[Openswan Users] Understanding log messages

Jason Voorhees jvoorhees1 at gmail.com
Thu May 10 18:00:46 EDT 2012


Hi people:

I'm almost a newbie OpenSwan user. I configured a two-way connection
between openswan 2.6.32 using CentOS 5.8 x86 running
2.6.18-308.4.1.el5 kernel. My configuration file is the following:

config setup
        protostack=netkey
        nat_traversal=yes
        nhelpers=0

conn %default
        ike=3des-sha1;modp1024
        phase2=esp
        phase2alg=3des-sha1;modp1024
        ikelifetime=480m
        pfs=yes
        type=tunnel
        authby=secret
        auto=start

conn bank-cars
        right=W.X.Y.Z
        rightsubnet=10.108.3.0/24
        left=A.B.C.D
        leftid=172.31.64.41
        leftsubnet=130.30.0.0/16
        aggrmode=no
        auto=start

conn cars-bank
        right=A.B.C.D
        rightid=172.31.64.41
        rightsubnet=130.30.0.0/16
        left=W.X.Y.Z
        leftsubnet=10.108.3.0/24
        aggrmode=no
        auto=start

include /etc/ipsec.d/no_oe.conf

My /etc/ipsec.secrets looks like this:

A.B.C.D W.X.Y.Z : PSK "strongpassword"
172.31.64.41 W.X.Y.Z : PSK "strongpassword"
W.X.Y.Z A.B.C.D : PSK "strongpassword"

The Linux server running OpenSwan is "cars" and the other server is a
Juniper NetScreen known as "bank". The connection is established, at
least PING is working between subnets in both ways, but I'm getting
some messages in logs that I'm not sure what they mean, like this:

Message 1
========
May 10 16:54:18 vpnmml pluto[13698]: "cars-bank" #31: starting keying
attempt 30 of an unlimited number
May 10 16:54:18 vpnmml pluto[13698]: "cars-bank" #32: initiating Quick
Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #31
{using isakmp#1 msgid:b3bc2b0b proposal=3DES(3)_192-SHA1(2)_160
pfsgroup=OAKLEY_GROUP_MODP1024}
May 10 16:55:28 vpnmml pluto[13698]: "cars-bank" #32: max number of
retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to
our first Quick Mode message: perhaps peer likes no proposal
May 10 16:55:28 vpnmml pluto[13698]: "cars-bank" #32: starting keying
attempt 31 of an unlimited number
May 10 16:55:28 vpnmml pluto[13698]: "cars-bank" #33: initiating Quick
Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #32
{using isakmp#1 msgid:138baa4c proposal=3DES(3)_192-SHA1(2)_160
pfsgroup=OAKLEY_GROUP_MODP1024}

Message 2
========
May 10 16:21:38 vpnmml pluto[13698]: "cars-interbank" #4: ignoring
informational payload, type IPSEC_RESPONDER_LIFETIME msgid=f45f1aaf
May 10 16:21:38 vpnmml pluto[13698]: "cars-bank" #4: cannot install
eroute -- it is in use for "bank-cars" #3

What does "cannot install eroute" mean?

I started looking at these errors as a consequence of continuous (but
random) disconnections reported by users. I don't know if I need to
activate DPD, keepalive forced or something like that to deal with
disconnections.

I hope you can give me some ideas.

thanks a lot

