[Openswan Users] Tunnel up for PING but not for others...

Adriano Colaianni a.colaianni at ari-srl.it
Fri Jun 12 07:02:01 EDT 2015


Hi,
     I have a site-to-site VPN: firesede-molo

on site firesede:
[root at firesede ~]# uname -a
Linux firesede 2.6.30.10-105.2.23.fc11.i586 #1 SMP Thu Feb 11 06:51:26 
UTC 2010 i686 athlon i386 GNU/Linux
[root at firesede ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.25/K2.6.30.10-105.2.23.fc11.i586 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]

   Please disable /proc/sys/net/ipv4/conf/*/send_redirects
   or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]

   Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
   or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

on site molo:
[root at firemolo ~]# uname -a
Linux firemolo 2.6.30.10-105.2.23.fc11.i586 #1 SMP Thu Feb 11 06:51:26 
UTC 2010 i686 athlon i386 GNU/Linux
[root at firemolo ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.25/K2.6.30.10-105.2.23.fc11.i586 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]

   Please disable /proc/sys/net/ipv4/conf/*/send_redirects
   or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]

   Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
   or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
[root at firemolo ~]#

The ipsec config is the same on both sites:

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0     # conforms to second version of ipsec.conf specification
# basic configuration
config setup
         # Debug-logging controls:  "none" for (almost) none, "all" for lots.
         # klipsdebug=none
         # plutodebug="control parsing"
         # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
         protostack=netkey
         nat_traversal=yes
         virtual_private=
         oe=off
         # Enable this if you see "failed to find any available worker"
         nhelpers=0


conn firesede-molo
         left=93.62.245.4
         leftsubnet=192.168.40.0/24
         leftnexthop=93.62.245.1
         right=2.228.148.146
         rightsubnet=192.168.114.0/24
         rightnexthop=2.228.148.145
         auto=start
         authby=rsasig
leftrsasigkey=0sAQP3cMK7KH2ltMCeEHexRfHTgQJfY0RI9IVEFDBqQB3wCmH85VVmFOpf
4x2uFVaFmizu7iiV5zP49lXGjpdiP+k5bKZXvvDMc/fJ4YQO+UYsA0nYBe/eEBsCi3c+6YV+SKiq0d28
7++n4OE/AS869SdFJ7gyc9J1c41cb8skBO9vVKByyR5YhsKaZNMFXiPNM8Vh8fKNzIwlb02KUce/dMd0
dsdssGvk+GjHUM48EiIAvV3s8GSpBExbjIaHBibvrwd7OVWK0j3mqh/dWZK7GxkUoppUcp69QmDGAXdY
XQjsVY76Mmhu6+7n9Dvmx+6qozNlwdasrSNdGJqOB5ojoeZLdTCCncFCZ8OfzhNpZIaAnkpJ
rightrsasigkey=0sAQOsC0iyReGlWCeygUv6wRcQLY7aN/RE1ifCSzo+eKZ2U617kO1JKIU
HX4+C0oD1xvP2GOG82TfTodfo+slcaClw26qHAI4gYWKNLlrK0jyNhfHHVjEk6Q3pbs99XqKe04hnyUl
due8SA0IC3OBkCIlj+2UJQ1y6hrlRQQlfVCExtbNYZB6uqvakXM3OoTuLOxIe8V0jX74GC2a5czQ/2JA
WrJLM+qeVH6coRsdds+aKaVuNMKJimtmkuFlEe5I+H6eFgNqkj64DF4YIAGjTK1YYzCzQPKs0PKDakMK
JOnfYLWgqKHyUPa4geDhqfFPSc9SNTbNJoCvT77EayU3m9Lp2wWoFoDGvK58HSze24efEGBsd



The tunnel was established correctly and works fine for a few hours.
Randomly it stops working properly and only ping works.
SSH, Telnet and UUCP don't work until I restart the ipsec service on the "firesede"
side.

Here is the secure log:

[root at firesede ~]# tail -f /var/log/secure|grep firesede-molo
Jun 12 10:34:14 firesede pluto[23397]: "firesede-molo" #1444: 
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode 
{ESP=>0x39db4970 <0x48745838 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none 
DPD=none}
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
Delete SA payload: replace IPSEC State #1444 in 10 seconds
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
and ignored informational message
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
Delete SA(0x704d6c10) payload: deleting IPSEC State #1443
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
and ignored informational message
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
Delete SA(0x175d348d) payload: deleting IPSEC State #1442
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
and ignored informational message
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
Delete SA(0x483301fb) payload: deleting IPSEC State #1441
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
and ignored informational message
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
Delete SA(0x2bd3c6b0) payload: deleting IPSEC State #1440
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
and ignored informational message
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
Delete SA(0xfb69a91e) payload: deleting IPSEC State #1439
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
and ignored informational message
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
Delete SA(0x6081d0dd) payload: deleting IPSEC State #1432
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
and ignored informational message
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
Delete SA(0x6d182672) payload: deleting IPSEC State #1417
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
and ignored informational message
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
Delete SA(0xeae9d408) payload: deleting IPSEC State #1416
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
and ignored informational message
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
Delete SA(0x255c61ff) payload: deleting IPSEC State #1415
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
and ignored informational message
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
Delete SA(0xd3ade40e) payload: deleting IPSEC State #1414
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
and ignored informational message
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
Delete SA(0x6ddfa5ab) payload: deleting IPSEC State #1413
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
and ignored informational message
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
Delete SA(0x6565c51b) payload: deleting IPSEC State #1411
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
and ignored informational message
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
Delete SA(0xa84eab99) payload: deleting IPSEC State #1410
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
and ignored informational message
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received 
Delete SA payload: deleting ISAKMP State #1409
Jun 12 10:35:38 firesede pluto[23397]: "firesede-molo" #1453: responding 
to Main Mode
Jun 12 10:35:38 firesede pluto[23397]: "firesede-molo" #1453: transition 
from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 12 10:35:38 firesede pluto[23397]: "firesede-molo" #1453: 
STATE_MAIN_R1: sent MR1, expecting MI2
Jun 12 10:35:38 firesede pluto[23397]: "firesede-molo" #1453: 
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jun 12 10:35:38 firesede pluto[23397]: "firesede-molo" #1453: transition 
from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 12 10:35:38 firesede pluto[23397]: "firesede-molo" #1453: 
STATE_MAIN_R2: sent MR2, expecting MI3
Jun 12 10:35:38 firesede pluto[23397]: "firesede-molo" #1453: Main mode 
peer ID is ID_IPV4_ADDR: '2.228.148.146'
Jun 12 10:35:38 firesede pluto[23397]: "firesede-molo" #1453: transition 
from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 12 10:35:38 firesede pluto[23397]: "firesede-molo" #1453: 
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG 
cipher=aes_128 prf=oakley_sha group=modp2048}
Jun 12 10:35:39 firesede pluto[23397]: "firesede-molo" #1453: the peer 
proposed: 192.168.40.0/24:0/0 -> 192.168.114.0/24:0/0
Jun 12 10:35:39 firesede pluto[23397]: "firesede-molo" #1454: responding 
to Quick Mode proposal {msgid:7b090de3}
Jun 12 10:35:39 firesede pluto[23397]: "firesede-molo" #1454: us: 
192.168.40.0/24===93.62.245.4<93.62.245.4>[+S=C]---93.62.245.1
Jun 12 10:35:39 firesede pluto[23397]: "firesede-molo" #1454: them: 
2.228.148.145---2.228.148.146<2.228.148.146>[+S=C]===192.168.114.0/24
Jun 12 10:35:39 firesede pluto[23397]: "firesede-molo" #1454: keeping 
refhim=4294901761 during rekey
Jun 12 10:35:39 firesede pluto[23397]: "firesede-molo" #1454: transition 
from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jun 12 10:35:39 firesede pluto[23397]: "firesede-molo" #1454: 
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jun 12 10:35:39 firesede pluto[23397]: "firesede-molo" #1454: transition 
from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 12 10:35:39 firesede pluto[23397]: "firesede-molo" #1454: 
STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x9780252f 
<0x0ca72632 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jun 12 10:36:19 firesede pluto[23397]: "firesede-molo" #1460: initiating 
Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1453 
msgid:fc38e88b proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jun 12 10:36:20 firesede pluto[23397]: "firesede-molo" #1460: transition 
from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 12 10:36:20 firesede pluto[23397]: "firesede-molo" #1460: 
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode 
{ESP=>0x2cabecb2 <0xe93d42ae xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none 
DPD=none}
Jun 12 10:37:07 firesede pluto[23397]: "firesede-molo" #1466: initiating 
Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1453 
msgid:5bb7dcbe proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jun 12 10:37:07 firesede pluto[23397]: "firesede-molo" #1466: transition 
from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 12 10:37:07 firesede pluto[23397]: "firesede-molo" #1466: 
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode 
{ESP=>0x8341243e <0x7e93c775 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none 
DPD=none}
Jun 12 10:37:13 firesede pluto[23397]: "firesede-molo" #1470: initiating 
Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1453 
msgid:379170d7 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jun 12 10:37:13 firesede pluto[23397]: "firesede-molo" #1471: initiating 
Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1453 
msgid:f7a87bbd proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jun 12 10:37:13 firesede pluto[23397]: "firesede-molo" #1472: initiating 
Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1453 
msgid:0f47b37e proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jun 12 10:37:13 firesede pluto[23397]: "firesede-molo" #1473: initiating 
Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1453 
msgid:228cd4be proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jun 12 10:37:13 firesede pluto[23397]: "firesede-molo" #1474: initiating 
Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1453 
msgid:fa900eb4 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jun 12 10:37:14 firesede pluto[23397]: "firesede-molo" #1470: transition 
from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 12 10:37:14 firesede pluto[23397]: "firesede-molo" #1470: 
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode 
{ESP=>0xeb8cad3a <0xfad665c8 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none 
DPD=none}
Jun 12 10:37:14 firesede pluto[23397]: "firesede-molo" #1471: transition 
from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 12 10:37:14 firesede pluto[23397]: "firesede-molo" #1471: 
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode 
{ESP=>0xdfe6e27c <0x3a4de664 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none 
DPD=none}
Jun 12 10:37:14 firesede pluto[23397]: "firesede-molo" #1472: transition 
from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 12 10:37:14 firesede pluto[23397]: "firesede-molo" #1472: 
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode 
{ESP=>0x933e0c8e <0xe779332a xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none 
DPD=none}
Jun 12 10:37:14 firesede pluto[23397]: "firesede-molo" #1473: transition 
from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 12 10:37:14 firesede pluto[23397]: "firesede-molo" #1473: 
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode 
{ESP=>0x0b4598b6 <0x01562469 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none 
DPD=none}
Jun 12 10:37:14 firesede pluto[23397]: "firesede-molo" #1474: transition 
from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 12 10:37:14 firesede pluto[23397]: "firesede-molo" #1474: 
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode 
{ESP=>0xd80eaea8 <0x81b9b6f3 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none 
DPD=none}


It seems that the state won't go to the correct value.

I suspect that the cause is the unstable connection....


Thanks
     Regards
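As an added example (not from the post and not Openswan's own tooling), a small Python helper that replays pluto lines of the shape quoted above: it keeps the set of IPsec SAs reported as established and not yet torn down by a Delete SA payload, and flags seconds in which more than one Quick Mode was started under the same ISAKMP SA, as #1470 to #1474 were at 10:37:13. The sample lines are constructed from the post's log format and connection name; the regexes assume the message layout shown there.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the post's events, re-typed in the pluto line format it shows.
SAMPLE_LOG = """\
Jun 12 10:34:14 firesede pluto[23397]: "firesede-molo" #1444: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x39db4970 <0x48745838 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received Delete SA(0x704d6c10) payload: deleting IPSEC State #1443
Jun 12 10:35:39 firesede pluto[23397]: "firesede-molo" #1454: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x9780252f <0x0ca72632 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jun 12 10:37:13 firesede pluto[23397]: "firesede-molo" #1470: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1453 msgid:379170d7 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jun 12 10:37:13 firesede pluto[23397]: "firesede-molo" #1471: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1453 msgid:f7a87bbd proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jun 12 10:37:13 firesede pluto[23397]: "firesede-molo" #1472: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1453 msgid:0f47b37e proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jun 12 10:37:14 firesede pluto[23397]: "firesede-molo" #1470: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xeb8cad3a <0xfad665c8 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jun 12 10:37:14 firesede pluto[23397]: "firesede-molo" #1471: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xdfe6e27c <0x3a4de664 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jun 12 10:37:14 firesede pluto[23397]: "firesede-molo" #1472: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x933e0c8e <0xe779332a xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
"""

PLUTO_RE = re.compile(r'^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
                      r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
ESTAB_RE = re.compile(r'IPsec SA established tunnel mode \{ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)')
DELETE_RE = re.compile(r'deleting IPSEC State #(\d+)')
INIT_RE = re.compile(r'initiating Quick Mode .*\{using isakmp#(\d+)')

def track_sas(log_text):
    """Replay pluto lines; return {conn: {state#: (ts, spi_out, spi_in)}} of IPsec SAs
    still established, and {(conn, ts): [state#...]} for seconds with >1 Quick Mode start."""
    live = defaultdict(dict)
    starts = defaultdict(list)
    for line in log_text.splitlines():
        m = PLUTO_RE.match(line)
        if not m:
            continue
        ts, conn, state, msg = m.group('ts', 'conn', 'state', 'msg')
        est, dele, init = ESTAB_RE.search(msg), DELETE_RE.search(msg), INIT_RE.search(msg)
        if est:                       # QI2/QR2: a child SA is now installed
            live[conn][int(state)] = (ts, est.group(1), est.group(2))
        elif dele:                    # peer's Delete SA payload tears one down
            live[conn].pop(int(dele.group(1)), None)
        elif init:                    # a new Quick Mode under an existing ISAKMP SA
            starts[(conn, ts)].append(int(state))
    bursts = {k: v for k, v in starts.items() if len(v) > 1}
    return dict(live), bursts

if __name__ == '__main__':
    live, bursts = track_sas(SAMPLE_LOG)
    for conn, sas in live.items():
        print(f'{conn}: {len(sas)} IPsec SA(s) still established: {sorted(sas)}')
    for (conn, ts), states in bursts.items():
        print(f'{conn}: {len(states)} Quick Mode exchanges started at {ts}: {states}')
```

Run against the full /var/log/secure excerpt, the same logic shows that none of the SAs established after 10:35:39 are ever deleted, which is the pile-up of parallel child SAs the post describes.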



