[Openswan Users] Openswan and Cisco 3030
Daniel Cave
dan.cave at me.com
Tue Jul 17 06:52:51 EDT 2012
Zohair,
I just noticed Nick Howitt;s email from 13/July about Draytek and DPD.
I don't suppose by any chance either of your cisco config's are using dynamic IP addresses are they?
Or perhaps it could be a similar related issue?
Regards
dan
On 13 Jul 2012, at 12:31, Zohair Raza wrote:
> I would appreciate if someone can suggest any way to fix it
>
> Thanks
>
> Regards,
> Zohair Raza
>
>
>
>
> On Mon, Jul 9, 2012 at 2:17 PM, Zohair Raza
> <engineerzuhairraza at gmail.com> wrote:
>> Hi Daniel,
>>
>> Thanks for reply, yes dead peer detection is enabled on cisco
>>
>> Failure is random, sometime it fails very often and sometimes it stays for long
>>
>> This is what comes on cisco when tunnel fails
>>
>>
>> 44708 07/09/2012 10:41:01.410 SEV=5 IKE/0 RPT=19392
>> Could not find centry for IPSec SA delete message
>>
>> 44709 07/09/2012 10:52:31.670 SEV=5 IKE/50 RPT=1482 1.1.1.1
>> Group [1.1.1.1]
>> Connection terminated for peer 1.1.1.1.
>> Reason: Peer Terminate
>> Remote Proxy 176.249.0.0, Local Proxy 172.16.0.0
>>
>> 44712 07/09/2012 10:52:55.980 SEV=5 IKE/50 RPT=1483 1.1.1.1
>> Group [1.1.1.1]
>> Connection terminated for peer 1.1.1.1.
>> Reason: Peer Terminate
>> Remote Proxy 176.249.0.0, Local Proxy 213.40.195.0
>>
>> 44715 07/09/2012 10:52:55.990 SEV=5 IKE/50 RPT=1484 1.1.1.1
>> Group [1.1.1.1]
>> Connection terminated for peer 1.1.1.1.
>> Reason: Peer Terminate
>> Remote Proxy 176.249.0.0, Local Proxy 170.254.0.0
>>
>> 44718 07/09/2012 10:52:55.990 SEV=4 AUTH/23 RPT=50284 1.1.1.1
>> User [1.1.1.1] Group [1.1.1.1] disconnected: duration: 0:17:25
>>
>> 44719 07/09/2012 10:52:55.990 SEV=4 AUTH/85 RPT=50276
>> LAN-to-LAN tunnel to headend device 1.1.1.1 disconnected: duration: 0:17:25
>>
>> 44720 07/09/2012 10:52:56.010 SEV=5 IKE/50 RPT=1485 1.1.1.1
>> Group [1.1.1.1]
>> Connection terminated for peer 1.1.1.1.
>> Reason: Peer Terminate
>> Remote Proxy 176.249.0.0, Local Proxy 172.16.0.0
>>
>> 44723 07/09/2012 10:52:56.020 SEV=5 IKE/0 RPT=19393
>> Could not find centry for IPSec SA delete message
>>
>> 44724 07/09/2012 10:52:56.020 SEV=5 IKE/170 RPT=377 1.1.1.1
>> Group [1.1.1.1]
>> IKE Received delete for rekeyed centry
>> IKE peer: 176.249.0.0, centry addr: 06ac2fa8, msgid: 0xd4057aa0
>>
>> 44727 07/09/2012 10:52:56.020 SEV=6 IKE/0 RPT=19394 1.1.1.1
>> Group [1.1.1.1]
>> Removing peer from peer table failed, no match!
>>
>> 44728 07/09/2012 10:52:56.030 SEV=4 AUTH/23 RPT=50285 1.1.1.1
>> User [1.1.1.1] Group [1.1.1.1] disconnected: duration: 0:17:18
>>
>> 44729 07/09/2012 10:52:56.030 SEV=4 AUTH/85 RPT=50277
>> LAN-to-LAN tunnel to headend device 1.1.1.1 disconnected: duration: 0:17:18
>>
>> 44730 07/09/2012 10:52:58.010 SEV=4 IKE/119 RPT=53479 1.1.1.1
>>
>>
>> Regards,
>> Zohair Raza
>>
>>
>>
>>
>> On Mon, Jul 9, 2012 at 1:16 PM, Daniel Cave <dan.cave at me.com> wrote:
>>> Zohair, Hi
>>>
>>> Have you checked that the Cisco 3030 has got dead peer detection feature enabled also
>>>
>>> Im wondering what the logs are you see on the 3030 device also when the tunnel fails - can you get those?
>>>
>>> Does this happen at the same time every day or randomly?
>>>
>>> Regards
>>>
>>> dan
>>>
>>> Fahrenheit IT.
