[Openswan Users] Issue with connecting back to openswan server
Gregory Durham
gregory.durham at gmail.com
Thu Dec 20 11:00:25 EST 2012
I am sorry, you are correct, The issue is that I am unable to
reconnect, I get a gateway does not respond error on the mac side, and
the below logs on openswan.
On Wed, Dec 19, 2012 at 9:44 PM, Elison Niven
<elison.niven at elitecore.com> wrote:
> You did not mention what the issue is !
> Why do you have rekey=no in your config. You realize that once the SA
> expires, the connection will be down unless the other end rekeys?
>
>
> On Thu 20 Dec 2012 07:02:16 AM IST, Gregory Durham wrote:
>>
>> Hello,
>> I seem to have an issue that I am having issues resolving, and cannot
>> tell where the issue is at. Env info:
>> centos 6.3
>> openswan Linux Openswan U2.6.38/K2.6.32-279.el6.x86_64 (netkey)
>>
>> xl2tpd: xl2tpd-1.3.1-5.el6.x86_64
>>
>> Mac os x default vpn client on 10.7 and 10.8.
>>
>>
>> I am unable to reproduce the error by hand, however it appears to
>> happen after some time of non use, this happens every other day or so.
>> The fix has been to service ipsec restart. Again, I have not been able
>> to nail down the issue:
>> I replace my originating IP address with My_IP and the openswan
>> server's ip with openswan_ip
>>
>> Thanks,
>> Greg
>>
>> Verbose logging:
>>
>>
>>
>> ==> /var/log/messages <==
>> Dec 20 01:16:04 centos63 xl2tpd[5966]: Maximum retries exceeded for
>> tunnel 39372. Closing.
>> Dec 20 01:16:04 centos63 xl2tpd[5966]: Connection 42 closed to My_IP,
>> port 52544 (Timeout)
>>
>> ==> /var/log/secure <==
>> Dec 20 01:16:13 centos63 pluto[29573]: |
>> Dec 20 01:16:13 centos63 pluto[29573]: | next event EVENT_DPD in 0
>> seconds for #18
>> Dec 20 01:16:13 centos63 pluto[29573]: | *time to handle event
>> Dec 20 01:16:13 centos63 pluto[29573]: | handling event EVENT_DPD
>> Dec 20 01:16:13 centos63 pluto[29573]: | event after this is
>> EVENT_NAT_T_KEEPALIVE in 3 seconds
>> Dec 20 01:16:13 centos63 pluto[29573]: | processing connection
>> l2tp-psk[12] My_IP
>> Dec 20 01:16:13 centos63 pluto[29573]: | inserting event EVENT_DPD,
>> timeout in 15 seconds for #18
>> Dec 20 01:16:13 centos63 pluto[29573]: | state: 17 requesting event
>> none to be deleted by
>> /root/rpmbuild/BUILD/openswan-2.6.38/programs/pluto/dpd.c:201
>> Dec 20 01:16:13 centos63 pluto[29573]: | inserting event
>> EVENT_DPD_TIMEOUT, timeout in 30 seconds for #17
>> Dec 20 01:16:13 centos63 pluto[29573]: | sending 92 bytes for ISAKMP
>> notify through eth0:4500 to My_IP:4500 (using #17)
>> Dec 20 01:16:13 centos63 pluto[29573]: | next event
>> EVENT_NAT_T_KEEPALIVE in 3 seconds
>> Dec 20 01:16:13 centos63 pluto[29573]: |
>> Dec 20 01:16:13 centos63 pluto[29573]: | *received 92 bytes from
