[Openswan Users] Openswan keeps resending Phase 1 messages but tunnel is working correctly

Lennart Regner Lennart.Regner at fsenetwork.com
Fri Apr 25 07:22:33 EDT 2014


Hi everyone,

My openswan <-> openswan tunnel is working completely fine, but the server keeps retransmitting phase 1 messages until the tunnel collapses.
My setup is like this:
192.168.54.0/24 -> openswan a.b.c.d <----------> openswan w.x.y.z <- 192.168.0.0/24

The tunnel comes up and works (can transmit data from left to right), but soon after, the right side retransmits phase 1 messages and receives no answer, thus shutting down everything at attempt 3xx or so.

Left config:

version 2.0     # conforms to second version of ipsec.conf specification
# basic configuration
config setup
#       nat_traversal=yes
#       virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        oe=off
        protostack=auto
        interfaces=%defaultroute
        uniqueids=yes

# Add connections here

# default settings for connections
conn %default
        keyingtries=0
        disablearrivalcheck=no
        authby=rsasig

conn conn1
        authby=secret
        left=a.b.c.d
        leftid="a.b.c.d"
        leftsubnet=192.168.54.0/24
        right=w.x.y.z
        rightid="w.x.y.z"
        rightsubnet=192.168.50.0/24
        auto=start

        type=tunnel
        keyexchange=ike
        ike=3des-md5-modp1024,aes256-sha1-modp1024
        ikelifetime=86400s
        rekey=yes
        phase2=esp
        phase2alg=3des-md5;modp1024
        pfs=no


Right config:

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        dumpdir=/var/run/pluto/
#       nat_traversal=yes
        oe=off
        protostack=auto
        interfaces="ipsec0=eth1"
        virtual_private=%v4:192.168.0.0/16,%v4:!172.16.0.0/12,%v4:!192.168.0.0/24,%v4:!192.168.50.0/24,%v4:!192.168.40.0/24,%v4:!192.168.8.0/24

# default settings for connections
conn %default
        keyingtries=0

conn conn1
        authby=secret
        left=a.b.c.d
        leftid="a.b.c.d"
        leftsubnet=192.168.54.0/24
        right=w.x.y.z
        rightid="w.x.y.z"
        rightsubnet=192.168.50.0/24
        auto=start

        type=tunnel
        keyexchange=ike
        ike=3des-md5-modp1024,aes256-sha1-modp1024
        ikelifetime=86400s
        rekey=yes
        phase2=esp
        phase2alg=3des-md5;modp1024
        pfs=no


There is no NAT-T involved as the public IPs of left and right are in my own class C net and face the internet directly.

left ipsec auto --status:
000 "conn1": 192.168.54.0/24===a.b.c.d<a.b.c.d>[+S=C]...w.x.y.z<w.x.y.z>[+S=C]===192.168.50.0/24; erouted; eroute owner: #2
000 "conn1":     myip=unset; hisip=unset;
000 "conn1":   ike_life: 86400s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "conn1":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth1;
000 "conn1":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "conn1":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2), AES_CBC(7)_256-SHA1(2)_000-MODP1024(2); flags=-strict
000 "conn1":   IKE algorithms found:  3DES_CBC(5)_192-MD5(1)_128-MODP1024(2), AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
000 "conn1":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "conn1":   ESP algorithms wanted: 3DES(3)_000-MD5(1)_000; pfsgroup=MODP1024(2); flags=-strict
000 "conn1":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
000 "conn1":   ESP algorithm newest: 3DES_000-HMAC_MD5; pfsgroup=<N/A>
000
000 #343: "conn1":500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_RETRANSMIT in 4s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #2: "conn1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 12260s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "conn1" esp.7d011f40 at w.x.y.z esp.edb8e4ff at a.b.c.d tun.0 at w.x.y.z tun.0 at a.b.c.d ref=0 refhim=4294901761
000 #1: "conn1":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 70286s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #344: "conn1":500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_RETRANSMIT in 5s; lastdpd=-1s(seq in:0 out:0); idle; import:not set

right ipsec auto --status:
000 "conn1": 192.168.50.0/24===w.x.y.z<w.x.y.z>[+S=C]...a.b.c.d<a.b.c.d>[+S=C]===192.168.54.0/24; erouted; eroute owner: #4
000 "conn1":     myip=unset; hisip=unset;
000 "conn1":   ike_life: 86400s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "conn1":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth1;
000 "conn1":   newest ISAKMP SA: #3; newest IPsec SA: #4;
000 "conn1":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2), AES_CBC(7)_256-SHA1(2)_000-MODP1024(2); flags=-strict
000 "conn1":   IKE algorithms found:  3DES_CBC(5)_192-MD5(1)_128-MODP1024(2), AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
000 "conn1":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "conn1":   ESP algorithms wanted: 3DES(3)_000-MD5(1)_000; pfsgroup=MODP1024(2); flags=-strict
000 "conn1":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
000 "conn1":   ESP algorithm newest: 3DES_000-HMAC_MD5; pfsgroup=<N/A>
000
000 #4: "conn1":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 12904s; newest IPSEC; eroute owner; isakmp#3; idle; import:not set
000 #4: "conn1" esp.edb8e4ff at a.b.c.d esp.7d011f40 at w.x.y.z tun.0 at a.b.c.d tun.0 at w.x.y.z ref=0 refhim=4294901761
000 #3: "conn1":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 70504s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set


Sometimes the left side even opens up more than 1 tunnel (even 4, seen via ipsec setup status), although the right side has only one.

Can anyone shed some light on this? I'm afraid I'm completely lost here, but I think I am missing something in my configs.

Best regards
Len
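An added example (not part of the post or of Openswan itself) that parses the per-state lines of the "ipsec auto --status" output quoted above and reports, per connection, the established SAs, the responder states stuck in EVENT_RETRANSMIT, and the highest state number seen; the sample input is a constructed copy of four of the left side's state lines.

```python
import re
from collections import defaultdict

# Constructed sample: four state lines from the left side's
# "ipsec auto --status" in the post (addresses are the post's placeholders).
SAMPLE_STATUS = """\
000 #343: "conn1":500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_RETRANSMIT in 4s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #2: "conn1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 12260s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #1: "conn1":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 70286s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #344: "conn1":500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_RETRANSMIT in 5s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
"""

# One state line: 000 #<num>: "<conn>":<port> STATE_X (...); EVENT_Y in <n>s; ...
STATE_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+) '
    r'\([^)]*\); (?P<event>EVENT_\w+) in (?P<secs>\d+)s'
)

ESTABLISHED_ISAKMP = {"STATE_MAIN_I4", "STATE_MAIN_R3"}
ESTABLISHED_IPSEC = {"STATE_QUICK_I2", "STATE_QUICK_R2"}
HALF_OPEN_RESPONDER = {"STATE_MAIN_R1", "STATE_MAIN_R2"}

def parse_states(text):
    """Return one dict per state line; connection summary lines are ignored."""
    out = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            d = m.groupdict()
            d["num"], d["secs"] = int(d["num"]), int(d["secs"])
            out.append(d)
    return out

def audit(text):
    """Per connection: established SAs, stuck responder states, state-number churn."""
    per_conn = defaultdict(list)
    for s in parse_states(text):
        per_conn[s["conn"]].append(s)
    report = {}
    for conn, states in per_conn.items():
        # Responder states still waiting for a reply that never arrives
        # (the #343/#344 entries in the post).
        stuck = [s["num"] for s in states
                 if s["state"] in HALF_OPEN_RESPONDER and s["event"] == "EVENT_RETRANSMIT"]
        report[conn] = {
            "isakmp_established": sum(s["state"] in ESTABLISHED_ISAKMP for s in states),
            "ipsec_established": sum(s["state"] in ESTABLISHED_IPSEC for s in states),
            "stuck_responder_states": sorted(stuck),
            # A state number in the hundreds for one connection means many
            # Phase 1 attempts were started and abandoned since pluto began.
            "max_state_num": max(s["num"] for s in states),
        }
    return report
```

Running audit() over the full status output of both peers shows at a glance which side holds half-open responder states and whether more than one ISAKMP or IPsec SA exists for the same connection.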
