Vpn

Openswan does not send packets to the new IP after DPD

  • June 10, 2014

I have configured a tunnel with DDNS. After the device reboots, the other end does not send packets to the new IP address (even though I set dpdaction=restart). I am using openswan 2.6.38.

Here is my configuration:

config setup
nat_traversal=yes
oe=off
protostack=netkey

conn netgeniepassthrough
left=10.1.1.1
right=0.0.0.0
leftsubnet=10.1.1.0/24
rightsubnet=10.1.1.0/24
authby=never
type=passthrough
auto=route

conn netgenie
right=CXYZ-HHYZ-AXYZ-A010.ddns.netgenie.net
rightsubnet=192.168.1.0/24
left=115.240.29.236
leftsubnet=10.1.1.0/24
leftnexthop=220.224.141.129
leftupdown="ipsec _updown --route yes"
auto=start
leftid=@DEMO-VDSL-DEMO-0035.ddns.netgenie.net
rightid=@CXYZ-HHYZ-AXYZ-A010.ddns.netgenie.net
#x_rightdynamic=yes
authby=secret
compress=no
failureshunt=drop
dpddelay=15
dpdtimeout=60
dpdaction=restart
pfs=yes
ike=aes128-md5-modp1024,aes192-md5-modp1024,aes256-md5-modp1024,aes128-sha1-modp1024,aes192-sha1-modp1024,aes256-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024,aes128-md5-modp1536,aes192-md5-modp1536,aes256-md5-modp1536,aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536,3des-md5-modp1536,3des-sha1-modp1536,aes128-md5-modp2048,aes192-md5-modp2048,aes256-md5-modp2048,aes128-sha1-modp2048,aes192-sha1-modp2048,aes256-sha1-modp2048,3des-md5-modp2048,3des-sha1-modp2048
esp=aes128-md5,aes192-md5,aes256-md5,aes128-sha1,aes192-sha1,aes256-sha1,3des-md5,3des-sha1

Here is the log file:

Jan  1 05:30:49 (none) daemon.err ipsec_setup: Starting Openswan IPsec U2.6.38/K...
Jan  1 05:30:49 (none) daemon.err ipsec_setup: Using NETKEY(XFRM) stack
Jan  1 05:30:50 (none) authpriv.err ipsec__plutorun: Starting Pluto subsystem...
Jan  1 05:30:50 (none) daemon.err ipsec_setup: ...Openswan IPsec started
Jan  1 05:30:50 (none) user.warn syslog: adjusting ipsec.d to /etc/ipsec.d
Jan  1 05:30:50 (none) authpriv.warn pluto[2108]: LEAK_DETECTIVE support [disabled]
Jan  1 05:30:50 (none) authpriv.warn pluto[2108]: OCF support for IKE [disabled]
Jan  1 05:30:50 (none) authpriv.warn pluto[2108]: SAref support [disabled]: Protocol not available
Jan  1 05:30:50 (none) authpriv.warn pluto[2108]: SAbind support [disabled]: Protocol not available
Jan  1 05:30:50 (none) authpriv.warn pluto[2108]: NSS support [disabled]
Jan  1 05:30:50 (none) daemon.err ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Jan  1 05:30:50 (none) authpriv.warn pluto[2108]: HAVE_STATSD notification support not compiled in
Jan  1 05:30:50 (none) authpriv.warn pluto[2108]: Setting NAT-Traversal port-4500 floating to on
Jan  1 05:30:50 (none) authpriv.warn pluto[2108]: port floating activation criteria nat_t=1/port_float=1
Jan  1 05:30:50 (none) authpriv.warn pluto[2108]: NAT-Traversal support  [enabled]
Jan  1 05:30:50 (none) authpriv.warn pluto[2108]: using /dev/urandom as source of random entropy
Jan  1 05:30:50 (none) authpriv.warn pluto[2108]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jan  1 05:30:50 (none) authpriv.warn pluto[2108]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Jan  1 05:30:50 (none) authpriv.warn pluto[2108]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Jan  1 05:30:50 (none) authpriv.warn pluto[2108]: starting up 1 cryptographic helpers
Jan  1 05:30:50 (none) authpriv.warn pluto[2108]: started helper pid=2113 (fd:6)
Jan  1 05:30:50 (none) authpriv.warn pluto[2113]: using /dev/urandom as source of random entropy
Jan  1 05:30:50 (none) authpriv.warn pluto[2108]: Using Linux 2.6 IPsec interface code on 2.6.30 (experimental code)
Jan  1 05:30:50 (none) authpriv.warn pluto[2108]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Jan  1 05:30:50 (none) authpriv.warn pluto[2108]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan  1 05:30:50 (none) authpriv.warn pluto[2108]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Jan  1 05:30:50 (none) authpriv.warn pluto[2108]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan  1 05:30:50 (none) authpriv.warn pluto[2108]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Jan  1 05:30:50 (none) authpriv.warn pluto[2108]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan  1 05:30:50 (none) authpriv.warn pluto[2108]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Jan  1 05:30:50 (none) authpriv.warn pluto[2108]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan  1 05:30:50 (none) authpriv.warn pluto[2108]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Jan  1 05:30:50 (none) authpriv.warn pluto[2108]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan  1 05:30:50 (none) authpriv.warn pluto[2108]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Jan  1 05:30:51 (none) authpriv.warn pluto[2108]: Could not change to directory '/etc/ipsec.d/cacerts': No such file or directory
Jan  1 05:30:51 (none) authpriv.warn pluto[2108]: Could not change to directory '/etc/ipsec.d/aacerts': No such file or directory
Jan  1 05:30:51 (none) authpriv.warn pluto[2108]: Could not change to directory '/etc/ipsec.d/ocspcerts': No such file or directory
Jan  1 05:30:51 (none) authpriv.warn pluto[2108]: Could not change to directory '/etc/ipsec.d/crls': 2 No such file or directory
Jan  1 05:30:51 (none) authpriv.warn pluto[2108]: added connection description "netgeniepassthrough"
Jan  1 05:30:51 (none) daemon.err ipsec__plutorun: 002 added connection description "netgeniepassthrough"
Apr  4 18:12:37 (none) authpriv.warn pluto[2108]: added connection description "netgenie"
Apr  4 18:12:37 (none) daemon.err ipsec__plutorun: 002 added connection description "netgenie"
Apr  4 18:12:37 (none) authpriv.warn pluto[2108]: listening for IKE messages
Apr  4 18:12:37 (none) authpriv.warn pluto[2108]: adding interface ppp0/ppp0 14.99.180.56:500