>> My_IP:4500 on eth0 (port=4500)
>> Dec 20 01:16:13 centos63 pluto[29573]: | **parse ISAKMP Message:
>> Dec 20 01:16:13 centos63 pluto[29573]: | initiator cookie:
>> Dec 20 01:16:13 centos63 pluto[29573]: | d6 d4 80 0b 24 cb 36 a2
>> Dec 20 01:16:13 centos63 pluto[29573]: | responder cookie:
>> Dec 20 01:16:13 centos63 pluto[29573]: | b9 c7 3c 8e a5 e4 3f f3
>> Dec 20 01:16:13 centos63 pluto[29573]: | next payload type:
>> ISAKMP_NEXT_HASH
>> Dec 20 01:16:13 centos63 pluto[29573]: | ISAKMP version: ISAKMP
>> Version 1.0 (rfc2407)
>> Dec 20 01:16:13 centos63 pluto[29573]: | exchange type:
>> ISAKMP_XCHG_INFO
>> Dec 20 01:16:13 centos63 pluto[29573]: | flags: ISAKMP_FLAG_ENCRYPTION
>> Dec 20 01:16:13 centos63 pluto[29573]: | message ID: 94 1f 0c 58
>> Dec 20 01:16:13 centos63 pluto[29573]: | length: 92
>> Dec 20 01:16:13 centos63 pluto[29573]: | processing version=1.0
>> packet with exchange type=ISAKMP_XCHG_INFO (5)
>> Dec 20 01:16:13 centos63 pluto[29573]: | ICOOKIE: d6 d4 80 0b 24 cb 36
>> a2
>> Dec 20 01:16:13 centos63 pluto[29573]: | RCOOKIE: b9 c7 3c 8e a5 e4 3f
>> f3
>> Dec 20 01:16:13 centos63 pluto[29573]: | state hash entry 7
>> Dec 20 01:16:13 centos63 pluto[29573]: | peer and cookies match on
>> #18, provided msgid 00000000 vs c454ebd5/00000000
>> Dec 20 01:16:13 centos63 pluto[29573]: | peer and cookies match on
>> #17, provided msgid 00000000 vs 00000000/00000000
>> Dec 20 01:16:13 centos63 pluto[29573]: | p15 state object #17 found,
>> in STATE_MAIN_R3
>> Dec 20 01:16:13 centos63 pluto[29573]: | processing connection
>> l2tp-psk[12] My_IP
>> Dec 20 01:16:13 centos63 pluto[29573]: | got payload
>> 0x100(ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0
>> Dec 20 01:16:13 centos63 pluto[29573]: | ***parse ISAKMP Hash Payload:
>> Dec 20 01:16:13 centos63 pluto[29573]: | next payload type:
>> ISAKMP_NEXT_N
>> Dec 20 01:16:13 centos63 pluto[29573]: | length: 24
>> Dec 20 01:16:13 centos63 pluto[29573]: | got payload
>> 0x800(ISAKMP_NEXT_N) needed: 0x0 opt: 0x0
>> Dec 20 01:16:13 centos63 pluto[29573]: | ***parse ISAKMP Notification
>> Payload:
>> Dec 20 01:16:13 centos63 pluto[29573]: | next payload type:
>> ISAKMP_NEXT_NONE
>> Dec 20 01:16:13 centos63 pluto[29573]: | length: 32
>> Dec 20 01:16:13 centos63 pluto[29573]: | DOI: ISAKMP_DOI_IPSEC
>> Dec 20 01:16:13 centos63 pluto[29573]: | protocol ID: 1
>> Dec 20 01:16:13 centos63 pluto[29573]: | SPI size: 16
>> Dec 20 01:16:13 centos63 pluto[29573]: | Notify Message Type:
>> R_U_THERE_ACK
>> Dec 20 01:16:13 centos63 pluto[29573]: | removing 8 bytes of padding
>> Dec 20 01:16:13 centos63 pluto[29573]: | info: d6 d4 80 0b 24 cb 36
>> a2 b9 c7 3c 8e a5 e4 3f f3
>> Dec 20 01:16:13 centos63 pluto[29573]: | info: 00 00 15 e6
