Cisco ASA 5505 and Linux openswan site2site

Unanswered Question
Aug 11th, 2009

Hi, I'm trying to configure a vpn site2site between cisco 5505 and openswan. It seems that the configurations are ok but after the phase 2 succeeded the tunnel goes down... Here is the debug log. Any suggestions will be appreciated!

Aug 11 11:58:26 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, PHASE 1 COMPLETED
Aug 11 11:58:26 [IKEv1]: IP = 192.168.0.67, Keep-alive type for this connection: DPD
Aug 11 11:58:26 [IKEv1 DEBUG]: Group = 192.168.0.67, IP = 192.168.0.67, Starting P1 rekey timer: 2700 seconds.
Aug 11 11:58:32 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, Received remote IP Proxy Subnet data in ID Payload: Address 192.168.132.0, Mask 255.255.255.0, Protocol 0, Port 0
Aug 11 11:58:32 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, Received local IP Proxy Subnet data in ID Payload: Address 192.168.70.0, Mask 255.255.255.0, Protocol 0, Port 0
Aug 11 11:58:32 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, QM IsRekeyed old sa not found by addr
Aug 11 11:58:32 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, Static Crypto Map check, checking map = IPsec_map, seq = 1...
Aug 11 11:58:32 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, Static Crypto Map check, map IPsec_map, seq = 1 is a successful match
Aug 11 11:58:32 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, IKE Remote Peer configured for crypto map: IPsec_map
Aug 11 11:58:32 [IKEv1 DEBUG]: Group = 192.168.0.67, IP = 192.168.0.67, processing IPSec SA payload
Aug 11 11:58:32 [IKEv1 DEBUG]: Group = 192.168.0.67, IP = 192.168.0.67, IPSec SA Proposal # 0, Transform # 0 acceptable Matches global IPSec SA entry # 1
Aug 11 11:58:32 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, IKE: requesting SPI!
Aug 11 11:58:32 [IKEv1 DEBUG]: Group = 192.168.0.67, IP = 192.168.0.67, Transmitting Proxy Id:
Remote subnet: 192.168.132.0 Mask 255.255.255.0 Protocol 0 Port 0
Local subnet: 192.168.70.0 mask 255.255.255.0 Protocol 0 Port 0
Aug 11 11:58:37 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, Security negotiation complete for LAN-to-LAN Group (192.168.0.67) Responder, Inbound SPI = 0xa4313201, Outbound SPI = 0x71309508
Aug 11 11:58:37 [IKEv1 DEBUG]: Group = 192.168.0.67, IP = 192.168.0.67, Starting P2 rekey timer: 27355 seconds.
Aug 11 11:58:37 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, PHASE 2 COMPLETED (msgid=f63e5a21)
Aug 11 11:58:43 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Aug 11 11:58:43 [IKEv1 DEBUG]: Group = 192.168.0.67, IP = 192.168.0.67, IKE Deleting SA: Remote Proxy 192.168.132.0, Local Proxy 192.168.70.0
Aug 11 11:58:43 [IKEv1]: Ignoring msg to mark SA with dsID 208896 dead because SA deleted
Aug 11 11:58:45 [IKEv1]: IP = 192.168.0.67, Received encrypted packet with no matching SA, dropping
Aug 11 11:58:50 [IKEv1]: IP = 192.168.0.67, Received encrypted packet with no matching SA, dropping

slmansfield Tue, 08/11/2009 - 08:04

It looks like the ASA is dropping the connection because it is not getting a "Dead Peer Detection" (DPD) response from the Linux box. My feeling is that the Linux box simply does not use DPD.

I would try disabling DPD on the ASA. The following URL has been very helpful to me in diagnosing VPN problems. I hope it is of help to you.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
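The reasoning in the answer above (phase 2 completes, then six seconds later the ASA deletes the SA because the peer never answered a DPD probe, after which every ESP packet from the peer is dropped as "no matching SA") can be checked mechanically rather than by eye. The following is an added example, not code from the thread or from Cisco: a small Python parser for ASA IKEv1 syslog lines that builds a per-peer timeline and classifies the failure. The sample input is a constructed subset of the log posted in the question plus a constructed healthy counterpart; the year (2009) and the 60-second window are assumptions, since the ASA log carries neither. It generalizes slightly beyond the question by keying everything per peer IP, so it works on a log that mixes several tunnels.

```python
import re
from datetime import datetime

# Constructed sample input: a subset of the ASA IKEv1 debug lines from the
# question above, kept verbatim so the timeline matches what the ASA reported.
SAMPLE_LOG = """\
Aug 11 11:58:26 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, PHASE 1 COMPLETED
Aug 11 11:58:26 [IKEv1]: IP = 192.168.0.67, Keep-alive type for this connection: DPD
Aug 11 11:58:37 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, PHASE 2 COMPLETED (msgid=f63e5a21)
Aug 11 11:58:43 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Aug 11 11:58:43 [IKEv1]: Ignoring msg to mark SA with dsID 208896 dead because SA deleted
Aug 11 11:58:45 [IKEv1]: IP = 192.168.0.67, Received encrypted packet with no matching SA, dropping
Aug 11 11:58:50 [IKEv1]: IP = 192.168.0.67, Received encrypted packet with no matching SA, dropping
"""

# Constructed healthy counterpart: same peer, phase 2 completes and nothing is torn down.
SAMPLE_LOG_OK = """\
Aug 11 12:10:01 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, PHASE 1 COMPLETED
Aug 11 12:10:01 [IKEv1]: IP = 192.168.0.67, Keep-alive type for this connection: DPD
Aug 11 12:10:09 [IKEv1]: Group = 192.168.0.67, IP = 192.168.0.67, PHASE 2 COMPLETED (msgid=0a1b2c3d)
"""

# "Mon DD HH:MM:SS [IKEv1...]: message" is the shape of every line in the posted log.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<src>[^\]]+)\]: (?P<msg>.*)$"
)
PEER_RE = re.compile(r"\bIP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_line(line, year=2009):
    """Split one ASA log line into (timestamp, peer_ip, message).

    Returns None for lines that do not match. The year is absent from the ASA
    timestamp, so the caller supplies it (assumed 2009 here, the thread's date).
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    peer = PEER_RE.search(m.group("msg"))
    return ts, (peer.group("ip") if peer else None), m.group("msg")


def analyze_asa_log(text, year=2009, dpd_window_s=60):
    """Build a per-peer timeline and classify a DPD teardown shortly after phase 2.

    dpd_window_s (assumed 60 s) is how soon after PHASE 2 COMPLETED a
    'lost contact' must appear to be blamed on the peer ignoring DPD probes.
    """
    peers = {}
    for line in text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, ip, msg = parsed
        if ip is None:          # e.g. the "Ignoring msg to mark SA ... dead" line
            continue
        p = peers.setdefault(ip, {
            "keepalive": None, "phase1_completed": None, "phase2_completed": None,
            "dpd_loss": None, "dropped_after_delete": 0,
        })
        if "Keep-alive type for this connection:" in msg:
            p["keepalive"] = msg.rsplit(":", 1)[1].strip()
        elif "PHASE 1 COMPLETED" in msg:
            p["phase1_completed"] = ts
        elif "PHASE 2 COMPLETED" in msg:
            p["phase2_completed"] = ts
        elif "IKE lost contact with remote peer" in msg and p["dpd_loss"] is None:
            p["dpd_loss"] = ts
        elif "no matching SA" in msg and p["dpd_loss"] is not None and ts >= p["dpd_loss"]:
            # ESP still arriving from the peer after the ASA deleted the SA:
            # the peer side thinks the tunnel is up.
            p["dropped_after_delete"] += 1

    for p in peers.values():
        if p["phase2_completed"] is None:
            p["verdict"], p["seconds_after_phase2"] = "phase2_never_completed", None
        elif p["dpd_loss"] is None:
            p["verdict"], p["seconds_after_phase2"] = "no_dpd_loss", None
        else:
            delta = (p["dpd_loss"] - p["phase2_completed"]).total_seconds()
            p["seconds_after_phase2"] = delta
            p["verdict"] = ("dpd_timeout_after_phase2"
                            if 0 <= delta <= dpd_window_s else "dpd_loss_later")
    return peers


if __name__ == "__main__":
    for ip, p in analyze_asa_log(SAMPLE_LOG).items():
        print(ip, p["verdict"], "keepalive:", p["keepalive"],
              "seconds after phase 2:", p["seconds_after_phase2"],
              "packets dropped after delete:", p["dropped_after_delete"])
```

A verdict of dpd_timeout_after_phase2 together with a non-zero dropped_after_delete count is the signature the answer describes: the peer is still sending ESP, so the link is fine, but it is not replying to the ASA's DPD probes. The fix is then on the keepalive side rather than on the crypto or proxy-ID configuration: on the ASA, DPD is set per tunnel group with isakmp keepalive under tunnel-group ... ipsec-attributes, and on openswan the corresponding conn-section options are dpddelay, dpdtimeout and dpdaction, so either disabling it on the ASA as suggested or enabling it on the Linux side makes the two ends agree.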
