OpenSWAN VPN tul gyakori SA payload expire (?)

LiRul Thu, 10 Aug 2006 07:27:44 -0700

Hello!

Csinaltam egy VPN tunnelt, egyik oldala (left) egy  2.4.32-es kernel
ala belott OpenSWAN-2.4.4, masik vegen egy Draytek Vigor 2900V
DSL router. Megy minden szepen. Egyetlen ,,gondom'', hogy 5 percenkent
ugy tunik lejar az SA payload. (Bocs a hosszu sorokert.)


ipsec.conf
----------
conn iroda-lacika
        compress=no
        auth=esp
        right=86.101.xx.xx
        rightsubnet=10.0.1.0/24
        left=195.38.xx.xx
        leftsubnet=192.168.1.0/25
        authby=secret
        auto=auto
        keyingtries=1

auth.log
--------
Aug 10 16:09:01 a pluto[15702]: "a-b" #56: initiating Main Mode
Aug 10 16:09:01 a pluto[15702]: "a-b" #56: transition from state STATE_MAIN_I1 
to state STATE_MAIN_I2
Aug 10 16:09:01 a pluto[15702]: "a-b" #56: STATE_MAIN_I2: sent MI2, expecting 
MR2
Aug 10 16:09:02 a pluto[15702]: "a-b" #56: I did not send a certificate because 
I do not have one.
Aug 10 16:09:02 a pluto[15702]: "a-b" #56: transition from state STATE_MAIN_I2 
to state STATE_MAIN_I3
Aug 10 16:09:02 a pluto[15702]: "a-b" #56: STATE_MAIN_I3: sent MI3, expecting 
MR3
Aug 10 16:09:02 a pluto[15702]: "a-b" #56: Main mode peer ID is ID_IPV4_ADDR: 
'86.101.xx.xx'
Aug 10 16:09:02 a pluto[15702]: "a-b" #56: transition from state STATE_MAIN_I3 
to state STATE_MAIN_I4
Aug 10 16:09:02 a pluto[15702]: "a-b" #56: STATE_MAIN_I4: ISAKMP SA established 
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha 
group=modp1024}
Aug 10 16:09:02 a pluto[15702]: "a-b" #57: initiating Quick Mode 
PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#56}
Aug 10 16:09:03 a pluto[15702]: "a-b" #57: transition from state STATE_QUICK_I1 
to state STATE_QUICK_I2
Aug 10 16:09:03 a pluto[15702]: "a-b" #57: STATE_QUICK_I2: sent QI2, IPsec SA 
established {ESP=>0x02040b5a <0x6cc8c027 xfrm=AES_0-HMAC_SHA1 NATD=none 
DPD=none}
Aug 10 16:14:03 a pluto[15702]: "a-b" #56: received Delete SA payload: replace 
IPSEC State #57 in 10 seconds
Aug 10 16:14:03 a pluto[15702]: "a-b" #56: received and ignored informational 
message
Aug 10 16:14:03 a pluto[15702]: "a-b" #56: received Delete SA payload: deleting 
ISAKMP State #56
Aug 10 16:14:03 a pluto[15702]: packet from 86.101.xx.xx:500: received and 
ignored informational message
Aug 10 16:14:13 a pluto[15702]: "a-b" #58: initiating Main Mode
Aug 10 16:14:13 a pluto[15702]: "a-b" #58: transition from state STATE_MAIN_I1 
to state STATE_MAIN_I2
Aug 10 16:14:13 a pluto[15702]: "a-b" #58: STATE_MAIN_I2: sent MI2, expecting 
MR2
Aug 10 16:14:14 a pluto[15702]: "a-b" #58: I did not send a certificate because 
I do not have one.
Aug 10 16:14:14 a pluto[15702]: "a-b" #58: transition from state STATE_MAIN_I2 
to state STATE_MAIN_I3
Aug 10 16:14:14 a pluto[15702]: "a-b" #58: STATE_MAIN_I3: sent MI3, expecting 
MR3
Aug 10 16:14:14 a pluto[15702]: "a-b" #58: Main mode peer ID is ID_IPV4_ADDR: 
'86.101.xx.xx'
Aug 10 16:14:14 a pluto[15702]: "a-b" #58: transition from state STATE_MAIN_I3 
to state STATE_MAIN_I4
Aug 10 16:14:14 a pluto[15702]: "a-b" #58: STATE_MAIN_I4: ISAKMP SA established 
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha 
group=modp1024}
Aug 10 16:14:14 a pluto[15702]: "a-b" #59: initiating Quick Mode 
PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#58}
Aug 10 16:14:15 a pluto[15702]: "a-b" #59: transition from state STATE_QUICK_I1 
to state STATE_QUICK_I2
Aug 10 16:14:15 a pluto[15702]: "a-b" #59: STATE_QUICK_I2: sent QI2, IPsec SA 
established {ESP=>0x02040b5b <0x6cc8c028 xfrm=AES_0-HMAC_SHA1 NATD=none 
DPD=none}

ipsec auto --status
-------------------
000 "a-b": 192.168.1.0/25===195.38.xx.xx...86.101.xx.xx===10.0.1.0/24; erouted; 
eroute owner: #53
000 "a-b":     srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec 
_updown;
000 "a-b":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; 
rekey_fuzz: 100%; keyingtries: 1
000 "a-b":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 25,24; interface: ppp0;
000 "a-b":   newest ISAKMP SA: #52; newest IPsec SA: #53;
000 "a-b":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000
000 #53: "a-b":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); 
EVENT_SA_REPLACE in 27842s; newest IPSEC; eroute owner
000 #53: "a-b" [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL 
PROTECTED]
000 #52: "a-b":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 
2676s; newest ISAKMP; nodpd

Nem ugy tunik, mintha a Draytek kenyszeritene ki az esemenyt?  Nem
talaltam sehol sem 600 masodperces timeout-ot/lejarati idot. :-(

Koszi!
-- 
  LiRul                            http://www.hixsplit.hu/
  Un*x + HIX = hixsplit   Lehet, de nem erdemes nelkule...
_________________________________________________
linux lista      -      linux@mlf.linux.rulez.org
http://mlf2.linux.rulez.org/mailman/listinfo/linux

OpenSWAN VPN tul gyakori SA payload expire (?)

válasz