[Openswan Users] Understanding log messages

Roel van Meer roel.vanmeer at bokxing.nl
Fri May 11 01:58:08 EDT 2012

Jason Voorhees writes:

> I'm almost a newbie OpenSwan user. I configured a two-way connection
> between openswan 2.6.32 using CentOS 5.8 x86 running
> 2.6.18-308.4.1.el5 kernel. My configuration file is the following:
> config setup
>         protostack=netkey
>         nat_traversal=yes
>         nhelpers=0
> conn %default
>         ike=3des-sha1;modp1024
>         phase2=esp
>         phase2alg=3des-sha1;modp1024
>         ikelifetime=480m
>         pfs=yes
>         type=tunnel
>         authby=secret
>         auto=start
> conn bank-cars
>         right=W.X.Y.Z
>         rightsubnet=
>         left=A.B.C.D
>         leftid=
>         leftsubnet=
>         aggrmode=no
>         auto=start
> conn cars-bank
>         right=A.B.C.D
>         rightid=
>         rightsubnet=
>         left=W.X.Y.Z
>         leftsubnet=
>         aggrmode=no
>         auto=start

First: you need to specify a connection only once. The 'left' and 'right' 
parameters are interchangable, so your bank-cars and cars-bank definitions 
are effectively identical.

You can use the 'auto' parameter to define which side will initiate the 
connection. With auto=start openswan will initiate a connection, with 
auto=add openswan will set everything up and then wait for the other end to 
> [...]
> My /etc/ipsec.secrets looks like this:
> W.X.Y.Z : PSK "strongpassword"
> A.B.C.D W.X.Y.Z : PSK "strongpassword"
> W.X.Y.Z A.B.C.D : PSK "strongpassword"

Same here: the last two lines are identical.
> The Linux server running OpenSwan is "cars" and the other server is a
> Juniper NetScreen known as "bank". The connection is stablished, at
> least PING is working between subnets in both ways, but I'm  getting
> some messages in logs that I'm not sure what they mean, like this:
> Message 1
> ========
> May 10 16:54:18 vpnmml pluto[13698]: "cars-bank" #31: starting keying
> attempt 30 of an unlimited number
> May 10 16:54:18 vpnmml pluto[13698]: "cars-bank" #32: initiating Quick
> {using isakmp#1 msgid:b3bc2b0b proposal=3DES(3)_192-SHA1(2)_160
> pfsgroup=OAKLEY_GROUP_MODP1024}
> May 10 16:55:28 vpnmml pluto[13698]: "cars-bank" #32: max number of
> retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to
> our first Quick Mode message: perhaps peer likes no proposal

I don't have a 100% correct technical answer, but this message means that 
the remote end doesn't want to establish a tunnel with you. Of course, that 
might be the result of you already having a tunnel..

> Message 2
> ========
> May 10 16:21:38 vpnmml pluto[13698]: "cars-interbank" #4: ignoring
> informational payload, type IPSEC_RESPONDER_LIFETIME msgid=f45f1aaf
> May 10 16:21:38 vpnmml pluto[13698]: "cars-bank" #4: cannot install
> eroute -- it is in use for "bank-cars" #3
> What does "cannot install eroute" means?

This, I think, is caused by the duplicate tunnel definition you have. If the 
second tunnel is started, openswan tries to route the remote net through 
that tunnel, but it can't because it is already routed through the first 

> I started looking at this errors as a consequence of continuous (but
> randomly) disconnections reported by users. I don't know if I need to
> activate DPD, keepalive forced or something like that to deal with
> disconnections.
> I hope you can give me some ideas.

I'd start with removing one of the definitions; that should certainly help.

Good luck,


More information about the Users mailing list