>> Dec 20 01:16:13 centos63 pluto[29573]: | processing informational
>> R_U_THERE_ACK (36137)
>> Dec 20 01:16:13 centos63 pluto[29573]: | state: 17 requesting event
>> EVENT_DPD_TIMEOUT to be deleted by
>> /root/rpmbuild/BUILD/openswan-2.6.38/programs/pluto/dpd.c:542
>> Dec 20 01:16:13 centos63 pluto[29573]: | complete state transition
>> with STF_IGNORE
>> Dec 20 01:16:13 centos63 pluto[29573]: | * processed 0 messages from
>> cryptographic helpers
>> Dec 20 01:16:13 centos63 pluto[29573]: | next event
>> EVENT_NAT_T_KEEPALIVE in 3 seconds
>> Dec 20 01:16:13 centos63 pluto[29573]: | next event
>> EVENT_NAT_T_KEEPALIVE in 3 seconds
>> Dec 20 01:16:16 centos63 pluto[29573]: |
>> Dec 20 01:16:16 centos63 pluto[29573]: | next event
>> EVENT_NAT_T_KEEPALIVE in 0 seconds
>> Dec 20 01:16:16 centos63 pluto[29573]: | *time to handle event
>> Dec 20 01:16:16 centos63 pluto[29573]: | handling event
>> EVENT_NAT_T_KEEPALIVE
>> Dec 20 01:16:16 centos63 pluto[29573]: | event after this is
>> EVENT_PENDING_PHASE2 in 11 seconds
>> Dec 20 01:16:16 centos63 pluto[29573]: | processing connection
>> l2tp-psk[12] My_IP
>> Dec 20 01:16:16 centos63 pluto[29573]: | processing connection
>> l2tp-psk[12] My_IP
>> Dec 20 01:16:16 centos63 pluto[29573]: | sending 1 bytes for NAT-T
>> Keep Alive through eth0:4500 to My_IP:4500 (using #18)
>> Dec 20 01:16:16 centos63 pluto[29573]: | processing connection
>> l2tp-psk[12] My_IP
>> Dec 20 01:16:16 centos63 pluto[29573]: | processing connection
>> l2tp-psk[12] My_IP
>> Dec 20 01:16:16 centos63 pluto[29573]: | sending 1 bytes for NAT-T
>> Keep Alive through eth0:4500 to My_IP:4500 (using #17)
>> Dec 20 01:16:16 centos63 pluto[29573]: | inserting event
>> EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
>> Dec 20 01:16:16 centos63 pluto[29573]: | next event
>> EVENT_PENDING_PHASE2 in 11 seconds
>> Dec 20 01:16:17 centos63 pluto[29573]: |
>> Dec 20 01:16:17 centos63 pluto[29573]: | *received 92 bytes from
>> My_IP:4500 on eth0 (port=4500)
>> Dec 20 01:16:17 centos63 pluto[29573]: | **parse ISAKMP Message:
>> Dec 20 01:16:17 centos63 pluto[29573]: | initiator cookie:
>> Dec 20 01:16:17 centos63 pluto[29573]: | d6 d4 80 0b 24 cb 36 a2
>> Dec 20 01:16:17 centos63 pluto[29573]: | responder cookie:
>> Dec 20 01:16:17 centos63 pluto[29573]: | b9 c7 3c 8e a5 e4 3f f3
>> Dec 20 01:16:17 centos63 pluto[29573]: | next payload type:
>> ISAKMP_NEXT_HASH
>> Dec 20 01:16:17 centos63 pluto[29573]: | ISAKMP version: ISAKMP
>> Version 1.0 (rfc2407)
>> Dec 20 01:16:17 centos63 pluto[29573]: | exchange type:
>> ISAKMP_XCHG_INFO
>> Dec 20 01:16:17 centos63 pluto[29573]: | flags: ISAKMP_FLAG_ENCRYPTION
>> Dec 20 01:16:17 centos63 pluto[29573]: | message ID: b7 34 20 f1
