[Openswan Users] DPD and XAUTH problem

Murat Sezgin sezginmurat at gmail.com
Tue Jan 4 16:57:14 EST 2011


Hi all,

I am trying to make a direct connection between an Openswan roadwarrior
client (Ubuntu) and an Openswan server.

The client's version is: Openswan U2.6.26/K2.6.35-24-generic (netkey)
The server's version is: 2.6.24rc4

The server is a VPN router.

Both DPD and XAUTH are enabled. The connection is established successfully,
but when I unplug the cables between the peers, the client does not timeout
after the DPD timeout value. I see the below logs in the /var/log/auth.log
file. Can you please tell me what is wrong here?

Jan  4 13:36:43 msezgin-laptop pluto[6001]: "xauthclient" #1: initiating Main Mode
Jan  4 13:36:43 msezgin-laptop pluto[6001]: "xauthclient" #1: ignoring unknown Vendor ID payload [4f454a64436d56714e727861]
Jan  4 13:36:43 msezgin-laptop pluto[6001]: "xauthclient" #1: received Vendor ID payload [Dead Peer Detection]
Jan  4 13:36:43 msezgin-laptop pluto[6001]: "xauthclient" #1: received Vendor ID payload [XAUTH]
Jan  4 13:36:43 msezgin-laptop pluto[6001]: "xauthclient" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan  4 13:36:43 msezgin-laptop pluto[6001]: "xauthclient" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jan  4 13:36:44 msezgin-laptop pluto[6001]: "xauthclient" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan  4 13:36:44 msezgin-laptop pluto[6001]: "xauthclient" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jan  4 13:36:44 msezgin-laptop pluto[6001]: "xauthclient" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.2.142'
Jan  4 13:36:44 msezgin-laptop pluto[6001]: "xauthclient" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jan  4 13:36:44 msezgin-laptop pluto[6001]: "xauthclient" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_md5 group=modp1536}
Jan  4 13:36:44 msezgin-laptop pluto[6001]: "xauthclient" #1: Dead Peer Detection (RFC 3706): enabled
Jan  4 13:36:49 msezgin-laptop pluto[6001]: "xauthclient" #1: XAUTH: Answering XAUTH challenge with user='guest1'
Jan  4 13:36:49 msezgin-laptop pluto[6001]: "xauthclient" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
Jan  4 13:36:49 msezgin-laptop pluto[6001]: "xauthclient" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Jan  4 13:36:49 msezgin-laptop pluto[6001]: "xauthclient" #1: Dead Peer Detection (RFC 3706): enabled
Jan  4 13:36:49 msezgin-laptop pluto[6001]: "xauthclient" #1: XAUTH: Successfully Authenticated
Jan  4 13:36:49 msezgin-laptop pluto[6001]: "xauthclient" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
Jan  4 13:36:49 msezgin-laptop pluto[6001]: "xauthclient" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Jan  4 13:36:49 msezgin-laptop pluto[6001]: "xauthclient" #1: Dead Peer Detection (RFC 3706): enabled
Jan  4 13:36:49 msezgin-laptop pluto[6001]: "xauthclient" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1 msgid:057c1ccd proposal=defaults pfsgroup=OAKLEY_GROUP_MODP1536}
Jan  4 13:36:50 msezgin-laptop pluto[6001]: "xauthclient" #2: Dead Peer Detection (RFC 3706): enabled
Jan  4 13:36:50 msezgin-laptop pluto[6001]: "xauthclient" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jan  4 13:36:50 msezgin-laptop pluto[6001]: "xauthclient" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4ba891cf <0xd62162fc xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jan  4 13:37:20 msezgin-laptop pluto[6001]: "xauthclient" #2: DPD: could not find newest phase 1 state


My client's ipsec.conf  file is as below:

config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        #nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. netkey,klips,mast,auto or none
        protostack=netkey

conn xauthclient
        left=%defaultroute
        leftxauthclient=yes
        right=192.168.2.142
        rightsubnet=192.168.0.0/24
        rightsourceip=192.168.0.1
        dpddelay=30
        dpdtimeout=120
        dpdaction=hold
        authby=secret
        auto=add
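A small log-correlation script, added here as an example and not part of the original post or of Openswan: it parses pluto lines in the format shown above, rebuilds the per-SA state history, and checks each "DPD: could not find newest phase 1 state" event against the `dpddelay`/`dpdtimeout` values from the posted `ipsec.conf`. On the post's own lines it shows that the error appears exactly `dpddelay` (30 s) after the IPsec SA came up, i.e. at the very first DPD probe, long before `dpdtimeout` could expire, and that the last state pluto logged for the phase 1 SA (#1) is `STATE_XAUTH_I1`, not `STATE_MAIN_I4`. The sample log is a constructed excerpt of the poster's lines re-joined onto single lines; the year 2011 is assumed from the message header because syslog timestamps carry none.

```python
"""Correlate pluto DPD log lines with a connection's dpddelay/dpdtimeout.

Added example for the Openswan thread above, not project code. SAMPLE_LOG is a
constructed excerpt of the poster's auth.log lines, re-joined one event per line.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
Jan  4 13:36:43 msezgin-laptop pluto[6001]: "xauthclient" #1: initiating Main Mode
Jan  4 13:36:44 msezgin-laptop pluto[6001]: "xauthclient" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jan  4 13:36:44 msezgin-laptop pluto[6001]: "xauthclient" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_md5 group=modp1536}
Jan  4 13:36:44 msezgin-laptop pluto[6001]: "xauthclient" #1: Dead Peer Detection (RFC 3706): enabled
Jan  4 13:36:49 msezgin-laptop pluto[6001]: "xauthclient" #1: XAUTH: Successfully Authenticated
Jan  4 13:36:49 msezgin-laptop pluto[6001]: "xauthclient" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
Jan  4 13:36:50 msezgin-laptop pluto[6001]: "xauthclient" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jan  4 13:36:50 msezgin-laptop pluto[6001]: "xauthclient" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4ba891cf <0xd62162fc xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jan  4 13:37:20 msezgin-laptop pluto[6001]: "xauthclient" #2: DPD: could not find newest phase 1 state
"""

# syslog prefix, then pluto's  "conn" #N: message  convention
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$'
)
TRANSITION_RE = re.compile(r"transition from state (\S+) to state (\S+)")
DPD_NO_PHASE1 = "DPD: could not find newest phase 1 state"


def parse_pluto_log(text, year=2011):
    """Return one dict per pluto line: timestamp, conn name, SA number, message.

    `year` is assumed: syslog timestamps do not carry one."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a pluto line (or a wrapped fragment); skip it
        mon, day, clock = m.group("ts").split()
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "conn": m.group("conn"),
                       "sa": int(m.group("sa")), "msg": m.group("msg")})
    return events


def last_state(events, sa):
    """Last state pluto reported for SA number `sa` (None if no transitions)."""
    state = None
    for ev in events:
        if ev["sa"] == sa:
            m = TRANSITION_RE.search(ev["msg"])
            if m:
                state = m.group(2)
    return state


def analyse_dpd(events, dpddelay, dpdtimeout):
    """For each 'could not find newest phase 1 state' line, report how long after
    its IPsec SA came up it fired, whether that matches the first DPD probe
    (dpddelay) or the timeout, and the last logged state of the phase 1 SA."""
    phase1_sa = None
    established = {}  # IPsec SA number -> time its tunnel came up
    findings = []
    for ev in events:
        if "ISAKMP SA established" in ev["msg"]:
            phase1_sa = ev["sa"]
        elif "IPsec SA established" in ev["msg"]:
            established[ev["sa"]] = ev["ts"]
        elif ev["msg"].startswith(DPD_NO_PHASE1):
            since = None
            if ev["sa"] in established:
                since = (ev["ts"] - established[ev["sa"]]).total_seconds()
            findings.append({
                "conn": ev["conn"],
                "ipsec_sa": ev["sa"],
                "seconds_after_established": since,
                # the first DPD probe is due dpddelay seconds after the tunnel is up
                "at_first_dpd_probe": since is not None and since == dpddelay,
                "dpdtimeout_reached": since is not None and since >= dpdtimeout,
                "phase1_sa": phase1_sa,
                "phase1_last_state": last_state(events, phase1_sa) if phase1_sa else None,
            })
    return findings


if __name__ == "__main__":
    # dpddelay/dpdtimeout taken from the posted conn xauthclient
    for finding in analyse_dpd(parse_pluto_log(SAMPLE_LOG), dpddelay=30, dpdtimeout=120):
        print(finding)
```

Run against a full `/var/log/auth.log`, `analyse_dpd` gives one finding per DPD failure; a finding with `at_first_dpd_probe` true and `dpdtimeout_reached` false says the problem is not a slow timeout but that DPD never got a usable phase 1 state to probe with, which is what separates this report from an ordinary "peer went away and `dpdaction=hold` kicked in" sequence.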