[Openswan Users] Problem with Openswan beyond NAT

Rodolfo Giometti giometti at enneenne.com
Wed Oct 23 14:31:59 UTC 2013 

On Wed, Oct 16, 2013 at 04:22:49PM +0200, Rodolfo Giometti wrote:
> 
> Looking better at the pluto's messages I see:
> 
> pluto[1029]: "selta_0" #17: DPD: could not find newest phase 1 state
> pluto[1029]: "selta_1" #19: DPD: could not find newest phase 1 state
> pluto[1029]: "selta_0" #20: DPD: could not find newest phase 1 state
> 
> Can this problem be related to Dead Peer Detection beyound NAT-T?

regarding my problem on NAT-T I discovered a way to hang pluto on
NAT-T! I simply set a quicker key and isakmp negotiation into CISCO
settings as follow:

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
 lifetime 60      <-------------------------------------------------

crypto map IPSEC_TUNNEL 10 ipsec-isakmp
 set peer 192.168.10.2
 set security-association lifetime seconds 120   <------------------
 set transform-set MYSET
 match address 101

Here output of plutodebug=all:

#
# pluto[16100]: "selta_0" #1: received Delete SA payload: deleting
# ISAKMP State #1
pluto[16100]: packet from 172.21.59.66:4500: received and ignored
# informational message
pluto[16100]: "selta_1" #3: DPD: could not find newest phase 1 state
pluto[16100]: "selta_0" #2: DPD: could not find newest phase 1 state

# date
Tue Oct 22 15:01:09 UTC 2013
# pluto[16100]: packet from 172.21.59.66:4500: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-07] method set to=112
pluto[16100]: packet from 172.21.59.66:4500: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using
method 112
pluto[16100]: packet from 172.21.59.66:4500: received Vendor ID
payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using
method 112
pluto[16100]: "selta_0" #4: responding to Main Mode
pluto[16100]: "selta_0" #4: transition from state STATE_MAIN_R0 to
state STATE_MAIN_R1
pluto[16100]: "selta_0" #4: STATE_MAIN_R1: sent MR1, expecting MI2
pluto[16100]: "selta_0" #4: received 1 malformed payload notifies

And then pluto hangs!!!

Note: when everything works well by disconnecting the cable I get

pluto[6599]: "selta_0" #1: DPD: No response from peer - declaring peer
dead
pluto[6599]: "selta_0" #1: DPD: Restarting Connection

But, when pluto hangs as above, nothing happens even disconnecting the
cable! :'(

Any advice?

Rodolfo

-- 

GNU/Linux Solutions                  e-mail: giometti at enneenne.com
Linux Device Driver                          giometti at linux.it
Embedded Systems                     phone:  +39 349 2432127
UNIX programming                     skype:  rodolfo.giometti
Freelance ICT Italia - Consulente ICT Italia - www.consulenti-ict.it

More information about the Users mailing list