[Openswan Users] UDP 4500 CAN'T reach after some time
Zhiping Liu
flyingzpl at gmail.com
Tue Feb 7 03:42:43 EST 2012
Hi, All:
I configured a net2net ipsec tunnel with openswan 2.6.31 on both
sides. Here are the two connection topologies:
1. Connection topology
connection 1: Server A-->GWA-----INTERNET------------Server B.
connection 2: Server C-->GWB-----INTERNET------------GWA-->ServerA
2. Connection 1 config file on Server A:
conn STEST2
type = tunnel
auto = start
keyexchange = ike
authby = secret
auth = esp
esp = 3DES-MD5
ike = 3DES-MD5-MODP1024
aggrmode = yes
pfs = yes
left = %defaultroute
right = #SERVER B IP#
leftid = @y
rightid = @x
dpddelay = 30
dpdtimeout = 120
dpdaction = restart_by_peer
leftsubnets = {x.x.x.x/x.x.x.x}
rightsubnets = { x.x.x.x/x.x.x.x }
#
3. Connection 1 config file on Server B:
conn STEST2
type = tunnel
auto = add
keyexchange = ike
authby = secret
auth = esp
esp = 3DES-MD5
ike = 3DES-MD5-MODP1024
aggrmode = yes
pfs = yes
left = %defaultroute
right = 0.0.0.0
leftid = @x
rightid = @y
dpddelay = 30
dpdtimeout = 120
dpdaction = hold
leftsubnets = { x.x.x.x/x.x.x.x }
rightsubnets = { x.x.x.x/x.x.x.x }
Because Server C has to connect to Server A, I have NATed ports 500 and
4500 to Server A on GWA.
In the beginning, everything is fine: IPSEC SA established, ping succeeds from
each side to the other, but after a day or two, connection 1 is down.
4. I checked the tunnel status on Server A and Server B.
Server A shows ipsec phase2.
Server B shows ipsec phase1.
5. log file on both side
on Server A:
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: "STEST1/1x1" #9561:
initiating Aggressive Mode #9561, connection "changxingdao/1x1"
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561:
received Vendor ID payload [Dead Peer Detection]
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561:
received Vendor ID payload [RFC 3947] method set to=109
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561:
Aggressive mode peer ID is ID_FQDN: '@c'
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561:
transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561:
STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561:
Dead Peer Detection (RFC 3706): enabled
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9562:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW
{using isakmp#9561 msgid:d74d6729 proposal=3DES(3)_192-MD5(1)_128
pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 12 08:10:12 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561:
retransmitting in response to duplicate packet; already STATE_AGGR_I2
Jan 12 08:10:32 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561:
retransmitting in response to duplicate packet; already STATE_AGGR_I2
Jan 12 08:11:13 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9562: max
number of retransmissions (2) reached STATE_QUICK_I1. No acceptable
response to our first Quick Mode message: perhaps peer likes no proposal
Jan 12 08:11:13 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9562:
starting keying attempt 2 of an unlimited number
Jan 12 08:11:13 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9563:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW to
replace #9562 {using isakmp#9561 msgid:8ae153af
proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 12 08:12:23 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9563: max
number of retransmissions (2) reached STATE_QUICK_I1. No acceptable
response to our first Quick Mode message: perhaps peer likes no proposal
Jan 12 08:12:23 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9563:
starting keying attempt 3 of an unlimited number
Jan 12 08:12:23 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9564:
initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEv2ALLOW to
replace #9563 {using isakmp#9561 msgid:0d7aa774
proposal=3DES(3)_192-MD5(1)_128 pfsgroup=OAKLEY_GROUP_MODP1024}
Jan 12 08:12:32 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561:
DPD: No response from peer - declaring peer dead
Jan 12 08:12:32 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561:
DPD: Restarting all connections that share this peer
Jan 12 08:12:32 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561:
terminating SAs using this connection
Jan 12 08:12:32 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9564:
deleting state (STATE_QUICK_I1)
Jan 12 08:12:32 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561:
deleting state (STATE_AGGR_I2)
on Server B:
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: packet from X:500:
received Vendor ID payload [Dead Peer Detection]
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: packet from X:500:
received Vendor ID payload [RFC 3947] method set to=109
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: packet from X:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
already using method 109
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: packet from X:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but
already using method 109
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: packet from X:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but
already using method 109
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: packet from X:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: "STEST1/1x1"[191] X #273:
Aggressive mode peer ID is ID_FQDN: '@a'
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: " STEST1 /1x1"[191] X
#273: responding to Aggressive Mode, state #273, connection "STEST/1x1"
from 114.87.175.117
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: " STEST1 /1x1"[191] X
#273: enabling possible NAT-traversal with method 4
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: " STEST1 /1x1"[191] X
#273: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: " STEST1 /1x1"[191] X
#273: STATE_AGGR_R1: sent AR1, expecting AI2
Jan 12 09:08:53 (none) authpriv.warn pluto[1200]: " STEST1 /1x1"[191] X
#272: max number of retransmissions (2) reached STATE_AGGR_R1
Jan 12 09:09:31 (none) authpriv.warn pluto[1200]: " STEST1 /1x1"[191] X
#273: max number of retransmissions (2) reached STATE_AGGR_R1
I tried restarting ipsec on both sides, even rebooting the machine; nothing
changed. It seems that udp 4500 between Server A and Server B is down, so I
did tcpdump on Server A and Server B.
6. tcpdump on both side
tcpdump on Server A shows udp port 500 between A and B, and we can see
udp 4500 packets sent from Server A to Server B, but no reply!
On Server B, it only shows udp port 500 packets, no udp port 4500 at all.
7. Accidentally, I disabled ipsec on Server A for a few minutes, maybe 5
minutes, and restarted ipsec: IPSEC SA established!
I think this issue is related to the linux ip_conntrack module; maybe something
bad happened on GWA with connection 1. After I stopped ipsec on Server A for
5 minutes, the udp connection expired on GWA, and
when I restarted ipsec on Server A after 5 minutes, new udp connections on
port 500 and port 4500 could be established.
But I can't do anything on GWA. Is this an openswan issue or a linux
ip_conntrack issue? Do we have some params to deal with this situation?
I need your help!
Thanks in advance
--ZPL
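As an added illustration (not part of the original post or of openswan), a small log-triage script that reads pluto lines in the shape quoted above and flags the two-sided symptom the post describes: the initiator learns it is NATed and completes phase 1, then its Quick Mode and DPD exchanges go unanswered, while the responder sends AR1 and never sees AI2. The sample lines are constructed from the post's output, and the connection-name handling assumes pluto's `"conn" #N:` and `"conn"[inst] peer #N:` prefixes.

```python
import re
from collections import defaultdict
# Constructed samples condensed from the pluto lines quoted in the post (not a verbatim capture).
SERVER_A_LOG = """\
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Jan 12 08:10:02 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Jan 12 08:11:13 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9562: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jan 12 08:12:32 (none) authpriv.warn pluto[1517]: " STEST1 /1x1" #9561: DPD: No response from peer - declaring peer dead
"""
SERVER_B_LOG = """\
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: packet from X:500: received Vendor ID payload [RFC 3947] method set to=109
Jan 12 09:08:21 (none) authpriv.warn pluto[1200]: " STEST1 /1x1"[191] X #273: STATE_AGGR_R1: sent AR1, expecting AI2
Jan 12 09:09:31 (none) authpriv.warn pluto[1200]: " STEST1 /1x1"[191] X #273: max number of retransmissions (2) reached STATE_AGGR_R1
"""

# Matches pluto's prefix in both the initiator form  "conn" #N:  and the
# responder instance form  "conn"[inst] peer #N:  seen on Server B.
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?:\[\d+\] \S+)? #\d+: (?P<msg>.*)')

def diagnose(log_text):
    """Count the NAT-T failure symptoms per connection name."""
    found = defaultdict(lambda: {"natted": False, "isakmp_up": False, "dpd_dead": False,
                                 "quick_timeouts": 0, "aggr_r1_timeouts": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # vendor-ID lines carry no connection name
        c = found[re.sub(r"\s+", "", m["conn"])]  # the post pads the name with spaces
        msg = m["msg"]
        c["natted"] |= "i am NATed" in msg
        c["isakmp_up"] |= "ISAKMP SA established" in msg
        c["dpd_dead"] |= "DPD: No response from peer" in msg
        if "max number of retransmissions" in msg:
            c["quick_timeouts"] += "STATE_QUICK_I1" in msg
            c["aggr_r1_timeouts"] += "STATE_AGGR_R1" in msg
    return dict(found)

def verdict(found):
    """Read the counters as which leg of the NAT-T exchange went silent."""
    out = {}
    for conn, c in found.items():
        if c["natted"] and c["isakmp_up"] and c["quick_timeouts"] and c["dpd_dead"]:
            out[conn] = ("initiator: phase 1 finished behind NAT, then Quick Mode and DPD "
                         "went unanswered; check the UDP 4500 path and conntrack on the NAT gateway")
        elif c["aggr_r1_timeouts"] and not c["isakmp_up"]:
            out[conn] = "responder: AR1 sent but AI2 never arrived on this host"
        else:
            out[conn] = "no NAT-T path symptom seen"
    return out
```

Running both logs through `verdict(diagnose(...))` pairs the initiator-side and responder-side readings, which together point at the post-float UDP 4500 leg rather than at a proposal mismatch.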