>>>
>>>
>>> On 9 Jul 2012, at 10:09, Zohair Raza wrote:
>>>
>>>> Hi,
>>>>
>>>> I have recently setup a VPN between openswan and Cisco 3030, it
>>>> connects without any issues but after some time the tunnel fails. I am
>>>> new to openswan and can not find the root cause or solution of this
>>>> problem even though I googled alot.
>>>>
>>>> Please can someone help me out, here is my config and logs
>>>>
>>>> openswan ipsec.conf:
>>>>
>>>> config setup
>>>> # Debug-logging controls: "none" for (almost) none, "all" for lots.
>>>> # klipsdebug=none
>>>> # plutodebug="control parsing"
>>>> # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
>>>> protostack=netkey
>>>> # nat_traversal=yes
>>>> virtual_private=%v4:176.249.0.0/16
>>>> oe=off
>>>> myid=1.1.1.1
>>>> # Enable this if you see "failed to find any available worker"
>>>> # nhelpers=0
>>>> klipsdebug=none
>>>> plutodebug=none
>>>> keep_alive=50
>>>> interfaces=%defaultroute
>>>>
>>>>
>>>> openswan tunnel config:
>>>>
>>>> conn TT-UK-1
>>>>
>>>> left=2.2.2.2
>>>> leftsubnets={172.16.0.0/16 17.254.0.0/16 210.40.5.0/24}
>>>>
>>>> right=1.1.1.1
>>>> rightsubnet=176.249.0.0/16
>>>>
>>>> keyexchange=ike
>>>> pfs=no
>>>> rekey=yes
>>>>
>>>> auto=start
>>>> authby=secret
>>>>
>>>> phase2alg=3DES-SHA1
>>>> ike=3DES-SHA1
>>>>
>>>> dpddelay=30
>>>> compress=no
>>>> type=tunnel
>>>> dpdtimeout=30
>>>> dpdaction=restart
>>>>
>>>> salifetime=28800s
>>>> ikelifetime=86400s
>>>>
>>>>
>>>> Logs when tunnel fails :
>>>>
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #10: DPD: No
>>>> response from peer - declaring peer dead
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #10: DPD:
>>>> Restarting Connection
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: rekeying
>>>> state (STATE_QUICK_R2)
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #7: rekeying
>>>> state (STATE_QUICK_I2)
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: rekeying
>>>> state (STATE_QUICK_R2)
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: ERROR:
>>>> netlink response for Del SA esp.2df00509 at 2.2.2.2 included errno 3: No
>>>> such process
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: ERROR:
>>>> netlink response for Del SA esp.3af14046 at 1.1.1.1 included errno 3: No
>>>> such process
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #7: rekeying
>>>> state (STATE_QUICK_I2)
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #7: ERROR:
>>>> netlink response for Del SA esp.8ad7896 at 2.2.2.2 included errno 3: No
>>>> such process
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #7: ERROR:
>>>> netlink response for Del SA esp.3a5f570a at 1.1.1.1 included errno 3: No
>>>> such process
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: initiating
>>>> Main Mode to replace #10
>>>> Jul 5 19:39:11 router-TT pluto[60606]: initiate on demand from
>>>> 176.249.3.10:17168 to 172.16.12.221:16824 proto=17 state: fos_start
>>>> because: acquire
>>>> Jul 5 19:39:11 router-TT pluto[60606]: initiate on demand from
>>>> 176.249.3.89:10138 to 172.16.12.221:19624 proto=17 state: fos_start
>>>> because: acquire
>>>> Jul 5 19:39:11 router-TT pluto[60606]: initiate on demand from
>>>> 176.249.3.1:11784 to 172.16.12.221:13598 proto=17 state: fos_start
>>>> because: acquire
>>>> Jul 5 19:39:11 router-TT pluto[60606]: initiate on demand from
>>>> 176.249.3.233:10068 to 172.16.12.221:10166 proto=17 state: fos_start
>>>> because: acquire
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: ignoring
>>>> Vendor ID payload [FRAGMENTATION c0000000]
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: transition
>>>> from state STATE_MAIN_I1 to state STATE_MAIN_I2
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13:
>>>> STATE_MAIN_I2: sent MI2, expecting MR2
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: received
>>>> Vendor ID payload [Cisco-Unity]
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: received
>>>> Vendor ID payload [XAUTH]
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: ignoring
>>>> unknown Vendor ID payload [366b42f48b3b9dd8ac5c05fe5494759b]
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: ignoring
>>>> Vendor ID payload [Cisco VPN 3000 Series]
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: transition
>>>> from state STATE_MAIN_I2 to state STATE_MAIN_I3
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13:
>>>> STATE_MAIN_I3: sent MI3, expecting MR3
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: received
>>>> Vendor ID payload [Dead Peer Detection]
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: Main mode
>>>> peer ID is ID_IPV4_ADDR: '2.2.2.2'
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: transition
>>>> from state STATE_MAIN_I3 to state STATE_MAIN_I4
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13:
>>>> STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
>>>> cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: Dead Peer
>>>> Detection (RFC 3706): enabled
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #14: initiating
>>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
>>>> isakmp#13 msgid:29e320e8 proposal=3DES(3)_192-SHA1(2)_160
>>>> pfsgroup=no-pfs}
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #15: initiating
>>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
>>>> isakmp#13 msgid:0447f8ea proposal=3DES(3)_192-SHA1(2)_160
>>>> pfsgroup=no-pfs}
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #16: initiating
>>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
>>>> isakmp#13 msgid:a01c9aed proposal=3DES(3)_192-SHA1(2)_160
