[Openswan Users] VPN goes down every couple minutes
Mike Johnston
mjohnston at wiktel.com
Tue Jan 21 02:15:19 EST 2014
I have built a VPN between a Cisco ASA 5505 (at home) and an Ubuntu box
(called gamma) running OpenSWAN. The VPN works, but it stops passing
traffic every couple minutes and then recovers after several seconds.
In the logs, I see output like the text below. During this output, the
link stopped passing traffic a couple of times.
What can I do to get the VPN to be more stable?
Jan 21 00:30:35 gamma pluto[4526]: "home/0x0" #13: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #11 {using
isakmp#2 msgid:c23c5341 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
Jan 21 00:30:35 gamma pluto[4526]: "home/0x0" #13: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
Jan 21 00:30:35 gamma pluto[4526]: "home/0x0" #13: STATE_QUICK_I2: sent
QI2, IPsec SA established tunnel mode {ESP=>0xabaa85e2 <0x1290b7b0
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jan 21 00:31:05 gamma pluto[4526]: "home/0x1" #12: max number of
retransmissions (2) reached STATE_QUICK_I1. No acceptable response to
our first Quick Mode message: perhaps peer likes no proposal
Jan 21 00:31:05 gamma pluto[4526]: "home/0x1" #12: starting keying
attempt 5 of an unlimited number
Jan 21 00:31:05 gamma pluto[4526]: "home/0x1" #14: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #12 {using
isakmp#2 msgid:14b7a759 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
Jan 21 00:31:05 gamma pluto[4526]: "home/0x1" #14: cannot install eroute
-- it is in use for "home/0x0" #13
Jan 21 00:31:13 gamma pluto[4526]: "home/0x1" #14: discarding duplicate
packet; already STATE_QUICK_I1
Jan 21 00:31:31 pluto[4526]: last message repeated 2 times
Jan 21 00:31:31 gamma pluto[4526]: "home/0x2" #2: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0x2570da35) not found (maybe expired)
Jan 21 00:31:31 gamma pluto[4526]: "home/0x2" #2: received and ignored
informational message
Jan 21 00:31:35 gamma pluto[4526]: "home/0x2" #2: received Delete SA
payload: replace IPSEC State #13 in 10 seconds
Jan 21 00:31:35 gamma pluto[4526]: "home/0x2" #2: received and ignored
informational message
Jan 21 00:31:45 gamma pluto[4526]: "home/0x0" #15: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #13 {using
isakmp#2 msgid:e6986856 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
Jan 21 00:31:45 gamma pluto[4526]: "home/0x0" #15: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
Jan 21 00:31:45 gamma pluto[4526]: "home/0x0" #15: STATE_QUICK_I2: sent
QI2, IPsec SA established tunnel mode {ESP=>0x513ba63e <0xd4a6a573
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jan 21 00:32:15 gamma pluto[4526]: "home/0x1" #14: max number of
retransmissions (2) reached STATE_QUICK_I1. No acceptable response to
our first Quick Mode message: perhaps peer likes no proposal
Jan 21 00:32:15 gamma pluto[4526]: "home/0x1" #14: starting keying
attempt 6 of an unlimited number
Jan 21 00:32:15 gamma pluto[4526]: "home/0x1" #16: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #14 {using
isakmp#2 msgid:a78427f6 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
Jan 21 00:32:15 gamma pluto[4526]: "home/0x1" #16: cannot install eroute
-- it is in use for "home/0x0" #15
Jan 21 00:32:23 gamma pluto[4526]: "home/0x1" #16: discarding duplicate
packet; already STATE_QUICK_I1
Jan 21 00:32:41 pluto[4526]: last message repeated 2 times
Jan 21 00:32:41 gamma pluto[4526]: "home/0x2" #2: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0x2df99f3d) not found (maybe expired)
Jan 21 00:32:41 gamma pluto[4526]: "home/0x2" #2: received and ignored
informational message
Jan 21 00:32:45 gamma pluto[4526]: "home/0x2" #2: received Delete SA
payload: replace IPSEC State #15 in 10 seconds
Jan 21 00:32:45 gamma pluto[4526]: "home/0x2" #2: received and ignored
informational message
Jan 21 00:32:55 gamma pluto[4526]: "home/0x0" #17: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #15 {using
isakmp#2 msgid:e43cf640 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
Jan 21 00:32:55 gamma pluto[4526]: "home/0x0" #17: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
Jan 21 00:32:55 gamma pluto[4526]: "home/0x0" #17: STATE_QUICK_I2: sent
QI2, IPsec SA established tunnel mode {ESP=>0x508336aa <0x2ede2093
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jan 21 00:33:25 gamma pluto[4526]: "home/0x1" #16: max number of
retransmissions (2) reached STATE_QUICK_I1. No acceptable response to
our first Quick Mode message: perhaps peer likes no proposal
Jan 21 00:33:25 gamma pluto[4526]: "home/0x1" #16: starting keying
attempt 7 of an unlimited number
Jan 21 00:33:25 gamma pluto[4526]: "home/0x1" #18: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #16 {using
isakmp#2 msgid:4ba4eace proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
Jan 21 00:33:25 gamma pluto[4526]: "home/0x1" #18: cannot install eroute
-- it is in use for "home/0x0" #17
Jan 21 00:33:33 gamma pluto[4526]: "home/0x1" #18: discarding duplicate
packet; already STATE_QUICK_I1
Jan 21 00:33:51 pluto[4526]: last message repeated 2 times
Jan 21 00:33:51 gamma pluto[4526]: "home/0x2" #2: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0x69df2a55) not found (maybe expired)
Jan 21 00:33:51 gamma pluto[4526]: "home/0x2" #2: received and ignored
informational message
Jan 21 00:33:55 gamma pluto[4526]: "home/0x2" #2: received Delete SA
payload: replace IPSEC State #17 in 10 seconds
Jan 21 00:33:55 gamma pluto[4526]: "home/0x2" #2: received and ignored
informational message
Jan 21 00:34:05 gamma pluto[4526]: "home/0x0" #19: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #17 {using
isakmp#2 msgid:548eae2a proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
Jan 21 00:34:05 gamma pluto[4526]: "home/0x0" #19: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
Jan 21 00:34:05 gamma pluto[4526]: "home/0x0" #19: STATE_QUICK_I2: sent
QI2, IPsec SA established tunnel mode {ESP=>0x3cfd5131 <0xd576b7fe
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jan 21 00:34:35 gamma pluto[4526]: "home/0x1" #18: max number of
retransmissions (2) reached STATE_QUICK_I1. No acceptable response to
our first Quick Mode message: perhaps peer likes no proposal
Jan 21 00:34:35 gamma pluto[4526]: "home/0x1" #18: starting keying
attempt 8 of an unlimited number
Jan 21 00:34:35 gamma pluto[4526]: "home/0x1" #20: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #18 {using
isakmp#2 msgid:41093a18 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
Jan 21 00:34:35 gamma pluto[4526]: "home/0x1" #20: cannot install eroute
-- it is in use for "home/0x0" #19
Jan 21 00:34:43 gamma pluto[4526]: "home/0x1" #20: discarding duplicate
packet; already STATE_QUICK_I1
Jan 21 00:35:01 pluto[4526]: last message repeated 2 times
Jan 21 00:35:01 gamma pluto[4526]: "home/0x2" #2: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0xc22988b3) not found (maybe expired)
Jan 21 00:35:01 gamma pluto[4526]: "home/0x2" #2: received and ignored
informational message
Jan 21 00:35:05 gamma pluto[4526]: "home/0x2" #2: received Delete SA
payload: replace IPSEC State #19 in 10 seconds
Jan 21 00:35:05 gamma pluto[4526]: "home/0x2" #2: received and ignored
informational message
Jan 21 00:35:15 gamma pluto[4526]: "home/0x0" #21: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #19 {using
isakmp#2 msgid:b59f4d40 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
Jan 21 00:35:15 gamma pluto[4526]: "home/0x0" #21: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
Jan 21 00:35:15 gamma pluto[4526]: "home/0x0" #21: STATE_QUICK_I2: sent
QI2, IPsec SA established tunnel mode {ESP=>0x17c0ec2a <0xaa412bf1
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jan 21 00:35:45 gamma pluto[4526]: "home/0x1" #20: max number of
retransmissions (2) reached STATE_QUICK_I1. No acceptable response to
our first Quick Mode message: perhaps peer likes no proposal
Jan 21 00:35:45 gamma pluto[4526]: "home/0x1" #20: starting keying
attempt 9 of an unlimited number
Jan 21 00:35:45 gamma pluto[4526]: "home/0x1" #22: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #20 {using
isakmp#2 msgid:eed530c9 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
Jan 21 00:35:45 gamma pluto[4526]: "home/0x1" #22: cannot install eroute
-- it is in use for "home/0x0" #21
Jan 21 00:35:53 gamma pluto[4526]: "home/0x1" #22: discarding duplicate
packet; already STATE_QUICK_I1
Jan 21 00:36:11 pluto[4526]: last message repeated 2 times
Jan 21 00:36:11 gamma pluto[4526]: "home/0x2" #2: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0xb9c1ab47) not found (maybe expired)
Jan 21 00:36:11 gamma pluto[4526]: "home/0x2" #2: received and ignored
informational message
Jan 21 00:36:15 gamma pluto[4526]: "home/0x2" #2: received Delete SA
payload: replace IPSEC State #21 in 10 seconds
Jan 21 00:36:15 gamma pluto[4526]: "home/0x2" #2: received and ignored
informational message
Jan 21 00:36:25 gamma pluto[4526]: "home/0x0" #23: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #21 {using
isakmp#2 msgid:1107d958 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
Jan 21 00:36:25 gamma pluto[4526]: "home/0x0" #23: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
Jan 21 00:36:25 gamma pluto[4526]: "home/0x0" #23: STATE_QUICK_I2: sent
QI2, IPsec SA established tunnel mode {ESP=>0x3986f54f <0x96e4ead2
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jan 21 00:36:55 gamma pluto[4526]: "home/0x1" #22: max number of
retransmissions (2) reached STATE_QUICK_I1. No acceptable response to
our first Quick Mode message: perhaps peer likes no proposal
Jan 21 00:36:55 gamma pluto[4526]: "home/0x1" #22: starting keying
attempt 10 of an unlimited number
Jan 21 00:36:55 gamma pluto[4526]: "home/0x1" #24: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #22 {using
isakmp#2 msgid:473fcded proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
Jan 21 00:36:55 gamma pluto[4526]: "home/0x1" #24: cannot install eroute
-- it is in use for "home/0x0" #23
Jan 21 00:37:03 gamma pluto[4526]: "home/0x1" #24: discarding duplicate
packet; already STATE_QUICK_I1
Jan 21 00:37:21 pluto[4526]: last message repeated 2 times
Jan 21 00:37:21 gamma pluto[4526]: "home/0x2" #2: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0x39b759f5) not found (maybe expired)
Jan 21 00:37:21 gamma pluto[4526]: "home/0x2" #2: received and ignored
informational message
Jan 21 00:37:25 gamma pluto[4526]: "home/0x2" #2: received Delete SA
payload: replace IPSEC State #23 in 10 seconds
Jan 21 00:37:25 gamma pluto[4526]: "home/0x2" #2: received and ignored
informational message
Jan 21 00:37:25 gamma pluto[4526]: "home/0x2" #2: the peer proposed:
10.100.105.0/27:0/0 -> 10.100.100.0/24:0/0
Jan 21 00:37:25 gamma pluto[4526]: "home/0x0" #25: responding to Quick
Mode proposal {msgid:f4dc29a4}
Jan 21 00:37:25 gamma pluto[4526]: "home/0x0" #25: us:
10.100.105.0/27===111.111.111.111<111.111.111.111>[+S=C]
Jan 21 00:37:25 gamma pluto[4526]: "home/0x0" #25: them:
222.222.222.222<222.222.222.222>[+S=C]===10.100.100.0/24
Jan 21 00:37:25 gamma pluto[4526]: "home/0x0" #25: keeping
refhim=4294901761 during rekey
Jan 21 00:37:25 gamma pluto[4526]: "home/0x0" #25: transition from state
STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 21 00:37:25 gamma pluto[4526]: "home/0x0" #25: STATE_QUICK_R1: sent
QR1, inbound IPsec SA installed, expecting QI2
Jan 21 00:37:25 gamma pluto[4526]: "home/0x0" #25: transition from state
STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 21 00:37:25 gamma pluto[4526]: "home/0x0" #25: STATE_QUICK_R2: IPsec
SA established tunnel mode {ESP=>0x87a07112 <0x633d46c4
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jan 21 00:38:05 gamma pluto[4526]: "home/0x1" #24: max number of
retransmissions (2) reached STATE_QUICK_I1. No acceptable response to
our first Quick Mode message: perhaps peer likes no proposal
Jan 21 00:38:05 gamma pluto[4526]: "home/0x1" #24: starting keying
attempt 11 of an unlimited number
Jan 21 00:38:05 gamma pluto[4526]: "home/0x1" #26: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #24 {using
isakmp#2 msgid:42a8404b proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
Jan 21 00:38:05 gamma pluto[4526]: "home/0x1" #26: cannot install eroute
-- it is in use for "home/0x0" #25
Jan 21 00:38:13 gamma pluto[4526]: "home/0x1" #26: discarding duplicate
packet; already STATE_QUICK_I1
Jan 21 00:38:31 pluto[4526]: last message repeated 2 times
Jan 21 00:38:31 gamma pluto[4526]: "home/0x2" #2: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0x95bc8432) not found (maybe expired)
Jan 21 00:38:31 gamma pluto[4526]: "home/0x2" #2: received and ignored
informational message
Jan 21 00:38:35 gamma pluto[4526]: "home/0x2" #2: received Delete SA
payload: replace IPSEC State #25 in 10 seconds
Jan 21 00:38:35 gamma pluto[4526]: "home/0x2" #2: received and ignored
informational message
Jan 21 00:38:35 gamma pluto[4526]: "home/0x1" #26: cannot install eroute
-- it is in use for "home/0x0" #25
Jan 21 00:38:43 gamma pluto[4526]: "home/0x1" #26: discarding duplicate
packet; already STATE_QUICK_I1
Jan 21 00:38:45 gamma pluto[4526]: "home/0x0" #27: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #25 {using
isakmp#2 msgid:907adcc1 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
Jan 21 00:38:51 gamma pluto[4526]: "home/0x1" #26: discarding duplicate
packet; already STATE_QUICK_I1
Jan 21 00:38:55 gamma pluto[4526]: "home/0x0" #25: IPsec SA expired
(LATEST!)
Jan 21 00:38:59 gamma pluto[4526]: "home/0x1" #26: discarding duplicate
packet; already STATE_QUICK_I1
Jan 21 00:39:07 gamma pluto[4526]: "home/0x2" #2: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0x8578d5b7) not found (maybe expired)
Jan 21 00:39:07 gamma pluto[4526]: "home/0x2" #2: received and ignored
informational message
Jan 21 00:39:07 gamma pluto[4526]: "home/0x2" #2: the peer proposed:
10.100.105.0/27:0/0 -> 10.100.100.0/24:0/0
Jan 21 00:39:07 gamma pluto[4526]: "home/0x0" #28: responding to Quick
Mode proposal {msgid:ec4394a1}
Jan 21 00:39:07 gamma pluto[4526]: "home/0x0" #28: us:
10.100.105.0/27===111.111.111.111<111.111.111.111>[+S=C]
Jan 21 00:39:07 gamma pluto[4526]: "home/0x0" #28: them:
222.222.222.222<222.222.222.222>[+S=C]===10.100.100.0/24
Jan 21 00:39:07 gamma pluto[4526]: "home/0x0" #28: transition from state
STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 21 00:39:07 gamma pluto[4526]: "home/0x0" #28: STATE_QUICK_R1: sent
QR1, inbound IPsec SA installed, expecting QI2
Jan 21 00:39:07 gamma pluto[4526]: "home/0x0" #28: transition from state
STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 21 00:39:07 gamma pluto[4526]: "home/0x0" #28: STATE_QUICK_R2: IPsec
SA established tunnel mode {ESP=>0x2da2a3bb <0xd4e84152
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jan 21 00:39:15 gamma pluto[4526]: "home/0x1" #26: max number of
retransmissions (2) reached STATE_QUICK_I1. No acceptable response to
our first Quick Mode message: perhaps peer likes no proposal
Jan 21 00:39:15 gamma pluto[4526]: "home/0x1" #26: starting keying
attempt 12 of an unlimited number
Jan 21 00:39:15 gamma pluto[4526]: "home/0x1" #29: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #26 {using
isakmp#2 msgid:1ba04303 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
Jan 21 00:39:15 gamma pluto[4526]: "home/0x0" #27: ERROR: netlink
response for Add SA esp.2b2fb19a at 111.111.111.111 included errno 3: No
such process
Jan 21 00:39:23 gamma pluto[4526]: "home/0x0" #27: discarding duplicate
packet; already STATE_QUICK_I1
Jan 21 00:39:45 pluto[4526]: last message repeated 2 times
Jan 21 00:39:45 gamma pluto[4526]: "home/0x2" #2: received Delete SA
payload: replace IPSEC State #28 in 10 seconds
Jan 21 00:39:45 gamma pluto[4526]: "home/0x2" #2: received and ignored
informational message
Jan 21 00:39:47 gamma pluto[4526]: "home/0x2" #2: ignoring Delete SA
payload: PROTO_IPSEC_ESP SA(0x0e8787e8) not found (maybe expired)
Jan 21 00:39:47 gamma pluto[4526]: "home/0x2" #2: received and ignored
informational message
Jan 21 00:39:47 gamma pluto[4526]: "home/0x2" #2: the peer proposed:
10.100.105.0/27:0/0 -> 10.100.100.0/24:0/0
Jan 21 00:39:47 gamma pluto[4526]: "home/0x0" #30: responding to Quick
Mode proposal {msgid:b1d4ecc4}
Jan 21 00:39:47 gamma pluto[4526]: "home/0x0" #30: us:
10.100.105.0/27===111.111.111.111<111.111.111.111>[+S=C]
Jan 21 00:39:47 gamma pluto[4526]: "home/0x0" #30: them:
222.222.222.222<222.222.222.222>[+S=C]===10.100.100.0/24
Jan 21 00:39:47 gamma pluto[4526]: "home/0x0" #30: keeping
refhim=4294901761 during rekey
Jan 21 00:39:47 gamma pluto[4526]: "home/0x0" #30: transition from state
STATE_QUICK_R0 to state STATE_QUICK_R1
Jan 21 00:39:47 gamma pluto[4526]: "home/0x0" #30: STATE_QUICK_R1: sent
QR1, inbound IPsec SA installed, expecting QI2
Jan 21 00:39:47 gamma pluto[4526]: "home/0x0" #30: transition from state
STATE_QUICK_R1 to state STATE_QUICK_R2
Jan 21 00:39:47 gamma pluto[4526]: "home/0x0" #30: STATE_QUICK_R2: IPsec
SA established tunnel mode {ESP=>0x38ec6b85 <0x8b859d81
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jan 21 00:39:55 gamma pluto[4526]: "home/0x0" #27: max number of
retransmissions (2) reached STATE_QUICK_I1
Jan 21 00:39:55 gamma pluto[4526]: "home/0x0" #27: starting keying
attempt 2 of an unlimited number
Jan 21 00:39:55 gamma pluto[4526]: "home/0x0" #31: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK to replace #27 {using
isakmp#2 msgid:f0940246 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=no-pfs}
Jan 21 00:39:55 gamma pluto[4526]: "home/0x0" #31: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
Jan 21 00:39:55 gamma pluto[4526]: "home/0x0" #31: STATE_QUICK_I2: sent
QI2, IPsec SA established tunnel mode {ESP=>0xe5c977e6 <0x2fe03fd4
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jan 21 00:39:55 gamma pluto[4526]: "home/0x2" #2: received Delete
SA(0x38ec6b85) payload: deleting IPSEC State #30
Jan 21 00:39:55 gamma pluto[4526]: "home/0x2" #2: received and ignored
informational message
The items that stand out to me are:
- The fact that it never goes into STATE MAIN
- max number of retransmissions (2) reached STATE_QUICK_I1. No
acceptable response to our first Quick Mode message: perhaps peer
likes no proposal
- cannot install eroute -- it is in use for "home/0x0" #25
- ERROR: netlink response for Add SA esp.2b2fb19a at 111.111.111.111
included errno 3: No such process
My config on gamma is as follows.
version 2.0

config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    oe=off
    protostack=netkey

conn home
    authby=secret
    auto=start
    type=tunnel
    left=111.111.111.111
    leftsourceip=10.100.105.1
    leftsubnet=10.100.105.0/27
    right=222.222.222.222
    rightsourceip=10.100.100.1
    rightsubnet=10.100.100.0/24
    rightsubnets={10.100.100.0/24 10.100.101.0/24}
    ike=aes128-sha1
    phase2=esp
    phase2alg=aes128-sha1
    pfs=no
The relevant parts of the ASA config are as follows. Note that this
config also allows users to VPN in.
same-security-traffic permit intra-interface
access-list nonat extended permit ip 10.100.100.0 255.255.255.0 10.100.101.0 255.255.255.0
access-list nonat extended permit ip 10.100.100.0 255.255.255.0 10.100.105.0 255.255.255.224
access-list nonat extended permit ip 10.100.101.0 255.255.255.0 10.100.105.0 255.255.255.224
access-list nonat extended permit ip 10.100.105.0 255.255.255.224 10.100.101.0 255.255.255.0
access-list to-gamma extended permit ip 10.100.100.0 255.255.255.0 10.100.105.0 255.255.255.224
access-list to-gamma extended permit ip 10.100.101.0 255.255.255.0 10.100.105.0 255.255.255.224
access-list vpn_nets standard permit 10.100.100.0 255.255.255.0
access-list vpn_nets standard permit 10.100.101.0 255.255.255.0
access-list vpn_nets standard permit 10.100.105.0 255.255.255.224
ip local pool clientVPNpool 10.100.101.201-10.100.101.219 mask 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_AES_SHA esp-aes esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_AES_SHA mode transport
crypto ipsec transform-set TRANS_ESP_AES_SHA_L2L esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 1 set transform-set TRANS_ESP_AES_SHA TRANS_ESP_3DES_SHA
crypto map outside_map 30 match address to-gamma
crypto map outside_map 30 set peer 111.111.111.111
crypto map outside_map 30 set transform-set TRANS_ESP_AES_SHA_L2L
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
management-access inside
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 wins-server none
 dns-server value 10.100.100.11 10.100.100.12
 vpn-tunnel-protocol IPSec l2tp-ipsec
 ipsec-udp enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value vpn_nets
 default-domain value lan2.org
 split-dns value example.com
 intercept-dhcp 255.255.255.0 enable
tunnel-group DefaultRAGroup general-attributes
 address-pool clientVPNpool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
tunnel-group 111.111.111.111 type ipsec-l2l
tunnel-group 111.111.111.111 ipsec-attributes
 pre-shared-key *****
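As an added illustration for readers triaging a log like the one above (this is not part of Mike's post, nor Openswan's or Cisco's code), here is a small Python script that parses pluto's per-state log lines and tallies, for each connection instance ("home/0x0", "home/0x1", ...), how often a child SA is established, how often Quick Mode hits its retransmission limit, how often an eroute conflict with a sibling instance is logged, and which traffic selectors the peer actually proposed. The sample input is a handful of lines copied from the excerpt above with the mail-wrapped lines rejoined; the function names, event categories and the 3600-second "expected lifetime" threshold are my own assumptions, not anything Openswan defines.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample input: pluto lines taken from the post above, with the
# mail-wrapped lines rejoined so each event is one line as syslog writes it.
SAMPLE_LOG = """\
Jan 21 00:30:35 gamma pluto[4526]: "home/0x0" #13: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xabaa85e2 <0x1290b7b0 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jan 21 00:31:05 gamma pluto[4526]: "home/0x1" #12: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jan 21 00:31:05 gamma pluto[4526]: "home/0x1" #14: cannot install eroute -- it is in use for "home/0x0" #13
Jan 21 00:31:31 pluto[4526]: last message repeated 2 times
Jan 21 00:31:35 gamma pluto[4526]: "home/0x2" #2: received Delete SA payload: replace IPSEC State #13 in 10 seconds
Jan 21 00:31:45 gamma pluto[4526]: "home/0x0" #15: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x513ba63e <0xd4a6a573 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jan 21 00:32:15 gamma pluto[4526]: "home/0x1" #14: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Jan 21 00:32:15 gamma pluto[4526]: "home/0x1" #16: cannot install eroute -- it is in use for "home/0x0" #15
Jan 21 00:32:45 gamma pluto[4526]: "home/0x2" #2: received Delete SA payload: replace IPSEC State #15 in 10 seconds
Jan 21 00:32:55 gamma pluto[4526]: "home/0x0" #17: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x508336aa <0x2ede2093 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jan 21 00:37:25 gamma pluto[4526]: "home/0x2" #2: the peer proposed: 10.100.105.0/27:0/0 -> 10.100.100.0/24:0/0
Jan 21 00:39:15 gamma pluto[4526]: "home/0x0" #27: ERROR: netlink response for Add SA esp.2b2fb19a at 111.111.111.111 included errno 3: No such process
"""

# One pluto event: syslog stamp, host, pluto[pid], "conn/instance" #state: message
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<inst>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$'
)
PROPOSED_RE = re.compile(r'the peer proposed: (\S+):\S+ -> (\S+):\S+')

# Event categories (my own labels), matched in order against the message text.
KINDS = [
    ("established", "IPsec SA established"),
    ("retransmit_limit", "max number of retransmissions"),
    ("eroute_conflict", "cannot install eroute"),
    ("peer_replace", "received Delete SA payload: replace"),
    ("netlink_error", "ERROR: netlink"),
    ("peer_proposed", "the peer proposed:"),
]

def parse_pluto_line(line):
    """Return (timestamp, instance, state_no, kind, msg), or None for lines that
    are not per-state pluto events (e.g. syslog's 'last message repeated')."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
    kind = next((k for k, needle in KINDS if needle in m["msg"]), "other")
    return ts, m["inst"], int(m["state"]), kind, m["msg"]

def summarize(text):
    """Tally event kinds per connection instance, record when each instance
    established a child SA, and collect the selectors the peer proposed."""
    counts = defaultdict(Counter)
    established = defaultdict(list)
    proposed = set()
    for line in text.splitlines():
        parsed = parse_pluto_line(line)
        if parsed is None:
            continue
        ts, inst, _state, kind, msg = parsed
        counts[inst][kind] += 1
        if kind == "established":
            established[inst].append(ts)
        elif kind == "peer_proposed":
            pm = PROPOSED_RE.search(msg)
            if pm:
                proposed.add((pm.group(1), pm.group(2)))
    return {"counts": dict(counts), "established": dict(established), "proposed": proposed}

def sa_intervals(summary, inst):
    """Seconds between successive child-SA establishments for one instance."""
    stamps = summary["established"].get(inst, [])
    return [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]

def findings(summary, min_expected_lifetime=3600):
    """Triage notes: instances whose child SA is replaced far sooner than a
    normal lifetime, instances that retry but never establish, and instances
    that collide with a sibling instance's eroute. Threshold is an assumption."""
    notes = []
    for inst, c in sorted(summary["counts"].items()):
        gaps = sa_intervals(summary, inst)
        if gaps and max(gaps) < min_expected_lifetime:
            notes.append(f"{inst}: child SA replaced every ~{max(gaps)}s "
                         f"(expected lifetime >= {min_expected_lifetime}s)")
        if c["retransmit_limit"] and not c["established"]:
            notes.append(f"{inst}: {c['retransmit_limit']} Quick Mode retransmit "
                         f"limits, never established")
        if c["eroute_conflict"]:
            notes.append(f"{inst}: {c['eroute_conflict']} eroute conflicts with "
                         f"another instance of the same conn")
    return notes

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for inst, c in sorted(s["counts"].items()):
        print(inst, dict(c), "intervals:", sa_intervals(s, inst))
    print("peer proposed selectors:", sorted(s["proposed"]))
    for note in findings(s):
        print("-", note)
```

Run it against a full pluto log (for example `grep pluto /var/log/auth.log | python3 triage.py` after swapping SAMPLE_LOG for stdin). On the sample it reports that home/0x0 has its child SA replaced every 70 seconds, that home/0x1 hits the retransmission limit repeatedly without ever establishing and collides with home/0x0's eroute each time, and that the only selector pair the peer proposed is 10.100.105.0/27 to 10.100.100.0/24. Those per-instance counts separate "the tunnel works and then flaps" from "one instance of the conn never comes up", which is the distinction worth making before touching either side's configuration.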