Note: This archive passes through spamassassin. Every mail marked with the subject "*****SPAM*****" has exceed a certain threshold of spam-like behaviour.

[Users] Failure to negotiate a connection after rebuilding one end of VPN tunnel

From: David Gressett (gresset1_at_airmail.net)
Date: Tue May 07 2002 - 21:42:16 CEST

Next message: Michael T. Babcock: "Re: [Users] Device going down, coming back up"
Previous message: Andreas Haumer: "[Users] Pluto terminating with illegal instruction"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I had two private nets connected by two Linux machines running kernel 2.4.8
and FreeSWAN 1.91. Everything worked fine.

Then the Linux router on the left end croaked - complete disk failure. The
backup could not be found to restore to the replacement.

So I rebuilt the left end from scratch. I got the basic networking working
fine, and then tried to restart the connection.
(I had to put a new leftrsasigkey in ipsec.conf because the old secrets
file was replaced with a new one.) I then tried to restart the VPN tunnel.

No joy. It doesn't work. Something didn't get put back just the way it was,
and I can't find the problem.

I turned on Pluto debugging.

I get this when starting connection with ipsec auto --up

104 "my-connection" #7: STATE_MAIN_I1: initiate
106 "my-connection" #7: STATE_MAIN_I2: from STATE_MAIN_I1; sent MI2,
expecting MR2
108 "my-connection" #7: STATE_MAIN_I3: from STATE_MAIN_I2; sent MI3,
expecting MR3
004 "my-connection" #7: STATE_MAIN_I4: ISAKMP SA established
112 "my-connection" #8: STATE_QUICK_I1: initiate
003 "my-connection" #8: route-client command exited with status 7
032 "my-connection" #8: STATE_QUICK_I1: internal error
010 "my-connection" #8: STATE_QUICK_I1: retransmission; will wait 20s for
response
003 "my-connection" #8: route-client command exited with status 7
032 "my-connection" #8: STATE_QUICK_I1: internal error
010 "my-connection" #8: STATE_QUICK_I1: retransmission; will wait 40s for
response
003 "my-connection" #8: route-client command exited with status 7
032 "my-connection" #8: STATE_QUICK_I1: internal error
031 "my-connection" #8: max number of retransmissions (2) reached
STATE_QUICK_I1
000 "my-connection" #8: starting keying attempt 2 of an unlimited number,
but releasing whack

in /var/log/secure I find this:

May 7 13:00:46 lefthost Pluto[984]: | executing up-client: 2>&1
PLUTO_VERSION='1.1' PLUTO_VERB='up-client'
PLUTO_CONNECTION='denton-ardmore' PLUTO_NEXT_HOP='XXX.XXX.XXX.61'
PLUTO_INTERFACE='ipsec0' PLUTO_ME='XXX.XXX.XXX.162'
PLUTO_MY_CLIENT='192.168.0.0/24' PLUTO_MY_CLIENT_NET='192.168.0.0'
PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_PEER='XXX.XXX.XXX.158'
PLUTO_PEER_CLIENT='192.168.4.0/24' PLUTO_PEER_CLIENT_NET='192.168.4.0'
PLUTO_PEER_CLIENT_MASK='255.255.255.0' ipsec _updown
May 7 13:00:46 lefthost Pluto[984]: | executing prepare-client: 2>&1
PLUTO_VERSION='1.1' PLUTO_VERB='prepare-client'
PLUTO_CONNECTION='denton-ardmore' PLUTO_NEXT_HOP='XXX.XXX.XXX.61'
PLUTO_INTERFACE='ipsec0' PLUTO_ME='XXX.XXX.XXX.162'
PLUTO_MY_CLIENT='192.168.0.0/24' PLUTO_MY_CLIENT_NET='192.168.0.0'
PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_PEER='XXX.XXX.XXX.158'
PLUTO_PEER_CLIENT='192.168.4.0/24' PLUTO_PEER_CLIENT_NET='192.168.4.0'
PLUTO_PEER_CLIENT_MASK='255.255.255.0' ipsec _updown
May 7 13:00:46 lefthost Pluto[984]: | executing route-client: 2>&1
PLUTO_VERSION='1.1' PLUTO_VERB='route-client'
PLUTO_CONNECTION='denton-ardmore' PLUTO_NEXT_HOP='XXX.XXX.XXX.61'
PLUTO_INTERFACE='ipsec0' PLUTO_ME='XXX.XXX.XXX.162'
PLUTO_MY_CLIENT='192.168.0.0/24' PLUTO_MY_CLIENT_NET='192.168.0.0'
PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_PEER='XXX.XXX.XXX.158'
PLUTO_PEER_CLIENT='192.168.4.0/24' PLUTO_PEER_CLIENT_NET='192.168.4.0'
PLUTO_PEER_CLIENT_MASK='255.255.255.0' ipsec _updown
May 7 13:00:46 lefthost Pluto[984]: my-connection #4: route-client output:
SIOCADDRT: Network is unreachable
May 7 13:00:46 lefthost Pluto[984]: my-connection #4: route-client output:
/usr/local/lib/ipsec/_updown: `route add -net 192.168.4.0 netmask
255.255.255.0' failed
May 7 13:00:46 lefthost Pluto[984]: my-connection #4: route-client command
exited with status 7
May 7 13:00:46 lefthost Pluto[984]: | executing down-client: 2>&1
PLUTO_VERSION='1.1' PLUTO_VERB='down-client'
PLUTO_CONNECTION='denton-ardmore' PLUTO_NEXT_HOP='XXX.XXX.XXX.61'
PLUTO_INTERFACE='ipsec0' PLUTO_ME='XXX.XXX.XXX.162'
PLUTO_MY_CLIENT='192.168.0.0/24' PLUTO_MY_CLIENT_NET='192.168.0.0'
PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_PEER='XXX.XXX.XXX.158'
PLUTO_PEER_CLIENT='192.168.4.0/24' PLUTO_PEER_CLIENT_NET='192.168.4.0'
PLUTO_PEER_CLIENT_MASK='255.255.255.0' ipsec _updown
May 7 13:00:46 lefthost Pluto[984]: | delete eroute 192.168.0.0/24 to
192.168.4.0/24 via tun.1010_at_XXX.XXX.XXX.158
May 7 13:00:46 lefthost Pluto[984]: | finish_pfkey_msg: SADB_X_DELFLOW
message 82 for flow tun.1010_at_XXX.XXX.XXX.158

There is a conspicuous problem with the route-client, but I have no idea
what is causing it.

What should I look for? this has to be a screwup in a configuration file
somewhere.

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users

Next message: Michael T. Babcock: "Re: [Users] Device going down, coming back up"
Previous message: Andreas Haumer: "[Users] Pluto terminating with illegal instruction"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:19:57 CEST