>>>> pfsgroup=no-pfs}
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #17: initiating
>>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
>>>> isakmp#13 msgid:532b0467 proposal=3DES(3)_192-SHA1(2)_160
>>>> pfsgroup=no-pfs}
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #18: initiating
>>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #11
>>>> {using isakmp#13 msgid:581cfb6d proposal=3DES(3)_192-SHA1(2)_160
>>>> pfsgroup=no-pfs}
>>>> Jul 5 19:39:11 router-TT pluto[60606]: initiate on demand from
>>>> 176.249.3.27:8 to 172.16.12.221:0 proto=1 state: fos_start because:
>>>> acquire
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #19: initiating
>>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
>>>> isakmp#13 msgid:c2b4c48c proposal=3DES(3)_192-SHA1(2)_160
>>>> pfsgroup=no-pfs}
>>>> Jul 5 19:39:11 router-TT pluto[60606]: initiate on demand from
>>>> 176.249.0.1:8 to 172.16.12.221:0 proto=1 state: fos_start because:
>>>> acquire
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #20: initiating
>>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
>>>> isakmp#13 msgid:5c42e8f9 proposal=3DES(3)_192-SHA1(2)_160
>>>> pfsgroup=no-pfs}
>>>> Jul 5 19:39:11 router-TT pluto[60606]: initiate on demand from
>>>> 176.249.3.44:52787 to 172.16.12.221:80 proto=6 state: fos_start
>>>> because: acquire
>>>> Jul 5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #21: initiating
>>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
>>>> isakmp#13 msgid:bf505abf proposal=3DES(3)_192-SHA1(2)_160
>>>> pfsgroup=no-pfs}
>>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #10: received
>>>> Delete SA payload: deleting ISAKMP State #10
>>>> Jul 5 19:39:12 router-TT pluto[60606]: packet from 2.2.2.2:500:
>>>> received and ignored informational message
>>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #16: Dead Peer
>>>> Detection (RFC 3706): enabled
>>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #16: transition
>>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #16:
>>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>>> {ESP=>0x13552476 <0xbd4999bd xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>>> NATD=none DPD=enabled}
>>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #14: Dead Peer
>>>> Detection (RFC 3706): enabled
>>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #14: transition
>>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #14:
>>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>>> {ESP=>0x4497ed1c <0x1d1db8f2 xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>>> NATD=none DPD=enabled}
>>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #15: Dead Peer
>>>> Detection (RFC 3706): enabled
>>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #15: transition
>>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #15:
>>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>>> {ESP=>0x1ee0fa85 <0xd7656b45 xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>>> NATD=none DPD=enabled}
>>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #17: Dead Peer
>>>> Detection (RFC 3706): enabled
>>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #17: transition
>>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #17:
>>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>>> {ESP=>0x29dd0baa <0xfccca15b xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>>> NATD=none DPD=enabled}
>>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #18: Dead Peer
>>>> Detection (RFC 3706): enabled
>>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #18: transition
>>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #18:
>>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>>> {ESP=>0x23a597eb <0x26804c4c xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>>> NATD=none DPD=enabled}
>>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #19: Dead Peer
>>>> Detection (RFC 3706): enabled
>>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #19: transition
>>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #19:
>>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>>> {ESP=>0x6f2ac97f <0xa16f2f01 xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>>> NATD=none DPD=enabled}
>>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #20: Dead Peer
>>>> Detection (RFC 3706): enabled
>>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #20: transition
>>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #20:
>>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>>> {ESP=>0x0a200766 <0x77bc128c xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>>> NATD=none DPD=enabled}
>>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #21: Dead Peer
>>>> Detection (RFC 3706): enabled
>>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #21: transition
>>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>>> Jul 5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #21:
>>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>>> {ESP=>0x19bcc321 <0xb32bc1d8 xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>>> NATD=none DPD=enabled}
>>>>
>>>>
>>>> Regards,
>>>> Zohair Raza
>>>> _______________________________________________
>>>> Users at openswan.org
>>>> http://lists.openswan.org/mailman/listinfo/users
>>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>>> Building and Integrating Virtual Private Networks with Openswan:
>>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>
>>> Regards
>>>
>>> Dan.
>>>
Regards
Dan.
More information about the Users
mailing list