[Swan] Problem in reestablishment of an ipsec connection

Oguz Yilmaz oguzyilmazlist at gmail.com
Tue Jan 1 14:38:44 EET 2013


Nothing changes. I have even rebooted the machine yesterday.

--
Oguz YILMAZ


On Tue, Jan 1, 2013 at 2:07 PM, Philippe Vouters
<philippe.vouters at laposte.net> wrote:
> Dear Oguz,
>
> Happy New Year. What does happen if you:
> 1/ /etc/init.d/network restart
> 2/ ipsec setup restart
> ????
>
> Philippe Vouters (Fontainebleau/France)
> URL: http://vouters.dyndns.org/
> SIP: sip:Vouters at sip.linphone.org
>
> On 01/01/2013 07:58, Oguz Yilmaz wrote:
>>
>> I have changed to singular definition and nothing changed.
>>
>> # ipsec setup restart
>> ipsec_setup: Stopping Openswan IPsec...
>> ipsec_setup: ERROR: Module xfrm6_mode_tunnel is in use
>> ipsec_setup: ERROR: Module xfrm4_mode_tunnel is in use
>> ipsec_setup: ERROR: Module esp4 is in use
>> ipsec_setup: Starting Openswan IPsec U2.6.33/K3.5.3...
>> ipsec_setup: multiple ip addresses, using  LEFTEXTIP on eth9
>> ipsec_setup: /usr/libexec/ipsec/addconn Not able to open
>> /proc/sys/crypto/fips_enabled, returning non-fips mode
>>
>>
>> Note: esp4 module is in use even when I stop ipsec. rmmod does not work
>> either.
>>
>> Actually, I am tracking it through tcpdump. The remote site never sends a reply
>> for the isakmp process. Instead it continues to send esp packets related to
>> a previously opened ping command through the previously established spi.
>>
>> 08:51:10.519152 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
>> 08:51:10.519158 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
>> 08:51:13.531732 IP RIGHTEXTIP > LEFTEXTIP:
>> ESP(spi=0x23d4417b,seq=0x10cf2), length 116
>> 08:51:13.531732 IP RIGHTEXTIP > LEFTEXTIP:
>> ESP(spi=0x23d4417b,seq=0x10cf2), length 116
>> 08:51:14.531251 IP RIGHTEXTIP > LEFTEXTIP:
>> ESP(spi=0x23d4417b,seq=0x10cf3), length 116
>> 08:51:14.531251 IP RIGHTEXTIP > LEFTEXTIP:
>> ESP(spi=0x23d4417b,seq=0x10cf3), length 116
>> 08:51:15.531327 IP RIGHTEXTIP > LEFTEXTIP:
>> ESP(spi=0x23d4417b,seq=0x10cf4), length 116
>> 08:51:15.531327 IP RIGHTEXTIP > LEFTEXTIP:
>> ESP(spi=0x23d4417b,seq=0x10cf4), length 116
>> 08:51:16.531339 IP RIGHTEXTIP > LEFTEXTIP:
>> ESP(spi=0x23d4417b,seq=0x10cf5), length 116
>> 08:51:16.531339 IP RIGHTEXTIP > LEFTEXTIP:
>> ESP(spi=0x23d4417b,seq=0x10cf5), length 116
>> 08:51:17.531125 IP RIGHTEXTIP > LEFTEXTIP:
>> ESP(spi=0x23d4417b,seq=0x10cf6), length 116
>> 08:51:17.531125 IP RIGHTEXTIP > LEFTEXTIP:
>> ESP(spi=0x23d4417b,seq=0x10cf6), length 116
>> 08:51:20.955840 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
>> 08:51:20.955844 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
>> 08:51:40.998708 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
>> 08:51:40.998713 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
>>
>> Jan  1 08:47:58 2013 pluto[5960]: pending Quick Mode with RIGHTEXTIP
>> "myvpn" took too long -- replacing phase 1
>>
>>
>>
>> --
>> Oguz YILMAZ
>>
>>
>> On Tue, Jan 1, 2013 at 4:02 AM, Paul Wouters <paul at nohats.ca> wrote:
>>>
>>> On Tue, 1 Jan 2013, Oguz Yilmaz wrote:
>>>
>>>> Dec 31 15:10:13 2012 pluto[21253]: "myvpn/0x1" #24: STATE_QUICK_R2:
>>>> IPsec SA established tunnel mode {ESP=>0x4888824c <0x23d4417b
>>>> xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}
>>>
>>>
>>>>         rightsubnets={10.0.0.0/8}
>>>
>>>
>>> This syntax triggers the alias code, which might not be expecting only
>>> one entry. Can you change this to:
>>>
>>>          rightsubnet=10.0.0.0/8
>>>
>>> Note the singular subnet, not the plural subnetS
>>>
>>> Then do a full restart, eg ipsec setup restart. If that fails, you
>>> might need to share a little bit more log information.
>>>
>>> Paul
>>
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan
>>
>
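The symptom Oguz describes above (our phase 1 retransmits go unanswered while the peer keeps sending ESP on the old SPI) can be confirmed mechanically from a tcpdump summary. The script below is an added example for this thread, not code from Openswan or libreswan: it parses tcpdump's default ISAKMP/ESP one-line output, re-joins lines that were wrapped in the mail, collapses exact duplicate lines (assumed to be one packet seen on two interfaces), and reports whether the trace shows one-sided IKE plus a still-live inbound SA. The address names LEFTEXTIP/RIGHTEXTIP and the sample trace are constructed from the excerpt above, not real traffic.

```python
"""Triage a tcpdump trace of an IPsec peer that answers ESP but not IKE.

Added example for this thread; not part of Openswan/libreswan.  It parses
tcpdump's default ISAKMP/ESP summary lines (the format quoted in the
thread) and reports whether the local side is retransmitting IKE phase 1
with no reply while the remote side keeps sending ESP on an old SPI.
"""
import re
from collections import defaultdict

TS_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
ISAKMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?:500|4500) > (?P<dst>\S+)\.(?:500|4500): "
    r"isakmp: phase (?P<phase>[12]) (?P<role>[IR]) (?P<exch>\w+)"
)
ESP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\), length (?P<len>\d+)"
)


def join_wrapped(text):
    """Re-join summary lines that were wrapped (a continuation has no timestamp)."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line) or not lines:
            lines.append(line)
        else:
            lines[-1] += " " + line
    return lines


def analyze(text, local):
    """Return ISAKMP/ESP counts per direction plus a list of findings.

    `local` is the address tcpdump shows for this host (LEFTEXTIP in the thread).
    Exact duplicate lines (same timestamp and payload, as when one packet is seen
    on two interfaces) are collapsed so retransmissions are not double counted.
    """
    ike_sent = ike_recv = 0
    esp = defaultdict(lambda: defaultdict(list))  # direction -> spi -> [seq, ...]
    seen = set()
    for line in join_wrapped(text):
        if line in seen:
            continue
        seen.add(line)
        m = ISAKMP_RE.match(line)
        if m:
            if m["src"] == local:
                ike_sent += 1
            else:
                ike_recv += 1
            continue
        m = ESP_RE.match(line)
        if m:
            direction = "out" if m["src"] == local else "in"
            esp[direction][m["spi"]].append(int(m["seq"], 16))

    findings = []
    if ike_sent >= 2 and ike_recv == 0:
        findings.append("IKE: %d phase 1 initiator messages sent, no reply from peer" % ike_sent)
    for spi, seqs in esp["in"].items():
        # A strictly increasing sequence number means the peer is still using this SA.
        live = all(b > a for a, b in zip(seqs, seqs[1:]))
        findings.append("ESP in: SPI %s, %d packets, seq %#x..%#x, %s"
                        % (spi, len(seqs), seqs[0], seqs[-1],
                           "monotonic (peer still uses this SA)" if live else "non-monotonic"))
    if ike_sent and not ike_recv and esp["in"]:
        findings.append("verdict: peer keeps a stale child SA and ignores our IKE; "
                        "compare SPIs with `ip xfrm state` / `ipsec auto --status` on both sides")
    return {"ike_sent": ike_sent, "ike_recv": ike_recv,
            "esp_in": {k: list(v) for k, v in esp["in"].items()},
            "esp_out": {k: list(v) for k, v in esp["out"].items()},
            "findings": findings}


# Constructed sample modelled on the capture quoted in the thread (not real traffic).
SAMPLE = """\
08:51:10.519152 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
08:51:10.519152 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
08:51:13.531732 IP RIGHTEXTIP > LEFTEXTIP:
ESP(spi=0x23d4417b,seq=0x10cf2), length 116
08:51:14.531251 IP RIGHTEXTIP > LEFTEXTIP:
ESP(spi=0x23d4417b,seq=0x10cf3), length 116
08:51:15.531327 IP RIGHTEXTIP > LEFTEXTIP:
ESP(spi=0x23d4417b,seq=0x10cf4), length 116
08:51:20.955840 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
08:51:40.998708 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE, "LEFTEXTIP")["findings"]:
        print(finding)
```

Feed it a real trace with `tcpdump -nn -i eth9 host RIGHTEXTIP and \(udp port 500 or esp\) > trace.txt` and `analyze(open("trace.txt").read(), "LEFTEXTIP")`. A monotonic inbound SPI that pluto no longer lists is the signature of the peer holding a stale SA; the fix has to happen on the peer (or by waiting for its DPD/lifetime to expire), not by restarting the local daemon.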

