[Openswan Users] VPN between Openswan and TMG drops after ~10 minutes
Bart Jeukendrup
bart at vanlooenpartners.nl
Thu Aug 16 05:10:52 EDT 2012
Hello,
I'm experiencing some problems connecting Openswan to Microsoft TMG.
The connection is being established successfully, traffic flows to the other
side, but after ~10 minutes, the connection drops.
The only solution left is to restart Openswan and the tunnel is up again.
It's a very basic PSK net-to-net configuration, no NAT-T.
--
conn vpn
    type=tunnel
    authby=secret
    modecfgpull=no
    left=213.108.105.22
    leftid=213.108.105.22
    leftsubnet=172.16.100.1/32
    leftsourceip=172.16.100.1
    right=62.21.130.3
    rightsubnet=10.22.130.2/32
    ike=aes256-md5-modp1024
    ikelifetime=86400s
    keylife=28800s
    phase2=esp
    phase2alg=aes256-md5
    pfs=no
    auto=start
--
ipsec auto --status
000 #2: "vpn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26553s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "vpn" esp.573fec00@62.21.130.3 esp.79f79b0b@213.108.105.22 tun.0@62.21.130.3 tun.0@213.108.105.22 ref=0 refhim=4294901761
000 #1: "vpn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 83912s; newest ISAKMP; nodpd; idle; import:admin initiate
ipsec --version
Linux Openswan U2.6.32/K2.6.32-71.29.1.el6.x86_64 (netkey)
In the logfile I find the following message, right after bringing up the
VPN:
"vpn" #2: IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag
"vpn" #2: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
"vpn" #2: sending encrypted notification INVALID_PAYLOAD_TYPE to 62.21.130.3:500
| sending 60 bytes for notification packet through eth0:0:500 to 62.21.130.3:500 (using #2)
After the 10 minutes, no additional messages can be found in the logfiles.
On the TMG, the logfiles also give no insights.
Any suggestions to fix this problem?
Thanks!
Bart
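
An added example, not part of the original post and not Openswan code: a small Python parser that turns the `ipsec auto --status` SA lines quoted above into structured per-SA state, time to the next replace event and the DPD flag, so a monitoring job can record them periodically. The function names are hypothetical, and the line format is assumed to be exactly what the post shows for Openswan U2.6.32; other versions may print it differently.

```python
import re

# Constructed sample: the status lines from the post with mail wrapping undone.
SAMPLE_STATUS = """\
000 #2: "vpn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26553s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "vpn" esp.573fec00@62.21.130.3 esp.79f79b0b@213.108.105.22 tun.0@62.21.130.3 tun.0@213.108.105.22 ref=0 refhim=4294901761
000 #1: "vpn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 83912s; newest ISAKMP; nodpd; idle; import:admin initiate
"""

# One SA state line: serial, connection, state, description, next event, flags.
SA_LINE = re.compile(
    r'^000 #(?P<serial>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+) '
    r'\((?P<desc>[^)]*)\); (?P<event>EVENT_\w+) in (?P<secs>-?\d+)s;(?P<flags>.*)$'
)

def parse_status(text):
    """Return one dict per SA state line; SPI/tunnel detail lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if not m:
            continue
        flags = [f.strip() for f in m.group("flags").split(";") if f.strip()]
        sas.append({
            "serial": int(m.group("serial")),
            "conn": m.group("conn"),
            "state": m.group("state"),
            "established": "established" in m.group("desc"),
            "event": m.group("event"),
            "seconds": int(m.group("secs")),
            "flags": flags,
        })
    return sas

def tunnel_health(text, conn):
    """Summarise the newest IKE and IPsec SAs of `conn` (hypothetical helper)."""
    sas = [s for s in parse_status(text) if s["conn"] == conn and s["established"]]
    ipsec = [s for s in sas if "newest IPSEC" in s["flags"]]
    isakmp = [s for s in sas if "newest ISAKMP" in s["flags"]]
    return {
        "ipsec_up": bool(ipsec),
        "isakmp_up": bool(isakmp),
        "dpd_disabled": any("nodpd" in s["flags"] for s in isakmp),
        "ipsec_replace_in": ipsec[0]["seconds"] if ipsec else None,
        "isakmp_replace_in": isakmp[0]["seconds"] if isakmp else None,
    }

if __name__ == "__main__":
    print(tunnel_health(SAMPLE_STATUS, "vpn"))
```

This only reports what the local pluto daemon believes; it says nothing about whether the remote peer still holds matching SAs.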