[Openswan Users] Understanding log messages
Roel van Meer
roel.vanmeer at bokxing.nl
Fri May 11 01:58:08 EDT 2012
Jason Voorhees writes:
> I'm almost a newbie OpenSwan user. I configured a two-way connection
> between openswan 2.6.32 using CentOS 5.8 x86 running
> 2.6.18-308.4.1.el5 kernel. My configuration file is the following:
>
> config setup
> protostack=netkey
> nat_traversal=yes
> nhelpers=0
>
> conn %default
> ike=3des-sha1;modp1024
> phase2=esp
> phase2alg=3des-sha1;modp1024
> ikelifetime=480m
> pfs=yes
> type=tunnel
> authby=secret
> auto=start
>
> conn bank-cars
> right=W.X.Y.Z
> rightsubnet=10.108.3.0/24
> left=A.B.C.D
> leftid=172.31.64.41
> leftsubnet=130.30.0.0/16
> aggrmode=no
> auto=start
>
> conn cars-bank
> right=A.B.C.D
> rightid=172.31.64.41
> rightsubnet=130.30.0.0/16
> left=W.X.Y.Z
> leftsubnet=10.108.3.0/24
> aggrmode=no
> auto=start
First: you need to specify a connection only once. The 'left' and 'right'
parameters are interchangeable, so your bank-cars and cars-bank definitions
are effectively identical.
You can use the 'auto' parameter to define which side will initiate the
connection. With auto=start openswan will initiate a connection, with
auto=add openswan will set everything up and then wait for the other end to
initiate.
> [...]
> My /etc/ipsec.secrets looks like this:
>
> 172.31.64.41 W.X.Y.Z : PSK "strongpassword"
> A.B.C.D W.X.Y.Z : PSK "strongpassword"
> W.X.Y.Z A.B.C.D : PSK "strongpassword"
Same here: the last two lines are identical.
> The Linux server running OpenSwan is "cars" and the other server is a
> Juniper NetScreen known as "bank". The connection is established, at
> least PING is working between subnets in both ways, but I'm getting
> some messages in logs that I'm not sure what they mean, like this:
>
> Message 1
> ========
> May 10 16:54:18 vpnmml pluto[13698]: "cars-bank" #31: starting keying
> attempt 30 of an unlimited number
> May 10 16:54:18 vpnmml pluto[13698]: "cars-bank" #32: initiating Quick
> Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #31
> {using isakmp#1 msgid:b3bc2b0b proposal=3DES(3)_192-SHA1(2)_160
> pfsgroup=OAKLEY_GROUP_MODP1024}
> May 10 16:55:28 vpnmml pluto[13698]: "cars-bank" #32: max number of
> retransmissions (2) reached STATE_QUICK_I1. No acceptable response to
> our first Quick Mode message: perhaps peer likes no proposal
I don't have a 100% correct technical answer, but this message means that
the remote end doesn't want to establish a tunnel with you. Of course, that
might be the result of you already having a tunnel.
> Message 2
> ========
> May 10 16:21:38 vpnmml pluto[13698]: "cars-interbank" #4: ignoring
> informational payload, type IPSEC_RESPONDER_LIFETIME msgid=f45f1aaf
> May 10 16:21:38 vpnmml pluto[13698]: "cars-bank" #4: cannot install
> eroute -- it is in use for "bank-cars" #3
>
> What does "cannot install eroute" mean?
This, I think, is caused by the duplicate tunnel definition you have. If the
second tunnel is started, openswan tries to route the remote net through
that tunnel, but it can't because it is already routed through the first
tunnel.
> I started looking at these errors as a consequence of continuous (but
> randomly) disconnections reported by users. I don't know if I need to
> activate DPD, keepalive forced or something like that to deal with
> disconnections.
>
> I hope you can give me some ideas.
I'd start with removing one of the definitions; that should certainly help.
Good luck,
Roel
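As an added example (not part of this thread, and not Openswan's own code), a small script that scans an ipsec.conf for conn sections that are the same tunnel with left and right swapped, which is exactly the duplicate-definition problem pointed out above. The embedded configuration is a constructed copy of the one quoted in the question.

```python
"""Find conn sections in an ipsec.conf that are left/right mirror images of
each other. Constructed example; SAMPLE_CONF mirrors the config in the thread."""
import re

SAMPLE_CONF = """
config setup
    protostack=netkey

conn %default
    authby=secret
    auto=start

conn bank-cars
    right=W.X.Y.Z
    rightsubnet=10.108.3.0/24
    left=A.B.C.D
    leftid=172.31.64.41
    leftsubnet=130.30.0.0/16
    aggrmode=no

conn cars-bank
    right=A.B.C.D
    rightid=172.31.64.41
    rightsubnet=130.30.0.0/16
    left=W.X.Y.Z
    leftsubnet=10.108.3.0/24
    aggrmode=no
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section except %default."""
    conns, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^(conn|config)\s+(\S+)$", line)
        if m:  # section header: track only real conn sections
            current = m.group(2) if m.group(1) == "conn" and m.group(2) != "%default" else None
            if current is not None:
                conns[current] = {}
            continue
        if current is not None and "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            conns[current][k] = v
    return conns

def canonical(params):
    """Key that is identical for a conn and its left/right mirror image:
    per-end settings are grouped, then the two ends are sorted so the side
    labels no longer matter; end-independent settings are kept separately."""
    ends, other = {"left": {}, "right": {}}, {}
    for k, v in params.items():
        for side in ends:
            if k.startswith(side):
                ends[side][k[len(side):]] = v  # 'left' -> '', 'leftsubnet' -> 'subnet'
                break
        else:
            other[k] = v
    end_keys = tuple(sorted(tuple(sorted(e.items())) for e in ends.values()))
    return (end_keys, tuple(sorted(other.items())))

def find_mirror_duplicates(text):
    """Return (first_name, duplicate_name) pairs that define the same tunnel."""
    seen, dups = {}, []
    for name, params in parse_conns(text).items():
        key = canonical(params)
        if key in seen:
            dups.append((seen[key], name))
        else:
            seen[key] = name
    return dups  # for SAMPLE_CONF: [('bank-cars', 'cars-bank')]
```

Keeping only one of a reported pair (and choosing auto=start on the initiating side, auto=add on the other) is the fix the reply recommends.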