Hi Jean-Francois,

> could you check how many tunnels are set up in the kernel, the right
> number I believe. Does the selector (SPD) match what's been negotiated
> between openswan and isakmpd ?

Looks like the original problem is not reproducible. It might have been a
side effect of the second problem I have (however, I'm still not sure if
OpenSwan or isakmpd is the one to blame here):

OpenSwan (road warrior)  <--->  isakmpd (fixed address A.B.C.D)
One tunnel defined (net1 <-> net2)

Establishing the connection works OK.

OpenSwan output:

[EMAIL PROTECTED]:~# ipsec auto --status
000 interface ipsec0/ppp0 84.178.106.33
[...]
000 #2: "colab":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 28098s; newest IPSEC; eroute owner
000 #2: "colab" [EMAIL PROTECTED] [EMAIL PROTECTED]
[EMAIL PROTECTED] [EMAIL PROTECTED]
000 #1: "colab":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 2874s; newest ISAKMP; lastdpd=3s(seq in:30589 out:0)
000

isakmpd:

# setkey -D | more
84.178.106.33 A.B.C.D
        esp mode=tunnel spi=1787212810(0x6a86b40a) reqid=0(0x00000000)
        E: aes-cbc  403b6d34 e1616004 2a9193da 733215ad 122c0226 903aaeea
4087870c ca57d4b4
        A: hmac-sha1  f8a36d4b fb89bd67 3521d5e0 3500a679 e32333e6
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Jan  6 16:53:44 2006   current: Jan  6 16:54:22 2006
        diff: 38(s)     hard: 28800(s)  soft: 25920(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=23263 refcnt=0
A.B.C.D 84.178.106.33
        esp mode=tunnel spi=3031293149(0xb4addcdd) reqid=0(0x00000000)
        E: aes-cbc  8067521a d19959c1 27c5c4ea f46eaedf 634f4cc5 c059bcbc
42194800 4f40b437
        A: hmac-sha1  d8e73654 fd41cfde 79150a54 cc0b17e7 6ff3dca4
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Jan  6 16:53:43 2006   current: Jan  6 16:54:22 2006
        diff: 39(s)     hard: 28800(s)  soft: 25920(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=23263 refcnt=0

# setkey -DP | more
net1[any] net2[any] any
        in ipsec
        esp/tunnel/84.178.106.33-A.B.C.D/use
        created: Jan  6 16:53:44 2006  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=3960 seq=25 pid=23288
        refcnt=1
net2[any] net1[any] any
        out ipsec
        esp/tunnel/A.B.C.D-84.178.106.33/require
        created: Jan  6 16:53:44 2006  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=3953 seq=24 pid=23288
        refcnt=1

Now the road warrior is disconnected by the carrier and reconnects with a
different IP address (simulated by a reboot of the OpenWRT box/OpenSwan):

OpenSwan output:

[EMAIL PROTECTED]:~# ipsec auto --status
000 interface ipsec0/ppp0 84.178.127.193
[...]
000 #2: "colab":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 27965s; newest IPSEC; eroute owner
000 #2: "colab" [EMAIL PROTECTED] [EMAIL PROTECTED]
[EMAIL PROTECTED] [EMAIL PROTECTED]
000 #1: "colab":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 2944s; newest ISAKMP; lastdpd=4s(seq in:31921 out:0)

isakmpd:

# setkey -D | more
84.178.127.193 A.B.C.D
        esp mode=tunnel spi=776575429(0x2e4999c5) reqid=0(0x00000000)
        E: aes-cbc  876889c8 d2c133ae 33ed52d3 7cb86f5f 9187dc2a d13dfa5a
9ff4ccc5 da5971a9
        A: hmac-sha1  75b80006 6fc795d2 a812cf33 83132101 7f43c8ec
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Jan  6 17:01:07 2006   current: Jan  6 17:03:02 2006
        diff: 115(s)    hard: 28800(s)  soft: 25920(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=3 pid=23330 refcnt=0
84.178.106.33 A.B.C.D
        esp mode=tunnel spi=1787212810(0x6a86b40a) reqid=0(0x00000000)
        E: aes-cbc  403b6d34 e1616004 2a9193da 733215ad 122c0226 903aaeea
4087870c ca57d4b4
        A: hmac-sha1  f8a36d4b fb89bd67 3521d5e0 3500a679 e32333e6
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Jan  6 16:53:44 2006   current: Jan  6 17:03:02 2006
        diff: 558(s)    hard: 28800(s)  soft: 25920(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=2 pid=23330 refcnt=0
A.B.C.D 84.178.106.33
        esp mode=tunnel spi=3031293149(0xb4addcdd) reqid=0(0x00000000)
        E: aes-cbc  8067521a d19959c1 27c5c4ea f46eaedf 634f4cc5 c059bcbc
42194800 4f40b437
        A: hmac-sha1  d8e73654 fd41cfde 79150a54 cc0b17e7 6ff3dca4
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Jan  6 16:53:43 2006   current: Jan  6 17:03:02 2006
        diff: 559(s)    hard: 28800(s)  soft: 25920(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=23330 refcnt=0
A.B.C.D 84.178.127.193
        esp mode=tunnel spi=83161463(0x04f4f177) reqid=0(0x00000000)
        E: aes-cbc  865aef4f 11a54abb 73fc05bc 31cc7c24 179427bc 402ed538
c18aa856 0ce1276c
        A: hmac-sha1  046b5bcf 0817191b 0ce33654 ec7a2ab7 3cf95e97
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Jan  6 17:01:06 2006   current: Jan  6 17:03:02 2006
        diff: 116(s)    hard: 28800(s)  soft: 25920(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=23330 refcnt=0

# setkey -DP | more
net1[any] net2[any] any
        in ipsec
        esp/tunnel/84.178.106.33-A.B.C.D/use
        created: Jan  6 16:53:44 2006  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=3960 seq=25 pid=23332
        refcnt=1
net2[any] net1[any] any
        out ipsec
        esp/tunnel/A.B.C.D-84.178.106.33/require
        created: Jan  6 16:53:44 2006  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=3953 seq=24 pid=23332
        refcnt=1

Although new ISAKMP and IPSEC SAs have been established, the SPD entries
are not updated (still pointing to the old IP address).

Thanks,
Jochen
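One way to script the check Jean-Francois asks for (added example, not code from this mail or from isakmpd/Openswan): it parses `setkey -D` and `setkey -DP` output and flags SPD entries whose tunnel endpoint no longer matches the most recently created SA for the same local address, which is exactly the stale-SPD condition described above. It assumes Python 3.8+; the embedded dumps are constructed excerpts of the second set of outputs in the mail.

```python
import re
from datetime import datetime

# Constructed excerpts of the second `setkey -D` / `setkey -DP` dumps in the mail above
# (spi, key and lifetime lines omitted; A.B.C.D stands in for the fixed address, as in the mail).
SAD_DUMP = """\
84.178.127.193 A.B.C.D
        created: Jan  6 17:01:07 2006   current: Jan  6 17:03:02 2006
84.178.106.33 A.B.C.D
        created: Jan  6 16:53:44 2006   current: Jan  6 17:03:02 2006
A.B.C.D 84.178.106.33
        created: Jan  6 16:53:43 2006   current: Jan  6 17:03:02 2006
A.B.C.D 84.178.127.193
        created: Jan  6 17:01:06 2006   current: Jan  6 17:03:02 2006
"""
SPD_DUMP = """\
net1[any] net2[any] any
        in ipsec
        esp/tunnel/84.178.106.33-A.B.C.D/use
net2[any] net1[any] any
        out ipsec
        esp/tunnel/A.B.C.D-84.178.106.33/require
"""
# `setkey -DP` policy: selector line, then "in|out ipsec", then "esp/tunnel/src-dst/level"
SPD_RE = re.compile(r"(?m)^(\S+ \S+ \S+)\n\s+(in|out) ipsec\n\s+\w+/tunnel/([^-]+)-([^/]+)/")

def parse_sad(text):  # one dict per SA (src, dst, created) from `setkey -D` output
    sas = []
    for line in text.splitlines():
        if line and not line[0].isspace():                 # unindented "src dst" header
            sas.append(dict(zip(("src", "dst"), line.split())))
        elif m := re.search(r"created: (\w+ +\d+ [\d:]+ \d{4})", line):
            sas[-1]["created"] = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
    return sas

def stale_policies(sad_text, spd_text):
    """Flag SPD tunnel endpoints with no SA, or whose peer has been superseded by a newer SA
    with the same local address (inbound: local end is tunnel dst; outbound: tunnel src)."""
    sas, findings = parse_sad(sad_text), []
    for selector, direction, tsrc, tdst in SPD_RE.findall(spd_text):
        near, far, local, peer = ("dst", "src", tdst, tsrc) if direction == "in" else ("src", "dst", tsrc, tdst)
        mine = [sa for sa in sas if sa[near] == local]                 # SAs in this direction
        newest = max(mine, key=lambda sa: sa["created"], default=None)
        if not any(sa[far] == peer for sa in mine):
            findings.append((selector, direction, "no SA for %s-%s" % (tsrc, tdst)))
        elif newest[far] != peer:
            findings.append((selector, direction, "superseded by SA to %s created %s"
                             % (newest[far], newest["created"].strftime("%H:%M:%S"))))
    return findings
```

Run against live output with `stale_policies(open("sad.txt").read(), open("spd.txt").read())` after saving `setkey -D` and `setkey -DP` to those files; an empty list means every policy points at the newest SA.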

