[Openswan Users] When SA about to expire, IPsec SA and ISAKMP SA are renewed at same time, possibly result in connectivity lost with Juniper router
Sheng Yang
sheng at yasker.org
Thu Aug 9 22:00:47 EDT 2012
Hi,
I've connected Openswan (Debian squeeze) to a Juniper J2320 (release: 10.2R3.10).
In a test, we set sa_lifetime and esp_lifetime both to 300 seconds,
and later we found the connection is dropped from time to time.
After spending several days on this issue, I finally found there is
something wrong with openswan.
Aug 9 22:16:36 r-3-TEST pluto[2889]: "vpn-10.223.157.180/0x1" #50: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW to replace #49 {using isakmp#48 msgid:07f373d8 proposal=AES(12)_128-MD5(1)_128 pfsgroup=no-pfs}
Aug 9 22:16:36 r-3-TEST pluto[2889]: "vpn-10.223.157.180/0x1" #51: initiating Main Mode to replace #48
Aug 9 22:16:36 r-3-TEST pluto[2889]: "vpn-10.223.157.180/0x1" #50: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 9 22:16:36 r-3-TEST pluto[2889]: "vpn-10.223.157.180/0x1" #50: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x874fdf0d <0x69f76bbc xfrm=AES_128-HMAC_MD5 NATOA=none NATD=none DPD=none}
Aug 9 22:16:36 r-3-TEST pluto[2889]: "vpn-10.223.157.180/0x1" #51: received Vendor ID payload [Dead Peer Detection]
Aug 9 22:16:36 r-3-TEST pluto[2889]: "vpn-10.223.157.180/0x1" #51: ignoring unknown Vendor ID payload [699369228741c6d4ca094c93e242c9de19e7b7c60000000500000500]
Aug 9 22:16:36 r-3-TEST pluto[2889]: "vpn-10.223.157.180/0x1" #51: ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-01]
Aug 9 22:16:36 r-3-TEST pluto[2889]: "vpn-10.223.157.180/0x1" #51: ignoring Vendor ID payload [draft-stenberg-ipsec-nat-traversal-02]
Aug 9 22:16:36 r-3-TEST pluto[2889]: "vpn-10.223.157.180/0x1" #51: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Aug 9 22:16:36 r-3-TEST pluto[2889]: "vpn-10.223.157.180/0x1" #51: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] method set to=107
Aug 9 22:16:36 r-3-TEST pluto[2889]: "vpn-10.223.157.180/0x1" #51: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 107
Aug 9 22:16:36 r-3-TEST pluto[2889]: "vpn-10.223.157.180/0x1" #51: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
Aug 9 22:16:36 r-3-TEST pluto[2889]: "vpn-10.223.157.180/0x1" #51: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
Aug 9 22:16:36 r-3-TEST pluto[2889]: "vpn-10.223.157.180/0x1" #51: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 9 22:16:36 r-3-TEST pluto[2889]: "vpn-10.223.157.180/0x1" #51: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 9 22:16:36 r-3-TEST pluto[2889]: "vpn-10.223.157.180/0x1" #51: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Aug 9 22:16:36 r-3-TEST pluto[2889]: "vpn-10.223.157.180/0x1" #51: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 9 22:16:36 r-3-TEST pluto[2889]: "vpn-10.223.157.180/0x1" #51: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 9 22:16:36 r-3-TEST pluto[2889]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Aug 9 22:16:36 r-3-TEST pluto[2889]: "vpn-10.223.157.180/0x1" #51: Main mode peer ID is ID_IPV4_ADDR: '10.223.157.180'
Aug 9 22:16:36 r-3-TEST pluto[2889]: "vpn-10.223.157.180/0x1" #51: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 9 22:16:36 r-3-TEST pluto[2889]: "vpn-10.223.157.180/0x1" #51: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_md5 group=modp1024}
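Added example, not from the post or from Openswan: a small checker that reads the two "initiating ... to replace" lines above (rejoined onto single lines) plus two constructed lines for a staggered rekey, and flags a Quick Mode rekey that starts within a window of the Main Mode rekey of the very ISAKMP SA it is negotiated under, which is the overlap this post describes. The timestamp is parsed without a year, as pluto logs it.

```python
import re
from datetime import datetime

# Constructed sample: the two "initiating ... to replace" lines from the post,
# rejoined onto single lines, plus two made-up lines for a staggered rekey a few
# minutes later (ISAKMP SA #51 replaced a minute before IPsec SA #50 is).
SAMPLE_LOG = """\
Aug 9 22:16:36 r-3-TEST pluto[2889]: "vpn-10.223.157.180/0x1" #50: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW to replace #49 {using isakmp#48 msgid:07f373d8 proposal=AES(12)_128-MD5(1)_128 pfsgroup=no-pfs}
Aug 9 22:16:36 r-3-TEST pluto[2889]: "vpn-10.223.157.180/0x1" #51: initiating Main Mode to replace #48
Aug 9 22:20:36 r-3-TEST pluto[2889]: "vpn-10.223.157.180/0x1" #52: initiating Main Mode to replace #51
Aug 9 22:21:36 r-3-TEST pluto[2889]: "vpn-10.223.157.180/0x1" #53: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW to replace #50 {using isakmp#51 msgid:00000001 proposal=AES(12)_128-MD5(1)_128 pfsgroup=no-pfs}
"""

REKEY_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): initiating (?P<mode>Quick|Main) Mode'
    r'.*?to replace #(?P<old>\d+)(?:.*?using isakmp#(?P<parent>\d+))?')

def parse_rekeys(log_text):
    """Return one dict per 'initiating ... to replace' line: timestamp, connection,
    new SA number, mode, replaced SA and (Quick Mode only) the ISAKMP SA used."""
    events = []
    for line in log_text.splitlines():
        m = REKEY_RE.match(line)
        if m:
            ev = m.groupdict()
            # pluto logs no year; strptime defaults to 1900, fine for differences.
            ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
            events.append(ev)
    return events

def find_overlapping_rekeys(log_text, window_seconds=0):
    """Flag IPsec SA rekeys starting within window_seconds of a rekey of the very
    ISAKMP SA they run under: a fresh child SA tied to a parent on its way out."""
    events = parse_rekeys(log_text)
    isakmp_rekeys = [e for e in events if e["mode"] == "Main"]
    hits = []
    for q in events:
        if q["mode"] != "Quick" or q["parent"] is None:
            continue
        for mm in isakmp_rekeys:
            gap = abs((mm["ts"] - q["ts"]).total_seconds())
            if mm["conn"] == q["conn"] and mm["old"] == q["parent"] and gap <= window_seconds:
                hits.append((q["conn"], int(q["sa"]), int(q["parent"]), int(mm["sa"]), gap))
    return hits

if __name__ == "__main__":
    for conn, ipsec_sa, parent, new_isakmp, gap in find_overlapping_rekeys(SAMPLE_LOG):
        print(f"{conn}: IPsec SA #{ipsec_sa} under ISAKMP SA #{parent}, replaced by #{new_isakmp} ({gap:.0f}s apart)")
```

With the default window of 0 only the post's simultaneous pair (#50 under #48, #51 replacing #48) is reported; widening the window to 120 seconds also catches the constructed staggered pair.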