[Openswan Users] Openswan and Cisco 3030

Nick Howitt n1ck.h0w1tt at gmail.com
Tue Jul 17 07:37:08 EDT 2012


I use a DrayTek rather than a Cisco, but yes, it is on a (slightly) dynamic IP address. (The address rarely changes unless a device with a different MAC is plugged into the cable modem.)

I think the problem I was describing is different. In my case I lost my internet connection, then DPD tried reloading the conn, which had an FQDN in it. As the FQDN could not resolve, ipsec terminated. In your case ipsec has not terminated, as you can see logging from ipsec/pluto.

Regards,

Nick

Quoting "Daniel Cave" <dan.cave at me.com>:

> Zohair,
>
> I just noticed Nick Howitt's email from 13 July about DrayTek and DPD.
>
> I don't suppose by any chance either of your Cisco configs is using dynamic IP addresses, are they?
>
> Or perhaps it could be a similar related issue?
>
> Regards
> dan
>
> On 13 Jul 2012, at 12:31, Zohair Raza wrote:
>
>> I would appreciate it if someone could suggest a way to fix it.
>>
>> Thanks
>>
>> Regards,
>> Zohair Raza
>>
>>
>>
>>
>> On Mon, Jul 9, 2012 at 2:17 PM, Zohair Raza
>> <engineerzuhairraza at gmail.com> wrote:
>>> Hi Daniel,
>>>
>>> Thanks for the reply. Yes, dead peer detection is enabled on the Cisco.
>>>
>>> Failure is random; sometimes it fails very often and sometimes it stays up for a long time.
>>>
>>> This is what appears on the Cisco when the tunnel fails:
>>>
>>>
>>> 44708 07/09/2012 10:41:01.410 SEV=5 IKE/0 RPT=19392
>>> Could not find centry for IPSec SA delete message
>>>
>>> 44709 07/09/2012 10:52:31.670 SEV=5 IKE/50 RPT=1482 1.1.1.1
>>> Group [1.1.1.1]
>>> Connection terminated for peer 1.1.1.1.
>>> Reason: Peer Terminate
>>> Remote Proxy 176.249.0.0, Local Proxy 172.16.0.0
>>>
>>> 44712 07/09/2012 10:52:55.980 SEV=5 IKE/50 RPT=1483 1.1.1.1
>>> Group [1.1.1.1]
>>> Connection terminated for peer 1.1.1.1.
>>> Reason: Peer Terminate
>>> Remote Proxy 176.249.0.0, Local Proxy 213.40.195.0
>>>
>>> 44715 07/09/2012 10:52:55.990 SEV=5 IKE/50 RPT=1484 1.1.1.1
>>> Group [1.1.1.1]
>>> Connection terminated for peer 1.1.1.1.
>>> Reason: Peer Terminate
>>> Remote Proxy 176.249.0.0, Local Proxy 170.254.0.0
>>>
>>> 44718 07/09/2012 10:52:55.990 SEV=4 AUTH/23 RPT=50284 1.1.1.1
>>> User [1.1.1.1] Group [1.1.1.1] disconnected: duration: 0:17:25
>>>
>>> 44719 07/09/2012 10:52:55.990 SEV=4 AUTH/85 RPT=50276
>>> LAN-to-LAN tunnel to headend device 1.1.1.1 disconnected: duration: 0:17:25
>>>
>>> 44720 07/09/2012 10:52:56.010 SEV=5 IKE/50 RPT=1485 1.1.1.1
>>> Group [1.1.1.1]
>>> Connection terminated for peer 1.1.1.1.
>>> Reason: Peer Terminate
>>> Remote Proxy 176.249.0.0, Local Proxy 172.16.0.0
>>>
>>> 44723 07/09/2012 10:52:56.020 SEV=5 IKE/0 RPT=19393
>>> Could not find centry for IPSec SA delete message
>>>
>>> 44724 07/09/2012 10:52:56.020 SEV=5 IKE/170 RPT=377 1.1.1.1
>>> Group [1.1.1.1]
>>> IKE Received delete for rekeyed centry
>>> IKE peer: 176.249.0.0, centry addr: 06ac2fa8, msgid: 0xd4057aa0
>>>
>>> 44727 07/09/2012 10:52:56.020 SEV=6 IKE/0 RPT=19394 1.1.1.1
>>> Group [1.1.1.1]
>>> Removing peer from peer table failed, no match!
>>>
>>> 44728 07/09/2012 10:52:56.030 SEV=4 AUTH/23 RPT=50285 1.1.1.1
>>> User [1.1.1.1] Group [1.1.1.1] disconnected: duration: 0:17:18
>>>
>>> 44729 07/09/2012 10:52:56.030 SEV=4 AUTH/85 RPT=50277
>>> LAN-to-LAN tunnel to headend device 1.1.1.1 disconnected: duration: 0:17:18
>>>
>>> 44730 07/09/2012 10:52:58.010 SEV=4 IKE/119 RPT=53479 1.1.1.1
>>>
>>>
>>> Regards,
>>> Zohair Raza
>>>
>>>
>>>
>>>
>>> On Mon, Jul 9, 2012 at 1:16 PM, Daniel Cave <dan.cave at me.com> wrote:
>>>> Zohair, Hi
>>>>
>>>> Have you checked that the Cisco 3030 has got the dead peer detection feature enabled also?
>>>>
>>>> I'm wondering what logs you see on the 3030 device when the tunnel fails - can you get those?
>>>>
>>>> Does this happen at the same time every day or randomly?
>>>>
>>>> Regards
>>>>
>>>> dan
>>>>
>>>> Fahrenheit IT.
>>>>
>>>>
>>>> On 9 Jul 2012, at 10:09, Zohair Raza wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have recently set up a VPN between Openswan and a Cisco 3030. It connects without any issues, but after some time the tunnel fails. I am new to Openswan and cannot find the root cause of or solution to this problem, even though I have googled a lot.
>>>>>
>>>>> Please can someone help me out? Here are my config and logs.
>>>>>
>>>>> openswan ipsec.conf:
>>>>>
>>>>> config setup
>>>>>       # Debug-logging controls:  "none" for (almost) none, "all" for lots.
>>>>>       # klipsdebug=none
>>>>>       # plutodebug="control parsing"
>>>>>       # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
>>>>>       protostack=netkey
>>>>> #       nat_traversal=yes
>>>>>       virtual_private=%v4:176.249.0.0/16
>>>>>       oe=off
>>>>>       myid=1.1.1.1
>>>>>       # Enable this if you see "failed to find any available worker"
>>>>>       # nhelpers=0
>>>>>       klipsdebug=none
>>>>>       plutodebug=none
>>>>>       keep_alive=50
>>>>>       interfaces=%defaultroute
>>>>>
>>>>>
>>>>> openswan tunnel config:
>>>>>
>>>>> conn TT-UK-1
>>>>>
>>>>>       left=2.2.2.2
>>>>>       leftsubnets={172.16.0.0/16 17.254.0.0/16 210.40.5.0/24}
>>>>>
>>>>>       right=1.1.1.1
>>>>>       rightsubnet=176.249.0.0/16
>>>>>
>>>>>       keyexchange=ike
>>>>>       pfs=no
>>>>>       rekey=yes
>>>>>
>>>>>       auto=start
>>>>>       authby=secret
>>>>>
>>>>>       phase2alg=3DES-SHA1
>>>>>       ike=3DES-SHA1
>>>>>
>>>>>       dpddelay=30
>>>>>       compress=no
>>>>>       type=tunnel
>>>>>       dpdtimeout=30
>>>>>       dpdaction=restart
>>>>>
>>>>>       salifetime=28800s
>>>>>       ikelifetime=86400s
>>>>>
>>>>>
>>>>> Logs when tunnel fails :
>>>>>
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #10: DPD: No
>>>>> response from peer - declaring peer dead
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #10: DPD:
>>>>> Restarting Connection
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: rekeying
>>>>> state (STATE_QUICK_R2)
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #7: rekeying
>>>>> state (STATE_QUICK_I2)
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: rekeying
>>>>> state (STATE_QUICK_R2)
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: ERROR:
>>>>> netlink response for Del SA esp.2df00509 at 2.2.2.2 included errno 3: No
>>>>> such process
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #11: ERROR:
>>>>> netlink response for Del SA esp.3af14046 at 1.1.1.1 included errno 3: No
>>>>> such process
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #7: rekeying
>>>>> state (STATE_QUICK_I2)
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #7: ERROR:
>>>>> netlink response for Del SA esp.8ad7896 at 2.2.2.2 included errno 3: No
>>>>> such process
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #7: ERROR:
>>>>> netlink response for Del SA esp.3a5f570a at 1.1.1.1 included errno 3: No
>>>>> such process
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: initiating
>>>>> Main Mode to replace #10
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: initiate on demand from
>>>>> 176.249.3.10:17168 to 172.16.12.221:16824 proto=17 state: fos_start
>>>>> because: acquire
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: initiate on demand from
>>>>> 176.249.3.89:10138 to 172.16.12.221:19624 proto=17 state: fos_start
>>>>> because: acquire
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: initiate on demand from
>>>>> 176.249.3.1:11784 to 172.16.12.221:13598 proto=17 state: fos_start
>>>>> because: acquire
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: initiate on demand from
>>>>> 176.249.3.233:10068 to 172.16.12.221:10166 proto=17 state: fos_start
>>>>> because: acquire
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: ignoring
>>>>> Vendor ID payload [FRAGMENTATION c0000000]
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: transition
>>>>> from state STATE_MAIN_I1 to state STATE_MAIN_I2
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13:
>>>>> STATE_MAIN_I2: sent MI2, expecting MR2
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: received
>>>>> Vendor ID payload [Cisco-Unity]
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: received
>>>>> Vendor ID payload [XAUTH]
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: ignoring
>>>>> unknown Vendor ID payload [366b42f48b3b9dd8ac5c05fe5494759b]
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: ignoring
>>>>> Vendor ID payload [Cisco VPN 3000 Series]
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: transition
>>>>> from state STATE_MAIN_I2 to state STATE_MAIN_I3
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13:
>>>>> STATE_MAIN_I3: sent MI3, expecting MR3
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: received
>>>>> Vendor ID payload [Dead Peer Detection]
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: Main mode
>>>>> peer ID is ID_IPV4_ADDR: '2.2.2.2'
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: transition
>>>>> from state STATE_MAIN_I3 to state STATE_MAIN_I4
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13:
>>>>> STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
>>>>> cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: Dead Peer
>>>>> Detection (RFC 3706): enabled
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #14: initiating
>>>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
>>>>> isakmp#13 msgid:29e320e8 proposal=3DES(3)_192-SHA1(2)_160
>>>>> pfsgroup=no-pfs}
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #15: initiating
>>>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
>>>>> isakmp#13 msgid:0447f8ea proposal=3DES(3)_192-SHA1(2)_160
>>>>> pfsgroup=no-pfs}
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #16: initiating
>>>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
>>>>> isakmp#13 msgid:a01c9aed proposal=3DES(3)_192-SHA1(2)_160
>>>>> pfsgroup=no-pfs}
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #17: initiating
>>>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
>>>>> isakmp#13 msgid:532b0467 proposal=3DES(3)_192-SHA1(2)_160
>>>>> pfsgroup=no-pfs}
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #18: initiating
>>>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #11
>>>>> {using isakmp#13 msgid:581cfb6d proposal=3DES(3)_192-SHA1(2)_160
>>>>> pfsgroup=no-pfs}
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: initiate on demand from
>>>>> 176.249.3.27:8 to 172.16.12.221:0 proto=1 state: fos_start because:
>>>>> acquire
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #19: initiating
>>>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
>>>>> isakmp#13 msgid:c2b4c48c proposal=3DES(3)_192-SHA1(2)_160
>>>>> pfsgroup=no-pfs}
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: initiate on demand from
>>>>> 176.249.0.1:8 to 172.16.12.221:0 proto=1 state: fos_start because:
>>>>> acquire
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #20: initiating
>>>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
>>>>> isakmp#13 msgid:5c42e8f9 proposal=3DES(3)_192-SHA1(2)_160
>>>>> pfsgroup=no-pfs}
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: initiate on demand from
>>>>> 176.249.3.44:52787 to 172.16.12.221:80 proto=6 state: fos_start
>>>>> because: acquire
>>>>> Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #21: initiating
>>>>> Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using
>>>>> isakmp#13 msgid:bf505abf proposal=3DES(3)_192-SHA1(2)_160
>>>>> pfsgroup=no-pfs}
>>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #10: received
>>>>> Delete SA payload: deleting ISAKMP State #10
>>>>> Jul  5 19:39:12 router-TT pluto[60606]: packet from 2.2.2.2:500:
>>>>> received and ignored informational message
>>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #16: Dead Peer
>>>>> Detection (RFC 3706): enabled
>>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #16: transition
>>>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #16:
>>>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>>>> {ESP=>0x13552476 <0xbd4999bd xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>>>> NATD=none DPD=enabled}
>>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #14: Dead Peer
>>>>> Detection (RFC 3706): enabled
>>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #14: transition
>>>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #14:
>>>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>>>> {ESP=>0x4497ed1c <0x1d1db8f2 xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>>>> NATD=none DPD=enabled}
>>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #15: Dead Peer
>>>>> Detection (RFC 3706): enabled
>>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #15: transition
>>>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #15:
>>>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>>>> {ESP=>0x1ee0fa85 <0xd7656b45 xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>>>> NATD=none DPD=enabled}
>>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #17: Dead Peer
>>>>> Detection (RFC 3706): enabled
>>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #17: transition
>>>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #17:
>>>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>>>> {ESP=>0x29dd0baa <0xfccca15b xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>>>> NATD=none DPD=enabled}
>>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #18: Dead Peer
>>>>> Detection (RFC 3706): enabled
>>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #18: transition
>>>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #18:
>>>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>>>> {ESP=>0x23a597eb <0x26804c4c xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>>>> NATD=none DPD=enabled}
>>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #19: Dead Peer
>>>>> Detection (RFC 3706): enabled
>>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #19: transition
>>>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #19:
>>>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>>>> {ESP=>0x6f2ac97f <0xa16f2f01 xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>>>> NATD=none DPD=enabled}
>>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #20: Dead Peer
>>>>> Detection (RFC 3706): enabled
>>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #20: transition
>>>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #20:
>>>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>>>> {ESP=>0x0a200766 <0x77bc128c xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>>>> NATD=none DPD=enabled}
>>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #21: Dead Peer
>>>>> Detection (RFC 3706): enabled
>>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #21: transition
>>>>> from state STATE_QUICK_I1 to state STATE_QUICK_I2
>>>>> Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #21:
>>>>> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>>>>> {ESP=>0x19bcc321 <0xb32bc1d8 xfrm=3DES_0-HMAC_SHA1 NATOA=none
>>>>> NATD=none DPD=enabled}
>>>>>
>>>>>
>>>>> Regards,
>>>>> Zohair Raza
>>>>> _______________________________________________
>>>>> Users at openswan.org
>>>>> http://lists.openswan.org/mailman/listinfo/users
>>>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>>>> Building and Integrating Virtual Private Networks with Openswan:
>>>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>>
>>>> Regards
>>>>
>>>> Dan.
>>>>
>
> Regards
>
> Dan.
>
>
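The conn block quoted in the thread sets dpddelay=30 and dpdtimeout=30, and the pluto log shows the consequence: "DPD: No response from peer - declaring peer dead" followed by "Restarting Connection" and a full Main Mode / Quick Mode renegotiation. Openswan sends an R_U_THERE probe every dpddelay seconds and declares the peer dead once dpdtimeout seconds pass with no traffic from it, so when dpdtimeout is not larger than dpddelay the idle timer can expire around the time the first probe goes out and one lost or late reply tears the tunnel down. The following is an added example, not code from the thread or from the Openswan project: it lints the DPD timing in a conn block and extracts a restart timeline from pluto log lines. The conn text and the log lines are constructed from what the thread quotes (log lines re-joined onto single lines); the key=value reader and the log regex are my own assumptions about the format, not an Openswan API.

```python
"""Added example (not from the thread or from Openswan): lint DPD timing in an
Openswan conn block and pull a DPD-restart timeline out of pluto log lines."""
import re
from datetime import datetime

# Constructed sample: the conn block quoted in the thread, without quote marks.
CONN_TEXT = """conn TT-UK-1
        left=2.2.2.2
        leftsubnets={172.16.0.0/16 17.254.0.0/16 210.40.5.0/24}
        right=1.1.1.1
        rightsubnet=176.249.0.0/16
        keyexchange=ike
        pfs=no
        rekey=yes
        auto=start
        authby=secret
        phase2alg=3DES-SHA1
        ike=3DES-SHA1
        dpddelay=30
        compress=no
        type=tunnel
        dpdtimeout=30
        dpdaction=restart
        salifetime=28800s
        ikelifetime=86400s
"""

# Constructed sample: pluto lines in the shape quoted in the thread, re-joined.
PLUTO_LOG = """\
Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #10: DPD: No response from peer - declaring peer dead
Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #10: DPD: Restarting Connection
Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: initiating Main Mode to replace #10
Jul  5 19:39:11 router-TT pluto[60606]: initiate on demand from 176.249.3.10:17168 to 172.16.12.221:16824 proto=17 state: fos_start because: acquire
Jul  5 19:39:11 router-TT pluto[60606]: "TT-UK-1/1x0" #13: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #16: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x13552476 <0xbd4999bd xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jul  5 19:39:12 router-TT pluto[60606]: "TT-UK-1/1x0" #14: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4497ed1c <0x1d1db8f2 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
"""


def parse_conn(text):
    """Minimal key=value reader (assumption, not Openswan's parser) for one conn block."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def seconds(value):
    """Accept '30' or '30s' and return an int number of seconds."""
    return int(value.rstrip("s"))


def lint_dpd(settings):
    """Return findings about DPD timing. Openswan defaults: dpddelay=30, dpdtimeout=120."""
    findings = []
    delay = seconds(settings.get("dpddelay", "30"))
    timeout = seconds(settings.get("dpdtimeout", "120"))
    if timeout <= delay:
        findings.append(f"dpdtimeout={timeout} is not greater than dpddelay={delay}: "
                        "one lost or late probe reply declares the peer dead")
    elif timeout < 3 * delay:
        findings.append(f"dpdtimeout={timeout} allows fewer than three probes "
                        f"(dpddelay={delay}) before the peer is declared dead")
    if settings.get("dpdaction") == "restart":
        findings.append("dpdaction=restart tears down and re-initiates every SA of the "
                        "conn when the peer is declared dead")
    return findings


# Only lines that carry a quoted conn name and a #state number are considered.
LINE_RE = re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
                     r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')


def dpd_timeline(log_text, year=2012):
    """Group pluto lines into DPD incidents: when the peer was declared dead, which
    ISAKMP state replaced the dead one, and how many IPsec SAs came back up."""
    incidents = []
    current = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the double space in "Jul  5"
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        if "declaring peer dead" in msg:
            current = {"conn": m["conn"], "dead_at": ts, "old_isakmp": int(m["state"]),
                       "new_isakmp": None, "ipsec_sas": 0, "recovered_at": None}
            incidents.append(current)
        elif current is None or m["conn"] != current["conn"]:
            continue
        elif msg.startswith("initiating Main Mode to replace"):
            current["new_isakmp"] = int(m["state"])
        elif "IPsec SA established" in msg:
            current["ipsec_sas"] += 1
            current["recovered_at"] = ts
    return incidents


if __name__ == "__main__":
    for finding in lint_dpd(parse_conn(CONN_TEXT)):
        print("finding:", finding)
    for inc in dpd_timeline(PLUTO_LOG):
        gap = (inc["recovered_at"] - inc["dead_at"]).total_seconds()
        print(f'{inc["conn"]}: ISAKMP #{inc["old_isakmp"]} declared dead at {inc["dead_at"]:%H:%M:%S}, '
              f'replaced by #{inc["new_isakmp"]}, {inc["ipsec_sas"]} IPsec SAs back after {gap:.0f}s')
```

Run it against the full pluto log from the thread (joined onto single lines) to see how many SAs each restart re-negotiates and how long the gap is; on a production box the same regex can be pointed at the syslog file. The lint only reasons about the DPD timers the thread sets; it does not decide whether the peer was genuinely unreachable, which the Cisco-side "Peer Terminate" log lines are needed for.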
