:00:00 /usr/libexec/ipsec/whack -name acssec -initiate
And so on. The only difference between acspri and acssec is that acspri
has a process that is active on that directory most of the time. The
keep-alive processes cause lots of entries over the course of a day, so
trying to get a "ps -ef" is very messy.
In the secure log, I see this:
Sep 16 15:20:47 store192 pluto[4653]: "acssec" #4428: received and ignored informational message
Sep 16 15:22:05 store192 pluto[4653]: "acssec" #4428: ignoring Delete SA payload: not encrypted
Sep 16 15:22:05 store192 pluto[4653]: "acssec" #4428: received and ignored informational message
Sep 16 15:22:07 store192 pluto[4653]: "acssec" #4428: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
Sep 16 15:22:07 store192 pluto[4653]: "acssec" #4428: starting keying attempt 20 of an unlimited number
Sep 16 15:22:07 store192 pluto[4653]: "acssec" #4432: initiating Main Mode to replace #4428
Sep 16 15:22:07 store192 pluto[4653]: "acssec" #4432: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Sep 16 15:22:07 store192 pluto[4653]: "acssec" #4432: received and ignored informational message
In my ipsec.conf file:
conn acssec
    left=xxx.xxx.xxx.xxx
    leftnexthop= xxx.xxx.xxx.1
    right=yyy.yyy.yyy.yyy
    rightnexthop= yyy.yyy.yyy.1
    keyingtries=%forever
    type=transport
    authby=secret
    salifetime=28800s
    auto=add
    keyexchange=ike
    pfs=no
    esp=3des-md5-96
Acspri and acssec are identical, except for their IP addresses.
Can anyone help me stop these processes from hanging, or help me find
another way to keep the shares active longer?
Thanks very much,
Peter
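
Added example, not part of the original post and not Openswan code: a small Python triage of the pluto lines quoted above that groups them by connection and counts the failure messages, so a negotiation that never leaves STATE_MAIN_I1 stands out without scrolling the secure log. The function name triage and the signal labels are this example's own; the sample input is the post's log excerpt with the mail line wrapping undone.

```python
import re
from collections import Counter

# Constructed sample: the pluto lines quoted in the post, with mail line-wrapping undone.
SAMPLE_LOG = '''\
Sep 16 15:20:47 store192 pluto[4653]: "acssec" #4428: received and ignored informational message
Sep 16 15:22:05 store192 pluto[4653]: "acssec" #4428: ignoring Delete SA payload: not encrypted
Sep 16 15:22:05 store192 pluto[4653]: "acssec" #4428: received and ignored informational message
Sep 16 15:22:07 store192 pluto[4653]: "acssec" #4428: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
Sep 16 15:22:07 store192 pluto[4653]: "acssec" #4428: starting keying attempt 20 of an unlimited number
Sep 16 15:22:07 store192 pluto[4653]: "acssec" #4432: initiating Main Mode to replace #4428
Sep 16 15:22:07 store192 pluto[4653]: "acssec" #4432: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Sep 16 15:22:07 store192 pluto[4653]: "acssec" #4432: received and ignored informational message
'''

# pluto line layout: ... pluto[pid]: "conn" #state: message
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)')

# Labels are this example's own names; the patterns are the message texts in the post.
SIGNALS = {
    "retransmit_exhausted": re.compile(r"max number of retransmissions \(\d+\) reached (STATE_\w+)"),
    "keying_attempt": re.compile(r"starting keying attempt (\d+) of"),
    "no_proposal_chosen": re.compile(r"type (NO_PROPOSAL_CHOSEN)"),
    "unencrypted_delete": re.compile(r"ignoring (Delete SA) payload: not encrypted"),
    "informational_ignored": re.compile(r"received and ignored (informational) message"),
}

def triage(log_text):
    """Return {conn: {"counts": Counter, "states": [ids], "stuck_in": state or None, "attempt": int}}."""
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a per-connection pluto line
        entry = report.setdefault(
            m["conn"], {"counts": Counter(), "states": [], "stuck_in": None, "attempt": 0})
        if m["state"] not in entry["states"]:
            entry["states"].append(m["state"])  # state numbers in order of first appearance
        for label, pattern in SIGNALS.items():
            hit = pattern.search(m["msg"])
            if not hit:
                continue
            entry["counts"][label] += 1
            if label == "retransmit_exhausted":
                entry["stuck_in"] = hit.group(1)  # IKE state the exchange timed out in
            elif label == "keying_attempt":
                entry["attempt"] = max(entry["attempt"], int(hit.group(1)))
    return report

if __name__ == "__main__":
    for conn, e in triage(SAMPLE_LOG).items():
        print(conn, e["states"], e["stuck_in"], e["attempt"], dict(e["counts"]))
```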