[Openswan Users] BUG 1201: dpd + ddns does not work

Nrupen Chudasma nrupen at gmail.com
Tue Mar 27 02:02:28 EDT 2012


Hi,

I have been using openswan 2.6.24 with NETKEY for quite a long time.
I needed DynDNS-based remote-host support for establishing the
connections. Since that support has been added, I tried it with version 2.6.24
but could not get it to work.

I found bug#1201, which describes exactly this problem, so I upgraded to version
2.6.33. But the problem is still there. I even tried the latest version, i.e.
2.6.38, but the result is the same.

According to the root-cause analysis done for the bug, "conn->dnshostname" is NULL. The
suggested workaround was to use ipsec whack instead.

I tried that. Please correct me if my approach to the problem is
wrong. I set the remote host to "ddnstest" and added a corresponding entry in the /etc/hosts
file.
I add one connection with ipsec whack and initiate it. Later I
change my remote host's IP and update the corresponding entry in /etc/hosts.
The DPD timeout fires because the former IP is no longer reachable, so DPD
declares the peer dead and my restart action triggers re-initiation of the
connection.
Still, the connection is initiated to the same IP as before.

Please point out if I am doing something wrong.
The steps I have taken so far and the corresponding logs are below.

root at ng:~# ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth2.2/eth2.2 10.103.7.133
000 interface eth2.2/eth2.2 10.103.7.133
000 interface br-lan/br-lan 10.1.2.1
000 interface br-lan/br-lan 10.1.2.1
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= is not specified, or there is a syntax
000          error in that line. 'left/rightsubnet=vhost:%priv' will not
work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH,
blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,36}
trans={0,2,216} attrs={0,2,288}
000
000
000
root at ng:~#
root at ng:~#
root at ng:~#
root at ng:~#
root at ng:~#
root at ng:~#
root at ng:~#
root at ng:~# cat /etc/ipsec.conf
version 2.0      # conforms to second version of ipsec.conf specification

config setup
        nat_traversal=yes
        oe=off
        protostack=netkey


conn ngpassthrough
        left=10.1.2.1
        right=0.0.0.0
        leftsubnet=10.1.2.0/255.255.255.0
        rightsubnet=10.1.2.0/255.255.255.0
        authby=never
        type=passthrough
        auto=route

conn ng
        right=ddnstest
        rightsubnet=10.1.1.0/24
        left=10.103.7.133
        leftsubnet=10.1.2.0/255.255.255.0
        leftnexthop=10.103.6.1
        auto=start
        #x_rightdynamic=yes
        authby=secret
        compress=no
        failureshunt=drop
        dpddelay=15
        dpdtimeout=60
        dpdaction=restart
        pfs=yes

ike=aes128-md5-modp1024,aes192-md5-modp1024,aes256-md5-modp1024,aes128-sha1-modp1024,aes192-sha1-modp1024,aes256-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024,aes128-md5-modp1536,aes192-md5-modp1536,aes256-md5-modp1536,aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536,3des-md5-modp1536,3des-sha1-modp1536,aes128-md5-modp2048,aes192-md5-modp2048,aes256-md5-modp2048,aes128-sha1-modp2048,aes192-sha1-modp2048,aes256-sha1-modp2048,3des-md5-modp2048,3des-sha1-modp2048

esp=aes128-md5,aes192-md5,aes256-md5,aes128-sha1,aes192-sha1,aes256-sha1,3des-md5,3des-sha1

root at ng:~# cat /etc/ipsec.secrets
10.103.7.133 ddnstest : PSK "adminadmin"
root at ng:~#
root at ng:~#
root at ng:~# ipsec whack --name test --encrypt --tunnel --pfs --dpddelay 15
--dpdtimeout 60 --dpdaction restart --psk --host 10.
103.7.133 --nexthop 10.103.6.1 --client 10.1.2.0/24 --to --host ddnstest
--client 10.1.1.0/24
002 added connection description "test"
root at ng:~#
root at ng:~# ipsec whack --initiate --name test
002 "test" #11: initiating Main Mode
104 "test" #11: STATE_MAIN_I1: initiate
003 "test" #11: ignoring unknown Vendor ID payload
[4f45557d6068416e77737478]
003 "test" #11: received Vendor ID payload [Dead Peer Detection]
003 "test" #11: received Vendor ID payload [RFC 3947] method set to=109
002 "test" #11: enabling possible NAT-traversal with method 4
002 "test" #11: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "test" #11: STATE_MAIN_I2: sent MI2, expecting MR2
003 "test" #11: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no
NAT detected
002 "test" #11: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "test" #11: STATE_MAIN_I3: sent MI3, expecting MR3
003 "test" #11: received Vendor ID payload [CAN-IKEv2]
002 "test" #11: Main mode peer ID is ID_IPV4_ADDR: '10.103.6.70'
002 "test" #11: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "test" #11: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
002 "test" #11: Dead Peer Detection (RFC 3706): enabled
002 "test" #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using
isakmp#11 msgid:faa36d7a proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
117 "test" #12: STATE_QUICK_I1: initiate
002 "test" #12: Dead Peer Detection (RFC 3706): enabled
002 "test" #12: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "test" #12: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
{ESP=>0x81cd918c <0xf4534088 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none
DPD=enabled}
root at ng:~#
root at ng:~#
root at ng:~# vi /etc/hosts

