[Swan] Problem in reestablishment of an ipsec connection

Philippe Vouters philippe.vouters at laposte.net
Tue Jan 1 14:07:09 EET 2013


Dear Oguz,

Happy New Year. What happens if you:
1/ /etc/init.d/network restart
2/ ipsec setup restart
????

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org

On 01/01/2013 07:58, Oguz Yilmaz wrote:
> I have changed to singular definition and nothing changed.
>
> # ipsec setup restart
> ipsec_setup: Stopping Openswan IPsec...
> ipsec_setup: ERROR: Module xfrm6_mode_tunnel is in use
> ipsec_setup: ERROR: Module xfrm4_mode_tunnel is in use
> ipsec_setup: ERROR: Module esp4 is in use
> ipsec_setup: Starting Openswan IPsec U2.6.33/K3.5.3...
> ipsec_setup: multiple ip addresses, using  LEFTEXTIP on eth9
> ipsec_setup: /usr/libexec/ipsec/addconn Not able to open
> /proc/sys/crypto/fips_enabled, returning non-fips mode
>
>
> Note: esp4 module is in use even when I stop ipsec. rmmod does not work either.
>
> Actually, I track through tcpdump. The remote site never sends a reply for
> the isakmp process. Instead, it continues to send ESP packets related to
> a previously opened ping command through the previously established SPI.
>
> 08:51:10.519152 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
> 08:51:10.519158 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
> 08:51:13.531732 IP RIGHTEXTIP > LEFTEXTIP:
> ESP(spi=0x23d4417b,seq=0x10cf2), length 116
> 08:51:13.531732 IP RIGHTEXTIP > LEFTEXTIP:
> ESP(spi=0x23d4417b,seq=0x10cf2), length 116
> 08:51:14.531251 IP RIGHTEXTIP > LEFTEXTIP:
> ESP(spi=0x23d4417b,seq=0x10cf3), length 116
> 08:51:14.531251 IP RIGHTEXTIP > LEFTEXTIP:
> ESP(spi=0x23d4417b,seq=0x10cf3), length 116
> 08:51:15.531327 IP RIGHTEXTIP > LEFTEXTIP:
> ESP(spi=0x23d4417b,seq=0x10cf4), length 116
> 08:51:15.531327 IP RIGHTEXTIP > LEFTEXTIP:
> ESP(spi=0x23d4417b,seq=0x10cf4), length 116
> 08:51:16.531339 IP RIGHTEXTIP > LEFTEXTIP:
> ESP(spi=0x23d4417b,seq=0x10cf5), length 116
> 08:51:16.531339 IP RIGHTEXTIP > LEFTEXTIP:
> ESP(spi=0x23d4417b,seq=0x10cf5), length 116
> 08:51:17.531125 IP RIGHTEXTIP > LEFTEXTIP:
> ESP(spi=0x23d4417b,seq=0x10cf6), length 116
> 08:51:17.531125 IP RIGHTEXTIP > LEFTEXTIP:
> ESP(spi=0x23d4417b,seq=0x10cf6), length 116
> 08:51:20.955840 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
> 08:51:20.955844 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
> 08:51:40.998708 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
> 08:51:40.998713 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
>
> Jan  1 08:47:58 2013 pluto[5960]: pending Quick Mode with RIGHTEXTIP
> "myvpn" took too long -- replacing phase 1
>
>
>
> --
> Oguz YILMAZ
>
>
> On Tue, Jan 1, 2013 at 4:02 AM, Paul Wouters <paul at nohats.ca> wrote:
>> On Tue, 1 Jan 2013, Oguz Yilmaz wrote:
>>
>>> Dec 31 15:10:13 2012 pluto[21253]: "myvpn/0x1" #24: STATE_QUICK_R2:
>>> IPsec SA established tunnel mode {ESP=>0x4888824c <0x23d4417b
>>> xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}
>>
>>>         rightsubnets={10.0.0.0/8}
>>
>> This syntax triggers the alias code, which might not be expecting only
>> one entry. Can you change this to:
>>
>>          rightsubnet=10.0.0.0/8
>>
>> Note the singular subnet, not the plural subnetS
>>
>> Then do a full restart, e.g. ipsec setup restart. If that fails, you
>> might need to share a little bit more log information.
>>
>> Paul
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
>
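
The symptom in the quoted tcpdump output (phase 1 retransmissions that get no reply while the peer keeps sending ESP on an earlier SPI) can be checked mechanically over a text capture. The Python below is an added example, not part of this thread or of Openswan; the capture lines, addresses and SPI are constructed, the function names are hypothetical, and it assumes tcpdump was run with numeric ports as in the output above.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's text format (documentation addresses,
# made-up SPI): the local end retransmits IKE phase 1, the peer never
# answers on UDP/500 but keeps sending ESP on an older SPI.
SAMPLE = """\
08:51:10.519152 IP 192.0.2.1.500 > 198.51.100.1.500: isakmp: phase 1 I ident
08:51:13.531732 IP 198.51.100.1 > 192.0.2.1: ESP(spi=0x0a0b0c0d,seq=0x10cf2), length 116
08:51:14.531251 IP 198.51.100.1 > 192.0.2.1: ESP(spi=0x0a0b0c0d,seq=0x10cf3), length 116
08:51:20.955840 IP 192.0.2.1.500 > 198.51.100.1.500: isakmp: phase 1 I ident
08:51:40.998708 IP 192.0.2.1.500 > 198.51.100.1.500: isakmp: phase 1 I ident
"""

# IKE on UDP/500 or NAT-T UDP/4500; ESP lines carry no port numbers.
IKE = re.compile(r"IP (\S+)\.(?:500|4500) > (\S+)\.(?:500|4500): .*isakmp: ")
ESP = re.compile(r"IP (\S+) > (\S+): ESP\(spi=(0x[0-9a-f]+),seq=(0x[0-9a-f]+)\)")

def analyse(capture, local):
    """Summarise IKE and inbound ESP traffic per peer, as seen from `local`."""
    peers = defaultdict(lambda: {"ike_sent": 0, "ike_recv": 0, "esp_in": {}})
    for line in capture.splitlines():
        if m := IKE.search(line):
            src, dst = m.groups()
            if src == local:
                peers[dst]["ike_sent"] += 1
            elif dst == local:
                peers[src]["ike_recv"] += 1
        elif m := ESP.search(line):
            src, dst, spi, seq = m.groups()
            if dst == local:
                # Keep the highest sequence number seen for each inbound SPI.
                seen = peers[src]["esp_in"]
                seen[spi] = max(seen.get(spi, 0), int(seq, 16))
    return dict(peers)

def stale_peers(capture, local):
    """Peers that ignore our IKE packets yet still send ESP on some SPI."""
    return {peer: sorted(s["esp_in"])
            for peer, s in analyse(capture, local).items()
            if s["ike_sent"] and not s["ike_recv"] and s["esp_in"]}

if __name__ == "__main__":
    print(stale_peers(SAMPLE, "192.0.2.1"))
```

A peer listed by `stale_peers` still holds the old IPsec SA while the restarted side no longer has the matching state, which is the situation described in the quoted report.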