>> Dec 20 01:16:17 centos63 pluto[29573]: | length: 92
>> Dec 20 01:16:17 centos63 pluto[29573]: | processing version=1.0
>> packet with exchange type=ISAKMP_XCHG_INFO (5)
>> Dec 20 01:16:17 centos63 pluto[29573]: | ICOOKIE: d6 d4 80 0b 24 cb 36
>> a2
>> Dec 20 01:16:17 centos63 pluto[29573]: | RCOOKIE: b9 c7 3c 8e a5 e4 3f
>> f3
>> Dec 20 01:16:17 centos63 pluto[29573]: | state hash entry 7
>> Dec 20 01:16:17 centos63 pluto[29573]: | peer and cookies match on
>> #18, provided msgid 00000000 vs c454ebd5/00000000
>> Dec 20 01:16:17 centos63 pluto[29573]: | peer and cookies match on
>> #17, provided msgid 00000000 vs 00000000/00000000
>> Dec 20 01:16:17 centos63 pluto[29573]: | p15 state object #17 found,
>> in STATE_MAIN_R3
>> Dec 20 01:16:17 centos63 pluto[29573]: | processing connection
>> l2tp-psk[12] My_IP
>> Dec 20 01:16:17 centos63 pluto[29573]: | got payload
>> 0x100(ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0
>> Dec 20 01:16:17 centos63 pluto[29573]: | ***parse ISAKMP Hash Payload:
>> Dec 20 01:16:17 centos63 pluto[29573]: | next payload type:
>> ISAKMP_NEXT_D
>> Dec 20 01:16:17 centos63 pluto[29573]: | length: 24
>> Dec 20 01:16:17 centos63 pluto[29573]: | got payload
>> 0x1000(ISAKMP_NEXT_D) needed: 0x0 opt: 0x0
>> Dec 20 01:16:17 centos63 pluto[29573]: | ***parse ISAKMP Delete Payload:
>> Dec 20 01:16:17 centos63 pluto[29573]: | next payload type:
>> ISAKMP_NEXT_NONE
>> Dec 20 01:16:17 centos63 pluto[29573]: | length: 28
>> Dec 20 01:16:17 centos63 pluto[29573]: | DOI: ISAKMP_DOI_IPSEC
>> Dec 20 01:16:17 centos63 pluto[29573]: | protocol ID: 1
>> Dec 20 01:16:17 centos63 pluto[29573]: | SPI size: 16
>> Dec 20 01:16:17 centos63 pluto[29573]: | number of SPIs: 1
>> Dec 20 01:16:17 centos63 pluto[29573]: | removing 12 bytes of padding
>> Dec 20 01:16:17 centos63 pluto[29573]: | ICOOKIE: d6 d4 80 0b 24 cb 36
>> a2
>> Dec 20 01:16:17 centos63 pluto[29573]: | RCOOKIE: b9 c7 3c 8e a5 e4 3f
>> f3
>> Dec 20 01:16:17 centos63 pluto[29573]: | state hash entry 7
>> Dec 20 01:16:17 centos63 pluto[29573]: | v1 peer and cookies match on
>> #18, provided msgid 00000000 vs c454ebd5
>> Dec 20 01:16:17 centos63 pluto[29573]: | v1 peer and cookies match on
>> #17, provided msgid 00000000 vs 00000000
>> Dec 20 01:16:17 centos63 pluto[29573]: | v1 state object #17 found, in
>> STATE_MAIN_R3
>> Dec 20 01:16:17 centos63 pluto[29573]: | processing connection
>> l2tp-psk[12] My_IP
>> Dec 20 01:16:17 centos63 pluto[29573]: "l2tp-psk"[12] My_IP #17:
>> received Delete SA payload: deleting ISAKMP State #17
>> Dec 20 01:16:17 centos63 pluto[29573]: | deleting state #17
>> Dec 20 01:16:17 centos63 pluto[29573]: | sending 92 bytes for delete
>> notify through eth0:4500 to My_IP:4500 (using #17)
