For security reasons i performed and update from a previous version of openswan to U2.6.32/K2.6.18-194.el5 (netkey)

Since that moment i've been experiencing constant tunnel drops, i've checked the /var/log/secure log but failed to id the problem...

Additionally there is some strange behavior of the commands, when i enter

service ipsec status

It remains unresponsive for a long time (5min aprox.), and when it finally responds, it says no tunnels are up

After a bunch of restarts and a couple of hours of cold sweat it start's working just fine...

The following is a log with the time period between a couple of the many service restarts...

The /var/log/secure/ log with "pluto" entries:

MYSERVER ipsec__plutorun: Starting Pluto subsystem...
MYSERVER pluto[8607]: nss directory plutomain: /etc/ipsec.d
MYSERVER pluto[8607]: NSS Initialized
MYSERVER pluto[8607]: Non-fips mode set in /proc/sys/crypto/fips_enabled
MYSERVER pluto[8607]: Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:8607
MYSERVER pluto[8607]: Non-fips mode set in /proc/sys/crypto/fips_enabled
MYSERVER pluto[8607]: LEAK_DETECTIVE support [disabled]
MYSERVER pluto[8607]: OCF support for IKE [disabled]
MYSERVER pluto[8607]: SAref support [disabled]: Protocol not available
MYSERVER pluto[8607]: SAbind support [disabled]: Protocol not available
MYSERVER pluto[8607]: NSS support [enabled]
MYSERVER pluto[8607]: HAVE_STATSD notification support not compiled in
MYSERVER pluto[8607]: Setting NAT-Traversal port-4500 floating to off
MYSERVER pluto[8607]:    port floating activation criteria nat_t=0/port_float=1
MYSERVER pluto[8607]:    NAT-Traversal support  [disabled]
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
MYSERVER pluto[8607]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
MYSERVER pluto[8607]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
MYSERVER pluto[8607]: starting up 7 cryptographic helpers
MYSERVER pluto[8607]: started helper (thread) pid=47968782256448 (fd:10)
MYSERVER pluto[8607]: started helper (thread) pid=47968792754496 (fd:12)
MYSERVER pluto[8607]: started helper (thread) pid=47968803252544 (fd:14)
MYSERVER pluto[8607]: started helper (thread) pid=47968813750592 (fd:16)
MYSERVER pluto[8607]: started helper (thread) pid=47968824240448 (fd:18)
MYSERVER pluto[8607]: started helper (thread) pid=47968834746688 (fd:20)
MYSERVER pluto[8607]: started helper (thread) pid=47968845244736 (fd:22)
MYSERVER pluto[8607]: Using Linux 2.6 IPsec interface code on 2.6.18-194.el5 (experimental code)
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
MYSERVER pluto[8607]: ike_alg_add(): ERROR: Algorithm already exists
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
MYSERVER pluto[8607]: ike_alg_add(): ERROR: Algorithm already exists
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
MYSERVER pluto[8607]: ike_alg_add(): ERROR: Algorithm already exists
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
MYSERVER pluto[8607]: ike_alg_add(): ERROR: Algorithm already exists
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
MYSERVER pluto[8607]: ike_alg_add(): ERROR: Algorithm already exists
MYSERVER pluto[8607]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
MYSERVER pluto[8607]: Could not change to directory '/etc/ipsec.d/cacerts': /
MYSERVER pluto[8607]: Could not change to directory '/etc/ipsec.d/aacerts': /
MYSERVER pluto[8607]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
MYSERVER pluto[8607]: Could not change to directory '/etc/ipsec.d/crls'
MYSERVER pluto[8607]: | selinux support is NOT enabled. 
MYSERVER pluto[8607]: Non-fips mode set in /proc/sys/crypto/fips_enabled
MYSERVER pluto[8607]: Non-fips mode set in /proc/sys/crypto/fips_enabled
