[Openswan Users] Understanding log messages

Jason Voorhees jvoorhees1 at gmail.com
Fri May 11 10:57:18 EDT 2012


On Fri, May 11, 2012 at 12:58 AM, Roel van Meer <roel.vanmeer at bokxing.nl> wrote:
> Jason Voorhees writes:
>
>> I'm almost a newbie OpenSwan user. I configured a two-way connection
>> between openswan 2.6.32 using CentOS 5.8 x86 running
>> 2.6.18-308.4.1.el5 kernel. My configuration file is the following:
>>
>> config setup
>>        protostack=netkey
>>        nat_traversal=yes
>>        nhelpers=0
>>
>> conn %default
>>        ike=3des-sha1;modp1024
>>        phase2=esp
>>        phase2alg=3des-sha1;modp1024
>>        ikelifetime=480m
>>        pfs=yes
>>        type=tunnel
>>        authby=secret
>>        auto=start
>>
>> conn bank-cars
>>        right=W.X.Y.Z
>>        rightsubnet=10.108.3.0/24
>>        left=A.B.C.D
>>        leftid=172.31.64.41
>>        leftsubnet=130.30.0.0/16
>>        aggrmode=no
>>        auto=start
>>
>> conn cars-bank
>>        right=A.B.C.D
>>        rightid=172.31.64.41
>>        rightsubnet=130.30.0.0/16
>>        left=W.X.Y.Z
>>        leftsubnet=10.108.3.0/24
>>        aggrmode=no
>>        auto=start
>
>
> First: you need to specify a connection only once. The 'left' and 'right'
> parameters are interchangeable, so your bank-cars and cars-bank definitions
> are effectively identical.
>
> You can use the 'auto' parameter to define which side will initiate the
> connection. With auto=start openswan will initiate a connection, with
> auto=add openswan will set everything up and then wait for the other end to
> initiate.
>

Thanks Roel, those were two basic points I wasn't sure what they
meant. If I want to communicate "bank" to "cars" and "cars" to "bank"
(both ways), is only one definition necessary, like the first one?:

conn bank-cars
       right=W.X.Y.Z
       rightsubnet=10.108.3.0/24
       left=A.B.C.D
       leftid=172.31.64.41
       leftsubnet=130.30.0.0/16
       aggrmode=no
       auto=start

What determines if traffic from the "bank" to the "cars" subnet or vice versa
is allowed or not? Is it maybe a firewall/ACL/iptables rule?
How can I know if the Juniper is configured to start the connection? Could
it be leaving my connection in "add" status and just waiting to be
connected by the Juniper appliance?


>>
>> [...]
>>
>> My /etc/ipsec.secrets looks like this:
>>
>> 172.31.64.41 W.X.Y.Z : PSK "strongpassword"
>> A.B.C.D W.X.Y.Z : PSK "strongpassword"
>> W.X.Y.Z A.B.C.D : PSK "strongpassword"
>
>
> Same here: the last two lines are identical.
>
>
>> The Linux server running OpenSwan is "cars" and the other server is a
>> Juniper NetScreen known as "bank". The connection is established, at
>> least PING is working between subnets in both ways, but I'm getting
>> some messages in logs that I'm not sure what they mean, like this:
>>
>> Message 1
>> ========
>> May 10 16:54:18 vpnmml pluto[13698]: "cars-bank" #31: starting keying
>> attempt 30 of an unlimited number
>> May 10 16:54:18 vpnmml pluto[13698]: "cars-bank" #32: initiating Quick
>> Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK to replace #31
>> {using isakmp#1 msgid:b3bc2b0b proposal=3DES(3)_192-SHA1(2)_160
>> pfsgroup=OAKLEY_GROUP_MODP1024}
>> May 10 16:55:28 vpnmml pluto[13698]: "cars-bank" #32: max number of
>> retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to
>> our first Quick Mode message: perhaps peer likes no proposal
>
>
> I don't have a 100% correct technical answer, but this message means that
> the remote end doesn't want to establish a tunnel with you. Of course, that
> might be the result of you already having a tunnel.
>
>
>> Message 2
>> ========
>> May 10 16:21:38 vpnmml pluto[13698]: "cars-interbank" #4: ignoring
>> informational payload, type IPSEC_RESPONDER_LIFETIME msgid=f45f1aaf
>> May 10 16:21:38 vpnmml pluto[13698]: "cars-bank" #4: cannot install
>> eroute -- it is in use for "bank-cars" #3
>>
>> What does "cannot install eroute" mean?
>
>
> This, I think, is caused by the duplicate tunnel definition you have. If the
> second tunnel is started, openswan tries to route the remote net through
> that tunnel, but it can't because it is already routed through the first
> tunnel.
>
>
>> I started looking at these errors as a consequence of continuous (but
>> random) disconnections reported by users. I don't know if I need to
>> activate DPD, forced keepalive or something like that to deal with
>> disconnections.
>>
>> I hope you can give me some ideas.
>
>
> I'd start with removing one of the definitions; that should certainly help.
>
> Good luck,
>
> Roel
>

According to your previous explanation I suspect that those two
error messages are being caused by the duplicated connection. I'll try
it and see if the same error keeps appearing.

thanks
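An added example, not code from the thread or from Openswan: it applies Roel's point mechanically by parsing an ipsec.conf-style text, treating left/right as interchangeable, and flagging conn sections that describe the same pair of endpoints (the situation behind the "cannot install eroute -- it is in use for" message). The sample config is constructed from the one posted above, with its A.B.C.D / W.X.Y.Z placeholders kept.

```python
"""Flag duplicate 'conn' sections in ipsec.conf where left/right are merely swapped."""
import re
from collections import defaultdict

# Constructed sample mirroring the posted configuration (trimmed to the relevant keys).
SAMPLE_CONF = """\
config setup
       protostack=netkey

conn %default
       ike=3des-sha1;modp1024
       auto=start

conn bank-cars
       right=W.X.Y.Z
       rightsubnet=10.108.3.0/24
       left=A.B.C.D
       leftid=172.31.64.41
       leftsubnet=130.30.0.0/16
       auto=start

conn cars-bank
       right=A.B.C.D
       rightid=172.31.64.41
       rightsubnet=130.30.0.0/16
       left=W.X.Y.Z
       leftsubnet=10.108.3.0/24
       auto=start
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section except %default."""
    conns, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(conn|config)\s+(\S+)", line)
        if m:  # section header: only named conn sections are collected
            current = m.group(2) if m.group(1) == "conn" and m.group(2) != "%default" else None
            if current is not None:
                conns[current] = {}
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def endpoint_key(params):
    """Canonical (ip, id, subnet) per side, sorted so a left/right swap yields the same key."""
    sides = [(params.get(s, ""), params.get(s + "id", params.get(s, "")), params.get(s + "subnet", ""))
             for s in ("left", "right")]  # id defaults to the address, as pluto does
    return tuple(sorted(sides))

def find_duplicates(text):
    """Group conn names by canonical endpoints; return groups with more than one name."""
    by_key = defaultdict(list)
    for name, params in parse_conns(text).items():
        by_key[endpoint_key(params)].append(name)
    return [names for names in by_key.values() if len(names) > 1]
```

Running `find_duplicates(SAMPLE_CONF)` reports `bank-cars` and `cars-bank` as one group, which is the pair Roel advises collapsing into a single definition.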
