[Swan] Problem in reestablishment of an ipsec connection

Oguz Yilmaz oguzyilmazlist at gmail.com
Tue Jan 1 08:58:10 EET 2013


I have changed to singular definition and nothing changed.

# ipsec setup restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: ERROR: Module xfrm6_mode_tunnel is in use
ipsec_setup: ERROR: Module xfrm4_mode_tunnel is in use
ipsec_setup: ERROR: Module esp4 is in use
ipsec_setup: Starting Openswan IPsec U2.6.33/K3.5.3...
ipsec_setup: multiple ip addresses, using  LEFTEXTIP on eth9
ipsec_setup: /usr/libexec/ipsec/addconn Not able to open
/proc/sys/crypto/fips_enabled, returning non-fips mode


Note: esp4 module is in use even when I stop ipsec. rmmod does not work either.

Actually, I tracked it through tcpdump. The remote site never sends a reply to
the isakmp exchange. Instead it continues to send ESP packets related to a
previously opened ping command through the previously established SPI.

08:51:10.519152 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
08:51:10.519158 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
08:51:13.531732 IP RIGHTEXTIP > LEFTEXTIP:
ESP(spi=0x23d4417b,seq=0x10cf2), length 116
08:51:13.531732 IP RIGHTEXTIP > LEFTEXTIP:
ESP(spi=0x23d4417b,seq=0x10cf2), length 116
08:51:14.531251 IP RIGHTEXTIP > LEFTEXTIP:
ESP(spi=0x23d4417b,seq=0x10cf3), length 116
08:51:14.531251 IP RIGHTEXTIP > LEFTEXTIP:
ESP(spi=0x23d4417b,seq=0x10cf3), length 116
08:51:15.531327 IP RIGHTEXTIP > LEFTEXTIP:
ESP(spi=0x23d4417b,seq=0x10cf4), length 116
08:51:15.531327 IP RIGHTEXTIP > LEFTEXTIP:
ESP(spi=0x23d4417b,seq=0x10cf4), length 116
08:51:16.531339 IP RIGHTEXTIP > LEFTEXTIP:
ESP(spi=0x23d4417b,seq=0x10cf5), length 116
08:51:16.531339 IP RIGHTEXTIP > LEFTEXTIP:
ESP(spi=0x23d4417b,seq=0x10cf5), length 116
08:51:17.531125 IP RIGHTEXTIP > LEFTEXTIP:
ESP(spi=0x23d4417b,seq=0x10cf6), length 116
08:51:17.531125 IP RIGHTEXTIP > LEFTEXTIP:
ESP(spi=0x23d4417b,seq=0x10cf6), length 116
08:51:20.955840 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
08:51:20.955844 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
08:51:40.998708 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
08:51:40.998713 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident

Jan  1 08:47:58 2013 pluto[5960]: pending Quick Mode with RIGHTEXTIP
"myvpn" took too long -- replacing phase 1



--
Oguz YILMAZ


On Tue, Jan 1, 2013 at 4:02 AM, Paul Wouters <paul at nohats.ca> wrote:
> On Tue, 1 Jan 2013, Oguz Yilmaz wrote:
>
>> Dec 31 15:10:13 2012 pluto[21253]: "myvpn/0x1" #24: STATE_QUICK_R2:
>> IPsec SA established tunnel mode {ESP=>0x4888824c <0x23d4417b
>> xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}
>
>
>>        rightsubnets={10.0.0.0/8}
>
>
> This syntax triggers the alias code, which might not be expecting only
> one entry. Can you change this to:
>
>         rightsubnet=10.0.0.0/8
>
> Note the singular subnet, not the plural subnetS
>
> Then do a full restart, eg ipsec setup restart. If that fails, you
> might need to share a little bit more log information.
>
> Paul

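An added detection sketch (not from the thread or from Openswan) that parses tcpdump lines like the ones above and flags the pattern Oguz describes: our phase 1 proposals go unanswered while the peer keeps sending ESP on the previously established inbound SPI. The sample lines are constructed from the capture above with the wrapped ESP lines re-joined; the SPI 0x23d4417b comes from the earlier pluto log ("<0x23d4417b" is the inbound SPI in that notation).

```python
import re
from collections import Counter

# Constructed sample modelled on the tcpdump lines in the thread (ESP lines re-joined).
SAMPLE = """\
08:51:10.519152 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
08:51:13.531732 IP RIGHTEXTIP > LEFTEXTIP: ESP(spi=0x23d4417b,seq=0x10cf2), length 116
08:51:14.531251 IP RIGHTEXTIP > LEFTEXTIP: ESP(spi=0x23d4417b,seq=0x10cf3), length 116
08:51:20.955840 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
08:51:40.998708 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
"""

ISAKMP_RE = re.compile(r"^(\S+) IP (\S+)\.500 > (\S+)\.500: isakmp: phase (\d) ([IR]) (\w+)")
ESP_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): ESP\(spi=(0x[0-9a-f]+),seq=(0x[0-9a-f]+)\)")

def parse(text):
    """Yield (kind, ts, src, dst, detail) for each ISAKMP or ESP tcpdump line."""
    for line in text.splitlines():
        m = ISAKMP_RE.match(line)
        if m:
            ts, src, dst, phase, role, exch = m.groups()
            yield ("isakmp", ts, src, dst, (int(phase), role, exch))
            continue
        m = ESP_RE.match(line)
        if m:
            ts, src, dst, spi, seq = m.groups()
            yield ("esp", ts, src, dst, (spi, int(seq, 16)))

def diagnose(text, local, peer, established_inbound_spi):
    """Flag a peer that keeps using a stale SA while our phase 1 goes unanswered."""
    p1_sent = p1_answered = 0
    esp_by_spi = Counter()          # ESP packets from peer to us, keyed by SPI
    for kind, _ts, src, dst, d in parse(text):
        if kind == "isakmp" and d[0] == 1:
            if src == local and d[1] == "I":
                p1_sent += 1        # our initiator proposals
            elif src == peer and d[1] == "R":
                p1_answered += 1    # peer's responder replies
        elif kind == "esp" and src == peer and dst == local:
            esp_by_spi[d[0]] += 1
    on_old_spi = esp_by_spi.get(established_inbound_spi, 0)
    return {
        "phase1_sent": p1_sent,
        "phase1_answered": p1_answered,
        "esp_on_old_spi": on_old_spi,
        # Peer still trusts the old SA while ignoring our rekey: stale-SA mismatch.
        "stale_sa_suspected": p1_sent > 0 and p1_answered == 0 and on_old_spi > 0,
    }
```

Run `diagnose(SAMPLE, "LEFTEXTIP", "RIGHTEXTIP", "0x23d4417b")` against a real capture after replacing the placeholders with the actual addresses; a `stale_sa_suspected` result says the peer needs a restart or DPD to notice the local side lost its state.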
