[Openswan Users] Openswan and Cisco 3030
Zohair Raza
engineerzuhairraza at gmail.com
Fri Jul 13 07:31:18 EDT 2012
I would appreciate it if someone could suggest any way to fix it.
Thanks
Regards,
Zohair Raza
On Mon, Jul 9, 2012 at 2:17 PM, Zohair Raza
<engineerzuhairraza at gmail.com> wrote:
> Hi Daniel,
>
> Thanks for the reply. Yes, dead peer detection is enabled on the Cisco.
>
> The failure is random; sometimes it fails very often and sometimes it stays up for a long time.
>
> This is what appears on the Cisco when the tunnel fails:
>
>
> 44708 07/09/2012 10:41:01.410 SEV=5 IKE/0 RPT=19392
> Could not find centry for IPSec SA delete message
>
> 44709 07/09/2012 10:52:31.670 SEV=5 IKE/50 RPT=1482 1.1.1.1
> Group [1.1.1.1]
> Connection terminated for peer 1.1.1.1.
> Reason: Peer Terminate
> Remote Proxy 176.249.0.0, Local Proxy 172.16.0.0
>
> 44712 07/09/2012 10:52:55.980 SEV=5 IKE/50 RPT=1483 1.1.1.1
> Group [1.1.1.1]
> Connection terminated for peer 1.1.1.1.
> Reason: Peer Terminate
> Remote Proxy 176.249.0.0, Local Proxy 213.40.195.0
>
> 44715 07/09/2012 10:52:55.990 SEV=5 IKE/50 RPT=1484 1.1.1.1
> Group [1.1.1.1]
> Connection terminated for peer 1.1.1.1.
> Reason: Peer Terminate
> Remote Proxy 176.249.0.0, Local Proxy 170.254.0.0
>
> 44718 07/09/2012 10:52:55.990 SEV=4 AUTH/23 RPT=50284 1.1.1.1
> User [1.1.1.1] Group [1.1.1.1] disconnected: duration: 0:17:25
>
> 44719 07/09/2012 10:52:55.990 SEV=4 AUTH/85 RPT=50276
> LAN-to-LAN tunnel to headend device 1.1.1.1 disconnected: duration: 0:17:25
>
> 44720 07/09/2012 10:52:56.010 SEV=5 IKE/50 RPT=1485 1.1.1.1
> Group [1.1.1.1]
> Connection terminated for peer 1.1.1.1.
> Reason: Peer Terminate
> Remote Proxy 176.249.0.0, Local Proxy 172.16.0.0
>
> 44723 07/09/2012 10:52:56.020 SEV=5 IKE/0 RPT=19393
> Could not find centry for IPSec SA delete message
>
> 44724 07/09/2012 10:52:56.020 SEV=5 IKE/170 RPT=377 1.1.1.1
> Group [1.1.1.1]
> IKE Received delete for rekeyed centry
> IKE peer: 176.249.0.0, centry addr: 06ac2fa8, msgid: 0xd4057aa0
>
> 44727 07/09/2012 10:52:56.020 SEV=6 IKE/0 RPT=19394 1.1.1.1
> Group [1.1.1.1]
> Removing peer from peer table failed, no match!
>
> 44728 07/09/2012 10:52:56.030 SEV=4 AUTH/23 RPT=50285 1.1.1.1
> User [1.1.1.1] Group [1.1.1.1] disconnected: duration: 0:17:18
>
> 44729 07/09/2012 10:52:56.030 SEV=4 AUTH/85 RPT=50277
> LAN-to-LAN tunnel to headend device 1.1.1.1 disconnected: duration: 0:17:18
>
> 44730 07/09/2012 10:52:58.010 SEV=4 IKE/119 RPT=53479 1.1.1.1
>
>
> Regards,
> Zohair Raza
>
>
>
>
> On Mon, Jul 9, 2012 at 1:16 PM, Daniel Cave <dan.cave at me.com> wrote:
>> Zohair, Hi
>>
>> Have you checked that the Cisco 3030 also has the dead peer detection feature enabled?
>>
>> I'm wondering what logs you see on the 3030 device when the tunnel fails; can you get those?
>>
>> Does this happen at the same time every day or randomly?
>>
>> Regards
>>
>> dan
>>
>> Fahrenheit IT.
>>
>>
>> On 9 Jul 2012, at 10:09, Zohair Raza wrote:
>>
>>> Hi,
>>>
>>> I have recently set up a VPN between Openswan and a Cisco 3030. It
>>> connects without any issues, but after some time the tunnel fails. I am
>>> new to Openswan and cannot find the root cause or solution to this
>>> problem even though I googled a lot.
>>>
>>> Please can someone help me out? Here are my config and logs.
>>>
>>> openswan ipsec.conf:
>>>
>>> config setup
>>>     # Debug-logging controls: "none" for (almost) none, "all" for lots.
>>>     # klipsdebug=none
>>>     # plutodebug="control parsing"
>>>     # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
>>>     protostack=netkey
>>>     # nat_traversal=yes
>>>     virtual_private=%v4:176.249.0.0/16
>>>     oe=off
>>>     myid=1.1.1.1
>>>     # Enable this if you see "failed to find any available worker"
>>>     # nhelpers=0
>>>     klipsdebug=none
>>>     plutodebug=none
>>>     keep_alive=50
>>>     interfaces=%defaultroute
>>>
>>>
>>> openswan tunnel config:
>>>
>>> conn TT-UK-1
>>>
>>>     left=2.2.2.2
>>>     leftsubnets={172.16.0.0/16 17.254.0.0/16 210.40.5.0/24}
>>>
>>>     right=1.1.1.1
>>>     rightsubnet=176.249.0.0/16
>>>
>>>     keyexchange=ike
>>>     pfs=no
>>>     rekey=yes
>>>
>>>     auto=start
>>>     authby=secret
>>>
>>>     phase2alg=3DES-SHA1
>>>     ike=3DES-SHA1
>>>
>>>     dpddelay=30
>>>     compress=no
>>>     type=tunnel
>>>     dpdtimeout=30
>>>     dpdaction=restart
>>>
>>>     salifetime=28800s
>>>     ikelifetime=86400s
>>>
>>>
>>> Logs when tunnel fails :
>>>
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #10: DPD: No
>>> response from peer - declaring peer dead
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #10: DPD:
>>> Restarting Connection
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: rekeying
>>> state (STATE_QUICK_R2)
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #7: rekeying
>>> state (STATE_QUICK_I2)
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: rekeying
>>> state (STATE_QUICK_R2)
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: ERROR:
>>> netlink response for Del SA esp.2df00509 at 2.2.2.2 included errno 3: No
>>> such process
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: ERROR:
>>> netlink response for Del SA esp.3af14046 at 1.1.1.1 included errno 3: No
>>> such process
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #7: rekeying
>>> state (STATE_QUICK_I2)
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #7: ERROR:
>>> netlink response for Del SA esp.8ad7896 at 2.2.2.2 included errno 3: No
>>> such process
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #7: ERROR:
>>> netlink response for Del SA esp.3a5f570a at 1.1.1.1 included errno 3: No
>>> such process
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: initiating
>>> Main Mode to replace #10
>>> Jul 5 19:39:11 router-TT pluto[60606]: initiate on demand from
>>> 176.249.3.10:17168 to 172.16.12.221:16824 proto=17 state: fos_start
>>> because: acquire
>>> Jul 5 19:39:11 router-TT pluto[60606]: initiate on demand from
>>> 176.249.3.89:10138 to 172.16.12.221:19624 proto=17 state: fos_start
>>> because: acquire
>>> Jul 5 19:39:11 router-TT pluto[60606]: initiate on demand from
>>> 176.249.3.1:11784 to 172.16.12.221:13598 proto=17 state: fos_start
>>> because: acquire
>>> Jul 5 19:39:11 router-TT pluto[60606]: initiate on demand from
>>> 176.249.3.233:10068 to 172.16.12.221:10166 proto=17 state: fos_start
>>> because: acquire
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: ignoring
>>> Vendor ID payload [FRAGMENTATION c0000000]
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: transition
>>> from state STATE_MAIN_I1 to state STATE_MAIN_I2
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13:
>>> STATE_MAIN_I2: sent MI2, expecting MR2
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: received
>>> Vendor ID payload [Cisco-Unity]
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: received
>>> Vendor ID payload [XAUTH]
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: ignoring
>>> unknown Vendor ID payload [366b42f48b3b9dd8ac5c05fe5494759b]
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: ignoring
>>> Vendor ID payload [Cisco VPN 3000 Series]
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: transition
>>> from state STATE_MAIN_I2 to state STATE_MAIN_I3
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13:
>>> STATE_MAIN_I3: sent MI3, expecting MR3
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: received
>>> Vendor ID payload [Dead Peer Detection]
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: Main mode
>>> peer ID is ID_IPV4_ADDR: '2.2.2.2'
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: transition
>>> from state STATE_MAIN_I3 to state STATE_MAIN_I4
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13:
>>> STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
>>> cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: Dead Peer
>>> Detection (RFC 3706): enabled
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #14: initiating
>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
>>> isakmp#13 msgid:29e320e8 proposal=3DES(3)_192-SHA1(2)_160
>>> pfsgroup=no-pfs}
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #15: initiating
>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
>>> isakmp#13 msgid:0447f8ea proposal=3DES(3)_192-SHA1(2)_160
>>> pfsgroup=no-pfs}
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #16: initiating
>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
>>> isakmp#13 msgid:a01c9aed proposal=3DES(3)_192-SHA1(2)_160
>>> pfsgroup=no-pfs}
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #17: initiating
>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
>>> isakmp#13 msgid:532b0467 proposal=3DES(3)_192-SHA1(2)_160
>>> pfsgroup=no-pfs}
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #18: initiating
>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #11
>>> {using isakmp#13 msgid:581cfb6d proposal=3DES(3)_192-SHA1(2)_160
>>> pfsgroup=no-pfs}
>>> Jul 5 19:39:11 router-TT pluto[60606]: initiate on demand from
>>> 176.249.3.27:8 to 172.16.12.221:0 proto=1 state: fos_start because:
>>> acquire
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #19: initiating
>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
>>> isakmp#13 msgid:c2b4c48c proposal=3DES(3)_192-SHA1(2)_160
>>> pfsgroup=no-pfs}
>>> Jul 5 19:39:11 router-TT pluto[60606]: initiate on demand from
>>> 176.249.0.1:8 to 172.16.12.221:0 proto=1 state: fos_start because:
>>> acquire
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #20: initiating
>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
>>> isakmp#13 msgid:5c42e8f9 proposal=3DES(3)_192-SHA1(2)_160
>>> pfsgroup=no-pfs}
>>> Jul 5 19:39:11 router-TT pluto[60606]: initiate on demand from
>>> 176.249.3.44:52787 to 172.16.12.221:80 proto=6 state: fos_start
>>> because: acquire
>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #21: initiating
>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
>>> isakmp#13 msgid:bf505abf proposal=3DES(3)_192-SHA1(2)_160
>>> pfsgroup=no-pfs}
>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #10: received
>>> Delete SA payload: deleting ISAKMP State #10
>>> Jul 5 19:39:12 router-TT pluto[60606]: packet from 2.2.2.2:500:
>>> received and ignored informational message
>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #16: Dead Peer
>>> Detection (RFC 3706): enabled
>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #16: transition
>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #16:
>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>> {ESP=>0x13552476 <0xbd4999bd xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>> NATD=none DPD=enabled}
>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #14: Dead Peer
>>> Detection (RFC 3706): enabled
>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #14: transition
>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #14:
>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>> {ESP=>0x4497ed1c <0x1d1db8f2 xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>> NATD=none DPD=enabled}
>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #15: Dead Peer
>>> Detection (RFC 3706): enabled
>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #15: transition
>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #15:
>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>> {ESP=>0x1ee0fa85 <0xd7656b45 xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>> NATD=none DPD=enabled}
>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #17: Dead Peer
>>> Detection (RFC 3706): enabled
>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #17: transition
>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #17:
>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>> {ESP=>0x29dd0baa <0xfccca15b xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>> NATD=none DPD=enabled}
>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #18: Dead Peer
>>> Detection (RFC 3706): enabled
>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #18: transition
>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #18:
>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>> {ESP=>0x23a597eb <0x26804c4c xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>> NATD=none DPD=enabled}
>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #19: Dead Peer
>>> Detection (RFC 3706): enabled
>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #19: transition
>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #19:
>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>> {ESP=>0x6f2ac97f <0xa16f2f01 xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>> NATD=none DPD=enabled}
>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #20: Dead Peer
>>> Detection (RFC 3706): enabled
>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #20: transition
>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #20:
>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>> {ESP=>0x0a200766 <0x77bc128c xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>> NATD=none DPD=enabled}
>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #21: Dead Peer
>>> Detection (RFC 3706): enabled
>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #21: transition
>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #21:
>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>> {ESP=>0x19bcc321 <0xb32bc1d8 xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>> NATD=none DPD=enabled}
>>>
>>>
>>> Regards,
>>> Zohair Raza
>>> _______________________________________________
>>> Users at openswan.org
>>> http://lists.openswan.org/mailman/listinfo/users
>>
>> Regards
>>
>> Dan.
>>
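As an added example that is not part of the thread and not Openswan code: a small Python script that parses pluto log lines in the format quoted above, correlates each DPD "declaring peer dead" event with the churn that follows it (the netlink "Del SA ... No such process" errors, the on-demand acquires from traffic that hit a torn-down policy, the ISAKMP SA that replaces the dead one and the Quick Mode SAs re-established), and estimates how many unanswered DPD polls a given dpddelay/dpdtimeout pair tolerates. SAMPLE_LOG is constructed, condensed from the lines in the post; the tolerance formula is an approximation of pluto's timer behaviour and is an assumption, not something the thread states.

```python
"""Correlate Openswan pluto DPD events with the SA churn that follows.

Added example, not code from the thread or from the Openswan project.
SAMPLE_LOG is constructed: a condensed subset of the pluto lines quoted in
the post, kept in their original format so the parser runs on realistic
input.
"""
import re
from datetime import datetime

# syslog prefix, then optional '"conn-name" #state: ' (absent on the
# 'initiate on demand' lines), then the message text
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)" #(?P<state>\d+): )?(?P<msg>.*)$'
)

SAMPLE_LOG = """\
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #10: DPD: No response from peer - declaring peer dead
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #10: DPD: Restarting Connection
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: ERROR: netlink response for Del SA esp.2df00509 at 2.2.2.2 included errno 3: No such process
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: ERROR: netlink response for Del SA esp.3af14046 at 1.1.1.1 included errno 3: No such process
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: initiating Main Mode to replace #10
Jul 5 19:39:11 router-TT pluto[60606]: initiate on demand from 176.249.3.10:17168 to 172.16.12.221:16824 proto=17 state: fos_start because: acquire
Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #10: received Delete SA payload: deleting ISAKMP State #10
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #16: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x13552476 <0xbd4999bd xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #14: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4497ed1c <0x1d1db8f2 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
"""


def parse_line(line):
    """Split one pluto syslog line into timestamp, connection, state number and message."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        # syslog carries no year; the datetime is only used for deltas
        'ts': datetime.strptime(m['ts'], '%b %d %H:%M:%S'),
        'conn': m['conn'],
        'state': int(m['state']) if m['state'] else None,
        'msg': m['msg'],
    }


def dpd_events(log_text):
    """One record per 'declaring peer dead', summarising what pluto did next."""
    events, cur = [], None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec['msg']
        if msg.startswith('DPD: No response from peer'):
            cur = {'at': rec['ts'], 'conn': rec['conn'], 'isakmp_state': rec['state'],
                   'del_sa_errors': 0,        # errno 3 (ESRCH): kernel already lacked the SA
                   'acquires': 0,             # traffic that hit a policy with no SA behind it
                   'ipsec_sas': 0,            # Quick Mode SAs re-established afterwards
                   'isakmp_replaced_by': None, 'recovered_after_s': None}
            events.append(cur)
        elif cur is None:
            continue
        elif 'netlink response for Del SA' in msg:
            cur['del_sa_errors'] += 1
        elif msg.startswith('initiate on demand'):
            cur['acquires'] += 1
        elif 'initiating Main Mode to replace #%d' % cur['isakmp_state'] in msg:
            cur['isakmp_replaced_by'] = rec['state']
        elif 'IPsec SA established' in msg:
            cur['ipsec_sas'] += 1
            if cur['recovered_after_s'] is None:
                cur['recovered_after_s'] = (rec['ts'] - cur['at']).total_seconds()
    return events


def dpd_polls_tolerated(dpddelay, dpdtimeout):
    """Approximate number of unanswered R_U_THERE polls before pluto declares the peer dead.

    Assumption (not stated in the thread): pluto re-evaluates every dpddelay
    seconds whether dpdtimeout has elapsed without hearing from the peer, so
    the margin is about dpdtimeout // dpddelay.  The thread's 30/30 gives 1:
    a single lost poll/ack exchange is enough to trigger dpdaction=restart.
    """
    if dpddelay <= 0 or dpdtimeout <= 0:
        raise ValueError('dpddelay and dpdtimeout must be positive')
    return dpdtimeout // dpddelay


if __name__ == '__main__':
    for ev in dpd_events(SAMPLE_LOG):
        print(ev)
    print('dpddelay=30 dpdtimeout=30  tolerates', dpd_polls_tolerated(30, 30), 'missed poll(s)')
    print('dpddelay=30 dpdtimeout=120 tolerates', dpd_polls_tolerated(30, 120), 'missed poll(s)')
```

Run against the constructed log it reports one DPD event on "TT-UK-1/1x0" for ISAKMP state #10, two Del SA errors (errno 3 is ESRCH, meaning the kernel had already dropped those SAs), one acquire, replacement by state #13 and two IPsec SAs back within one second. With dpddelay and dpdtimeout both at 30 the estimate is one missed poll, so a single dropped UDP/500 packet during an idle period on the link suffices to tear down every SA in the connection; a timeout several multiples of the delay gives pluto room to retry before it declares the peer dead. That pattern is consistent with the random failures described in the thread and with the Cisco side's "Peer Terminate" and "Could not find centry for IPSec SA delete message" entries, which show it receiving deletes for SAs it no longer tracks.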