[Openswan Users] Established Tunnel Not Passing Traffic

Dave Ariens dave at ariens.ca
Thu Jun 27 14:25:44 UTC 2013


Hey there guys (first time posting),

I have two servers (VPS), one on the US east coast, another on the US west
coast.  They both have an IPsec tunnel to my Juniper SRX firewall (on my
home network in Ontario, Canada).  This tunnel is rock solid and I never
have any issues with it.

I'm trying to configure an OpenSwan IPsec tunnel between the two VMs, and
it's up and running and I can ping through the tunnel, but some time
afterwards traffic is unable to pass (the tunnel remains established).

This is really just a plain vanilla OpenSwan to OpenSwan implementation,
below are some config details, and some logs.

Can anyone help me identify why the tunnel stops passing traffic after some
time < 15 minutes?  I know the traffic stopped shortly after midnight this
morning (see logs below).

[ariens at vps1 ~]$ pacman -Qs openswan
local/openswan 2.6.38-1
    Open Source implementation of IPsec for the Linux operating system


VPS2:/etc/ipsec.conf

version 2.0
config setup

    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:!192.168.200.0/24,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    oe=off
    protostack=netkey

conn home.ariens.ca

    authby=secret
    left=173.254.195.244
    leftsourceip=192.168.200.10
    leftsubnet=0/0
    right=216.58.86.104
    rightsubnet=10.0.0.0/8
    auto=start

conn vps1

    authby=secret
    left=173.254.195.244
    leftsourceip=192.168.200.10
    leftsubnet=192.168.200.10/32
    right=64.237.39.24
    rightsubnet=192.168.100.10/32
    auto=start

VPS1:/etc/ipsec.conf

version 2.0

config setup

    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:!192.168.100.0/24,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    oe=off
    protostack=netkey

conn home.ariens.ca

    authby=secret
    left=64.237.39.24
    leftsourceip=192.168.100.10
    leftsubnet=0/0
    right=216.58.86.104
    rightsubnet=10.0.0.0/8
    auto=start

conn vps2

    authby=secret
    left=64.237.39.24
    leftsourceip=192.168.100.10
    leftsubnet=192.168.100.10/32
    right=173.254.195.244
    rightsubnet=192.168.200.10/32
    auto=start

Logs from VPS1:

Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from
173.254.195.244:500: received Vendor ID payload [Openswan (this version)
2.6.38 ]
Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from
173.254.195.244:500: received Vendor ID payload [Dead Peer Detection]
Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from
173.254.195.244:500: received Vendor ID payload [RFC 3947] method set to=115
Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from
173.254.195.244:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from
173.254.195.244:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from
173.254.195.244:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: packet from
173.254.195.244:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]
Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: responding to
Main Mode
Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: STATE_MAIN_R1:
sent MR1, expecting MI2
Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: NAT-Traversal:
Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: transition from
state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: STATE_MAIN_R2:
sent MR2, expecting MI3
Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: Main mode peer
ID is ID_IPV4_ADDR: '173.254.195.244'
Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: transition from
state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 27 00:04:49 vps1.layerzero.ca pluto[28819]: "vps2" #17: STATE_MAIN_R3:
sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128
prf=oakley_sha group=modp2048}
Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: received Vendor
ID payload [Openswan (this version) 2.6.38 ]
Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: received Vendor
ID payload [Dead Peer Detection]
Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: received Vendor
ID payload [RFC 3947] method set to=115
Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: enabling
possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: transition from
state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: STATE_MAIN_I2:
sent MI2, expecting MR2
Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: NAT-Traversal:
Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: transition from
state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: STATE_MAIN_I3:
sent MI3, expecting MR3
Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: received Vendor
ID payload [CAN-IKEv2]
Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: Main mode peer
ID is ID_IPV4_ADDR: '173.254.195.244'
Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: transition from
state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun 27 00:05:27 vps1.layerzero.ca pluto[28819]: "vps2" #16: STATE_MAIN_I4:
ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128
prf=oakley_sha group=modp2048}
Jun 27 00:09:01 vps1.layerzero.ca pluto[28819]: packet from
173.254.195.244:500: Informational Exchange is for an unknown (expired?) SA
with MSGID:0xf86c4eb8
Jun 27 00:09:19 vps1.layerzero.ca pluto[28819]: "vps2" #13: received Delete
SA payload: deleting ISAKMP State #13
Jun 27 00:09:19 vps1.layerzero.ca pluto[28819]: packet from
173.254.195.244:500: received and ignored informational message
Jun 27 00:48:54 vps1.layerzero.ca pluto[28819]: "vps2" #19: initiating Main
Mode to replace #16
Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from
173.254.195.244:500: received Vendor ID payload [Openswan (this version)
2.6.38 ]
Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from
173.254.195.244:500: received Vendor ID payload [Dead Peer Detection]
Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from
173.254.195.244:500: received Vendor ID payload [RFC 3947] method set to=115
Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from
173.254.195.244:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from
173.254.195.244:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from
173.254.195.244:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: packet from
173.254.195.244:500: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]
Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: responding to
Main Mode
Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: STATE_MAIN_R1:
sent MR1, expecting MI2
Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: NAT-Traversal:
Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: transition from
state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: STATE_MAIN_R2:
sent MR2, expecting MI3
Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: Main mode peer
ID is ID_IPV4_ADDR: '173.254.195.244'
Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: transition from
state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 27 01:00:57 vps1.layerzero.ca pluto[28819]: "vps2" #20: STATE_MAIN_R3:
sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128
prf=oakley_sha group=modp2048}
Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: received Vendor
ID payload [Openswan (this version) 2.6.38 ]
Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: received Vendor
ID payload [Dead Peer Detection]
Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: received Vendor
ID payload [RFC 3947] method set to=115
Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: enabling
possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: transition from
state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: STATE_MAIN_I2:
sent MI2, expecting MR2
Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: NAT-Traversal:
Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: transition from
state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: STATE_MAIN_I3:
sent MI3, expecting MR3
Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: received Vendor
ID payload [CAN-IKEv2]
Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: Main mode peer
ID is ID_IPV4_ADDR: '173.254.195.244'
Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: transition from
state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun 27 01:01:24 vps1.layerzero.ca pluto[28819]: "vps2" #19: STATE_MAIN_I4:
ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128
prf=oakley_sha group=modp2048}
Jun 27 01:04:49 vps1.layerzero.ca pluto[28819]: packet from
173.254.195.244:500: Informational Exchange is for an unknown (expired?) SA
with MSGID:0x4a2e1ab1
Jun 27 01:05:27 vps1.layerzero.ca pluto[28819]: packet from
173.254.195.244:500: Informational Exchange is for an unknown (expired?) SA
with MSGID:0x999b390f

Logs for VPS2:

Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: initiating Main
Mode to replace #11
Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: received Vendor
ID payload [Openswan (this version) 2.6.38 ]
Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: received Vendor
ID payload [Dead Peer Detection]
Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: received Vendor
ID payload [RFC 3947] method set to=115
Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: enabling
possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: transition from
state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: STATE_MAIN_I2:
sent MI2, expecting MR2
Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: NAT-Traversal:
Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: transition from
state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: STATE_MAIN_I3:
sent MI3, expecting MR3
Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: received Vendor
ID payload [CAN-IKEv2]
Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: Main mode peer
ID is ID_IPV4_ADDR: '64.237.39.24'
Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: transition from
state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun 27 00:05:04 vps2.layerzero.ca pluto[29906]: "vps1" #13: STATE_MAIN_I4:
ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128
prf=oakley_sha group=modp2048}
Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from 64.237.39.24:500:
received Vendor ID payload [Openswan (this version) 2.6.38 ]
Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from 64.237.39.24:500:
received Vendor ID payload [Dead Peer Detection]
Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from 64.237.39.24:500:
received Vendor ID payload [RFC 3947] method set to=115
Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from 64.237.39.24:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but
already using method 115
Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from 64.237.39.24:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but
already using method 115
Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from 64.237.39.24:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but
already using method 115
Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: packet from 64.237.39.24:500:
received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: responding to
Main Mode
Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: transition from
state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: STATE_MAIN_R1:
sent MR1, expecting MI2
Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: NAT-Traversal:
Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: transition from
state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: STATE_MAIN_R2:
sent MR2, expecting MI3
Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: Main mode peer
ID is ID_IPV4_ADDR: '64.237.39.24'
Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: transition from
state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 27 00:05:42 vps2.layerzero.ca pluto[29906]: "vps1" #14: STATE_MAIN_R3:
sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128
prf=oakley_sha group=modp2048}
Jun 27 00:09:34 vps2.layerzero.ca pluto[29906]: packet from 64.237.39.24:500:
Informational Exchange is for an unknown (expired?) SA with MSGID:0xb8f1bbda




-- 
www.ariens.ca
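As an added example (not from the original post and not Openswan's own code), here is a small Python script that turns pluto syslog lines like the ones quoted above into a per-connection timeline: which ISAKMP (phase 1) SAs were established and in which role, which SA replaced or deleted another, whether any IPsec (phase 2) SA was established at all, and how many informational exchanges referenced an unknown or expired SA. The sample input is constructed from the VPS1 lines in the post, re-joined onto single lines; the regular expressions assume the Openswan 2.6 pluto message formats visible in the post, and the script expects lines from a single host because it keys on the connection name.

```python
"""Per-connection timeline of Openswan pluto IKE events from syslog lines.

Added example for this thread, not Openswan code. The message formats are the
ones seen in the pluto output quoted above (Openswan 2.6, IPv4 peers).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) '
                     r'(?P<host>\S+) pluto\[\d+\]: (?P<msg>.*)$')
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<text>.*)$')
PKT_RE = re.compile(r'^packet from (?P<peer>[\d.]+):\d+: (?P<text>.*)$')  # IPv4 only
REPLACE_RE = re.compile(r'initiating (?:Main|Aggressive) Mode to replace #(\d+)')
DELETE_RE = re.compile(r'deleting ISAKMP State #(\d+)')
ORPHAN_RE = re.compile(r'Informational Exchange is for an unknown \(expired\?\) SA '
                       r'with MSGID:(0x[0-9a-f]+)')


def parse_line(line, year=2013):
    """Split one syslog line into timestamp, host and pluto message.
    Returns None for lines that are not pluto output. Syslog has no year,
    so the caller supplies it."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {int(m['day'])} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    ev = {'ts': ts, 'host': m['host'], 'conn': None, 'sa': None, 'peer': None,
          'text': m['msg']}
    c = CONN_RE.match(m['msg'])      # '"conn" #N: ...' lines belong to a state
    p = PKT_RE.match(m['msg'])       # 'packet from A.B.C.D:port: ...' lines do not
    if c:
        ev.update(conn=c['conn'], sa=int(c['sa']), text=c['text'])
    elif p:
        ev.update(peer=p['peer'], text=p['text'])
    return ev


def summarize(lines, year=2013):
    """Collect phase 1 / phase 2 establishment, rekeys, deletes and orphan
    informational exchanges, keyed by connection name."""
    conns = defaultdict(lambda: {'isakmp': [], 'ipsec': [], 'replaced': {}, 'deleted': []})
    orphans = []
    for line in lines:
        ev = parse_line(line, year)
        if ev is None:
            continue
        t = ev['text']
        if ev['conn'] is not None:
            c = conns[ev['conn']]
            if 'ISAKMP SA established' in t:
                # STATE_MAIN_R*/STATE_AGGR_R* means we answered the peer's proposal
                role = 'responder' if re.search(r'STATE_(MAIN|AGGR)_R', t) else 'initiator'
                c['isakmp'].append((ev['ts'], ev['sa'], role))
            elif 'IPsec SA established' in t:        # Quick Mode completed
                c['ipsec'].append((ev['ts'], ev['sa']))
            elif REPLACE_RE.search(t):
                c['replaced'][ev['sa']] = int(REPLACE_RE.search(t).group(1))
            elif DELETE_RE.search(t):
                c['deleted'].append((ev['ts'], int(DELETE_RE.search(t).group(1))))
        elif ev['peer'] is not None and ORPHAN_RE.search(t):
            orphans.append((ev['ts'], ev['peer'], ORPHAN_RE.search(t).group(1)))
    return {'conns': dict(conns), 'orphan_informational': orphans}


def findings(summary, window=timedelta(minutes=2)):
    """Human-readable observations a practitioner would check first."""
    out = []
    for name, c in summary['conns'].items():
        if c['isakmp'] and not c['ipsec']:
            out.append(f"{name}: {len(c['isakmp'])} ISAKMP (phase 1) SA(s) established, "
                       f"no IPsec (phase 2) SA established in this window")
        # an initiator SA and a responder SA close together: both peers initiated
        for i, (t1, sa1, r1) in enumerate(c['isakmp']):
            for t2, sa2, r2 in c['isakmp'][i + 1:]:
                if r1 != r2 and abs(t2 - t1) <= window:
                    secs = int(abs(t2 - t1).total_seconds())
                    out.append(f"{name}: #{sa1} ({r1}) and #{sa2} ({r2}) established "
                               f"{secs}s apart: both peers initiated")
        for new, old in c['replaced'].items():
            out.append(f"{name}: #{new} replaced #{old} (rekey)")
    n = len(summary['orphan_informational'])
    if n:
        peers = sorted({p for _, p, _ in summary['orphan_informational']})
        out.append(f"{n} informational exchange(s) from {', '.join(peers)} "
                   f"referenced an unknown/expired SA")
    return out


# Constructed sample: VPS1 lines from the post, re-joined onto single lines.
_H = 'vps1.layerzero.ca pluto[28819]:'
_EST = 'ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}'
SAMPLE_LOG = [
    f'Jun 27 00:04:49 {_H} packet from 173.254.195.244:500: received Vendor ID payload [Dead Peer Detection]',
    f'Jun 27 00:04:49 {_H} "vps2" #17: STATE_MAIN_R3: sent MR3, {_EST}',
    f'Jun 27 00:05:27 {_H} "vps2" #16: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected',
    f'Jun 27 00:05:27 {_H} "vps2" #16: STATE_MAIN_I4: {_EST}',
    f'Jun 27 00:09:01 {_H} packet from 173.254.195.244:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0xf86c4eb8',
    f'Jun 27 00:09:19 {_H} "vps2" #13: received Delete SA payload: deleting ISAKMP State #13',
    f'Jun 27 00:48:54 {_H} "vps2" #19: initiating Main Mode to replace #16',
    f'Jun 27 01:00:57 {_H} "vps2" #20: STATE_MAIN_R3: sent MR3, {_EST}',
    f'Jun 27 01:01:24 {_H} "vps2" #19: STATE_MAIN_I4: {_EST}',
    f'Jun 27 01:04:49 {_H} packet from 173.254.195.244:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x4a2e1ab1',
    f'Jun 27 01:05:27 {_H} packet from 173.254.195.244:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x999b390f',
]

if __name__ == "__main__":
    for line in findings(summarize(SAMPLE_LOG)):
        print(line)
```

The point of separating the two phases is that an "ISAKMP SA established" line only proves Main Mode (phase 1) completed; traffic is carried by the IPsec SA that Quick Mode (phase 2) negotiates, which pluto logs as "IPsec SA established". When a tunnel shows as up but stops passing traffic, comparing the phase 1 and phase 2 events around the time of the outage, together with any rekey ("to replace #N") and orphaned informational exchanges, narrows down whether the problem is an IKE state mismatch between the peers or something outside IKE such as kernel policy or routing.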