>> Dec 20 01:16:17 centos63 pluto[29573]: | del: d6 d4 80 0b 24 cb 36
>> a2 b9 c7 3c 8e a5 e4 3f f3
>> Dec 20 01:16:17 centos63 pluto[29573]: packet from My_IP:4500:
>> received and ignored informational message
>> Dec 20 01:16:17 centos63 pluto[29573]: | complete state transition
>> with STF_IGNORE
>> Dec 20 01:16:17 centos63 pluto[29573]: | * processed 0 messages from
>> cryptographic helpers
>> Dec 20 01:16:17 centos63 pluto[29573]: | next event
>> EVENT_PENDING_PHASE2 in 10 seconds
>> Dec 20 01:16:17 centos63 pluto[29573]: | next event
>> EVENT_PENDING_PHASE2 in 10 seconds
>> Dec 20 01:16:17 centos63 pluto[29573]: |
>> Dec 20 01:16:17 centos63 pluto[29573]: | *received 76 bytes from
>> My_IP:4500 on eth0 (port=4500)
>> Dec 20 01:16:17 centos63 pluto[29573]: | **parse ISAKMP Message:
>> Dec 20 01:16:17 centos63 pluto[29573]: | initiator cookie:
>> Dec 20 01:16:17 centos63 pluto[29573]: | d6 d4 80 0b 24 cb 36 a2
>> Dec 20 01:16:17 centos63 pluto[29573]: | responder cookie:
>> Dec 20 01:16:17 centos63 pluto[29573]: | b9 c7 3c 8e a5 e4 3f f3
>> Dec 20 01:16:17 centos63 pluto[29573]: | next payload type:
>> ISAKMP_NEXT_HASH
>> Dec 20 01:16:17 centos63 pluto[29573]: | ISAKMP version: ISAKMP
>> Version 1.0 (rfc2407)
>> Dec 20 01:16:17 centos63 pluto[29573]: | exchange type:
>> ISAKMP_XCHG_INFO
>> Dec 20 01:16:17 centos63 pluto[29573]: | flags: ISAKMP_FLAG_ENCRYPTION
>> Dec 20 01:16:17 centos63 pluto[29573]: | message ID: 89 b0 e6 47
>> Dec 20 01:16:17 centos63 pluto[29573]: | length: 76
>> Dec 20 01:16:17 centos63 pluto[29573]: | processing version=1.0
>> packet with exchange type=ISAKMP_XCHG_INFO (5)
>> Dec 20 01:16:17 centos63 pluto[29573]: | ICOOKIE: d6 d4 80 0b 24 cb 36
>> a2
>> Dec 20 01:16:17 centos63 pluto[29573]: | RCOOKIE: b9 c7 3c 8e a5 e4 3f
>> f3
>> Dec 20 01:16:17 centos63 pluto[29573]: | state hash entry 7
>> Dec 20 01:16:17 centos63 pluto[29573]: | peer and cookies match on
>> #18, provided msgid 00000000 vs c454ebd5/00000000
>> Dec 20 01:16:17 centos63 pluto[29573]: | p15 state object not found
>> Dec 20 01:16:17 centos63 pluto[29573]: | ICOOKIE: d6 d4 80 0b 24 cb 36
>> a2
>> Dec 20 01:16:17 centos63 pluto[29573]: | RCOOKIE: 00 00 00 00 00 00 00
>> 00
>> Dec 20 01:16:17 centos63 pluto[29573]: | state hash entry 12
>> Dec 20 01:16:17 centos63 pluto[29573]: | v1 state object not found
>> Dec 20 01:16:17 centos63 pluto[29573]: packet from My_IP:4500:
>> Informational Exchange is for an unknown (expired?) SA with
>> MSGID:0x47e6b089
>> Dec 20 01:16:17 centos63 pluto[29573]: | - unknown SA's
>> md->hdr.isa_icookie:
>> Dec 20 01:16:17 centos63 pluto[29573]: | d6 d4 80 0b 24 cb 36 a2
>> Dec 20 01:16:17 centos63 pluto[29573]: | - unknown SA's
