[Openswan Users] Multiple IPSec SAs

Chris Stanaway jcstanaway at sbcglobal.net
Wed Jun 27 19:52:06 EDT 2012


I've got Openswan 2.6.32 installed talking to a Juniper firewall.  Upon an OS boot, the IPSec tunnel is successfully established.  However, if the firewall is restarted, the IKE SA is re-established (auto=restart), but multiple IPSec SAs are also established and it appears that Openswan and the firewall have gotten confused as to which IPSec SA to use as no data is sent/received.


While the firewall was down, data was attempted to be sent towards the firewall, but failed as expected.  However, each packet triggered an "initiate on demand".  There were 13 such packets.  After the firewall was restarted and the IKE SA established, Pluto went through 14 Quick Mode setups (13 for the queued packets and 1 just because).  As noted, with these 14 IPSec SAs established, no data was sent/received with the firewall.


Eventually, IPSec was manually restarted and everything returned to normal.

Jun 27 10:04:08 z001isgw01 pluto[3075]: "mybox-firewall" #38: DPD: No response from peer - declaring peer dead
Jun 27 10:04:08 z001isgw01 pluto[3075]: "mybox-firewall" #38: DPD: Restarting Connection
Jun 27 10:04:08 z001isgw01 pluto[3075]: "mybox-firewall" #35: rekeying state (STATE_QUICK_I2)
Jun 27 10:04:08 z001isgw01 pluto[3075]: "mybox-firewall" #35: rekeying state (STATE_QUICK_I2)
Jun 27 10:04:08 z001isgw01 pluto[3075]: "mybox-firewall" #35: ERROR: netlink response for Del SA esp.f338e426 at 10.1.234.10 included errno 3: No such process
Jun 27 10:04:08 z001isgw01 pluto[3075]: "mybox-firewall" #35: ERROR: netlink response for Del SA esp.8d5de25f at 10.1.234.1 included errno 3: No such process
Jun 27 10:04:08 z001isgw01 pluto[3075]: "mybox-firewall" #39: initiating Main Mode to replace #38
Jun 27 10:04:08 z001isgw01 pluto[3075]: initiate on demand from 192.168.0.2:0 to 10.1.234.10:0 proto=255 state: fos_start because: acquire
Jun 27 10:04:08 z001isgw01 pluto[3075]: initiate on demand from 192.168.0.2:5060 to 90.9.234.2:5060 proto=17 state: fos_start because: acquire
Jun 27 10:04:08 z001isgw01 pluto[3075]: initiate on demand from 192.168.0.2:5060 to 70.7.234.2:5060 proto=17 state: fos_start because: acquire
Jun 27 10:04:09 z001isgw01 pluto[3075]: "mybox-firewall" #39: ERROR: asynchronous network error report on eth3 (sport=500) for message to 10.1.234.10 port 500, complainant 10.1.234.1: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Jun 27 10:04:11 z001isgw01 pluto[3075]: initiate on demand from 192.168.0.2:5060 to 90.9.238.2:5060 proto=17 state: fos_start because: acquire
Jun 27 10:04:21 z001isgw01 pluto[3075]: "mybox-firewall" #39: ERROR: asynchronous network error report on eth3 (sport=500) for message to 10.1.234.10 port 500, complainant 10.1.234.1: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Jun 27 10:04:40 z001isgw01 pluto[3075]: initiate on demand from 192.168.0.2:0 to 10.1.234.10:0 proto=255 state: fos_start because: acquire
Jun 27 10:04:41 z001isgw01 pluto[3075]: "mybox-firewall" #39: ERROR: asynchronous network error report on eth3 (sport=500) for message to 10.1.234.10 port 500, complainant 10.1.234.1: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Jun 27 10:04:42 z001isgw01 pluto[3075]: initiate on demand from 192.168.0.2:5060 to 90.9.234.2:5060 proto=17 state: fos_start because: acquire
Jun 27 10:04:53 z001isgw01 pluto[3075]: initiate on demand from 192.168.0.2:5060 to 90.9.238.2:5060 proto=17 state: fos_start because: acquire
Jun 27 10:05:12 z001isgw01 pluto[3075]: initiate on demand from 192.168.0.2:0 to 10.1.234.10:0 proto=255 state: fos_start because: acquire
Jun 27 10:05:16 z001isgw01 pluto[3075]: initiate on demand from 192.168.0.2:5060 to 90.9.234.2:5060 proto=17 state: fos_start because: acquire
Jun 27 10:05:20 z001isgw01 pluto[3075]: initiate on demand from 192.168.0.2:5060 to 70.7.234.2:5060 proto=17 state: fos_start because: acquire
Jun 27 10:05:21 z001isgw01 pluto[3075]: "mybox-firewall" #39: ERROR: asynchronous network error report on eth3 (sport=500) for message to 10.1.234.10 port 500, complainant 10.1.234.1: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Jun 27 10:05:35 z001isgw01 pluto[3075]: initiate on demand from 192.168.0.2:5060 to 90.9.238.2:5060 proto=17 state: fos_start because: acquire
Jun 27 10:05:44 z001isgw01 pluto[3075]: initiate on demand from 192.168.0.2:0 to 10.1.234.10:0 proto=255 state: fos_start because: acquire
Jun 27 10:05:50 z001isgw01 pluto[3075]: initiate on demand from 192.168.0.2:5060 to 90.9.234.2:5060 proto=17 state: fos_start because: acquire
Jun 27 10:05:53 z001isgw01 pluto[3075]: packet from 10.1.234.10:500: ignoring unknown Vendor ID payload [a601e645e2e8e15239409664fdeb5a9000cf9cad0000000e0000061e]
Jun 27 10:05:53 z001isgw01 pluto[3075]: packet from 10.1.234.10:500: received Vendor ID payload [Dead Peer Detection]
Jun 27 10:05:53 z001isgw01 pluto[3075]: packet from 10.1.234.10:500: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
Jun 27 10:05:53 z001isgw01 pluto[3075]: "mybox-firewall" #40: responding to Main Mode
Jun 27 10:05:53 z001isgw01 pluto[3075]: "mybox-firewall" #40: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 27 10:05:53 z001isgw01 pluto[3075]: "mybox-firewall" #40: STATE_MAIN_R1: sent MR1, expecting MI2
Jun 27 10:05:53 z001isgw01 pluto[3075]: "mybox-firewall" #40: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 27 10:05:53 z001isgw01 pluto[3075]: "mybox-firewall" #40: STATE_MAIN_R2: sent MR2, expecting MI3
Jun 27 10:05:53 z001isgw01 pluto[3075]: "mybox-firewall" #40: Main mode peer ID is ID_IPV4_ADDR: '10.1.234.10'
Jun 27 10:05:53 z001isgw01 pluto[3075]: "mybox-firewall" #40: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 27 10:05:53 z001isgw01 pluto[3075]: "mybox-firewall" #40: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Jun 27 10:05:53 z001isgw01 pluto[3075]: "mybox-firewall" #40: Dead Peer Detection (RFC 3706): enabled
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #39: ignoring unknown Vendor ID payload [a601e645e2e8e15239409664fdeb5a9000cf9cad0000000e0000061e]
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #39: received Vendor ID payload [Dead Peer Detection]
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #39: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #39: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #39: STATE_MAIN_I2: sent MI2, expecting MR2
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #39: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #39: STATE_MAIN_I3: sent MI3, expecting MR3
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #39: Main mode peer ID is ID_IPV4_ADDR: '10.1.234.10'
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #39: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #39: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #39: Dead Peer Detection (RFC 3706): enabled
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #41: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#39 msgid:d9467a3e proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #42: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#39 msgid:deea9a90 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #43: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#39 msgid:56c51871 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #44: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#39 msgid:afb54c39 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #45: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#39 msgid:ad136b40 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #46: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#39 msgid:04d37942 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #47: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#39 msgid:a6e7e850 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #48: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#39 msgid:9b11eb80 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #49: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#39 msgid:40a712ec proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #50: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#39 msgid:739db093 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #51: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#39 msgid:61972bf6 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #52: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#39 msgid:52855dd8 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #53: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#39 msgid:ab42013b proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #54: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #35 {using isakmp#39 msgid:e14d5996 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #41: Dead Peer Detection (RFC 3706): enabled
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #41: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #41: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4b66b470 <0x916fe43d xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #42: Dead Peer Detection (RFC 3706): enabled
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #42: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #42: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4b66b471 <0x5ceeacab xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #43: Dead Peer Detection (RFC 3706): enabled
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #43: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #43: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4b66b472 <0xed8286bf xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #44: Dead Peer Detection (RFC 3706): enabled
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #44: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #44: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4b66b473 <0x87daa4b0 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #45: Dead Peer Detection (RFC 3706): enabled
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #45: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #45: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4b66b474 <0x3c85c37f xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #46: Dead Peer Detection (RFC 3706): enabled
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #46: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #46: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4b66b475 <0x7211f885 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #47: Dead Peer Detection (RFC 3706): enabled
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #47: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #47: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4b66b476 <0x8bb24577 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #48: Dead Peer Detection (RFC 3706): enabled
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #48: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #48: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4b66b477 <0x99b67f0a xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #49: Dead Peer Detection (RFC 3706): enabled
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #49: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #49: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4b66b478 <0xa8d56f44 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #50: Dead Peer Detection (RFC 3706): enabled
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #50: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #50: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4b66b479 <0x6927c1b0 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #51: Dead Peer Detection (RFC 3706): enabled
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #51: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #51: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4b66b47a <0xd3e1e3d5 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #52: Dead Peer Detection (RFC 3706): enabled
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #52: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #52: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4b66b47b <0x29f9a313 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #53: Dead Peer Detection (RFC 3706): enabled
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #53: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #53: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4b66b47c <0x2e912976 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #54: Dead Peer Detection (RFC 3706): enabled
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #54: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #54: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x4b66b47d <0x6331e083 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #39: received 1 malformed payload notifies
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #39: received 2 malformed payload notifies
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #39: received 3 malformed payload notifies
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #39: received 4 malformed payload notifies
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #39: received 5 malformed payload notifies
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #39: received 6 malformed payload notifies
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #39: received 7 malformed payload notifies
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #39: received 8 malformed payload notifies
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #39: received 9 malformed payload notifies
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #39: received 10 malformed payload notifies
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #39: received 11 malformed payload notifies
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #39: received 12 malformed payload notifies
Jun 27 10:05:58 z001isgw01 pluto[3075]: "mybox-firewall" #39: received 13 malformed payload notifies

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes
        virtual_private=
        oe=no
        # Enable this if you see "failed to find any available worker"
        nhelpers=0
        hidetos=no
        interfaces=%none

conn mybox-firewall
     auth=esp
     authby=secret
     auto=start
     compress=no
     dpdaction=restart
     dpddelay=7
     dpdtimeout=30
     ike=aes256-sha1;modp2048
     keyexchange=ike
     keyingtries=%forever
     left=10.5.234.2
     leftsubnet=192.168.0.6/32
     pfs=no
     phase2alg=aes256-sha1
     right=10.5.234.10
     rightsubnet=0.0.0.0/0
     type=tunnel


While the tunnel/firewall is down, I don't care about queuing any data.  Any suggestions?


Chris
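
A log check for the pattern reported in the post above, as an added example that is not part of the original message or of Openswan: it counts the on-demand acquires, groups Quick Mode initiations by the ISAKMP SA they ran under, and flags a connection that ends up with more than one outbound ESP SPI. The sample log is constructed in the same format as the pluto output above; `summarize` and its field names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the pluto log above; host name, SPIs
# and msgids are made up and the run is shortened to two acquires.
SAMPLE_LOG = """\
Jun 27 10:04:08 gw pluto[3075]: "mybox-firewall" #39: initiating Main Mode to replace #38
Jun 27 10:04:08 gw pluto[3075]: initiate on demand from 192.168.0.2:5060 to 90.9.234.2:5060 proto=17 state: fos_start because: acquire
Jun 27 10:04:40 gw pluto[3075]: initiate on demand from 192.168.0.2:0 to 10.1.234.10:0 proto=255 state: fos_start because: acquire
Jun 27 10:05:58 gw pluto[3075]: "mybox-firewall" #39: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY}
Jun 27 10:05:58 gw pluto[3075]: "mybox-firewall" #41: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#39 msgid:00000001 pfsgroup=no-pfs}
Jun 27 10:05:58 gw pluto[3075]: "mybox-firewall" #42: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#39 msgid:00000002 pfsgroup=no-pfs}
Jun 27 10:05:58 gw pluto[3075]: "mybox-firewall" #43: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP to replace #35 {using isakmp#39 msgid:00000003 pfsgroup=no-pfs}
Jun 27 10:05:58 gw pluto[3075]: "mybox-firewall" #41: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x00000a01 <0x00000b01 xfrm=AES_256-HMAC_SHA1}
Jun 27 10:05:58 gw pluto[3075]: "mybox-firewall" #42: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x00000a02 <0x00000b02 xfrm=AES_256-HMAC_SHA1}
Jun 27 10:05:58 gw pluto[3075]: "mybox-firewall" #43: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x00000a03 <0x00000b03 xfrm=AES_256-HMAC_SHA1}
Jun 27 10:05:58 gw pluto[3075]: "mybox-firewall" #39: received 1 malformed payload notifies
Jun 27 10:05:58 gw pluto[3075]: "mybox-firewall" #39: received 2 malformed payload notifies
"""

ACQUIRE = re.compile(r"initiate on demand from \S+ to \S+ proto=\d+ .*because: acquire")
QUICK = re.compile(r'"([^"]+)" #(\d+): initiating Quick Mode \S+'
                   r'(?: to replace #(\d+))? \{using isakmp#(\d+)')
ESTAB = re.compile(r'"([^"]+)" #(\d+): STATE_QUICK_[IR]2: .*IPsec SA established'
                   r'.*ESP=>(0x[0-9a-fA-F]+) <(0x[0-9a-fA-F]+)')
NOTIFY = re.compile(r'"([^"]+)" #(\d+): received (\d+) malformed payload notifies')


def summarize(log_text):
    """Group Quick Mode exchanges by (connection, ISAKMP SA) and flag duplicates."""
    acquires = 0
    groups = defaultdict(lambda: {"quick_modes": 0, "replacements": 0,
                                  "outbound_spis": [], "malformed_notifies": 0})
    owner = {}  # Quick Mode state number -> (connection, ISAKMP SA number)
    for line in log_text.splitlines():
        if ACQUIRE.search(line):
            acquires += 1  # one kernel acquire per packet that hit the policy
        elif (m := QUICK.search(line)):
            key = (m.group(1), int(m.group(4)))
            owner[int(m.group(2))] = key
            groups[key]["quick_modes"] += 1
            if m.group(3):  # "to replace #N": the rekey of the old IPsec SA
                groups[key]["replacements"] += 1
        elif (m := ESTAB.search(line)):
            key = owner.get(int(m.group(2)))
            if key:
                groups[key]["outbound_spis"].append(m.group(3))
        elif (m := NOTIFY.search(line)):
            key = (m.group(1), int(m.group(2)))  # notifies are logged on the ISAKMP SA
            if key in groups:
                g = groups[key]
                g["malformed_notifies"] = max(g["malformed_notifies"], int(m.group(3)))
    for g in groups.values():
        # More than one outbound SPI under one ISAKMP SA is the symptom in the post.
        g["duplicate_sas"] = len(g["outbound_spis"]) > 1
    return {"acquires": acquires, "groups": dict(groups)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
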