[Openswan Users] UDP 4500 CAN'T reach after some time

Zhiping Liu flyingzpl at gmail.com
Tue Feb 7 03:42:43 EST 2012


Hi, all:

I configured a net2net ipsec tunnel with openswan 2.6.31 on both
sides. Here are the two connection topologies:

1. Connection topology
connection 1: Server A-->GWA-----INTERNET------------Server B.
connection 2: Server C-->GWB-----INTERNET------------GWA-->ServerA

2. Connection 1 config file on Server A:

conn STEST2
        type = tunnel
        auto = start
        keyexchange = ike
        authby = secret
        auth = esp
        esp = 3DES-MD5
        ike = 3DES-MD5-MODP1024
        aggrmode = yes
        pfs = yes
        left = %defaultroute
        right = #SERVER B IP#
        leftid = @y
        rightid = @x
        dpddelay = 30
        dpdtimeout = 120
        dpdaction = restart_by_peer
        leftsubnets = {x.x.x.x/x.x.x.x}
        rightsubnets = { x.x.x.x/x.x.x.x }
#


3. Connection 1 config file on Server B:

conn STEST2
        type = tunnel
        auto = add
        keyexchange = ike
        authby = secret
        auth = esp
        esp = 3DES-MD5
        ike = 3DES-MD5-MODP1024
        aggrmode = yes
        pfs = yes
        left = %defaultroute
        right = 0.0.0.0
        leftid = @x
        rightid = @y
        dpddelay = 30
        dpdtimeout = 120
        dpdaction = hold
        leftsubnets = { x.x.x.x/x.x.x.x }
        rightsubnets = { x.x.x.x/x.x.x.x }


Because Server C has to connect to Server A, I have NATed ports 500 and
4500 to Server A on GWA.

In the beginning, everything is fine: the IPsec SA is established and pings
succeed from each side to the other, but after a day or two connection 1 is down.

4. I checked the tunnel status on Server A and Server B.
    Server A shows ipsec phase 2.
    Server B shows ipsec phase 1.

5. Log files on both sides

   on Server A:
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9561:
initiating Aggressive Mode #9561, connection "changxingdao/1x1"
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561:
received Vendor ID payload [Dead Peer Detection]
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561:
received Vendor ID payload [RFC 3947] method set to=109
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561:
Aggressive mode peer ID is ID_FQDN: '@c'
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561:
transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561:
STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561:
Dead Peer Detection (RFC 3706): enabled
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9562:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW
{using isakmp#9561 msgid:d74d6729 proposal=3DES(3)_192-MD5(1)_128
pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 12 08:10:12 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561:
retransmitting in response to duplicate packet; already STATE_AGGR_I2
Jan 12 08:10:32 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561:
retransmitting in response to duplicate packet; already STATE_AGGR_I2
Jan 12 08:11:13 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9562: max
number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable
response to our first Quick Mode message: perhaps peer likes no proposal
Jan 12 08:11:13 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9562:
starting keying attempt 2 of an unlimited number
Jan 12 08:11:13 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9563:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW to
replace #9562 {using isakmp#9561 msgid:8ae153af
proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 12 08:12:23 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9563: max
number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable
response to our first Quick Mode message: perhaps peer likes no proposal
Jan 12 08:12:23 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9563:
starting keying attempt 3 of an unlimited number
Jan 12 08:12:23 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9564:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW to
replace #9563 {using isakmp#9561 msgid:0d7aa774
proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 12 08:12:32 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561:
DPD: No response from peer - declaring peer dead
Jan 12 08:12:32 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561:
DPD: Restarting all connections that share this peer
Jan 12 08:12:32 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561:
terminating SAs using this connection
Jan 12 08:12:32 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9564:
deleting state (STATE_QUICK_I1)
Jan 12 08:12:32 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561:
deleting state (STATE_AGGR_I2)

   on Server B:

Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: packet from X:500:
received Vendor ID payload [Dead Peer Detection]
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: packet from X:500:
received Vendor ID payload [RFC 3947] method set to=109
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: packet from X:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
already using method 109
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: packet from X:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but
already using method 109
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: packet from X:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but
already using method 109
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: packet from X:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: "STEST1/1x1"[191] X #273:
Aggressive mode peer ID is ID_FQDN: '@a'
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: " STEST1 /1x1"[191] X
#273: responding to Aggressive Mode, state #273, connection "STEST/1x1"
from 114.87.175.117
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: " STEST1 /1x1"[191] X
#273: enabling possible NAT-traversal with method 4
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: " STEST1 /1x1"[191] X
#273: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: " STEST1 /1x1"[191] X
#273: STATE_AGGR_R1: sent AR1, expecting AI2
Jan 12 09:08:53 (none) authpriv.warn pluto[1200]: " STEST1 /1x1"[191] X
#272: max number of retransmissions (2) reached STATE_AGGR_R1
Jan 12 09:09:31 (none) authpriv.warn pluto[1200]: " STEST1 /1x1"[191] X
#273: max number of retransmissions (2) reached STATE_AGGR_R1



I tried restarting ipsec on both sides, even rebooting the machine; nothing
changed. It seems that UDP 4500 between Server A and Server B is down, so I
did a tcpdump on Server A and Server B.

6. tcpdump on both sides

   tcpdump on Server A shows UDP port 500 between A and B, and we can see
UDP 4500 packets sent from Server A to Server B, but no reply!
   On Server B, it only shows UDP port 500 packets, no UDP port 4500 at all.

7. Accidentally, I disabled ipsec on Server A for a few minutes, maybe 5
minutes, and restarted ipsec: IPsec SA established!


I think this issue is related to the Linux ip_conntrack module; maybe something
bad happened in GWA with connection 1. After I stopped ipsec on Server A for
5 minutes, the UDP connection expired on GWA, and when I restarted ipsec on
Server A after 5 minutes, new UDP connections on port 500 and port 4500 could
be established.

But I can't do anything on GWA. Is this an openswan issue or a Linux
ip_conntrack issue? Do we have some params to deal with this situation?

Need your help!

Thanks in advance

--ZPL
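The failure pattern above (phase 1 completes over UDP 500, every Quick Mode attempt on UDP 4500 times out, then DPD declares the peer dead) can be recognised automatically in pluto logs. The following is an added example, not code from the post or from openswan; the sample log is constructed from abbreviated copies of the lines quoted above, and the stage markers are assumptions based on those lines.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the pluto lines quoted in the post (abbreviated).
SAMPLE_LOG = """\
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9561: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9561: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9562: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW {using isakmp#9561 msgid:d74d6729 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 12 08:11:13 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9562: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jan 12 08:12:32 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9561: DPD: No response from peer - declaring peer dead
"""

# Matches both the "conn" #N: form (Server A) and the "conn"[inst] peer #N: form (Server B).
LINE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\] \S+)? #(?P<sa>\d+): (?P<msg>.*)$')

# Message fragments that mark each stage of the failure pattern (assumed markers).
MARKERS = {
    "nated": "i am NATed",
    "phase1_up": "ISAKMP SA established",
    "phase2_timeout": "reached STATE_QUICK_I1",
    "dpd_dead": "declaring peer dead",
}

def parse(log):
    """Yield (conn, sa, msg) for every pluto state line in the log text."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("conn").strip(), int(m.group("sa")), m.group("msg")

def diagnose(log):
    """Per connection: which stages were seen and a verdict on the UDP 4500 path."""
    seen = defaultdict(set)
    for conn, _sa, msg in parse(log):
        for stage, needle in MARKERS.items():
            if needle in msg:
                seen[conn].add(stage)
    report = {}
    for conn, stages in seen.items():
        # Phase 1 completed (UDP 500 worked) but no Quick Mode reply ever arrived;
        # after NAT detection IKE continues on UDP 4500, so that path is the suspect.
        if {"nated", "phase1_up", "phase2_timeout"} <= stages:
            verdict = "phase1-ok-phase2-unanswered: UDP 4500 path suspect"
        elif "phase1_up" in stages:
            verdict = "phase1-ok"
        else:
            verdict = "phase1-incomplete"
        report[conn] = {"stages": sorted(stages), "verdict": verdict}
    return report
```

Run `diagnose()` over the pluto log on the initiator side; a "UDP 4500 path suspect" verdict while UDP 500 traffic is still visible in tcpdump points at a stale or missing NAT mapping on the gateway rather than at a proposal mismatch.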