[Openswan Users] ipsec / xl2tpd disconnecting in just under 1 hour

Matthew Twomey mtwomey at beakstar.com
Fri Apr 29 19:48:18 EDT 2011


Paul,

I agree that it appears to be some sort of re-key issue. However, I 
can't seem to get it working no matter what I try. I am running openswan 
on the Ubuntu client side, but that log message you mentioned below is 
from the server side, which is running strongswan.

Is there a trick to getting the two to inter-operate properly?

Thanks,

-Matt

On 04/22/2011 03:34 PM, Paul Wouters wrote:
> On Fri, 22 Apr 2011, Matthew Twomey wrote:
>
>> Well, after further digging into this, I'm wondering if it's
>> disconnecting due to the key expiring? Any thoughts?
>
> It looks more like a rekey failure. The IPsec connection rekeys, but the
> xl2tpd fails to pick up the new channel, fails and disconnects.
>
>>> X.X.X.X:10941 #173: sent QI2, IPsec SA established {ESP=>0xd56eda44
>>> <0xb3160bce NATOA=0.0.0.0}
>
> A NATOA of 0.0.0.0 is very strange and suspicious......
> I don't think that's an IETF RFC compliant answer? Is that openswan on
> the Ubuntu client?
>
> Paul
>
>> Thanks,
>>
>> -Matt
>>
>> On 04/19/2011 04:47 PM, Matthew Twomey wrote:
>>> Greetings,
>>>
>>> I've set up a "road warrior" style l2tp tunnel from a Linux client to a
>>> Linux host, but it seems to drop consistently just under the 1 hour
>>> mark. It appears to drop whether I'm using it or not (so it doesn't
>>> appear to be an idle timeout). I'm fairly new to this sort of thing in a
>>> Linux environment, but here's what I'm seeing in the logs.
>>>
>>> On the server just prior to the drop:
>>>
>>> ##### /var/log/messages/
>>> Apr 19 21:28:08 vyatta pluto[2019]: "remote-access-mac-zzz"[176]
>>> X.X.X.X:10941 #173: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY
>>> to replace #171 {using isakmp#172}
>>> Apr 19 21:28:08 vyatta pluto[2019]: "remote-access-mac-zzz"[176]
>>> X.X.X.X:10941 #173: Dead Peer Detection (RFC 3706) enabled
>>> Apr 19 21:28:08 vyatta pluto[2019]: "remote-access-mac-zzz"[176]
>>> X.X.X.X:10941 #173: sent QI2, IPsec SA established {ESP=>0xd56eda44
>>> <0xb3160bce NATOA=0.0.0.0}
>>> Apr 19 21:28:47 vyatta xl2tpd[2262]: Maximum retries exceeded for tunnel
>>> 49382.  Closing.
>>> Apr 19 21:29:42 vyatta pppd[8828]: Modem hangup
>>> #####
>>>
>>> This is followed up with additional messages about things disconnecting.
>>>
>>> On the client side I see (apologies, but the clock is off currently on
>>> one side - these logs are from the same timeframe):
>>>
>>> ##### /var/log/daemon
>>> Apr 19 16:28:46 localhost xl2tpd[16159]: Maximum retries exceeded for
>>> tunnel 35420.  Closing.
>>> Apr 19 16:28:47 localhost xl2tpd[16159]: Terminating pppd: sending TERM
>>> signal to pid 16216
>>> #####
>>>
>>> The client is an Ubuntu 10.10 system and the server is a Vyatta software
>>> router:
>>>
>>> #####
>>> $ uname -a
>>> Linux vyatta 2.6.35-1-586-vyatta #1 SMP Fri Feb 4 05:07:37 PST 2011 i686
>>> GNU/Linux
>>> #####
>>>
>>> I'm not sure where I should be looking here or how to continue
>>> troubleshooting?
>>>
>>> Thanks,
>>>
>>> -Matt
>>> _______________________________________________
>>> Users at openswan.org
>>> http://lists.openswan.org/mailman/listinfo/users
>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>> Building and Integrating Virtual Private Networks with Openswan:
>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155 
>>>
>>
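The sequence Paul describes, an IPsec rekey followed within seconds by xl2tpd giving up on the tunnel, is easy to miss when reading syslog by hand. The script below is an added example (not part of this thread, nor code from Openswan, strongSwan or xl2tpd): it parses the pluto and xl2tpd lines in the format quoted above, pairs each "Maximum retries exceeded" drop with the most recent Quick Mode rekey, and flags a NATOA of 0.0.0.0 on the new SA. The sample log is the server excerpt from the thread, embedded verbatim; the 120-second correlation window is an assumption chosen for this example.

```python
"""Correlate pluto (IKE) rekeys with xl2tpd tunnel drops in a syslog excerpt.

Added example for the thread above; not part of the original mail nor of the
Openswan/strongSwan/xl2tpd projects. The parsed format is the one quoted in
the thread (syslog prefix, pluto "#N:" SA tags, xl2tpd "Maximum retries" line).
"""
import re
from datetime import datetime

# Sample input: the server-side lines quoted in the thread, joined back onto
# single lines (the mail client had wrapped them).
SAMPLE_LOG = """\
Apr 19 21:28:08 vyatta pluto[2019]: "remote-access-mac-zzz"[176] X.X.X.X:10941 #173: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY to replace #171 {using isakmp#172}
Apr 19 21:28:08 vyatta pluto[2019]: "remote-access-mac-zzz"[176] X.X.X.X:10941 #173: Dead Peer Detection (RFC 3706) enabled
Apr 19 21:28:08 vyatta pluto[2019]: "remote-access-mac-zzz"[176] X.X.X.X:10941 #173: sent QI2, IPsec SA established {ESP=>0xd56eda44 <0xb3160bce NATOA=0.0.0.0}
Apr 19 21:28:47 vyatta xl2tpd[2262]: Maximum retries exceeded for tunnel 49382.  Closing.
Apr 19 21:29:42 vyatta pppd[8828]: Modem hangup
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
                       r"(?P<prog>[\w./-]+)\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
REKEY_RE = re.compile(r"#(?P<sa>\d+): initiating Quick Mode (?P<policy>\S+) to replace #(?P<old>\d+)")
ESTAB_RE = re.compile(r"#(?P<sa>\d+): sent QI2, IPsec SA established \{ESP=>(?P<out>0x[0-9a-f]+) "
                      r"<(?P<inn>0x[0-9a-f]+)(?: NATOA=(?P<natoa>[\d.]+))?\}")
DROP_RE = re.compile(r"Maximum retries exceeded for tunnel (?P<tunnel>\d+)")


def parse_ts(raw):
    # syslog timestamps carry no year; a fixed default year is fine for deltas
    return datetime.strptime(re.sub(r"\s+", " ", raw), "%b %d %H:%M:%S")


def parse_events(text):
    """Extract rekey / SA-established / tunnel-drop events, in log order."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, prog, msg = parse_ts(m["ts"]), m["prog"], m["msg"]
        if prog == "pluto":
            r = REKEY_RE.search(msg)
            if r:
                events.append({"ts": ts, "kind": "rekey", "sa": r["sa"],
                               "old": r["old"], "policy": r["policy"]})
                continue
            e = ESTAB_RE.search(msg)
            if e:
                events.append({"ts": ts, "kind": "established", "sa": e["sa"],
                               "natoa": e["natoa"]})
        elif prog == "xl2tpd":
            d = DROP_RE.search(msg)
            if d:
                events.append({"ts": ts, "kind": "drop", "tunnel": d["tunnel"]})
    return events


def correlate(text, window_seconds=120):
    """Pair each xl2tpd drop with the latest rekey inside the window (assumed 120 s)."""
    events = parse_events(text)
    findings = []
    for drop in (e for e in events if e["kind"] == "drop"):
        prior = [e for e in events if e["kind"] == "rekey"
                 and 0 <= (drop["ts"] - e["ts"]).total_seconds() <= window_seconds]
        if not prior:
            findings.append({"tunnel": drop["tunnel"], "rekey_sa": None,
                             "verdict": "drop without recent rekey"})
            continue
        rekey = max(prior, key=lambda e: e["ts"])
        estab = next((e for e in events
                      if e["kind"] == "established" and e["sa"] == rekey["sa"]), None)
        natoa = estab["natoa"] if estab else None
        findings.append({
            "tunnel": drop["tunnel"],
            "rekey_sa": rekey["sa"],
            "replaced_sa": rekey["old"],
            "policy": rekey["policy"],
            "seconds_after_rekey": int((drop["ts"] - rekey["ts"]).total_seconds()),
            "new_sa_established": estab is not None,
            "natoa": natoa,
            # Paul's point: a NAT-OA of 0.0.0.0 is not a sensible peer address
            "suspicious_natoa": natoa == "0.0.0.0",
            "verdict": "L2TP dropped shortly after IPsec rekey",
        })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f)
```

Run against the thread's excerpt it reports one finding: tunnel 49382 closed 39 seconds after SA #173 replaced #171, with the new SA carrying NATOA=0.0.0.0. Feeding it a longer log (both sides, once the clocks are aligned) shows whether every drop lines up with a rekey, which is the quickest way to confirm or rule out Paul's diagnosis before touching lifetimes or NAT-T settings.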