127.0.0.1 localhost.
10.103.6.71 ddnstest





LOGS from /var/log/messages...
Dec  4 17:35:31 ng authpriv.warn pluto[11096]: added connection description
"test"

Dec  4 17:35:42 ng authpriv.warn pluto[11096]: "test" #11: initiating Main
Mode
Dec  4 17:35:42 ng authpriv.warn pluto[11096]: "test" #11: ignoring unknown
Vendor ID payload [4f45557d6068416e77737478]
Dec  4 17:35:42 ng authpriv.warn pluto[11096]: "test" #11: received Vendor
ID payload [Dead Peer Detection]
Dec  4 17:35:42 ng authpriv.warn pluto[11096]: "test" #11: received Vendor
ID payload [RFC 3947] method set to=109
Dec  4 17:35:42 ng authpriv.warn pluto[11096]: "test" #11: enabling
possible NAT-traversal with method 4
Dec  4 17:35:42 ng authpriv.warn pluto[11096]: "test" #11: transition from
state STATE_MAIN_I1 to state STATE_MAIN_I2
Dec  4 17:35:42 ng authpriv.warn pluto[11096]: "test" #11: STATE_MAIN_I2:
sent MI2, expecting MR2
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: NAT-Traversal:
Result using RFC 3947 (NAT-Traversal): no NAT detected
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: transition from
state STATE_MAIN_I2 to state STATE_MAIN_I3
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: STATE_MAIN_I3:
sent MI3, expecting MR3
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: received Vendor
ID payload [CAN-IKEv2]
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: Main mode peer
ID is ID_IPV4_ADDR: '10.103.6.70'
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: transition from
state STATE_MAIN_I3 to state STATE_MAIN_I4
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: STATE_MAIN_I4:
ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128
prf=oakley_sha group=modp2048}
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #11: Dead Peer
Detection (RFC 3706): enabled
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #12: initiating Quick
Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#11 msgid:faa36d7a
proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #12: Dead Peer
Detection (RFC 3706): enabled
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #12: transition from
state STATE_QUICK_I1 to state STATE_QUICK_I2
Dec  4 17:35:43 ng authpriv.warn pluto[11096]: "test" #12: STATE_QUICK_I2:
sent QI2, IPsec SA established tunnel mode {ESP=>0x81cd918c <0xf4534088
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}


Dec  4 17:36:16 ng authpriv.warn pluto[11096]: ERROR: asynchronous network
error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500,
complainant 10.103.6.71: No route to host [errno 148, origin ICMP type 3
code 1 (not authenticated)]

Dec  4 17:36:31 ng authpriv.warn pluto[11096]: ERROR: asynchronous network
error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500,
complainant 10.103.6.71: No route to host [errno 148, origin ICMP type 3
code 1 (not authenticated)]
Dec  4 17:36:46 ng authpriv.warn pluto[11096]: ERROR: asynchronous network
error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500,
complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3
code 1 (not authenticated)]
Dec  4 17:37:01 ng authpriv.warn pluto[11096]: ERROR: asynchronous network
error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500,
complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3
code 1 (not authenticated)]
Dec  4 17:37:13 ng authpriv.warn pluto[11096]: "test" #11: DPD: No response
from peer - declaring peer dead
Dec  4 17:37:13 ng authpriv.warn pluto[11096]: "test" #11: DPD: Restarting
Connection
Dec  4 17:37:13 ng authpriv.warn pluto[11096]: "test" #12: rekeying state
(STATE_QUICK_I2)
Dec  4 17:37:13 ng authpriv.warn pluto[11096]: "test" #12: rekeying state
(STATE_QUICK_I2)
Dec  4 17:37:13 ng authpriv.warn pluto[11096]: "test" #12: ERROR: netlink
response for Del SA esp.81cd918c at 10.103.6.70 included errno 3: No such
process
Dec  4 17:37:13 ng authpriv.warn pluto[11096]: "test" #12: ERROR: netlink
response for Del SA esp.f4534088 at 10.103.7.133 included errno 3: No such
process
Dec  4 17:37:13 ng authpriv.warn pluto[11096]: "test" #13: initiating Main
Mode to replace #11
Dec  4 17:37:16 ng authpriv.warn pluto[11096]: ERROR: asynchronous network
error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500,
complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3
code 1 (not authenticated)]
Dec  4 17:37:16 ng authpriv.warn pluto[11096]: ERROR: asynchronous network
error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500,
complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3
code 1 (not authenticated)]
Dec  4 17:37:26 ng authpriv.warn pluto[11096]: ERROR: asynchronous network
error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500,
complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3
code 1 (not authenticated)]
Dec  4 17:37:46 ng authpriv.warn pluto[11096]: ERROR: asynchronous network
error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500,
complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3
code 1 (not authenticated)]
Dec  4 17:38:26 ng authpriv.warn pluto[11096]: ERROR: asynchronous network
error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500,
complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3
code 1 (not authenticated)]
Dec  4 17:39:06 ng authpriv.warn pluto[11096]: ERROR: asynchronous network
error report on eth2.2 (sport=500) for message to 10.103.6.70 port 500,
complainant 10.103.7.133: No route to host [errno 148, origin ICMP type 3
code 1 (not authenticated)]

