[Openswan Users] no SA for saref=1
Paul Wouters
paul at xelerance.com
Wed Jan 26 11:00:09 EST 2011
On Wed, 26 Jan 2011, Alin Artiom Kenibasov wrote:
> I have a tunnel between 2 networks, one end is OpenSWAN and another is a cisco router. Tunnel is IKE+ESP VPN
>
> The problem is that after some time of normal functioning tunnel dies (I cannot ping other side). In OpenSWAN logs I can see this:
>
> Jan 26 16:52:52 router user.info kernel: klips_debug:ipsec_tunnel_neigh_setup:
>
> Jan 26 16:52:53 router user.err kernel: KLIPS klips_debug:ipsec_mast_start_xmit: mast0: no SA for
> saref=1
>
> Jan 26 16:52:54 router user.info kernel: klips_debug:ipsec_tunnel_neigh_setup:
>
You are using protostack=mast?
> Can anybody say what is the problem?
It seems like you use mast, but there is no tunnel for SAref=1. Probably if you bring the tunnel back up
it will get a new saref and it will work. What does ipsec verify say about SAref support?
If this is just a single subnet-subnet tunnel, I would use protostack=klips instead and not bother
with SArefs.
> Linux Openswan 2.6.28 (klips)
If using sarefs, please at least use 2.6.32.
> config setup
>
> klipsdebug="all"
>
> plutodebug="all"
>
> protostack=auto
Try protostack=klips instead?
Paul
More information about the Users
mailing list