[Openswan Users] Openswan keeps resending Phase 1 messages but tunnel is working correctly
Lennart Regner
Lennart.Regner at fsenetwork.com
Fri Apr 25 07:22:33 EDT 2014
Hi everyone,
My openswan <-> openswan tunnel is working completely fine, but the server keeps retransmitting phase 1 messages until the tunnel collapses.
My setup is like this:
192.168.54.0/24 -> openswan a.b.c.d <----------> openswan w.x.y.z <- 192.168.0.0/24
The tunnel comes up and works (can transmit data from left to right), but soon after, the right side retransmits phase 1 messages and receives no answer, thus shutting down everything at attempt 3xx or so.
Left config:
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    # nat_traversal=yes
    # virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    oe=off
    protostack=auto
    interfaces=%defaultroute
    uniqueids=yes
# Add connections here
# default settings for connections
conn %default
    keyingtries=0
    disablearrivalcheck=no
    authby=rsasig
conn conn1
    authby=secret
    left=a.b.c.d
    leftid="a.b.c.d"
    leftsubnet=192.168.54.0/24
    right=w.x.y.z
    rightid="w.x.y.z"
    rightsubnet=192.168.50.0/24
    auto=start
    type=tunnel
    keyexchange=ike
    ike=3des-md5-modp1024,aes256-sha1-modp1024
    ikelifetime=86400s
    rekey=yes
    phase2=esp
    phase2alg=3des-md5;modp1024
    pfs=no
Right config:
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    dumpdir=/var/run/pluto/
    # nat_traversal=yes
    oe=off
    protostack=auto
    interfaces="ipsec0=eth1"
    virtual_private=%v4:192.168.0.0/16,%v4:!172.16.0.0/12,%v4:!192.168.0.0/24,%v4:!192.168.50.0/24,%v4:!192.168.40.0/24,%v4:!192.168.8.0/24
# default settings for connections
conn %default
    keyingtries=0
conn conn1
    authby=secret
    left=a.b.c.d
    leftid="a.b.c.d"
    leftsubnet=192.168.54.0/24
    right=w.x.y.z
    rightid="w.x.y.z"
    rightsubnet=192.168.50.0/24
    auto=start
    type=tunnel
    keyexchange=ike
    ike=3des-md5-modp1024,aes256-sha1-modp1024
    ikelifetime=86400s
    rekey=yes
    phase2=esp
    phase2alg=3des-md5;modp1024
    pfs=no
There is no NAT-T involved as the public IPs of left and right are in my own class C net and face the internet directly.
left ipsec auto --status:
000 "conn1": 192.168.54.0/24===a.b.c.d<a.b.c.d>[+S=C]...w.x.y.z<w.x.y.z>[+S=C]===192.168.50.0/24; erouted; eroute owner: #2
000 "conn1": myip=unset; hisip=unset;
000 "conn1": ike_life: 86400s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "conn1": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth1;
000 "conn1": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "conn1": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2), AES_CBC(7)_256-SHA1(2)_000-MODP1024(2); flags=-strict
000 "conn1": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2), AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
000 "conn1": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "conn1": ESP algorithms wanted: 3DES(3)_000-MD5(1)_000; pfsgroup=MODP1024(2); flags=-strict
000 "conn1": ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
000 "conn1": ESP algorithm newest: 3DES_000-HMAC_MD5; pfsgroup=<N/A>
000
000 #343: "conn1":500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_RETRANSMIT in 4s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #2: "conn1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 12260s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "conn1" esp.7d011f40 at w.x.y.z esp.edb8e4ff at a.b.c.d tun.0 at w.x.y.z tun.0 at a.b.c.d ref=0 refhim=4294901761
000 #1: "conn1":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 70286s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #344: "conn1":500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_RETRANSMIT in 5s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
right ipsec auto --status:
000 "conn1": 192.168.50.0/24===w.x.y.z<w.x.y.z>[+S=C]...a.b.c.d<a.b.c.d>[+S=C]===192.168.54.0/24; erouted; eroute owner: #4
000 "conn1": myip=unset; hisip=unset;
000 "conn1": ike_life: 86400s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "conn1": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth1;
000 "conn1": newest ISAKMP SA: #3; newest IPsec SA: #4;
000 "conn1": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2), AES_CBC(7)_256-SHA1(2)_000-MODP1024(2); flags=-strict
000 "conn1": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2), AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
000 "conn1": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "conn1": ESP algorithms wanted: 3DES(3)_000-MD5(1)_000; pfsgroup=MODP1024(2); flags=-strict
000 "conn1": ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
000 "conn1": ESP algorithm newest: 3DES_000-HMAC_MD5; pfsgroup=<N/A>
000
000 #4: "conn1":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 12904s; newest IPSEC; eroute owner; isakmp#3; idle; import:not set
000 #4: "conn1" esp.edb8e4ff at a.b.c.d esp.7d011f40 at w.x.y.z tun.0 at a.b.c.d tun.0 at w.x.y.z ref=0 refhim=4294901761
000 #3: "conn1":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 70504s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
Sometimes the left side even opens up more than 1 tunnel (even 4, seen via ipsec setup status), although the right side has only one.
Can anyone shed some light on this? I'm afraid I'm completely lost here, but I think I am missing something in my configs.
Best regards
Len
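The symptom in the left side's status above (an established ISAKMP SA #1 next to responder states #343 and #344 sitting in STATE_MAIN_R1 with EVENT_RETRANSMIT) can be picked out mechanically from `ipsec auto --status` output. The following parser is an added example, not code from the post or from Openswan; the sample input is the left side's own state lines, embedded here as constructed test data, and the state-name classification (MAIN_I4/MAIN_R3 for a finished Phase 1, QUICK_I2/QUICK_R2 for a finished Phase 2) is an assumption about Pluto's naming.

```python
import re

# Constructed sample: the per-state lines from the left side's "ipsec auto --status" quoted in the post.
STATUS = """\
000 #343: "conn1":500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_RETRANSMIT in 4s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #2: "conn1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 12260s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "conn1" esp.7d011f40 at w.x.y.z esp.edb8e4ff at a.b.c.d tun.0 at w.x.y.z tun.0 at a.b.c.d ref=0 refhim=4294901761
000 #1: "conn1":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 70286s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #344: "conn1":500 STATE_MAIN_R1 (sent MR1, expecting MI2); EVENT_RETRANSMIT in 5s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
"""

# One Pluto state line: 000 #<num>: "<conn>":<port> STATE_X (...); EVENT_Y in <n>s; ...
STATE_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+) '
    r'\([^)]*\); (?P<event>EVENT_\w+) in (?P<secs>\d+)s')

# Assumed mapping of Pluto state names to "exchange finished" (not taken from the post).
ISAKMP_DONE = {"STATE_MAIN_I4", "STATE_MAIN_R3"}    # Phase 1 complete, either role
IPSEC_DONE = {"STATE_QUICK_I2", "STATE_QUICK_R2"}   # Phase 2 complete, either role

def parse_states(text):
    """Return one dict per state line; SPI/eroute lines (no STATE_ token) are skipped."""
    out = []
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            d = m.groupdict()
            d["num"], d["secs"] = int(d["num"]), int(d["secs"])
            out.append(d)
    return out

def find_stuck_phase1(states):
    """Per connection: numbers of half-open Main Mode states that are retransmitting
    while the same connection already holds a finished ISAKMP SA."""
    findings = {}
    for conn in sorted({s["conn"] for s in states}):
        mine = [s for s in states if s["conn"] == conn]
        has_isakmp = any(s["state"] in ISAKMP_DONE for s in mine)
        stuck = sorted(s["num"] for s in mine
                       if s["state"].startswith("STATE_MAIN_")
                       and s["state"] not in ISAKMP_DONE
                       and s["event"] == "EVENT_RETRANSMIT")
        if has_isakmp and stuck:
            findings[conn] = stuck
    return findings

if __name__ == "__main__":
    for conn, nums in find_stuck_phase1(parse_states(STATUS)).items():
        print(f"{conn}: ISAKMP SA already up, yet Main Mode responder states {nums} "
              "are retransmitting: the peer keeps starting Phase 1 exchanges that never complete")
```

Run it against the full output of `ipsec auto --status` on each peer; a non-empty result on one side together with a bare retransmit loop on the other points at the Phase 1 replies being lost or rejected rather than at the established tunnel itself.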