OK, we've had our test DCD-DCD, gw-gw vpn up continuously for several weeks. In fact, I used it earlier this evening to transfer files.
Of a sudden, the tunnel no longer functioned! This is what we saw:

    root@bluetrout:/var/log # ipsec eroute
    192.168.1.0/24 -> 192.168.123.0/24 => %hold (21)

    root@trout:/var/log # ipsec eroute
    192.168.123.0/24 -> 192.168.1.0/24 => %hold (34)

Where are these documented?

And, this in /var/log/auth.log:

    Feb 2 20:24:15 bluetrout Pluto[25694]: packet from 12.248.253.86:500: Main Mode message is part of an unknown exchange
    Feb 2 20:24:15 bluetrout Pluto[25694]: packet from 12.248.253.86:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
    Feb 2 20:24:16 bluetrout Pluto[25694]: packet from 12.248.253.86:500: Main Mode message is part of an unknown exchange
    Feb 2 20:24:16 bluetrout Pluto[25694]: packet from 12.248.253.86:500: Main Mode message is part of an unknown exchange
    Feb 2 20:24:17 bluetrout Pluto[25694]: packet from 12.248.253.86:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
    Feb 2 20:24:17 bluetrout Pluto[25694]: packet from 12.248.253.86:500: Main Mode message is part of an unknown exchange
    Feb 2 20:24:17 bluetrout Pluto[25694]: packet from 12.248.253.86:500: Main Mode message is part of an unknown exchange
    Feb 2 20:24:17 bluetrout Pluto[25694]: "trout" #756: discarding duplicate packet; already STATE_MAIN_I2

    Feb 2 20:24:15 trout Pluto[8589]: "bluetrout" #1444: STATE_MAIN_R3: sent MR3, ISAKMP SA established
    Feb 2 20:24:15 trout Pluto[8589]: "bluetrout" #1438: max number of retransmissions (2) reached STATE_MAIN_R1
    Feb 2 20:24:15 trout Pluto[8589]: "bluetrout" #1437: max number of retransmissions (2) reached STATE_QUICK_I1
    Feb 2 20:24:15 trout Pluto[8589]: "bluetrout" #1437: starting keying attempt 25 of an unlimited number
    Feb 2 20:24:15 trout Pluto[8589]: "bluetrout" #1445: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS
    Feb 2 20:24:16 trout Pluto[8589]: "bluetrout" #1339: ISAKMP SA expired (superseded by #1444)
    Feb 2 20:24:16 trout Pluto[8589]: "bluetrout" #1347: not replacing stale ISAKMP SA: #1444 will do
    Feb 2 20:24:16 trout Pluto[8589]: "bluetrout" #1444: retransmitting in response to duplicate packet; already STATE_MAIN_R3
    Feb 2 20:24:16 trout Pluto[8589]: "bluetrout" #1444: retransmitting in response to duplicate packet; already STATE_MAIN_R3
    Feb 2 20:24:16 trout Pluto[8589]: "bluetrout" #1446: responding to Main Mode
    Feb 2 20:24:17 trout Pluto[8589]: "bluetrout" #1447: responding to Main Mode

We tried cycling both sides, without successful reconnection:

    root@bluetrout:/var/log # ipsec auto --down trout
    # ipsec auto --up trout

    root@trout:/var/log # ipsec auto --down trout
    # ipsec auto --up trout

We tried completely cycling ipsec:

    root@bluetrout:/var/log # ipsec auto --down trout
    # svi ipsec --stop
    # svi ipsec --start
    # ipsec auto --up trout

    root@trout:/var/log # ipsec auto --down trout
    # svi ipsec --stop
    # svi ipsec --start
    # ipsec auto --up trout

Then, we got this:

    root@bluetrout:/var/log # ipsec eroute
    192.168.1.0/24 -> 192.168.123.0/24 => %trap (0)

    root@trout:/var/log # ipsec eroute
    192.168.123.0/24 -> 192.168.1.0/24 => %trap (0)

Where are these documented?

Finally, we stopped ipsec, reloaded the entire network, then restarted ipsec:

    root@bluetrout:/var/log # ipsec auto --down trout
    # svi ipsec --stop
    # svi network reload
    # svi ipsec --start
    # ipsec auto --up trout

    root@trout:/var/log # ipsec auto --down trout
    # svi ipsec --stop
    # svi network reload
    # svi ipsec --start
    # ipsec auto --up trout

Now, we see this, as expected:

    root@bluetrout:/root # ipsec eroute
    8 192.168.1.0/24 -> 192.168.123.0/24 => [EMAIL PROTECTED]

    root@trout:/var/log # ipsec eroute
    8 192.168.123.0/24 -> 192.168.1.0/24 => [EMAIL PROTECTED]

What have we done that could have precipitated this?

[1] Weird messages began appearing in /etc/auth.log here:

    Jan 30 18:39:39 bluetrout Pluto[25694]: "trout" #201: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message

Began seeing consecutive instances, like this, here:

    Jan 30 18:40:29 trout Pluto[8589]: "bluetrout" #202: responding to Main Mode
    Jan 30 18:40:29 trout Pluto[8589]: "bluetrout" #203: responding to Main Mode
    Jan 30 18:40:29 trout Pluto[8589]: "bluetrout" #204: responding to Main Mode

And, began seeing this here:

    Jan 30 18:46:59 trout Pluto[8589]: "bluetrout" #203: max number of retransmissions (2) reached STATE_MAIN_R1
    Jan 30 18:46:59 trout Pluto[8589]: "bluetrout" #202: max number of retransmissions (2) reached STATE_MAIN_R1

[2]

    root@bluetrout:/var/log # ipchains -nvL | grep 5[01]
    root@trout:/var/log # ipchains -nvL | grep 5[01]

Each system had four (4) pairs of ACCEPTs for each of protocol 50 & 51 at the top, as well as another further down, from /etc/network.conf.

[3] Yesterday afternoon, we began using this to allow each gateway to communicate with the other via the tunnel:

    # bluetrout
    ip route change 192.168.123.0/24 via 64.4.x.z src 192.168.1.254 dev ipsec0

    # trout
    ip route change 192.168.1.0/24 via 12.248.c.d src 192.168.123.254 dev ipsec0

What is going on here?

-- 
Best Regards,

mds
mds resource
888.250.3987
Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . .

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
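A small triage helper, added here as an example and not part of the original post or of the LEAF/FreeS/WAN tools: it maps the eroute targets seen in the post (%trap, %hold, tun0x...) to what they mean for the tunnel and counts the recurring Pluto messages from auth.log, so the two can be compared before a gateway is cycled. The sample lines are constructed from the post's output with the peer address replaced by a documentation range, and the wording of each meaning is my reading of the FreeS/WAN eroute states, not text from the post.

```python
import re
from collections import Counter

# Constructed sample input modelled on the eroute output and Pluto log lines in the post.
EROUTE_SAMPLE = [
    "192.168.1.0/24 -> 192.168.123.0/24 => %hold (21)",
    "8 192.168.1.0/24 -> 192.168.123.0/24 => tun0x1002@203.0.113.86",
]
AUTHLOG_SAMPLE = """\
Feb 2 20:24:15 bluetrout Pluto[25694]: packet from 203.0.113.86:500: Main Mode message is part of an unknown exchange
Feb 2 20:24:15 bluetrout Pluto[25694]: packet from 203.0.113.86:500: Quick Mode message is for a non-existent (expired?) ISAKMP SA
Feb 2 20:24:15 trout Pluto[8589]: "bluetrout" #1438: max number of retransmissions (2) reached STATE_MAIN_R1
Feb 2 20:24:15 trout Pluto[8589]: "bluetrout" #1437: max number of retransmissions (2) reached STATE_QUICK_I1
Feb 2 20:24:15 trout Pluto[8589]: "bluetrout" #1444: STATE_MAIN_R3: sent MR3, ISAKMP SA established
"""

# FreeS/WAN eroute targets and what each one means for the tunnel's health.
EROUTE_STATES = {
    "%trap": "no SA: the first matching packet will trigger a negotiation",
    "%hold": "negotiation in progress: matching packets are held, not sent",
}
EROUTE_RE = re.compile(r"^(?:(\d+)\s+)?(\S+) -> (\S+) => (\S+)")

def classify_eroute(line):
    """Return (src, dst, target, meaning) for one line of 'ipsec eroute' output."""
    m = EROUTE_RE.match(line.strip())
    if not m:
        return None
    _count, src, dst, target = m.groups()
    if target.startswith("tun0x"):   # tun0xNNNN@peer: SA installed, traffic is encrypted
        return src, dst, target, "established via " + target
    return src, dst, target, EROUTE_STATES.get(target, "unrecognised eroute target")

# Pluto messages worth counting, with the question each one raises for the operator.
SYMPTOMS = {
    "max number of retransmissions": "peer not answering: are UDP 500 and protocols 50/51 still passed?",
    "unknown exchange": "peer sent a message this side has no exchange for: IKE states out of sync",
    "non-existent (expired?) ISAKMP SA": "Quick Mode arrived for a phase-1 SA this side no longer holds",
    "ISAKMP SA established": "phase 1 completed",
}

def summarize_pluto(log_text):
    """Count the symptoms above across Pluto log lines; returns {symptom: count}."""
    counts = Counter()
    for line in log_text.splitlines():
        for key in SYMPTOMS:
            if "Pluto[" in line and key in line:
                counts[key] += 1
    return dict(counts)
```

Run against the real `ipsec eroute` output and `/var/log/auth.log`, a %hold or %trap entry alongside a growing retransmission count points at the path between the gateways (firewall rules for UDP 500 and protocols 50/51, or routing) rather than at the IPsec configuration itself.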