[Openswan Users] Openswan and Cisco 3030

Daniel Cave dan.cave at me.com
Mon Jul 9 05:16:37 EDT 2012


Zohair, Hi

Have you checked that the Cisco 3030 also has the dead peer detection feature enabled?

I'm wondering what logs you see on the 3030 device when the tunnel fails - can you get those?

Does this happen at the same time every day, or randomly?

Regards

dan

Fahrenheit IT.


On 9 Jul 2012, at 10:09, Zohair Raza wrote:

> Hi,
> 
> I have recently set up a VPN between openswan and a Cisco 3030. It
> connects without any issues, but after some time the tunnel fails. I am
> new to openswan and cannot find the root cause of or solution to this
> problem even though I googled a lot.
> 
> Could someone please help me out? Here are my config and logs.
> 
> openswan ipsec.conf:
> 
> config setup
>        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>        # klipsdebug=none
>        # plutodebug="control parsing"
>        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
>        protostack=netkey
> #       nat_traversal=yes
>        virtual_private=%v4:176.249.0.0/16
>        oe=off
>        myid=1.1.1.1
>        # Enable this if you see "failed to find any available worker"
>        # nhelpers=0
>        klipsdebug=none
>        plutodebug=none
>        keep_alive=50
>        interfaces=%defaultroute
> 
> 
> openswan tunnel config:
> 
> conn TT-UK-1
> 
>        left=2.2.2.2
>        leftsubnets={172.16.0.0/16 17.254.0.0/16 210.40.5.0/24}
> 
>        right=1.1.1.1
>        rightsubnet=176.249.0.0/16
> 
>        keyexchange=ike
>        pfs=no
>        rekey=yes
> 
>        auto=start
>        authby=secret
> 
>        phase2alg=3DES-SHA1
>        ike=3DES-SHA1
> 
>        dpddelay=30
>        compress=no
>        type=tunnel
>        dpdtimeout=30
>        dpdaction=restart
> 
>        salifetime=28800s
>        ikelifetime=86400s
> 
> 
> Logs when the tunnel fails:
> 
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #10: DPD: No
> response from peer - declaring peer dead
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #10: DPD:
> Restarting Connection
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: rekeying
> state (STATE_QUICK_R2)
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #7: rekeying
> state (STATE_QUICK_I2)
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: rekeying
> state (STATE_QUICK_R2)
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: ERROR:
> netlink response for Del SA esp.2df00509 at 2.2.2.2 included errno 3: No
> such process
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: ERROR:
> netlink response for Del SA esp.3af14046 at 1.1.1.1 included errno 3: No
> such process
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #7: rekeying
> state (STATE_QUICK_I2)
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #7: ERROR:
> netlink response for Del SA esp.8ad7896 at 2.2.2.2 included errno 3: No
> such process
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #7: ERROR:
> netlink response for Del SA esp.3a5f570a at 1.1.1.1 included errno 3: No
> such process
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: initiating
> Main Mode to replace #10
> Jul  5 19:39:11 router-TT pluto[60606]: initiate on demand from
> 176.249.3.10:17168 to 172.16.12.221:16824 proto=17 state: fos_start
> because: acquire
> Jul  5 19:39:11 router-TT pluto[60606]: initiate on demand from
> 176.249.3.89:10138 to 172.16.12.221:19624 proto=17 state: fos_start
> because: acquire
> Jul  5 19:39:11 router-TT pluto[60606]: initiate on demand from
> 176.249.3.1:11784 to 172.16.12.221:13598 proto=17 state: fos_start
> because: acquire
> Jul  5 19:39:11 router-TT pluto[60606]: initiate on demand from
> 176.249.3.233:10068 to 172.16.12.221:10166 proto=17 state: fos_start
> because: acquire
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: ignoring
> Vendor ID payload [FRAGMENTATION c0000000]
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: transition
> from state STATE_MAIN_I1 to state STATE_MAIN_I2
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13:
> STATE_MAIN_I2: sent MI2, expecting MR2
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: received
> Vendor ID payload [Cisco-Unity]
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: received
> Vendor ID payload [XAUTH]
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: ignoring
> unknown Vendor ID payload [366b42f48b3b9dd8ac5c05fe5494759b]
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: ignoring
> Vendor ID payload [Cisco VPN 3000 Series]
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: transition
> from state STATE_MAIN_I2 to state STATE_MAIN_I3
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13:
> STATE_MAIN_I3: sent MI3, expecting MR3
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: received
> Vendor ID payload [Dead Peer Detection]
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: Main mode
> peer ID is ID_IPV4_ADDR: '2.2.2.2'
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: transition
> from state STATE_MAIN_I3 to state STATE_MAIN_I4
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13:
> STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: Dead Peer
> Detection (RFC 3706): enabled
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #14: initiating
> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
> isakmp#13 msgid:29e320e8 proposal=3DES(3)_192-SHA1(2)_160
> pfsgroup=no-pfs}
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #15: initiating
> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
> isakmp#13 msgid:0447f8ea proposal=3DES(3)_192-SHA1(2)_160
> pfsgroup=no-pfs}
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #16: initiating
> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
> isakmp#13 msgid:a01c9aed proposal=3DES(3)_192-SHA1(2)_160
> pfsgroup=no-pfs}
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #17: initiating
> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
> isakmp#13 msgid:532b0467 proposal=3DES(3)_192-SHA1(2)_160
> pfsgroup=no-pfs}
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #18: initiating
> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #11
> {using isakmp#13 msgid:581cfb6d proposal=3DES(3)_192-SHA1(2)_160
> pfsgroup=no-pfs}
> Jul  5 19:39:11 router-TT pluto[60606]: initiate on demand from
> 176.249.3.27:8 to 172.16.12.221:0 proto=1 state: fos_start because:
> acquire
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #19: initiating
> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
> isakmp#13 msgid:c2b4c48c proposal=3DES(3)_192-SHA1(2)_160
> pfsgroup=no-pfs}
> Jul  5 19:39:11 router-TT pluto[60606]: initiate on demand from
> 176.249.0.1:8 to 172.16.12.221:0 proto=1 state: fos_start because:
> acquire
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #20: initiating
> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
> isakmp#13 msgid:5c42e8f9 proposal=3DES(3)_192-SHA1(2)_160
> pfsgroup=no-pfs}
> Jul  5 19:39:11 router-TT pluto[60606]: initiate on demand from
> 176.249.3.44:52787 to 172.16.12.221:80 proto=6 state: fos_start
> because: acquire
> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #21: initiating
> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
> isakmp#13 msgid:bf505abf proposal=3DES(3)_192-SHA1(2)_160
> pfsgroup=no-pfs}
> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #10: received
> Delete SA payload: deleting ISAKMP State #10
> Jul  5 19:39:12 router-TT pluto[60606]: packet from 2.2.2.2:500:
> received and ignored informational message
> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #16: Dead Peer
> Detection (RFC 3706): enabled
> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #16: transition
> from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #16:
> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
> {ESP=>0x13552476 <0xbd4999bd xfrm=3DES_0-HMAC_SHA1 NATOA=none
> NATD=none DPD=enabled}
> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #14: Dead Peer
> Detection (RFC 3706): enabled
> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #14: transition
> from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #14:
> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
> {ESP=>0x4497ed1c <0x1d1db8f2 xfrm=3DES_0-HMAC_SHA1 NATOA=none
> NATD=none DPD=enabled}
> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #15: Dead Peer
> Detection (RFC 3706): enabled
> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #15: transition
> from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #15:
> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
> {ESP=>0x1ee0fa85 <0xd7656b45 xfrm=3DES_0-HMAC_SHA1 NATOA=none
> NATD=none DPD=enabled}
> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #17: Dead Peer
> Detection (RFC 3706): enabled
> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #17: transition
> from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #17:
> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
> {ESP=>0x29dd0baa <0xfccca15b xfrm=3DES_0-HMAC_SHA1 NATOA=none
> NATD=none DPD=enabled}
> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #18: Dead Peer
> Detection (RFC 3706): enabled
> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #18: transition
> from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #18:
> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
> {ESP=>0x23a597eb <0x26804c4c xfrm=3DES_0-HMAC_SHA1 NATOA=none
> NATD=none DPD=enabled}
> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #19: Dead Peer
> Detection (RFC 3706): enabled
> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #19: transition
> from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #19:
> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
> {ESP=>0x6f2ac97f <0xa16f2f01 xfrm=3DES_0-HMAC_SHA1 NATOA=none
> NATD=none DPD=enabled}
> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #20: Dead Peer
> Detection (RFC 3706): enabled
> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #20: transition
> from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #20:
> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
> {ESP=>0x0a200766 <0x77bc128c xfrm=3DES_0-HMAC_SHA1 NATOA=none
> NATD=none DPD=enabled}
> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #21: Dead Peer
> Detection (RFC 3706): enabled
> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #21: transition
> from state STATE_QUICK_I1 to state STATE_QUICK_I2
> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #21:
> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
> {ESP=>0x19bcc321 <0xb32bc1d8 xfrm=3DES_0-HMAC_SHA1 NATOA=none
> NATD=none DPD=enabled}
> 
> 
> Regards,
> Zohair Raza
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users

Regards

Dan.
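Added example, not from this thread and not part of Openswan itself: a small Python script that does the two checks a practitioner would want here. It lints the posted `conn` for DPD timing and algorithm choices (the `dpddelay`/`dpdtimeout` defaults of 30 s and 120 s used below are taken from the ipsec.conf(5) documentation), and it parses pluto syslog lines, pairs each "DPD: No response from peer" with the next "IPsec SA established" on the same conn, and tallies the dead events by hour so Dan's "same time every day or random?" question can be answered from the logs. The sample config and the Jul 5 log lines are condensed from the post (unwrapped to one line each); the Jul 6 lines are constructed to exercise the histogram.

```python
"""Lint an Openswan conn and triage pluto DPD restarts (added example)."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the conn from the post, minus options that do not affect the checks.
SAMPLE_CONF = """\
conn TT-UK-1
        left=2.2.2.2
        leftsubnets={172.16.0.0/16 17.254.0.0/16 210.40.5.0/24}
        right=1.1.1.1
        rightsubnet=176.249.0.0/16
        pfs=no
        authby=secret
        phase2alg=3DES-SHA1
        ike=3DES-SHA1
        dpddelay=30
        dpdtimeout=30
        dpdaction=restart
"""

# Constructed sample: Jul 5 lines condensed from the post, Jul 6 lines invented.
SAMPLE_LOG = """\
Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #10: DPD: No response from peer - declaring peer dead
Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #10: DPD: Restarting Connection
Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: ERROR: netlink response for Del SA esp.2df00509 at 2.2.2.2 included errno 3: No such process
Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: ERROR: netlink response for Del SA esp.3af14046 at 1.1.1.1 included errno 3: No such process
Jul  5 19:39:11 router-TT pluto[60606]: initiate on demand from 176.249.3.10:17168 to 172.16.12.221:16824 proto=17 state: fos_start because: acquire
Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #16: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x13552476 <0xbd4999bd xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jul  6 19:40:02 router-TT pluto[60606]: "TT-UK-1/1x0" #23: DPD: No response from peer - declaring peer dead
Jul  6 19:40:02 router-TT pluto[60606]: "TT-UK-1/1x0" #23: DPD: Restarting Connection
Jul  6 19:40:05 router-TT pluto[60606]: "TT-UK-1/1x0" #27: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x0a1b2c3d <0x4e5f6071 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
"""


def parse_conn(text):
    """Return {'name', 'opts'} for the first `conn` block in ipsec.conf text."""
    name, opts = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            if name is not None:
                break                                  # second conn: stop
            name = m.group(1)
        elif name is not None and "=" in line:
            k, v = line.split("=", 1)
            opts[k.strip()] = v.strip()
    return {"name": name, "opts": opts}


def _seconds(v):
    """Openswan time syntax ('30', '30s', '2m', '1h', '1d') -> int seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", v)
    if not m:
        raise ValueError(f"bad time value: {v!r}")
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]


def lint_conn(conn):
    """Return (severity, code, message) findings for one conn."""
    o, out = conn["opts"], []
    delay = _seconds(o.get("dpddelay", "30"))        # documented defaults
    timeout = _seconds(o.get("dpdtimeout", "120"))
    if timeout <= delay:
        out.append(("warn", "dpd-timing",
                    f"dpdtimeout={timeout}s is not larger than dpddelay={delay}s; "
                    "a single lost R_U_THERE probe can be enough to declare the peer dead"))
    for key in ("ike", "phase2alg", "esp"):
        if "3des" in o.get(key, "").lower():
            out.append(("warn", "weak-cipher", f"{key} uses 3DES (64-bit block cipher)"))
    if o.get("pfs", "yes").lower() == "no":           # pfs defaults to yes
        out.append(("info", "no-pfs", "pfs=no: Phase 2 keys are not independent of the IKE SA"))
    return out


LOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)" #(?P<state>\d+): )?(?P<msg>.*)$')


def parse_log(lines):
    """Yield parsed pluto syslog lines; lines in other formats are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            # syslog timestamps carry no year; strptime's 1900 default is fine for deltas
            yield {"ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
                   "conn": m.group("conn"),
                   "state": int(m.group("state")) if m.group("state") else None,
                   "msg": m.group("msg")}


def triage(lines):
    """Pair DPD 'peer dead' events with the next IPsec SA on the same conn."""
    outages, pending, netlink_errors, dh_groups = [], {}, 0, Counter()
    for ev in parse_log(lines):
        msg, conn = ev["msg"], ev["conn"]
        if msg.startswith("DPD: No response from peer"):
            pending[conn] = {"conn": conn, "dead_at": ev["ts"], "isakmp_state": ev["state"],
                             "restored_at": None, "downtime_s": None}
        elif "ERROR: netlink response for Del SA" in msg:
            netlink_errors += 1        # errno 3 (ESRCH): the kernel SA was already gone
        elif "ISAKMP SA established" in msg:
            g = re.search(r"group=(\w+)", msg)
            if g:
                dh_groups[g.group(1)] += 1
        elif "IPsec SA established" in msg and conn in pending:
            o = pending.pop(conn)
            o["restored_at"] = ev["ts"]
            o["downtime_s"] = (ev["ts"] - o["dead_at"]).total_seconds()
            outages.append(o)
    outages.extend(pending.values())   # dead but never restored within the capture
    return {"outages": outages, "netlink_del_errors": netlink_errors,
            "dh_groups": dict(dh_groups),
            "dead_events_by_hour": dict(Counter(o["dead_at"].strftime("%H") for o in outages))}


if __name__ == "__main__":
    for sev, code, text in lint_conn(parse_conn(SAMPLE_CONF)):
        print(f"[{sev}] {code}: {text}")
    r = triage(SAMPLE_LOG.splitlines())
    for o in r["outages"]:
        print(f'{o["conn"]}: dead {o["dead_at"]:%b %d %H:%M:%S}, restored after {o["downtime_s"]}s')
    print("dead events by hour:", r["dead_events_by_hour"], "| DH groups:", r["dh_groups"],
          "| netlink Del SA errors:", r["netlink_del_errors"])
```

Run it against the real `/var/log/secure` (or wherever pluto logs) to see whether the dead events cluster at one hour, which would point at a scheduled event on the Cisco side rather than random packet loss; a `dh_groups` result of `modp1024` says the IKE SA is using a 1024-bit group, which is below current recommendations. The netlink `errno 3` lines only show pluto trying to delete an SA the kernel had already dropped during the restart, so they are noise from the restart rather than its cause.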