MYSERVER pluto[8607]: added connection description "connVPNxxx"
MYSERVER pluto[8607]: Non-fips mode set in /proc/sys/crypto/fips_enabled
MYSERVER pluto[8607]: Non-fips mode set in /proc/sys/crypto/fips_enabled
MYSERVER pluto[8607]: added connection description "connVPNxxx"
MYSERVER pluto[8607]: "connVPNxxx": terminating SAs using this connection
MYSERVER pluto[8607]: "connVPNxxx": terminating SAs using this connection
MYSERVER pluto[8607]: Non-fips mode set in /proc/sys/crypto/fips_enabled
MYSERVER pluto[8607]: added connection description "connVPNxxx"
MYSERVER pluto[8607]: listening for IKE messages
MYSERVER pluto[8607]: adding interface virbr0/virbr0 xx.xx.xx.xx:500
MYSERVER pluto[8607]: adding interface eth1:0/eth1:0 xx.xx.xx.xx:500
MYSERVER pluto[8607]: adding interface eth1/eth1 xx.xx.xx.xx:500
MYSERVER pluto[8607]: adding interface eth0:1/eth0:1 xx.xx.xx.xx:500
MYSERVER pluto[8607]: adding interface eth0:0/eth0:0 xx.xx.xx.xx:500
MYSERVER pluto[8607]: adding interface eth0/eth0 xx.xx.xx.xx:500
MYSERVER pluto[8607]: adding interface lo/lo xx.xx.xx.xx:500
MYSERVER pluto[8607]: adding interface lo/lo ::1:500
MYSERVER pluto[8607]: loading secrets from "/etc/ipsec.secrets"
MYSERVER pluto[8607]: "/etc/ipsec.secrets" line 14: CKAIDNSS keyword not found where expected in RSA key
MYSERVER pluto[8607]: "connVPNxxx": terminating SAs using this connection
MYSERVER pluto[8607]: "connVPNxxx" #1: initiating Main Mode
MYSERVER pluto[8607]: "connVPNxxx" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:0 to xx.xx.xx.xx:17630 proto=6 state: fos_start because: acquire
MYSERVER pluto[8607]: "connVPNxxx" #2: initiating Main Mode
MYSERVER pluto[8607]: "connVPNxxx" #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_I1
MYSERVER pluto[8607]: "connVPNxxx" #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_I1
MYSERVER pluto[8607]: "connVPNxxx" #2: ignoring Vendor ID payload [FRAGMENTATION c0000000]
MYSERVER pluto[8607]: "connVPNxxx" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
MYSERVER pluto[8607]: "connVPNxxx" #1: STATE_MAIN_I2: sent MI2, expecting MR2
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:0 to xx.xx.xx.xx:61954 proto=6 state: fos_start because: acquire
MYSERVER pluto[8607]: "connVPNxxx" #1: discarding duplicate packet; already STATE_MAIN_I2
MYSERVER pluto[8607]: "connVPNxxx" #2: discarding packet received during asynchronous work (DNS or crypto) in STATE_MAIN_I1
MYSERVER pluto[8607]: "connVPNxxx" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
MYSERVER pluto[8607]: "connVPNxxx" #2: STATE_MAIN_I2: sent MI2, expecting MR2
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:0 to xx.xx.xx.xx:17630 proto=6 state: fos_start because: acquire
MYSERVER pluto[8607]: "connVPNxxx" #1: ignoring informational payload, type INVALID_COOKIE msgid=00000000
MYSERVER pluto[8607]: "connVPNxxx" #1: received and ignored informational message
MYSERVER pluto[8607]: "connVPNxxx" #2: discarding duplicate packet; already STATE_MAIN_I2
MYSERVER pluto[8607]: "connVPNxxx" #3: initiating Main Mode
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:0 to xx.xx.xx.xx:17630 proto=6 state: fos_start because: acquire
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:34682 to xx.xx.xx.xx:1025 proto=17 state: fos_start because: acquire
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:0 to xx.xx.xx.xx:61954 proto=6 state: fos_start because: acquire
MYSERVER pluto[8607]: "connVPNxxx" #1: ignoring informational payload, type INVALID_COOKIE msgid=00000000
MYSERVER pluto[8607]: "connVPNxxx" #1: received and ignored informational message
MYSERVER pluto[8607]: "connVPNxxx" #2: discarding duplicate packet; already STATE_MAIN_I2
