[Openswan Users] Openswan and Cisco 3030

Daniel Cave dan.cave at me.com
Tue Jul 17 06:52:51 EDT 2012


Zohair,

I just noticed Nick Howitt's email from 13/July about Draytek and DPD.

I don't suppose, by any chance, either of your Cisco configs is using dynamic IP addresses, are they?

Or perhaps it could be a similar related issue? 

Regards
dan

On 13 Jul 2012, at 12:31, Zohair Raza wrote:

> I would appreciate if someone can suggest any way to fix it
> 
> Thanks
> 
> Regards,
> Zohair Raza
> 
> 
> 
> 
> On Mon, Jul 9, 2012 at 2:17 PM, Zohair Raza
> <engineerzuhairraza at gmail.com> wrote:
>> Hi Daniel,
>> 
>> Thanks for the reply, yes dead peer detection is enabled on the Cisco.
>> 
>> Failure is random; sometimes it fails very often and sometimes it stays up for a long time.
>> 
>> This is what comes up on the Cisco when the tunnel fails:
>> 
>> 
>> 44708 07/09/2012 10:41:01.410 SEV=5 IKE/0 RPT=19392
>> Could not find centry for IPSec SA delete message
>> 
>> 44709 07/09/2012 10:52:31.670 SEV=5 IKE/50 RPT=1482 1.1.1.1
>> Group [1.1.1.1]
>> Connection terminated for peer 1.1.1.1.
>> Reason: Peer Terminate
>> Remote Proxy 176.249.0.0, Local Proxy 172.16.0.0
>> 
>> 44712 07/09/2012 10:52:55.980 SEV=5 IKE/50 RPT=1483 1.1.1.1
>> Group [1.1.1.1]
>> Connection terminated for peer 1.1.1.1.
>> Reason: Peer Terminate
>> Remote Proxy 176.249.0.0, Local Proxy 213.40.195.0
>> 
>> 44715 07/09/2012 10:52:55.990 SEV=5 IKE/50 RPT=1484 1.1.1.1
>> Group [1.1.1.1]
>> Connection terminated for peer 1.1.1.1.
>> Reason: Peer Terminate
>> Remote Proxy 176.249.0.0, Local Proxy 170.254.0.0
>> 
>> 44718 07/09/2012 10:52:55.990 SEV=4 AUTH/23 RPT=50284 1.1.1.1
>> User [1.1.1.1] Group [1.1.1.1] disconnected: duration: 0:17:25
>> 
>> 44719 07/09/2012 10:52:55.990 SEV=4 AUTH/85 RPT=50276
>> LAN-to-LAN tunnel to headend device 1.1.1.1 disconnected: duration: 0:17:25
>> 
>> 44720 07/09/2012 10:52:56.010 SEV=5 IKE/50 RPT=1485 1.1.1.1
>> Group [1.1.1.1]
>> Connection terminated for peer 1.1.1.1.
>> Reason: Peer Terminate
>> Remote Proxy 176.249.0.0, Local Proxy 172.16.0.0
>> 
>> 44723 07/09/2012 10:52:56.020 SEV=5 IKE/0 RPT=19393
>> Could not find centry for IPSec SA delete message
>> 
>> 44724 07/09/2012 10:52:56.020 SEV=5 IKE/170 RPT=377 1.1.1.1
>> Group [1.1.1.1]
>> IKE Received delete for rekeyed centry
>> IKE peer: 176.249.0.0, centry addr: 06ac2fa8, msgid: 0xd4057aa0
>> 
>> 44727 07/09/2012 10:52:56.020 SEV=6 IKE/0 RPT=19394 1.1.1.1
>> Group [1.1.1.1]
>> Removing peer from peer table failed, no match!
>> 
>> 44728 07/09/2012 10:52:56.030 SEV=4 AUTH/23 RPT=50285 1.1.1.1
>> User [1.1.1.1] Group [1.1.1.1] disconnected: duration: 0:17:18
>> 
>> 44729 07/09/2012 10:52:56.030 SEV=4 AUTH/85 RPT=50277
>> LAN-to-LAN tunnel to headend device 1.1.1.1 disconnected: duration: 0:17:18
>> 
>> 44730 07/09/2012 10:52:58.010 SEV=4 IKE/119 RPT=53479 1.1.1.1
>> 
>> 
>> Regards,
>> Zohair Raza
>> 
>> 
>> 
>> 
>> On Mon, Jul 9, 2012 at 1:16 PM, Daniel Cave <dan.cave at me.com> wrote:
>>> Zohair, Hi
>>> 
>>> Have you checked that the Cisco 3030 has got the dead peer detection feature enabled also?
>>> 
>>> I'm wondering what logs you see on the 3030 device when the tunnel fails - can you get those?
>>> 
>>> Does this happen at the same time every day or randomly?
>>> 
>>> Regards
>>> 
>>> dan
>>> 
>>> Fahrenheit IT.
>>> 
>>> 
>>> On 9 Jul 2012, at 10:09, Zohair Raza wrote:
>>> 
>>>> Hi,
>>>> 
>>>> I have recently set up a VPN between Openswan and a Cisco 3030. It
>>>> connects without any issues, but after some time the tunnel fails. I am
>>>> new to Openswan and cannot find the root cause or solution to this
>>>> problem even though I googled a lot.
>>>> 
>>>> Please can someone help me out? Here are my config and logs.
>>>> 
>>>> openswan ipsec.conf:
>>>> 
>>>> config setup
>>>>       # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>>>>       # klipsdebug=none
>>>>       # plutodebug="control parsing"
>>>>       # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
>>>>       protostack=netkey
>>>> #       nat_traversal=yes
>>>>       virtual_private=%v4:176.249.0.0/16
>>>>       oe=off
>>>>       myid=1.1.1.1
>>>>       # Enable this if you see "failed to find any available worker"
>>>>       # nhelpers=0
>>>>       klipsdebug=none
>>>>       plutodebug=none
>>>>       keep_alive=50
>>>>       interfaces=%defaultroute
>>>> 
>>>> 
>>>> openswan tunnel config:
>>>> 
>>>> conn TT-UK-1
>>>> 
>>>>       left=2.2.2.2
>>>>       leftsubnets={172.16.0.0/16 17.254.0.0/16 210.40.5.0/24}
>>>> 
>>>>       right=1.1.1.1
>>>>       rightsubnet=176.249.0.0/16
>>>> 
>>>>       keyexchange=ike
>>>>       pfs=no
>>>>       rekey=yes
>>>> 
>>>>       auto=start
>>>>       authby=secret
>>>> 
>>>>       phase2alg=3DES-SHA1
>>>>       ike=3DES-SHA1
>>>> 
>>>>       dpddelay=30
>>>>       compress=no
>>>>       type=tunnel
>>>>       dpdtimeout=30
>>>>       dpdaction=restart
>>>> 
>>>>       salifetime=28800s
>>>>       ikelifetime=86400s
>>>> 
>>>> 
>>>> Logs when the tunnel fails:
>>>> 
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #10: DPD: No
>>>> response from peer - declaring peer dead
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #10: DPD:
>>>> Restarting Connection
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: rekeying
>>>> state (STATE_QUICK_R2)
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #7: rekeying
>>>> state (STATE_QUICK_I2)
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: rekeying
>>>> state (STATE_QUICK_R2)
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: ERROR:
>>>> netlink response for Del SA esp.2df00509 at 2.2.2.2 included errno 3: No
>>>> such process
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: ERROR:
>>>> netlink response for Del SA esp.3af14046 at 1.1.1.1 included errno 3: No
>>>> such process
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #7: rekeying
>>>> state (STATE_QUICK_I2)
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #7: ERROR:
>>>> netlink response for Del SA esp.8ad7896 at 2.2.2.2 included errno 3: No
>>>> such process
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #7: ERROR:
>>>> netlink response for Del SA esp.3a5f570a at 1.1.1.1 included errno 3: No
>>>> such process
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: initiating
>>>> Main Mode to replace #10
>>>> Jul  5 19:39:11 router-TT pluto[60606]: initiate on demand from
>>>> 176.249.3.10:17168 to 172.16.12.221:16824 proto=17 state: fos_start
>>>> because: acquire
>>>> Jul  5 19:39:11 router-TT pluto[60606]: initiate on demand from
>>>> 176.249.3.89:10138 to 172.16.12.221:19624 proto=17 state: fos_start
>>>> because: acquire
>>>> Jul  5 19:39:11 router-TT pluto[60606]: initiate on demand from
>>>> 176.249.3.1:11784 to 172.16.12.221:13598 proto=17 state: fos_start
>>>> because: acquire
>>>> Jul  5 19:39:11 router-TT pluto[60606]: initiate on demand from
>>>> 176.249.3.233:10068 to 172.16.12.221:10166 proto=17 state: fos_start
>>>> because: acquire
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: ignoring
>>>> Vendor ID payload [FRAGMENTATION c0000000]
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: transition
>>>> from state STATE_MAIN_I1 to state STATE_MAIN_I2
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13:
>>>> STATE_MAIN_I2: sent MI2, expecting MR2
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: received
>>>> Vendor ID payload [Cisco-Unity]
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: received
>>>> Vendor ID payload [XAUTH]
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: ignoring
>>>> unknown Vendor ID payload [366b42f48b3b9dd8ac5c05fe5494759b]
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: ignoring
>>>> Vendor ID payload [Cisco VPN 3000 Series]
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: transition
>>>> from state STATE_MAIN_I2 to state STATE_MAIN_I3
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13:
>>>> STATE_MAIN_I3: sent MI3, expecting MR3
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: received
>>>> Vendor ID payload [Dead Peer Detection]
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: Main mode
>>>> peer ID is ID_IPV4_ADDR: '2.2.2.2'
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: transition
>>>> from state STATE_MAIN_I3 to state STATE_MAIN_I4
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13:
>>>> STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
>>>> cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: Dead Peer
>>>> Detection (RFC 3706): enabled
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #14: initiating
>>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
>>>> isakmp#13 msgid:29e320e8 proposal=3DES(3)_192-SHA1(2)_160
>>>> pfsgroup=no-pfs}
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #15: initiating
>>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
>>>> isakmp#13 msgid:0447f8ea proposal=3DES(3)_192-SHA1(2)_160
>>>> pfsgroup=no-pfs}
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #16: initiating
>>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
>>>> isakmp#13 msgid:a01c9aed proposal=3DES(3)_192-SHA1(2)_160
>>>> pfsgroup=no-pfs}
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #17: initiating
>>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
>>>> isakmp#13 msgid:532b0467 proposal=3DES(3)_192-SHA1(2)_160
>>>> pfsgroup=no-pfs}
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #18: initiating
>>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #11
>>>> {using isakmp#13 msgid:581cfb6d proposal=3DES(3)_192-SHA1(2)_160
>>>> pfsgroup=no-pfs}
>>>> Jul  5 19:39:11 router-TT pluto[60606]: initiate on demand from
>>>> 176.249.3.27:8 to 172.16.12.221:0 proto=1 state: fos_start because:
>>>> acquire
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #19: initiating
>>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
>>>> isakmp#13 msgid:c2b4c48c proposal=3DES(3)_192-SHA1(2)_160
>>>> pfsgroup=no-pfs}
>>>> Jul  5 19:39:11 router-TT pluto[60606]: initiate on demand from
>>>> 176.249.0.1:8 to 172.16.12.221:0 proto=1 state: fos_start because:
>>>> acquire
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #20: initiating
>>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
>>>> isakmp#13 msgid:5c42e8f9 proposal=3DES(3)_192-SHA1(2)_160
>>>> pfsgroup=no-pfs}
>>>> Jul  5 19:39:11 router-TT pluto[60606]: initiate on demand from
>>>> 176.249.3.44:52787 to 172.16.12.221:80 proto=6 state: fos_start
>>>> because: acquire
>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #21: initiating
>>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
>>>> isakmp#13 msgid:bf505abf proposal=3DES(3)_192-SHA1(2)_160
>>>> pfsgroup=no-pfs}
>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #10: received
>>>> Delete SA payload: deleting ISAKMP State #10
>>>> Jul  5 19:39:12 router-TT pluto[60606]: packet from 2.2.2.2:500:
>>>> received and ignored informational message
>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #16: Dead Peer
>>>> Detection (RFC 3706): enabled
>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #16: transition
>>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #16:
>>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>>> {ESP=>0x13552476 <0xbd4999bd xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>>> NATD=none DPD=enabled}
>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #14: Dead Peer
>>>> Detection (RFC 3706): enabled
>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #14: transition
>>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #14:
>>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>>> {ESP=>0x4497ed1c <0x1d1db8f2 xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>>> NATD=none DPD=enabled}
>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #15: Dead Peer
>>>> Detection (RFC 3706): enabled
>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #15: transition
>>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #15:
>>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>>> {ESP=>0x1ee0fa85 <0xd7656b45 xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>>> NATD=none DPD=enabled}
>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #17: Dead Peer
>>>> Detection (RFC 3706): enabled
>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #17: transition
>>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #17:
>>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>>> {ESP=>0x29dd0baa <0xfccca15b xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>>> NATD=none DPD=enabled}
>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #18: Dead Peer
>>>> Detection (RFC 3706): enabled
>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #18: transition
>>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #18:
>>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>>> {ESP=>0x23a597eb <0x26804c4c xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>>> NATD=none DPD=enabled}
>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #19: Dead Peer
>>>> Detection (RFC 3706): enabled
>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #19: transition
>>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #19:
>>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>>> {ESP=>0x6f2ac97f <0xa16f2f01 xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>>> NATD=none DPD=enabled}
>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #20: Dead Peer
>>>> Detection (RFC 3706): enabled
>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #20: transition
>>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #20:
>>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>>> {ESP=>0x0a200766 <0x77bc128c xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>>> NATD=none DPD=enabled}
>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #21: Dead Peer
>>>> Detection (RFC 3706): enabled
>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #21: transition
>>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #21:
>>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>>> {ESP=>0x19bcc321 <0xb32bc1d8 xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>>> NATD=none DPD=enabled}
>>>> 
>>>> 
>>>> Regards,
>>>> Zohair Raza
>>>> _______________________________________________
>>>> Users at openswan.org
>>>> http://lists.openswan.org/mailman/listinfo/users
>>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>>> Building and Integrating Virtual Private Networks with Openswan:
>>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>> 
>>> Regards
>>> 
>>> Dan.
>>> 

Regards

Dan.
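The pluto log quoted further up in this thread shows the sequence an operator wants to track when a site-to-site tunnel flaps: DPD declaring the peer dead, the connection restart, "Del SA ... No such process" errors from the netlink layer, and the new ISAKMP and IPsec SAs (with fresh ESP SPIs) coming up a second later. The script below is an added example, not code from the thread or from the Openswan project. It parses pluto syslog lines into events and pairs every dead-peer declaration with the first IPsec SA established afterwards, so the frequency of flaps and the recovery delay can be measured from a log file instead of eyeballed. It assumes a 2012 syslog year (syslog lines carry none), uses the "esp.SPI@peer" form that pluto actually writes (the list archive rendered the "@" as " at "), and its sample input is a constructed subset of the thread's own lines re-joined onto single lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumption: syslog timestamps carry no year; the thread dates from 2012.
SYSLOG_YEAR = 2012

# Constructed sample: a subset of the pluto lines quoted in the thread,
# re-joined onto single lines as syslog writes them.
PLUTO_LOG = """\
Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #10: DPD: No response from peer - declaring peer dead
Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #10: DPD: Restarting Connection
Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: ERROR: netlink response for Del SA esp.2df00509@2.2.2.2 included errno 3: No such process
Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: initiating Main Mode to replace #10
Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #10: received Delete SA payload: deleting ISAKMP State #10
Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #16: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x13552476 <0xbd4999bd xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #14: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4497ed1c <0x1d1db8f2 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
"""

# syslog prefix, then pluto's '"conn" #state: message' form
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$'
)
# outbound and inbound ESP SPIs as printed on the "IPsec SA established" line
ESP_RE = re.compile(r'ESP=>0x(?P<out>[0-9a-f]+) <0x(?P<in>[0-9a-f]+)')

# substring marker -> event kind; the first marker found in a message wins
EVENT_MARKERS = [
    ("DPD: No response from peer", "dpd_dead"),
    ("DPD: Restarting Connection", "dpd_restart"),
    ("ERROR: netlink response for Del SA", "del_sa_error"),
    ("ISAKMP SA established", "ike_up"),
    ("IPsec SA established", "ipsec_up"),
    ("received Delete SA payload", "peer_delete"),
]


def parse_pluto(text):
    """Turn pluto syslog lines into event dicts; lines without a marker are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind = next((k for marker, k in EVENT_MARKERS if marker in m["msg"]), None)
        if kind is None:
            continue
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        ev = {"time": ts, "conn": m["conn"], "state": int(m["state"]), "kind": kind}
        spi = ESP_RE.search(m["msg"])
        if spi:
            ev["spi_out"], ev["spi_in"] = spi["out"], spi["in"]
        events.append(ev)
    return events


def dpd_flaps(events):
    """Per connection, pair each DPD dead-peer declaration with the first IPsec SA
    established afterwards and report the recovery delay and any Del SA errors."""
    by_conn = defaultdict(list)
    for ev in events:
        by_conn[ev["conn"]].append(ev)
    flaps = []
    for conn, evs in by_conn.items():
        for i, ev in enumerate(evs):
            if ev["kind"] != "dpd_dead":
                continue
            later = evs[i + 1:]
            recovered = next((e for e in later if e["kind"] == "ipsec_up"), None)
            flaps.append({
                "conn": conn,
                "dead_at": ev["time"],
                "recovery_seconds": (recovered["time"] - ev["time"]).total_seconds() if recovered else None,
                "new_spi_out": recovered.get("spi_out") if recovered else None,
                "del_sa_errors": sum(1 for e in later if e["kind"] == "del_sa_error"),
            })
    return flaps


if __name__ == "__main__":
    for flap in dpd_flaps(parse_pluto(PLUTO_LOG)):
        print(flap)
```

Run against a day's worth of `/var/log/secure` (or wherever pluto logs on the box) the flap list gives the dead-at times, so the "random" failures in the thread can be checked against rekey intervals and peer-side events; a recovery delay of a second or two with fresh SPIs, as in the sample, means DPD restarted the tunnel cleanly, whereas a missing recovery marks a restart that did not complete.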


