OpenSwan IPsec connection drops after 30 seconds

Posted by drcore on Server Fault
Published on 2014-08-23T15:34:16Z Indexed on 2014/08/23 16:23 UTC

I'm trying to connect from my Linux Mint 16 box to a CloudStack server. Building up the connection works (pings work across the tunnel). However, 30 seconds later the IPsec tunnel gets terminated out of the blue. What could cause this consistent behaviour and how can I fix it?

The tunnel is set up using OpenSwan (U2.6.38/K(no kernel code presently loaded)) with the L2TP IPsec VPN manager from Werner Jaeger 1.0.9. The client is behind a NAT'ed router and the server is on a public IP (CloudStack 4.2).

Running ipsec verify complains about IPsec support in the kernel. Not sure if this is a problem, as the connection is being built up:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.38/K(no kernel code presently loaded)
Checking for IPsec support in kernel                            [FAILED]
 SAref kernel support                                           [N/A]
Checking that pluto is running                                  [FAILED]
  whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

Tunnel config:

version 2.0 # conforms to second version of ipsec.conf specification

config setup
    # plutodebug="parsing emitting control private"
    plutodebug=none
    strictcrlpolicy=no
    nat_traversal=yes
    interfaces=%defaultroute
    oe=off
    # which IPsec stack to use. netkey,klips,mast,auto or none
    protostack=netkey

conn %default
    keyingtries=3
    pfs=no
    rekey=yes
    type=transport
    left=%defaultroute
    leftprotoport=17/1701
    rightprotoport=17/1701

conn Tunnel1
    authby=secret

    right=37.48.75.97
    rightid=""
    auto=add

Log file of VPN connection build up:

aug. 23 17:12:54.708 ipsec_setup: Starting Openswan IPsec U2.6.38/K3.11.0-12-generic...
aug. 23 17:12:55.155 ipsec_setup: multiple ip addresses, using  192.168.178.32 on eth0
aug. 23 17:12:55.165 ipsec__plutorun: Starting Pluto subsystem...
aug. 23 17:12:55.174 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
aug. 23 17:12:55.177 recvref[30]: Protocol not available
aug. 23 17:12:55.177 xl2tpd[14339]: This binary does not support kernel L2TP.
aug. 23 17:12:55.178 Starting xl2tpd: xl2tpd.
aug. 23 17:12:55.178 xl2tpd[14345]: xl2tpd version xl2tpd-1.3.1 started on desktopmint PID:14345
aug. 23 17:12:55.178 xl2tpd[14345]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
aug. 23 17:12:55.179 xl2tpd[14345]: Forked by Scott Balmos and David Stipp, (C) 2001
aug. 23 17:12:55.179 xl2tpd[14345]: Inherited by Jeff McAdams, (C) 2002
aug. 23 17:12:55.179 xl2tpd[14345]: Forked again by Xelerance (www.xelerance.com) (C) 2006
aug. 23 17:12:55.180 xl2tpd[14345]: Listening on IP address 0.0.0.0, port 1701
aug. 23 17:12:55.214 ipsec__plutorun: 002 added connection description "Tunnel1"
aug. 23 17:13:15.532 104 "Tunnel1" #1: STATE_MAIN_I1: initiate
aug. 23 17:13:15.532 003 "Tunnel1" #1: ignoring unknown Vendor ID payload [4f45755c645c6a795c5c6170]
aug. 23 17:13:15.532 003 "Tunnel1" #1: received Vendor ID payload [Dead Peer Detection]
aug. 23 17:13:15.533 003 "Tunnel1" #1: received Vendor ID payload [RFC 3947] method set to=115 
aug. 23 17:13:15.533 106 "Tunnel1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
aug. 23 17:13:15.534 003 "Tunnel1" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): i am NATed
aug. 23 17:13:15.534 108 "Tunnel1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
aug. 23 17:13:15.534 010 "Tunnel1" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
aug. 23 17:13:15.545 003 "Tunnel1" #1: received Vendor ID payload [CAN-IKEv2]
aug. 23 17:13:15.547 004 "Tunnel1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp2048}
aug. 23 17:13:15.547 117 "Tunnel1" #2: STATE_QUICK_I1: initiate
aug. 23 17:13:15.547 010 "Tunnel1" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
aug. 23 17:13:15.548 004 "Tunnel1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0x0ecef28b <0x3e1fbe3b xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
aug. 23 17:13:16.549 xl2tpd[14345]: Connecting to host <VPN gateway>, port 1701
aug. 23 17:13:18.576 xl2tpd[14345]: Connection established to <VPN gateway>, 1701.  Local: 21163, Remote: 12074 (ref=0/0).
aug. 23 17:13:18.576 xl2tpd[14345]: Calling on tunnel 21163
aug. 23 17:13:18.577 xl2tpd[14345]: check_control: Received out of order control packet on tunnel 12074 (got 0, expected 1)
aug. 23 17:13:18.577 xl2tpd[14345]: handle_packet: bad control packet!
aug. 23 17:13:18.577 xl2tpd[14345]: check_control: Received out of order control packet on tunnel 12074 (got 0, expected 1)
aug. 23 17:13:18.577 xl2tpd[14345]: handle_packet: bad control packet!
aug. 23 17:13:18.599 xl2tpd[14345]: Call established with <VPN gateway>, Local: 39035, Remote: 57266, Serial: 1 (ref=0/0)
aug. 23 17:13:18.605 xl2tpd[14345]: start_pppd: I'm running: 
aug. 23 17:13:18.605 xl2tpd[14345]: "/usr/sbin/pppd" 
aug. 23 17:13:18.606 xl2tpd[14345]: "passive" 
aug. 23 17:13:18.606 xl2tpd[14345]: "nodetach" 
aug. 23 17:13:18.606 xl2tpd[14345]: ":" 
aug. 23 17:13:18.606 xl2tpd[14345]: "file" 
aug. 23 17:13:18.606 xl2tpd[14345]: "/etc/ppp/Tunnel1.options.xl2tpd" 
aug. 23 17:13:18.606 xl2tpd[14345]: "ipparam" 
aug. 23 17:13:18.607 xl2tpd[14345]: "<VPN gateway>" 
aug. 23 17:13:18.607 xl2tpd[14345]: "/dev/pts/4" 
aug. 23 17:13:18.607 pppd[14438]: Plugin passprompt.so loaded.
aug. 23 17:13:18.607 pppd[14438]: pppd 2.4.5 started by root, uid 0
aug. 23 17:13:18.608 pppd[14438]: Using interface ppp0
aug. 23 17:13:18.608 pppd[14438]: Connect: ppp0 <--> /dev/pts/4
aug. 23 17:13:21.650 pppd[14438]: CHAP authentication succeeded: Access granted
aug. 23 17:13:21.651 pppd[14438]: CHAP authentication succeeded
aug. 23 17:13:21.692 pppd[14438]: local  IP address 10.1.2.2
aug. 23 17:13:21.693 pppd[14438]: remote IP address 10.1.2.1
aug. 23 17:13:21.693 pppd[14438]: primary   DNS address 10.1.2.1
aug. 23 17:13:21.694 pppd[14438]: secondary DNS address 10.1.2.1

aug. 23 17:13:46.528 Stopping xl2tpd: xl2tpd.
aug. 23 17:13:46.528 xl2tpd[14345]: death_handler: Fatal signal 15 received
aug. 23 17:13:46.529 pppd[14438]: Modem hangup
aug. 23 17:13:46.529 pppd[14438]: Connect time 0.5 minutes.
aug. 23 17:13:46.529 pppd[14438]: Sent 1866 bytes, received 1241 bytes.
aug. 23 17:13:46.529 pppd[14438]: Connection terminated.
aug. 23 17:13:46.562 ipsec_setup: Stopping Openswan IPsec...
aug. 23 17:13:46.576 pppd[14438]: Exit.
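Reading the posted log programmatically, as an added example that is not part of the question or of OpenSwan: it times the tunnel from the IPsec SA (and from the PPP address assignment) to the teardown and classifies what ended it. The "declaring peer dead" DPD marker is an assumption, since no such line appears above; what the posted log does show is xl2tpd dying from signal 15 (SIGTERM), an external stop rather than an IKE or IPsec failure.

```python
import re

# Constructed excerpt of the log lines from the post above (not a full capture).
SAMPLE_LOG = """\
aug. 23 17:13:15.548 004 "Tunnel1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {DPD=none}
aug. 23 17:13:21.693 pppd[14438]: remote IP address 10.1.2.1
aug. 23 17:13:46.528 Stopping xl2tpd: xl2tpd.
aug. 23 17:13:46.528 xl2tpd[14345]: death_handler: Fatal signal 15 received
aug. 23 17:13:46.562 ipsec_setup: Stopping Openswan IPsec...
"""

# "aug. 23 17:13:46.528 <message>": month token, day, HH:MM:SS.mmm, rest of line
LINE_RE = re.compile(r"^\S+ \d+ (\d\d):(\d\d):(\d\d)\.(\d{3}) (.*)$")
# Substring -> event name; the DPD marker is an assumption, absent from the posted log.
MARKERS = [
    ("IPsec SA established", "ipsec_sa_up"),
    ("remote IP address", "ppp_up"),
    ("Fatal signal 15 received", "sigterm"),
    ("Stopping xl2tpd", "xl2tpd_stop"),
    ("declaring peer dead", "dpd_dead"),
]

def ts_ms(h, m, s, ms):  # time of day in ms; the log carries no year, so stay within one day
    return ((int(h) * 60 + int(m)) * 60 + int(s)) * 1000 + int(ms)

def first_events(log_text):
    """Map each marker name to the timestamp (ms) of its first occurrence."""
    first = {}
    for line in log_text.splitlines():
        mo = LINE_RE.match(line)
        if not mo:
            continue
        t, msg = ts_ms(*mo.groups()[:4]), mo.group(5)
        for needle, name in MARKERS:
            if needle in msg:
                first.setdefault(name, t)
    return first

def analyse(log_text):
    """Return how long the tunnel lived and what the log says ended it."""
    ev = first_events(log_text)
    teardown = ev.get("xl2tpd_stop", ev.get("sigterm"))
    if ev.get("dpd_dead") is not None:
        cause = "dpd: peer declared dead, an IKE liveness failure"
    elif ev.get("sigterm") is not None:
        cause = "external: xl2tpd got SIGTERM, i.e. something stopped the VPN deliberately"
    else:
        cause = "unknown"
    delta = lambda k: None if teardown is None or k not in ev else teardown - ev[k]
    return {"since_sa_ms": delta("ipsec_sa_up"), "uptime_ms": delta("ppp_up"), "cause": cause}
```

On the posted log this reports about 31 s from the IPsec SA and about 25 s from the PPP address to the SIGTERM, so the next thing to check is what sent that signal (the VPN manager, a script, or an idle timeout) rather than the IKE exchange.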