MYSERVER pluto[8607]: "connVPNxxx" #1: max number of retransmissions (2) reached STATE_MAIN_I2
MYSERVER pluto[8607]: "connVPNxxx" #1: starting keying attempt 2 of an unlimited number, but releasing whack
MYSERVER pluto[8607]: "connVPNxxx" #4: initiating Main Mode to replace #1
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:0 to xx.xx.xx.xx:17630 proto=6 state: fos_start because: acquire
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:34682 to xx.xx.xx.xx:1025 proto=17 state: fos_start because: acquire
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:0 to xx.xx.xx.xx:17630 proto=6 state: fos_start because: acquire
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:0 to xx.xx.xx.xx:61954 proto=6 state: fos_start because: acquire
MYSERVER pluto[8607]: initiate on demand from xx.xx.xx.xx:34682 to xx.xx.xx.xx:1025 proto=17 state: fos_start because: acquire
MYSERVER pluto[8607]: packet from xx.xx.xx.xx:500: ignoring informational payload, type INVALID_COOKIE on st==NULL (deleted?)
MYSERVER pluto[8607]: packet from xx.xx.xx.xx:500: received and ignored informational message
MYSERVER pluto[8607]: "connVPNxxx" #2: ignoring informational payload, type INVALID_COOKIE msgid=00000000
MYSERVER pluto[8607]: "connVPNxxx" #2: received and ignored informational message
MYSERVER pluto[8607]: "connVPNxxx" #2: max number of retransmissions (2) reached STATE_MAIN_I2
MYSERVER pluto[8607]: "connVPNxxx" #2: starting keying attempt 2 of an unlimited number
MYSERVER pluto[8607]: "connVPNxxx" #5: initiating Main Mode to replace #2
MYSERVER pluto[8607]: packet from xx.xx.xx.xx:500: ignoring informational payload, type INVALID_COOKIE on st==NULL (deleted?)
MYSERVER pluto[8607]: packet from xx.xx.xx.xx:500: received and ignored informational message
MYSERVER pluto[8607]: shutting down
MYSERVER pluto[8607]: forgetting secrets
MYSERVER pluto[8607]: "connVPNxxx": deleting connection
MYSERVER pluto[8607]: "connVPNxxx" #3: deleting state (STATE_MAIN_I1)
MYSERVER pluto[8607]: "connVPNxxx": deleting connection
MYSERVER pluto[8607]: "connVPNxxx" #4: deleting state (STATE_MAIN_I1)
MYSERVER pluto[8607]: "connVPNxxx": deleting connection
MYSERVER pluto[8607]: "connVPNxxx" #5: deleting state (STATE_MAIN_I1)
MYSERVER pluto[8607]: shutting down interface lo/lo ::1:500
MYSERVER pluto[8607]: shutting down interface lo/lo xx.xx.xx.xx:500
MYSERVER pluto[8607]: shutting down interface eth0/eth0 xx.xx.xx.xx:500
MYSERVER pluto[8607]: shutting down interface eth0:0/eth0:0 xx.xx.xx.xx:500
MYSERVER pluto[8607]: shutting down interface eth0:1/eth0:1 xx.xx.xx.xx:500
MYSERVER pluto[8607]: shutting down interface eth1/eth1 xx.xx.xx.xx:500
MYSERVER pluto[8607]: shutting down interface eth1:0/eth1:0 xx.xx.xx.xx:500
MYSERVER pluto[8607]: shutting down interface virbr0/virbr0 xx.xx.xx.xx:500

The ipsec.conf:

/etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
# Manual:     ipsec.conf.5

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
####### forwardcontrol=yes
####### virtual_private=%v4:xx.xx.xx/8,%v4:xx.xx.xx/16,%v4:xx.xx.xx/12

conn connVPNxxx1

conn connVPNxxx2
##20-11-2014 leftnexthop=%direct
##20-11-2014 rightnexthop=%direct

conn vpnxxx3
##20-11-2014  leftnexthop=%direct
##20-11-2014 rightnexthop=%direct
  • 9,145
  • 2
  • 40
  • 44
  • 36
  • 5
  • 2
    I get the feeling your ancient kernel may be to blame ... `Using Linux 2.6 IPsec interface code on 2.6.18-194.el5 (experimental code)` – Nathan C Dec 08 '14 at 16:28
  • It could be that, but that means it will work just fine in a newer system like RHEL6? – Alonimus Dec 08 '14 at 19:03
  • Possibly. I believe the 3.x kernel was backported to RHEL5, so take a look at that too. – Nathan C Dec 08 '14 at 19:10

0 Answers0