[Openswan Users] no SA for saref=1

Paul Wouters paul at xelerance.com
Wed Jan 26 11:00:09 EST 2011

On Wed, 26 Jan 2011, Alin Artiom Kenibasov wrote:

> I have a tunnel between 2 networks, one end is OpenSWAN and another is a cisco router. Tunnel is IKE+ESP VPN
> The problem is that after some time of normal functioning tunnel dies (I cannot ping other side). In OpenSWAN logs I can see this:
> Jan 26 16:52:52 router user.info kernel: klips_debug:ipsec_tunnel_neigh_setup: 
> Jan 26 16:52:53 router user.err kernel: KLIPS klips_debug:ipsec_mast_start_xmit: mast0: no SA for
> saref=1                                                      
> Jan 26 16:52:54 router user.info kernel: klips_debug:ipsec_tunnel_neigh_setup: 

You are using protostack=mast?

> Can anybody say what is the problem?

It seems like you use mast, but there is no tunnel for SAref=1. Probably if you bring the tunnel back up
it will get a new saref and it will work. What does ipsec verify say about SAref support?

If this is just a single subnet-subnet tunnel, I would use protostack=klips instead and not bother
with SArefs.

> Linux Openswan 2.6.28 (klips)

If using sarefs, please at least use 2.6.32.

> config setup
>     klipsdebug="all"
>     plutodebug="all"
>     protostack=auto

Try protostack=klips instead?


More information about the Users mailing list