From: Andreas Steffen (andreas.steffen_at_strongsec.net)
Date: Fri Oct 11 2002 - 22:12:20 CEST
The warning "no phase 1 state where one should be" stems from
an incomplete implementation of the Delete Notification
support that I inherited from Kai Martius and that I carried
along in the X.509 patch for a long time. The latest versions
of my patch don't contain this code any more since Delete
Notifications are now fully implemented by Mathieu Lafon's
patch which can be applied to FreeS/WAN with X.509 support.
Kind regards
Andreas
Marcus Blomenkamp wrote:
> Hi there.
>
> I've got a slight problem with an annoying warning in the logs.
> However the connection is working fine. What does this line mean?
> How can I get rid of this?
>
> About my scenario: I've got some kind of server and a number of
> clients authenticated by x509 certificates. The server just sits
> waiting for connections and the clients connect to server on
> startup - the classical RW scene. However regularly some clients
> will be booted into an OS without proper IPSec support and have to
> communicate with/to the same IP address, so I want the server to
> forget about dangling connections quickly. Might be the right case
> for the dead-end-detection patch, but currently I'll have to go
> without. So all I did was minimizing lifetime variables on the
> server, while keeping clients' variables on freeswan's default
> values. This is working without glitches so far, but again: What's
> up with this warning message?
>
> Below are excerpts from ipsec's status output and the logging system.
> The clocks are not synchronized because the client is a testbed
> system running under Usermode-Linux, but this should not matter
> anyway. System is based on Debian Woody, Kernel is 2.4.19 + Debian's
> freeswan patch (1.96 + x509-0.9.9 + ???).
>
> Maybe someone can shed some light on this, Marcus
>
> Server log:
> Oct 5 11:15:46 gurke Pluto[11785]: "srb-clients" 192.168.1.111 #907:
> initiating Main Mode to replace #905
> Oct 5 11:15:46 gurke Pluto[11785]: "srb-clients" 192.168.1.111 #907:
> Peer ID is ID_DER_ASN1_DN: 'O=Keller, OU=Host, CN=test.keller'
> Oct 5 11:15:46 gurke Pluto[11785]: "srb-clients" 192.168.1.111 #907:
> ISAKMP SA established
> Oct 5 11:16:07 gurke Pluto[11785]: | no phase 1 state where one should be
> Oct 5 11:16:07 gurke Pluto[11785]: | no phase 1 state where one should be
> Oct 5 11:17:05 gurke Pluto[11785]: "srb-clients" 192.168.1.111 #908:
> initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS to replace #906
> Oct 5 11:17:05 gurke Pluto[11785]: "srb-clients" 192.168.1.111 #908:
> sent QI2, IPsec SA established
> Oct 5 11:17:34 gurke Pluto[11785]: "srb-clients" 192.168.1.111 #909:
> initiating Main Mode to replace #907
> Oct 5 11:17:35 gurke Pluto[11785]: "srb-clients" 192.168.1.111 #909:
> Peer ID is ID_DER_ASN1_DN: 'O=Keller, OU=Host, CN=test.keller'
> Oct 5 11:17:35 gurke Pluto[11785]: "srb-clients" 192.168.1.111 #909:
> ISAKMP SA established
> Oct 5 11:18:25 gurke Pluto[11785]: | no phase 1 state where one should be
> Oct 5 11:18:25 gurke Pluto[11785]: | no phase 1 state where one should be
> Oct 5 11:19:00 gurke Pluto[11785]: "srb-clients" 192.168.1.111 #910:
> initiating Main Mode to replace #909
> Oct 5 11:19:00 gurke Pluto[11785]: "srb-clients" 192.168.1.111 #910:
> Peer ID is ID_DER_ASN1_DN: 'O=Keller, OU=Host, CN=test.keller'
> Oct 5 11:19:00 gurke Pluto[11785]: "srb-clients" 192.168.1.111 #910:
> ISAKMP SA established
> Oct 5 11:19:18 gurke Pluto[11785]: "srb-clients" 192.168.1.111 #911:
> initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS to replace #908
> Oct 5 11:19:18 gurke Pluto[11785]: "srb-clients" 192.168.1.111 #911:
> sent QI2, IPsec SA established
>
> Client log:
> Oct 5 09:16:07 (none) Pluto[56]: "192_168_1_111-to-192_168_1_10" #86:
> responding to Main Mode
> Oct 5 09:16:07 (none) Pluto[56]: "192_168_1_111-to-192_168_1_10" #86:
> Peer ID is ID_DER_ASN1_DN: 'O=Keller, OU=Host, CN=gurke.keller'
> Oct 5 09:16:07 (none) Pluto[56]: "192_168_1_111-to-192_168_1_10" #86:
> sent MR3, ISAKMP SA established
> Oct 5 09:16:29 (none) Pluto[56]: | no phase 1 state where one should be
> Oct 5 09:16:29 (none) Pluto[56]: | no phase 1 state where one should be
> Oct 5 09:17:26 (none) Pluto[56]: "192_168_1_111-to-192_168_1_10" #87:
> responding to Quick Mode
> Oct 5 09:17:26 (none) Pluto[56]: "192_168_1_111-to-192_168_1_10" #87:
> IPsec SA established
> Oct 5 09:17:55 (none) Pluto[56]: "192_168_1_111-to-192_168_1_10" #88:
> responding to Main Mode
> Oct 5 09:17:56 (none) Pluto[56]: "192_168_1_111-to-192_168_1_10" #88:
> Peer ID is ID_DER_ASN1_DN: 'O=Keller, OU=Host, CN=gurke.keller'
> Oct 5 09:17:56 (none) Pluto[56]: "192_168_1_111-to-192_168_1_10" #88:
> sent MR3, ISAKMP SA established
> Oct 5 09:18:48 (none) Pluto[56]: | no phase 1 state where one should be
> Oct 5 09:18:48 (none) Pluto[56]: | no phase 1 state where one should be
> Oct 5 09:19:21 (none) Pluto[56]: "192_168_1_111-to-192_168_1_10" #89:
> responding to Main Mode
> Oct 5 09:19:21 (none) Pluto[56]: "192_168_1_111-to-192_168_1_10" #89:
> Peer ID is ID_DER_ASN1_DN: 'O=Keller, OU=Host, CN=gurke.keller'
> Oct 5 09:19:21 (none) Pluto[56]: "192_168_1_111-to-192_168_1_10" #89:
> sent MR3, ISAKMP SA established
> Oct 5 09:19:39 (none) Pluto[56]: "192_168_1_111-to-192_168_1_10" #90:
> responding to Quick Mode
> Oct 5 09:19:39 (none) Pluto[56]: "192_168_1_111-to-192_168_1_10" #90:
> IPsec SA established
>
> Server settings:
> 000 "srb-clients" instance: 192.168.1.10[O=Keller, OU=Host,
> CN=gurke.keller]...192.168.1.111[O=Keller, OU=Host, CN=test.keller]
> 000 "srb-clients" instance: ike_life: 180s; ipsec_life: 240s;
> rekey_margin: 60s; rekey_fuzz: 100%; keyingtries: 2
> 000 "srb-clients" instance: policy: RSASIG+ENCRYPT+TUNNEL+PFS;
> interface: eth0; erouted
> 000 "srb-clients" instance: newest ISAKMP SA: #916; newest IPsec SA:
> #913; eroute owner: #913
> 000 "srb-clients" instance: ESP algorithms wanted: 3/000-1/000,
> 3/000-2/000,
> 000 "srb-clients" instance: ESP algorithms loaded: 3/168-1/128,
> 3/168-2/160,
> 000 "srb-clients": 192.168.1.10[O=Keller, OU=Host, CN=gurke.keller]...%any
> 000 "srb-clients": ike_life: 180s; ipsec_life: 240s; rekey_margin:
> 60s; rekey_fuzz: 100%; keyingtries: 2
> 000 "srb-clients": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth0;
> unrouted
> 000 "srb-clients": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute
> owner: #0
> 000 "srb-clients": ESP algorithms wanted: 3/000-1/000, 3/000-2/000,
> 000 "srb-clients": ESP algorithms loaded: 3/168-1/128, 3/168-2/160,
>
> Client settings:
> 000 "192_168_1_111-to-192_168_1_10": 192.168.1.111[O=Keller, OU=Host,
> CN=test.keller]...192.168.1.10[O=Keller, OU=Host, CN=gurke.keller]
> 000 "192_168_1_111-to-192_168_1_10": ike_life: 3600s; ipsec_life:
> 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1
> 000 "192_168_1_111-to-192_168_1_10": policy:
> RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth0; erouted
> 000 "192_168_1_111-to-192_168_1_10": newest ISAKMP SA: #95; newest
> IPsec SA: #96; eroute owner: #96
> 000 "192_168_1_111-to-192_168_1_10": ESP algorithms wanted:
> 11/000-1/000, 11/000-2/000,
> 000 "192_168_1_111-to-192_168_1_10": ESP algorithms loaded:
> 11/000-1/128, 11/000-2/160,
>
> _______________________________________________
> Users mailing list
> Users_at_lists.freeswan.org
> http://lists.freeswan.org/mailman/listinfo/users
--
======================================================================
Andreas Steffen                   e-mail: andreas.steffen_at_strongsec.com
strongSec GmbH                    phone:  +41 76 340 25 56
Alter Zürichweg 20                home:   http://www.strongsec.com
CH-8952 Schlieren (Switzerland)
==========================================[strong internet security]==
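The server status quoted above shows ike_life 180s and ipsec_life 240s with rekey_margin 60s and rekey_fuzz 100%. The following added example (not part of the original thread, and not FreeS/WAN code) computes the rekey windows those values imply and checks them against the replacement times in the quoted server log. It assumes the ipsec.conf semantics in which the initiator starts a replacement rekey_margin seconds before expiry, with the margin randomly increased by up to rekey_fuzz percent; the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: values and lines copied from the server output quoted
# in the message above, with the wrapped log lines joined.
STATUS = ('000 "srb-clients" instance: ike_life: 180s; ipsec_life: 240s; '
          'rekey_margin: 60s; rekey_fuzz: 100%; keyingtries: 2')
LOG = """\
Oct 5 11:15:46 gurke Pluto[11785]: "srb-clients" 192.168.1.111 #907: ISAKMP SA established
Oct 5 11:17:05 gurke Pluto[11785]: "srb-clients" 192.168.1.111 #908: sent QI2, IPsec SA established
Oct 5 11:17:34 gurke Pluto[11785]: "srb-clients" 192.168.1.111 #909: initiating Main Mode to replace #907
Oct 5 11:17:35 gurke Pluto[11785]: "srb-clients" 192.168.1.111 #909: ISAKMP SA established
Oct 5 11:19:00 gurke Pluto[11785]: "srb-clients" 192.168.1.111 #910: initiating Main Mode to replace #909
Oct 5 11:19:18 gurke Pluto[11785]: "srb-clients" 192.168.1.111 #911: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS to replace #908
"""

def parse_status(line):
    """Extract lifetimes and margin (seconds) and fuzz (percent) from a status line."""
    pairs = re.findall(r"(ike_life|ipsec_life|rekey_margin|rekey_fuzz): (\d+)", line)
    return {key: int(value) for key, value in pairs}

def rekey_window(life, margin, fuzz_pct):
    """Earliest and latest SA age (seconds) at which the initiator rekeys.
    Assumption: the margin is enlarged by a random 0..fuzz_pct percent."""
    return life - margin * (1 + fuzz_pct / 100), life - margin

def replacement_ages(log):
    """Return (kind, old_sa, age_seconds) for every 'to replace #N' line."""
    line_re = re.compile(r"^(\w+ +\d+ [\d:]+) .*? #(\d+): (.*)$")
    established, ages = {}, []
    for line in log.splitlines():
        m = line_re.match(line)
        if not m:
            continue  # e.g. the '| no phase 1 state ...' debug lines
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        sa, msg = m.group(2), m.group(3)
        if "SA established" in msg:
            established[sa] = ts
        r = re.search(r"initiating (Main|Quick) Mode.* to replace #(\d+)", msg)
        if r and r.group(2) in established:
            kind = "ike" if r.group(1) == "Main" else "ipsec"
            age = (ts - established[r.group(2)]).total_seconds()
            ages.append((kind, r.group(2), age))
    return ages

def check(status, log):
    """Return (old_sa, age, inside_window) for each replacement in the log."""
    p = parse_status(status)
    out = []
    for kind, old, age in replacement_ages(log):
        lo, hi = rekey_window(p[kind + "_life"], p["rekey_margin"], p["rekey_fuzz"])
        out.append((old, age, lo <= age <= hi))
    return out
```

With these settings every ISAKMP SA is replaced 60 to 120 seconds after it is established, which matches the 108 s and 85 s gaps in the quoted log.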
This archive was generated by hypermail 2.1.5 : Sat Oct 12 2002 - 05:20:25 CEST