[Openswan Users] Error:Informational Exchange is for an unknown (expired?) SA

SaRaVanAn saravanan.nagarajan87 at gmail.com
Fri Mar 30 09:04:11 EDT 2012 

Hi,
  It seems , dynamic update of the  other ends IP address in NAT traversal
is not supported in OpenSwan.
According to rfc4306, it should be supported as part of NAT traversal.
Please find the topology and issue I m facing out of this.


Cisco
VPN client -------------- Router1 ------------------------------------- VPN
Sever(OpenSwan)

20.1.1.1           20.1.1.2        50.1.1.226                    50.1.1.227
                                            (eth1)
Iptables
++++++
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE.

I have established a VPN connection between VPN client and VPN server with
the natted IP 50.1.1.226 to 50.1.1.227.
After some time , eth1 interface IP address  have got changed as 50.1.1.228
in eth1 of router 1, and tunnel gets disturbed by throwing the following
error.


Mar 30 14:52:54 uxcasxxx pluto[26817]: "cisco-vpn"[10] 50.1.1.226:1797 #17:
nat_traversal_new_mapping: address change currently not supported [
50.1.1.226:1797,50.1.1.228:1797]
Mar 30 14:52:56 uxcasxxx pluto[26817]: "cisco-vpn"[10] 50.1.1.226:1797 #17:
nat_traversal_new_mapping: address change currently not supported [
50.1.1.226:1797,50.1.1.228:1797]
Mar 30 14:52:59 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797:
Informational Exchange is for an unknown (expired?) SA
Mar 30 14:53:00 uxcasxxx pluto[26817]: ERROR: asynchronous network error
report on eth0 for message to 50.1.1.226 port 1797, complainant 50.1.1.227:
No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 30 14:53:00 uxcasxxx pluto[26817]: ERROR: asynchronous network error
report on eth0 for message to 50.1.1.226 port 1797, complainant 50.1.1.227:
No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Mar 30 14:53:04 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797:
Informational Exchange is for an unknown (expired?) SA
Mar 30 14:53:09 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797:
Informational Exchange is for an unknown (expired?) SA
Mar 30 14:53:14 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797:
Informational Exchange is for an unknown (expired?) SA
Mar 30 14:53:19 uxcasxxx pluto[26817]: packet from 50.1.1.228:1797:
Informational Exchange is for an unknown (expired?) SA

Do Openswan have planned to implement dynamic IP address update feature in
NAT-T ??


Regards,
Saravanan N
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.openswan.org/pipermail/users/attachments/20120330/0110fb80/attachment-0001.html>

More information about the Users mailing list