[Openswan Users] Tunnel up for PING but not for others...
Adriano Colaianni
a.colaianni at ari-srl.it
Fri Jun 12 07:02:01 EDT 2015
Hi,
I have a site-to-site VPN: firesede-molo
on site firesede:
[root at firesede ~]# uname -a
Linux firesede 2.6.30.10-105.2.23.fc11.i586 #1 SMP Thu Feb 11 06:51:26
UTC 2010 i686 athlon i386 GNU/Linux
[root at firesede ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.25/K2.6.30.10-105.2.23.fc11.i586 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
on site molo:
[root at firemolo ~]# uname -a
Linux firemolo 2.6.30.10-105.2.23.fc11.i586 #1 SMP Thu Feb 11 06:51:26
UTC 2010 i686 athlon i386 GNU/Linux
[root at firemolo ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.25/K2.6.30.10-105.2.23.fc11.i586 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [N/A]
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
[root at firemolo ~]#
The ipsec config is the same:
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
# plutodebug="control parsing"
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
protostack=netkey
nat_traversal=yes
virtual_private=
oe=off
# Enable this if you see "failed to find any available worker"
nhelpers=0
conn firesede-molo
left=93.62.245.4
leftsubnet=192.168.40.0/24
leftnexthop=93.62.245.1
right=2.228.148.146
rightsubnet=192.168.114.0/24
rightnexthop=2.228.148.145
auto=start
authby=rsasig
leftrsasigkey=0sAQP3cMK7KH2ltMCeEHexRfHTgQJfY0RI9IVEFDBqQB3wCmH85VVmFOpf
4x2uFVaFmizu7iiV5zP49lXGjpdiP+k5bKZXvvDMc/fJ4YQO+UYsA0nYBe/eEBsCi3c+6YV+SKiq0d28
7++n4OE/AS869SdFJ7gyc9J1c41cb8skBO9vVKByyR5YhsKaZNMFXiPNM8Vh8fKNzIwlb02KUce/dMd0
dsdssGvk+GjHUM48EiIAvV3s8GSpBExbjIaHBibvrwd7OVWK0j3mqh/dWZK7GxkUoppUcp69QmDGAXdY
XQjsVY76Mmhu6+7n9Dvmx+6qozNlwdasrSNdGJqOB5ojoeZLdTCCncFCZ8OfzhNpZIaAnkpJ
rightrsasigkey=0sAQOsC0iyReGlWCeygUv6wRcQLY7aN/RE1ifCSzo+eKZ2U617kO1JKIU
HX4+C0oD1xvP2GOG82TfTodfo+slcaClw26qHAI4gYWKNLlrK0jyNhfHHVjEk6Q3pbs99XqKe04hnyUl
due8SA0IC3OBkCIlj+2UJQ1y6hrlRQQlfVCExtbNYZB6uqvakXM3OoTuLOxIe8V0jX74GC2a5czQ/2JA
WrJLM+qeVH6coRsdds+aKaVuNMKJimtmkuFlEe5I+H6eFgNqkj64DF4YIAGjTK1YYzCzQPKs0PKDakMK
JOnfYLWgqKHyUPa4geDhqfFPSc9SNTbNJoCvT77EayU3m9Lp2wWoFoDGvK58HSze24efEGBsd
The tunnel is established correctly and works fine for a few hours.
Randomly it stops working properly and only ping works.
SSH, Telnet and UUCP don't work until I restart the ipsec service on the "firesede" side.
Here is the secure log:
[root at firesede ~]# tail -f /var/log/secure|grep firesede-molo
Jun 12 10:34:14 firesede pluto[23397]: "firesede-molo" #1444:
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
{ESP=>0x39db4970 <0x48745838 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none
DPD=none}
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
Delete SA payload: replace IPSEC State #1444 in 10 seconds
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
and ignored informational message
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
Delete SA(0x704d6c10) payload: deleting IPSEC State #1443
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
and ignored informational message
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
Delete SA(0x175d348d) payload: deleting IPSEC State #1442
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
and ignored informational message
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
Delete SA(0x483301fb) payload: deleting IPSEC State #1441
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
and ignored informational message
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
Delete SA(0x2bd3c6b0) payload: deleting IPSEC State #1440
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
and ignored informational message
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
Delete SA(0xfb69a91e) payload: deleting IPSEC State #1439
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
and ignored informational message
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
Delete SA(0x6081d0dd) payload: deleting IPSEC State #1432
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
and ignored informational message
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
Delete SA(0x6d182672) payload: deleting IPSEC State #1417
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
and ignored informational message
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
Delete SA(0xeae9d408) payload: deleting IPSEC State #1416
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
and ignored informational message
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
Delete SA(0x255c61ff) payload: deleting IPSEC State #1415
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
and ignored informational message
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
Delete SA(0xd3ade40e) payload: deleting IPSEC State #1414
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
and ignored informational message
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
Delete SA(0x6ddfa5ab) payload: deleting IPSEC State #1413
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
and ignored informational message
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
Delete SA(0x6565c51b) payload: deleting IPSEC State #1411
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
and ignored informational message
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
Delete SA(0xa84eab99) payload: deleting IPSEC State #1410
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
and ignored informational message
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received
Delete SA payload: deleting ISAKMP State #1409
Jun 12 10:35:38 firesede pluto[23397]: "firesede-molo" #1453: responding
to Main Mode
Jun 12 10:35:38 firesede pluto[23397]: "firesede-molo" #1453: transition
from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jun 12 10:35:38 firesede pluto[23397]: "firesede-molo" #1453:
STATE_MAIN_R1: sent MR1, expecting MI2
Jun 12 10:35:38 firesede pluto[23397]: "firesede-molo" #1453:
NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Jun 12 10:35:38 firesede pluto[23397]: "firesede-molo" #1453: transition
from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jun 12 10:35:38 firesede pluto[23397]: "firesede-molo" #1453:
STATE_MAIN_R2: sent MR2, expecting MI3
Jun 12 10:35:38 firesede pluto[23397]: "firesede-molo" #1453: Main mode
peer ID is ID_IPV4_ADDR: '2.228.148.146'
Jun 12 10:35:38 firesede pluto[23397]: "firesede-molo" #1453: transition
from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jun 12 10:35:38 firesede pluto[23397]: "firesede-molo" #1453:
STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG
cipher=aes_128 prf=oakley_sha group=modp2048}
Jun 12 10:35:39 firesede pluto[23397]: "firesede-molo" #1453: the peer
proposed: 192.168.40.0/24:0/0 -> 192.168.114.0/24:0/0
Jun 12 10:35:39 firesede pluto[23397]: "firesede-molo" #1454: responding
to Quick Mode proposal {msgid:7b090de3}
Jun 12 10:35:39 firesede pluto[23397]: "firesede-molo" #1454: us:
192.168.40.0/24===93.62.245.4<93.62.245.4>[+S=C]---93.62.245.1
Jun 12 10:35:39 firesede pluto[23397]: "firesede-molo" #1454: them:
2.228.148.145---2.228.148.146<2.228.148.146>[+S=C]===192.168.114.0/24
Jun 12 10:35:39 firesede pluto[23397]: "firesede-molo" #1454: keeping
refhim=4294901761 during rekey
Jun 12 10:35:39 firesede pluto[23397]: "firesede-molo" #1454: transition
from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jun 12 10:35:39 firesede pluto[23397]: "firesede-molo" #1454:
STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jun 12 10:35:39 firesede pluto[23397]: "firesede-molo" #1454: transition
from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 12 10:35:39 firesede pluto[23397]: "firesede-molo" #1454:
STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x9780252f
<0x0ca72632 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jun 12 10:36:19 firesede pluto[23397]: "firesede-molo" #1460: initiating
Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1453
msgid:fc38e88b proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jun 12 10:36:20 firesede pluto[23397]: "firesede-molo" #1460: transition
from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 12 10:36:20 firesede pluto[23397]: "firesede-molo" #1460:
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
{ESP=>0x2cabecb2 <0xe93d42ae xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none
DPD=none}
Jun 12 10:37:07 firesede pluto[23397]: "firesede-molo" #1466: initiating
Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1453
msgid:5bb7dcbe proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jun 12 10:37:07 firesede pluto[23397]: "firesede-molo" #1466: transition
from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 12 10:37:07 firesede pluto[23397]: "firesede-molo" #1466:
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
{ESP=>0x8341243e <0x7e93c775 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none
DPD=none}
Jun 12 10:37:13 firesede pluto[23397]: "firesede-molo" #1470: initiating
Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1453
msgid:379170d7 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jun 12 10:37:13 firesede pluto[23397]: "firesede-molo" #1471: initiating
Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1453
msgid:f7a87bbd proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jun 12 10:37:13 firesede pluto[23397]: "firesede-molo" #1472: initiating
Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1453
msgid:0f47b37e proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jun 12 10:37:13 firesede pluto[23397]: "firesede-molo" #1473: initiating
Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1453
msgid:228cd4be proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jun 12 10:37:13 firesede pluto[23397]: "firesede-molo" #1474: initiating
Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW {using isakmp#1453
msgid:fa900eb4 proposal=defaults pfsgroup=OAKLEY_GROUP_MODP2048}
Jun 12 10:37:14 firesede pluto[23397]: "firesede-molo" #1470: transition
from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 12 10:37:14 firesede pluto[23397]: "firesede-molo" #1470:
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
{ESP=>0xeb8cad3a <0xfad665c8 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none
DPD=none}
Jun 12 10:37:14 firesede pluto[23397]: "firesede-molo" #1471: transition
from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 12 10:37:14 firesede pluto[23397]: "firesede-molo" #1471:
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
{ESP=>0xdfe6e27c <0x3a4de664 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none
DPD=none}
Jun 12 10:37:14 firesede pluto[23397]: "firesede-molo" #1472: transition
from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 12 10:37:14 firesede pluto[23397]: "firesede-molo" #1472:
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
{ESP=>0x933e0c8e <0xe779332a xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none
DPD=none}
Jun 12 10:37:14 firesede pluto[23397]: "firesede-molo" #1473: transition
from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 12 10:37:14 firesede pluto[23397]: "firesede-molo" #1473:
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
{ESP=>0x0b4598b6 <0x01562469 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none
DPD=none}
Jun 12 10:37:14 firesede pluto[23397]: "firesede-molo" #1474: transition
from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 12 10:37:14 firesede pluto[23397]: "firesede-molo" #1474:
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
{ESP=>0xd80eaea8 <0x81b9b6f3 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none
DPD=none}
It seems that the state won't go to the correct value.
I suspect that the cause is the unstable connection...
Thanks
Regards
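One way to check a pluto log like the one above for the pattern the post describes, written here as an added example (not the poster's or Openswan's own code): it parses the quoted lines, replays the IPsec SA establish/delete events to see which child SAs remain installed, and flags windows in which several IPsec SAs are established at once. The sample lines are copied from the post with the mailer's line wrapping undone; the year is assumed to be 2015 since syslog timestamps carry none.

```python
import re
from datetime import datetime

# Pluto log lines quoted from the post above (line wrapping undone); the state
# numbers in the Delete lines belong to SAs set up before the excerpt starts.
SAMPLE_LOG = """\
Jun 12 10:34:14 firesede pluto[23397]: "firesede-molo" #1444: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x39db4970 <0x48745838 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received Delete SA(0x704d6c10) payload: deleting IPSEC State #1443
Jun 12 10:35:30 firesede pluto[23397]: "firesede-molo" #1409: received Delete SA payload: deleting ISAKMP State #1409
Jun 12 10:35:39 firesede pluto[23397]: "firesede-molo" #1454: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x9780252f <0x0ca72632 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jun 12 10:36:20 firesede pluto[23397]: "firesede-molo" #1460: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x2cabecb2 <0xe93d42ae xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jun 12 10:37:14 firesede pluto[23397]: "firesede-molo" #1470: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xeb8cad3a <0xfad665c8 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jun 12 10:37:14 firesede pluto[23397]: "firesede-molo" #1471: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xdfe6e27c <0x3a4de664 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Jun 12 10:37:14 firesede pluto[23397]: "firesede-molo" #1472: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x933e0c8e <0xe779332a xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
"""

LINE_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: "([^"]+)" #(\d+): (.*)$')
DELETE_RE = re.compile(r"deleting IPSEC State #(\d+)")

def parse_events(text, year=2015):
    """Return (timestamp, conn, kind, state) for IPsec SA establish and delete lines."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")  # year assumed
        conn, state, msg = m.group(2), int(m.group(3)), m.group(4)
        if "IPsec SA established" in msg:
            events.append((ts, conn, "established", state))
        elif (d := DELETE_RE.search(msg)):  # ISAKMP (parent) deletes are not child SAs
            events.append((ts, conn, "deleted", int(d.group(1))))
    return events

def live_child_sas(events):
    """Replay the events; returns the IPsec (child) SA states still installed at the end."""
    live = set()
    for _, _, kind, state in events:
        (live.add if kind == "established" else live.discard)(state)
    return live

def establish_bursts(events, window=60, threshold=3):
    """Windows of `window` seconds holding >= threshold 'established' events. A healthy
    site-to-site conn rekeys one child SA at a time; several per minute is a rekey storm."""
    times = sorted(ts for ts, _, kind, _ in events if kind == "established")
    bursts, start = [], 0
    for end, ts in enumerate(times):
        while (ts - times[start]).total_seconds() > window:
            start += 1
        if end - start + 1 >= threshold:
            bursts.append((times[start], ts, end - start + 1))
    return bursts
```

Run it against the full /var/log/secure excerpt and the last burst reports the five SAs set up at 10:37:14; a growing live set with no matching deletes is the other sign that stale child SAs are piling up under one ISAKMP SA.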