[Openswan Users] DPD and XAUTH problem
Murat Sezgin
sezginmurat at gmail.com
Wed Jan 5 16:46:05 EST 2011
Hi Paul,
I upgraded them (both server and client side) to 2.6.32 but the problem is
still here. It works fine if I don't use XAUTH. If I enable XAUTH the issue
happens. Below are the client's log messages which may be critical for
DPD. I say "may be", because I am not very familiar with the code.
Have you ever tested openswan's DPD feature with XAUTH enabled? I read from
the ipsec.conf man page that xauth connections cannot rekey, so I
also disabled rekeying on both sides, but it also did not help. Why did I
do this? Because on the client side I see '"xauthclient" #2: DPD:
could not find newest phase 1 state', and some google searches told me to
disable rekeying.
Regards,
Murat
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | 31 bc 27 bb 76 4f 1e 84 8f 7c 21 02 99 53 ba 5a
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | unpadded size is: 20
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | emitting 12 zero bytes of encryption padding into ISAKMP Message
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | encrypting 32 using OAKLEY_AES_CBC
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | next IV: e8 41 37 50 87 a0 ce 2a 1e 58 44 f0 b1 9c 52 21
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | emitting length of ISAKMP Message: 60
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | inR1_outI2: instance xauthclient[0], setting newest_ipsec_sa to #2 (was #0) (spd.eroute=#2)
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | ICOOKIE: 06 b9 09 7c a0 c2 b4 5c
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | RCOOKIE: 6c ec 8b 27 c2 9f fd ba
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | state hash entry 30
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | v1 peer and cookies match on #2, provided msgid 00000000 vs 903dd311
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | v1 peer and cookies match on #1, provided msgid 00000000 vs 00000000
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | v1 state object #1 found, in STATE_XAUTH_I1
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: "xauthclient" #2: Dead Peer Detection (RFC 3706): enabled
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | state: 2 requesting event none to be deleted by /home/xxxxx/Downloads/openswan-2.6.32/programs/pluto/dpd.c:162
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | inserting event EVENT_DPD, timeout in 30 seconds for #2
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | event added after event EVENT_DPD for #1
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | state: 1 requesting event EVENT_DPD to be deleted by /home/xxxxx/Downloads/openswan-2.6.32/programs/pluto/dpd.c:174
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | complete state transition with STF_OK
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: "xauthclient" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | deleting event for #2
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | sending reply packet to 192.168.2.142:500 (from port 500)
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | sending 60 bytes for STATE_QUICK_I1 through eth0:500 to 192.168.2.142:500 (using #2)
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | 06 b9 09 7c a0 c2 b4 5c 6c ec 8b 27 c2 9f fd ba
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | 08 10 20 01 90 3d d3 11 00 00 00 3c af 7f fc a6
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | c2 77 31 62 69 14 26 ae 93 39 fd f1 e8 41 37 50
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | 87 a0 ce 2a 1e 58 44 f0 b1 9c 52 21
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | inserting event EVENT_SA_REPLACE, timeout in 28118 seconds for #2
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | event added after event EVENT_REINIT_SECRET
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: "xauthclient" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x2084c974 <0x09c7f7f1 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | modecfg pull: noquirk policy:push not-client
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | phase 1 is done, looking for phase 2 to unpend
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | complete state transition with STF_INLINE
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | * processed 0 messages from cryptographic helpers
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | next event EVENT_DPD in 30 seconds for #2
On Tue, Jan 4, 2011 at 6:50 PM, Paul Wouters <paul at xelerance.com> wrote:
> On Tue, 4 Jan 2011, Murat Sezgin wrote:
>
>> The client's version is: Openswan U2.6.26/K2.6.35-24-generic (netkey)
>> The server's version is: 2.6.24rc4
>>
>> Both DPD and XAUTH are enabled. The connection is established
>> successfully, but when I unplug the cables between the peers, the client
>> does not timeout after the DPD timeout value. I see the below logs in the
>>
>
> Please upgrade to 2.6.31 or 2.6.32. There were some DPD fixes that were
> brought in in those versions.
>
>> My client's ipsec.conf file is as below:
>>
>> dpddelay=30
>> dpdtimeout=120
>> dpdaction=hold
>>
>
> You probably want dpdaction=restart ?
>
> On the server you want dpdaction=clear
>
> Paul
>
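To make the DPD bookkeeping in a pluto debug log like the one above easier to follow, here is a small log correlator that tracks which state objects have an EVENT_DPD armed, which phase 1 states had theirs removed, and flags the "could not find newest phase 1 state" message from the post. This is an added example, not openswan code; SAMPLE_LOG is constructed from the lines quoted in the thread (the final line uses a made-up timestamp).

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample modelled on the pluto debug output quoted in the thread
# (same hostname/PID as the post; padding and hex-dump lines dropped).
SAMPLE_LOG = """\
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | v1 state object #1 found, in STATE_XAUTH_I1
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: "xauthclient" #2: Dead Peer Detection (RFC 3706): enabled
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | inserting event EVENT_DPD, timeout in 30 seconds for #2
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | state: 1 requesting event EVENT_DPD to be deleted by dpd.c:174
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: "xauthclient" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jan 5 13:27:40 xxxxx-laptop pluto[11823]: | next event EVENT_DPD in 30 seconds for #2
Jan 5 13:28:10 xxxxx-laptop pluto[11823]: "xauthclient" #2: DPD: could not find newest phase 1 state
"""

# pluto phase 1 (ISAKMP SA) state names carry these prefixes; STATE_QUICK_*
# names are phase 2 (IPsec SA) states.
PHASE1_PREFIXES = ("STATE_MAIN_", "STATE_AGGR_", "STATE_XAUTH_", "STATE_MODE_CFG_")

RE_DPD_SET = re.compile(r"inserting event EVENT_DPD, timeout in (\d+) seconds for #(\d+)")
RE_DPD_DEL = re.compile(r"state: (\d+) requesting event EVENT_DPD to be deleted")
RE_FOUND = re.compile(r"v1 state object #(\d+) found, in (STATE_\w+)")
RE_TRANS = re.compile(r"#(\d+): transition from state STATE_\w+ to state (STATE_\w+)")
RE_DPD_ERR = re.compile(r"#(\d+): DPD: (could not find newest phase 1 state)")


def summarize_dpd(log: str) -> Dict[str, object]:
    """Correlate pluto state objects with DPD timer scheduling and DPD errors."""
    timers: Dict[int, int] = {}      # state number -> DPD timeout (s) currently armed
    cancelled: Set[int] = set()      # states whose EVENT_DPD was removed
    states: Dict[int, str] = {}      # state number -> last known pluto state name
    errors: List[Tuple[int, str]] = []
    for line in log.splitlines():
        if m := RE_DPD_SET.search(line):
            timers[int(m.group(2))] = int(m.group(1))
        elif m := RE_DPD_DEL.search(line):
            st = int(m.group(1))
            cancelled.add(st)
            timers.pop(st, None)
        elif m := RE_FOUND.search(line) or RE_TRANS.search(line):
            states[int(m.group(1))] = m.group(2)
        elif m := RE_DPD_ERR.search(line):
            errors.append((int(m.group(1)), m.group(2)))
    # Phase 1 states holding no EVENT_DPD at the end of the log; in the post's
    # log the timer moved from the ISAKMP SA (#1) to the IPsec SA (#2).
    phase1_unwatched = sorted(s for s, name in states.items()
                              if name.startswith(PHASE1_PREFIXES) and s not in timers)
    return {"timers": timers, "cancelled": sorted(cancelled), "states": states,
            "phase1_unwatched": phase1_unwatched, "errors": errors}
```

Running `summarize_dpd(SAMPLE_LOG)` shows the DPD timer armed only on #2 while #1 (STATE_XAUTH_I1) has none, alongside the later DPD error on #2.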