[Openswan Users] Openswan to cisco / SA Expired
Vincent Tamet
vincent.tamet at ilimit.net
Wed Mar 14 12:17:15 EDT 2012
Hi,
I have a VPN between an Openswan (Linux Openswan U2.4.12/K2.6.26-1-686 (netkey)) and a Cisco 877 ((C870-ADVSECURITYK9-M), Version 12.4(24)T6).
I observe some SA Expired messages and then the tunnel goes down; a ping from the Cisco immediately brings the VPN up.
I tried to set some very low timers to correct the configuration, without success. I already checked and rechecked DPD, lifetime, rekey, and now I don't know what I'm missing.
Could you help me to correct my configuration?
Best regards
Vince / OSG[PCQ]
PS: Logs:
-------------------------------------------------------------------------------------------
000 "prova": ike_life: 60s; ipsec_life: 120s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5
000 "prova": dpd: action:hold; delay:10; timeout:30;
-------------------------------------------------------------------------------------------
Crypto Map "cm-cryptomap" 1 ipsec-isakmp
Peer = x.x.x.74
Extended IP access list 101
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.1.0.0 0.0.1.255
access-list 101 permit ip 192.1.0.0 0.0.1.255 192.168.2.0 0.0.0.255
access-list 101 deny ip any any
Security association lifetime: 4608000 kilobytes/120 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group2
Transform sets={
tr-3des-md5: { esp-3des esp-md5-hmac } ,
}
-------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------
Mar 14 16:49:16 mpat-sc pluto[11239]: packet from y.y.y.136:500: received Vendor ID payload [RFC 3947] meth=109, but port floating is off
Mar 14 16:49:16 mpat-sc pluto[11239]: packet from y.y.y.136:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Mar 14 16:49:16 mpat-sc pluto[11239]: packet from y.y.y.136:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
Mar 14 16:49:16 mpat-sc pluto[11239]: packet from y.y.y.136:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Mar 14 16:49:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #118: responding to Main Mode from unknown peer y.y.y.136
Mar 14 16:49:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #118: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 14 16:49:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #118: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 14 16:49:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #118: received Vendor ID payload [Dead Peer Detection]
Mar 14 16:49:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #118: ignoring unknown Vendor ID payload [7d495062aab969f7bacaf00490f8caad]
Mar 14 16:49:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #118: received Vendor ID payload [XAUTH]
Mar 14 16:49:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #118: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 14 16:49:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #118: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 14 16:49:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #118: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Mar 14 16:49:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #118: Main mode peer ID is ID_IPV4_ADDR: 'y.y.y.136'
Mar 14 16:49:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #118: I did not send a certificate because I do not have one.
Mar 14 16:49:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #118: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 14 16:49:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #118: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Mar 14 16:49:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #118: Dead Peer Detection (RFC 3706): enabled
Mar 14 16:49:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #119: responding to Quick Mode {msgid:996e2468}
Mar 14 16:49:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #119: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 14 16:49:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #119: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Mar 14 16:49:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #119: Dead Peer Detection (RFC 3706): enabled
Mar 14 16:49:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #119: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 14 16:49:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #119: STATE_QUICK_R2: IPsec SA established {ESP=>0x77623ad3 <0x23c92cf0 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}
Mar 14 16:50:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #118: received Delete SA payload: deleting ISAKMP State #118
Mar 14 16:50:16 mpat-sc pluto[11239]: packet from y.y.y.136:500: received and ignored informational message
Mar 14 16:50:16 mpat-sc pluto[11239]: packet from y.y.y.136:500: received Vendor ID payload [RFC 3947] meth=109, but port floating is off
Mar 14 16:50:16 mpat-sc pluto[11239]: packet from y.y.y.136:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Mar 14 16:50:16 mpat-sc pluto[11239]: packet from y.y.y.136:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
Mar 14 16:50:16 mpat-sc pluto[11239]: packet from y.y.y.136:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Mar 14 16:50:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #120: responding to Main Mode from unknown peer y.y.y.136
Mar 14 16:50:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #120: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 14 16:50:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #120: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 14 16:50:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #120: received Vendor ID payload [Dead Peer Detection]
Mar 14 16:50:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #120: ignoring unknown Vendor ID payload [7d49506226e222a475e6f58371e7b277]
Mar 14 16:50:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #120: received Vendor ID payload [XAUTH]
Mar 14 16:50:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #120: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 14 16:50:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #120: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 14 16:50:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #120: Main mode peer ID is ID_IPV4_ADDR: 'y.y.y.136'
Mar 14 16:50:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #120: I did not send a certificate because I do not have one.
Mar 14 16:50:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #120: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 14 16:50:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #120: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Mar 14 16:50:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #120: Dead Peer Detection (RFC 3706): enabled
Mar 14 16:50:45 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #121: responding to Quick Mode {msgid:30577317}
Mar 14 16:50:45 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #121: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 14 16:50:45 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #121: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Mar 14 16:50:45 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #121: Dead Peer Detection (RFC 3706): enabled
Mar 14 16:50:45 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #121: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 14 16:50:45 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #121: STATE_QUICK_R2: IPsec SA established {ESP=>0xa8593c8d <0xcf5f3206 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}
Mar 14 16:51:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #120: ISAKMP SA expired (--dontrekey)
Mar 14 16:51:16 mpat-sc pluto[11239]: packet from y.y.y.136:500: Informational Exchange is for an unknown (expired?) SA
Mar 14 16:51:16 mpat-sc pluto[11239]: packet from y.y.y.136:500: received Vendor ID payload [RFC 3947] meth=109, but port floating is off
Mar 14 16:51:16 mpat-sc pluto[11239]: packet from y.y.y.136:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Mar 14 16:51:16 mpat-sc pluto[11239]: packet from y.y.y.136:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
Mar 14 16:51:16 mpat-sc pluto[11239]: packet from y.y.y.136:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Mar 14 16:51:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #122: responding to Main Mode from unknown peer y.y.y.136
Mar 14 16:51:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #122: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 14 16:51:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #122: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 14 16:51:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #122: received Vendor ID payload [Dead Peer Detection]
Mar 14 16:51:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #122: ignoring unknown Vendor ID payload [7d495062e12a5d0f482dc0faba4b4801]
Mar 14 16:51:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #122: received Vendor ID payload [XAUTH]
Mar 14 16:51:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #122: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 14 16:51:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #122: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 14 16:51:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #122: Main mode peer ID is ID_IPV4_ADDR: 'y.y.y.136'
Mar 14 16:51:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #122: I did not send a certificate because I do not have one.
Mar 14 16:51:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #122: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 14 16:51:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #122: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Mar 14 16:51:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #122: Dead Peer Detection (RFC 3706): enabled
Mar 14 16:52:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #122: received Delete SA payload: deleting ISAKMP State #122
Mar 14 16:52:16 mpat-sc pluto[11239]: packet from y.y.y.136:500: received and ignored informational message
Mar 14 16:52:16 mpat-sc pluto[11239]: packet from y.y.y.136:500: received Vendor ID payload [RFC 3947] meth=109, but port floating is off
Mar 14 16:52:16 mpat-sc pluto[11239]: packet from y.y.y.136:500: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
Mar 14 16:52:16 mpat-sc pluto[11239]: packet from y.y.y.136:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
Mar 14 16:52:16 mpat-sc pluto[11239]: packet from y.y.y.136:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Mar 14 16:52:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #123: responding to Main Mode from unknown peer y.y.y.136
Mar 14 16:52:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #123: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 14 16:52:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #123: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 14 16:52:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #123: received Vendor ID payload [Dead Peer Detection]
Mar 14 16:52:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #123: ignoring unknown Vendor ID payload [7d495062777b83662d38f758f6b2e4a3]
Mar 14 16:52:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #123: received Vendor ID payload [XAUTH]
Mar 14 16:52:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #123: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 14 16:52:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #123: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 14 16:52:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #123: Main mode peer ID is ID_IPV4_ADDR: 'y.y.y.136'
Mar 14 16:52:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #123: I did not send a certificate because I do not have one.
Mar 14 16:52:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #123: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 14 16:52:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #123: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Mar 14 16:52:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #123: Dead Peer Detection (RFC 3706): enabled
Mar 14 16:52:45 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #121: IPsec SA expired (--dontrekey)
Mar 14 16:53:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #123: ISAKMP SA expired (--dontrekey)
Mar 14 16:53:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136: deleting connection "prova" instance with peer y.y.y.136 {isakmp=#0/ipsec=#0}
Mar 14 16:53:16 mpat-sc pluto[11239]: packet from y.y.y.136:500: Informational Exchange is for an unknown (expired?) SA
-------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------
Configuration:
--------------
conn provailimit
type=tunnel
esp=3des-md5-96
keyexchange=ike
authby=secret
pfs=yes
auth=esp
rekey=no
#rekeymargin=0s
#rekeyfuzz=0%
ikelifetime=60s
keylife=120s
dpddelay=10
dpdtimeout=30
dpdaction=hold
#LOCAL
left=x.x.x.74
leftsubnet=192.1.1.0/23
leftnexthop=x.x.x.73
#REMOT
right=%any
rightsubnet=192.168.2.0/24
auto=start
-------------------------------------------------------------------------------------------
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 60
crypto isakmp key PASSWORD address x.x.x.74
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 3 periodic
crypto isakmp nat keepalive 5
!
crypto ipsec security-association lifetime seconds 120
!
crypto ipsec transform-set tr-3des-md5 esp-3des esp-md5-hmac
!
crypto map cm-cryptomap 1 ipsec-isakmp
set peer x.x.x.74
set transform-set tr-3des-md5
set pfs group2
match address 101
-------------------------------------------------------------------------------------------
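To read the quoted pluto log against the quoted configuration, here is an added Python example (not from the original post, and not Openswan code): it pairs each "SA established" line with the matching "SA expired" line for the same state number, measures the SA's real lifetime, and compares it with the ike_life, ipsec_life and rekey_margin values from the status output. The sample lines are copied from the post above; the margin check assumes pluto can only schedule a replacement when the SA lifetime exceeds rekey_margin.

```python
import re
from datetime import datetime

# Constructed sample: four pluto lines taken from the post (peer left as y.y.y.136).
SAMPLE_LOG = """\
Mar 14 16:50:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #120: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
Mar 14 16:50:45 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #121: STATE_QUICK_R2: IPsec SA established {ESP=>0xa8593c8d <0xcf5f3206 xfrm=3DES_0-HMAC_MD5 NATD=none DPD=enabled}
Mar 14 16:51:16 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #120: ISAKMP SA expired (--dontrekey)
Mar 14 16:52:45 mpat-sc pluto[11239]: "prova"[1] y.y.y.136 #121: IPsec SA expired (--dontrekey)
"""
# Values from the post's status output: 000 "prova": ike_life: 60s; ipsec_life: 120s; rekey_margin: 540s
CONFIG = {"ike_life": 60, "ipsec_life": 120, "rekey_margin": 540, "rekey": False}  # rekey=no in the conn

LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: "[^"]+"(?:\[\d+\])? \S+ '
                     r"#(?P<state>\d+): (?P<msg>.*)$")
EVENT_RE = re.compile(r"(?P<kind>ISAKMP|IPsec) SA (?P<event>established|expired)(?P<flag> \(--dontrekey\))?")

def sa_lifetimes(log_text):
    """Map state number -> (kind, observed lifetime in seconds, expired with --dontrekey)."""
    established, result = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        ev = EVENT_RE.search(m["msg"]) if m else None
        if not ev:
            continue
        # Syslog stamps carry no year; strptime defaults to 1900, which is fine for deltas.
        when = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        state = int(m["state"])
        if ev["event"] == "established":
            established[state] = (ev["kind"], when)
        elif state in established:
            kind, start = established.pop(state)
            result[state] = (kind, int((when - start).total_seconds()), ev["flag"] is not None)
    return result

def diagnose(lifetimes, config):
    # Explain each expiry against the configured lifetimes and rekey settings (assumed pluto scheduling).
    findings = []
    for state, (kind, secs, dontrekey) in sorted(lifetimes.items()):
        configured = config["ike_life"] if kind == "ISAKMP" else config["ipsec_life"]
        if secs == configured:
            findings.append(f"#{state}: {kind} SA lived exactly {secs}s, its configured lifetime: a normal expiry, not a failure")
        if dontrekey and not config["rekey"]:
            findings.append(f"#{state}: '--dontrekey' is rekey=no; this end never replaces the SA, only the peer can")
    if config["rekey_margin"] >= min(config["ike_life"], config["ipsec_life"]):
        findings.append(f"rekey_margin {config['rekey_margin']}s is not below the lifetimes, so no replacement could be scheduled before expiry even with rekey=yes")
    return findings

if __name__ == "__main__":
    for f in diagnose(sa_lifetimes(SAMPLE_LOG), CONFIG):
        print(f)
```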