[Swan] Problem in reestablishment of an ipsec connection

Philippe Vouters philippe.vouters at laposte.net
Tue Jan 1 14:48:19 EET 2013


Can you share more of the ipsec log file ? tcpdump traces do not help 
the Openswan maintainers in this case to actually figure what can be 
going wrong.

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org

On 01/01/2013 13:38, Oguz Yilmaz wrote:
> Nothing changes. I have even rebooted the machine yesterday.
>
> --
> Oguz YILMAZ
>
>
> On Tue, Jan 1, 2013 at 2:07 PM, Philippe Vouters
> <philippe.vouters at laposte.net> wrote:
>> Dear Oguz,
>>
>> Happy New Year. What does happen if you:
>> 1/ /etc/init.d/network restart
>> 2/ ipsec setup restart
>> ????
>>
>> Philippe Vouters (Fontainebleau/France)
>> URL: http://vouters.dyndns.org/
>> SIP: sip:Vouters at sip.linphone.org
>>
>> On 01/01/2013 07:58, Oguz Yilmaz wrote:
>>> I have changed to singular definition and nothing changed.
>>>
>>> # ipsec setup restart
>>> ipsec_setup: Stopping Openswan IPsec...
>>> ipsec_setup: ERROR: Module xfrm6_mode_tunnel is in use
>>> ipsec_setup: ERROR: Module xfrm4_mode_tunnel is in use
>>> ipsec_setup: ERROR: Module esp4 is in use
>>> ipsec_setup: Starting Openswan IPsec U2.6.33/K3.5.3...
>>> ipsec_setup: multiple ip addresses, using  LEFTEXTIP on eth9
>>> ipsec_setup: /usr/libexec/ipsec/addconn Not able to open
>>> /proc/sys/crypto/fips_enabled, returning non-fips mode
>>>
>>>
>>> Note: esp4 module is in use even when I stop ipsec. rmmod does not work
>>> either.
>>>
>>> Actually, I track it through tcpdump. The remote site never sends a reply for
>>> the isakmp process. Instead it continues to send esp packets related to
>>> a previously opened ping command through the previously established spi.
>>>
>>> 08:51:10.519152 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
>>> 08:51:10.519158 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
>>> 08:51:13.531732 IP RIGHTEXTIP > LEFTEXTIP:
>>> ESP(spi=0x23d4417b,seq=0x10cf2), length 116
>>> 08:51:13.531732 IP RIGHTEXTIP > LEFTEXTIP:
>>> ESP(spi=0x23d4417b,seq=0x10cf2), length 116
>>> 08:51:14.531251 IP RIGHTEXTIP > LEFTEXTIP:
>>> ESP(spi=0x23d4417b,seq=0x10cf3), length 116
>>> 08:51:14.531251 IP RIGHTEXTIP > LEFTEXTIP:
>>> ESP(spi=0x23d4417b,seq=0x10cf3), length 116
>>> 08:51:15.531327 IP RIGHTEXTIP > LEFTEXTIP:
>>> ESP(spi=0x23d4417b,seq=0x10cf4), length 116
>>> 08:51:15.531327 IP RIGHTEXTIP > LEFTEXTIP:
>>> ESP(spi=0x23d4417b,seq=0x10cf4), length 116
>>> 08:51:16.531339 IP RIGHTEXTIP > LEFTEXTIP:
>>> ESP(spi=0x23d4417b,seq=0x10cf5), length 116
>>> 08:51:16.531339 IP RIGHTEXTIP > LEFTEXTIP:
>>> ESP(spi=0x23d4417b,seq=0x10cf5), length 116
>>> 08:51:17.531125 IP RIGHTEXTIP > LEFTEXTIP:
>>> ESP(spi=0x23d4417b,seq=0x10cf6), length 116
>>> 08:51:17.531125 IP RIGHTEXTIP > LEFTEXTIP:
>>> ESP(spi=0x23d4417b,seq=0x10cf6), length 116
>>> 08:51:20.955840 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
>>> 08:51:20.955844 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
>>> 08:51:40.998708 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
>>> 08:51:40.998713 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
>>>
>>> Jan  1 08:47:58 2013 pluto[5960]: pending Quick Mode with RIGHTEXTIP
>>> "myvpn" took too long -- replacing phase 1
>>>
>>>
>>>
>>> --
>>> Oguz YILMAZ
>>>
>>>
>>> On Tue, Jan 1, 2013 at 4:02 AM, Paul Wouters <paul at nohats.ca> wrote:
>>>> On Tue, 1 Jan 2013, Oguz Yilmaz wrote:
>>>>
>>>>> Dec 31 15:10:13 2012 pluto[21253]: "myvpn/0x1" #24: STATE_QUICK_R2:
>>>>> IPsec SA established tunnel mode {ESP=>0x4888824c <0x23d4417b
>>>>> xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=enabled}
>>>>
>>>>>          rightsubnets={10.0.0.0/8}
>>>>
>>>> This syntax triggers the alias code, which might not be expecting only
>>>> one entry. Can you change this to:
>>>>
>>>>           rightsubnet=10.0.0.0/8
>>>>
>>>> Note the singular subnet, not the plural subnetS
>>>>
>>>> Then do a full restart, eg ipsec setup restart. If that fails, you
>>>> might need to share a little bit more log information.
>>>>
>>>> Paul
>>> _______________________________________________
>>> Swan mailing list
>>> Swan at lists.libreswan.org
>>> https://lists.libreswan.org/mailman/listinfo/swan
>>>
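As an added example (not part of the thread and not Openswan/libreswan code), a small Python triage helper that scans tcpdump text of the shape Oguz posted for the symptom he describes: repeated outbound ISAKMP phase 1 attempts with no answer while the peer keeps sending ESP on a previously established SPI, which points at stale SA state on the remote side rather than at the local tunnel definition. The sample lines are constructed from the excerpt (wrapped lines joined, one duplicate kept to show de-duplication); LEFTEXTIP and RIGHTEXTIP are the placeholders the thread itself uses.

```python
import re
from collections import Counter

# Constructed sample modelled on the tcpdump excerpt in the thread (same timestamps
# and SPI, wrapped lines joined, one duplicate kept to show de-duplication).
SAMPLE = """\
08:51:10.519152 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
08:51:10.519152 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
08:51:13.531732 IP RIGHTEXTIP > LEFTEXTIP: ESP(spi=0x23d4417b,seq=0x10cf2), length 116
08:51:14.531251 IP RIGHTEXTIP > LEFTEXTIP: ESP(spi=0x23d4417b,seq=0x10cf3), length 116
08:51:20.955840 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
08:51:40.998708 IP LEFTEXTIP.500 > RIGHTEXTIP.500: isakmp: phase 1 I ident
"""

ISAKMP_RE = re.compile(r"^(\S+) IP (\S+?)\.500 > (\S+?)\.500: isakmp: (.+)$")
ESP_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): ESP\(spi=(0x[0-9a-f]+),seq=(0x[0-9a-f]+)\)")

def parse(text):
    """Split tcpdump output into ISAKMP and ESP records, dropping exact duplicate lines."""
    isakmp, esp, seen = [], [], set()
    for line in text.splitlines():
        if not line or line in seen:   # capturing on 'any' shows each packet twice
            continue
        seen.add(line)
        m = ISAKMP_RE.match(line)
        if m:
            isakmp.append({"ts": m[1], "src": m[2], "dst": m[3], "msg": m[4]})
            continue
        m = ESP_RE.match(line)
        if m:
            esp.append({"ts": m[1], "src": m[2], "dst": m[3], "spi": m[4], "seq": int(m[5], 16)})
    return isakmp, esp

def diagnose(text, local):
    """Flag the thread's pattern: our IKE phase 1 goes unanswered while the peer
    keeps sending ESP on an SA it still considers valid."""
    isakmp, esp = parse(text)
    ike_sent = sum(p["src"] == local for p in isakmp)
    ike_recv = sum(p["dst"] == local for p in isakmp)
    inbound_spis = Counter(p["spi"] for p in esp if p["dst"] == local)
    unanswered = ike_sent > 0 and ike_recv == 0
    return {
        "ike_sent": ike_sent,
        "ike_received": ike_recv,
        "inbound_spis": dict(inbound_spis),
        "ike_unanswered": unanswered,
        # peer still transmits on the old SA: likely stale state on its side
        "stale_peer_sa_suspected": unanswered and bool(inbound_spis),
    }
```

Run `diagnose(open("capture.txt").read(), "LEFTEXTIP")` on a real `tcpdump -n` text capture; a result with `ike_unanswered` and `stale_peer_sa_suspected` both true matches the situation in the thread, where the peer's pluto log (rather than more tcpdump) is what will explain why the IKE request is ignored.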