>> md->hdr.isa_rcookie:
>> Dec 20 01:16:17 centos63 pluto[29573]: | b9 c7 3c 8e a5 e4 3f f3
>> Dec 20 01:16:17 centos63 pluto[29573]: | * processed 0 messages from
>> cryptographic helpers
>> Dec 20 01:16:17 centos63 pluto[29573]: | next event
>> EVENT_PENDING_PHASE2 in 10 seconds
>> Dec 20 01:16:17 centos63 pluto[29573]: | next event
>> EVENT_PENDING_PHASE2 in 10 seconds
>> Dec 20 01:16:18 centos63 pluto[29573]: |
>> Dec 20 01:16:18 centos63 pluto[29573]: | *received kernel message
>> Dec 20 01:16:18 centos63 pluto[29573]: | delete expired bare shunt
>> eroute openswan_ip/32:0 --17-> My_IP/32:0 => %pass (raw_eroute)
>> Dec 20 01:16:18 centos63 pluto[29573]: | raw_eroute result=1
>> Dec 20 01:16:18 centos63 pluto[29573]: | delete bare shunt: null pointer
>> Dec 20 01:16:18 centos63 pluto[29573]: | * processed 0 messages from
>> cryptographic helpers
>> Dec 20 01:16:18 centos63 pluto[29573]: | next event
>> EVENT_PENDING_PHASE2 in 9 seconds
>> Dec 20 01:16:18 centos63 pluto[29573]: | next event
>> EVENT_PENDING_PHASE2 in 9 seconds
>>
>> Openswan config
>>
>> version 2.0 # conforms to second version of ipsec.conf specification
>>
>> # basic configuration
>> config setup
>> # Debug-logging controls: "none" for (almost) none, "all" for
>> lots.
>> klipsdebug=all
>> plutodebug="control parsing"
>> # For Red Hat Enterprise Linux and Fedora, leave
>> protostack=netkey
>> protostack=netkey
>> nat_traversal=yes
>>
>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
>> oe=off
>> interfaces="%defaultroute"
>> # Enable this if you see "failed to find any available worker"
>> # nhelpers=0
>>
>> conn l2tp-psk
>> authby=secret
>> pfs=no
>> auto=add
>> keyingtries=3
>> rekey=no
>> ikelifetime=8h
>> type=transport
>> keylife=1h
>> left=%defaultroute
>> leftprotoport=17/1701
>> right=%any
>> rightprotoport=17/0
>> rightsubnet=vhost:%no,%priv
>> dpddelay=15
>> dpdtimeout=30
>> dpdaction=clear
>> forceencaps=yes
>>
>>
>> xl2tpd.conf:
>> [global]
>> ipsec saref = yes
>> listen-addr = pubip
>> force userspace = yes
>> [lns default]
>> local ip = ipaddress
>> ip range = range
>> require chap = yes
>> refuse pap = yes
>> require authentication = yes
>> ppp debug = yes
>> length bit = yes
>> pppoptfile = /etc/ppp/options.xl2tpd
>>
>>
>> options.xl2tpd
>> require-mschap-v2
>> ms-dns 8.8.8.8
>> asyncmap 0
>> auth
>> crtscts
>> lock
>> hide-password
>> modem
>> nodefaultroute
>> debug
>> name l2tpd
>> proxyarp
>> lcp-echo-interval 30
>> lcp-echo-failure 4
>> _______________________________________________
>> Users at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/users
>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
>>
>
> --
> Best Regards,
> Elison Niven
More information about the Users
mailing list