Apr  4 18:12:37 (none) authpriv.warn pluto[2108]: adding interface ppp0/ppp0 14.99.180.56:4500
Apr  4 18:12:37 (none) authpriv.warn pluto[2108]: adding interface br0/br0 192.168.1.1:500
Apr  4 18:12:37 (none) authpriv.warn pluto[2108]: adding interface br0/br0 192.168.1.1:4500
Apr  4 18:12:37 (none) authpriv.warn pluto[2108]: adding interface lo/lo 127.0.0.1:500
Apr  4 18:12:37 (none) authpriv.warn pluto[2108]: adding interface lo/lo 127.0.0.1:4500
Apr  4 18:12:37 (none) authpriv.warn pluto[2108]: adding interface lo/lo ::1:500
Apr  4 18:12:37 (none) authpriv.warn pluto[2108]: loading secrets from "/etc/ipsec.secrets"
Apr  4 18:12:38 (none) authpriv.warn pluto[2108]: "netgenie": route-client output: Evaluating Route: ip route replace 10.1.1.0/24 via 192.168.1.1 dev br0 
Apr  4 18:12:38 (none) authpriv.warn pluto[2108]: "netgenie" #1: initiating Main Mode
Apr  4 18:12:38 (none) daemon.err ipsec__plutorun: 104 "netgenie" #1: STATE_MAIN_I1: initiate
Apr  4 18:16:01 (none) authpriv.warn pluto[2108]: packet from 115.242.13.228:500: received Vendor ID payload [Openswan (this version) 2.6.38 ]
Apr  4 18:16:01 (none) authpriv.warn pluto[2108]: packet from 115.242.13.228:500: received Vendor ID payload [Dead Peer Detection]
Apr  4 18:16:01 (none) authpriv.warn pluto[2108]: packet from 115.242.13.228:500: received Vendor ID payload [RFC 3947] method set to=115 
Apr  4 18:16:01 (none) authpriv.warn pluto[2108]: packet from 115.242.13.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
Apr  4 18:16:01 (none) authpriv.warn pluto[2108]: packet from 115.242.13.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Apr  4 18:16:01 (none) authpriv.warn pluto[2108]: packet from 115.242.13.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
Apr  4 18:16:01 (none) authpriv.warn pluto[2108]: packet from 115.242.13.228:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Apr  4 18:16:01 (none) authpriv.warn pluto[2108]: "netgenie" #2: responding to Main Mode
Apr  4 18:16:01 (none) authpriv.warn pluto[2108]: "netgenie" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Apr  4 18:16:01 (none) authpriv.warn pluto[2108]: "netgenie" #2: STATE_MAIN_R1: sent MR1, expecting MI2
Apr  4 18:16:03 (none) authpriv.warn pluto[2108]: "netgenie" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
Apr  4 18:16:03 (none) authpriv.warn pluto[2108]: "netgenie" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Apr  4 18:16:03 (none) authpriv.warn pluto[2108]: "netgenie" #2: STATE_MAIN_R2: sent MR2, expecting MI3
Apr  4 18:16:04 (none) authpriv.warn pluto[2108]: "netgenie" #2: Main mode peer ID is ID_FQDN: '@DEMO-VDSL-DEMO-0035.ddns.netgenie.net'
Apr  4 18:16:04 (none) authpriv.warn pluto[2108]: "netgenie" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr  4 18:16:04 (none) authpriv.warn pluto[2108]: "netgenie" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_md5 group=modp1024}
Apr  4 18:16:04 (none) authpriv.warn pluto[2108]: "netgenie" #2: Dead Peer Detection (RFC 3706): enabled
Apr  4 18:16:05 (none) authpriv.warn pluto[2108]: "netgenie" #2: the peer proposed: 192.168.1.0/24:0/0 -> 10.1.1.0/24:0/0
Apr  4 18:16:05 (none) authpriv.warn pluto[2108]: "netgenie" #3: responding to Quick Mode proposal {msgid:80e241b3}
Apr  4 18:16:05 (none) authpriv.warn pluto[2108]: "netgenie" #3: us: 192.168.1.0/24===14.99.180.56<14.99.180.56>[@CXYZ-HHYZ-AXYZ-A010.ddns.netgenie.net]---172.23.130.4
Apr  4 18:16:05 (none) authpriv.warn pluto[2108]: "netgenie" #3: them: 115.242.13.228<DEMO-VDSL-DEMO-0035.ddns.netgenie.net>[@DEMO-VDSL-DEMO-0035.ddns.netgenie.net]===10.1.1.0/24
Apr  4 18:16:05 (none) authpriv.warn pluto[2108]: "netgenie" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Apr  4 18:16:05 (none) authpriv.warn pluto[2108]: "netgenie" #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Apr  4 18:16:07 (none) authpriv.warn pluto[2108]: "netgenie" #3: up-client output: client list: 115.242.13.228,
Apr  4 18:16:07 (none) authpriv.warn pluto[2108]: "netgenie" #3: Dead Peer Detection (RFC 3706): enabled
Apr  4 18:16:07 (none) authpriv.warn pluto[2108]: "netgenie" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Apr  4 18:16:07 (none) authpriv.warn pluto[2108]: "netgenie" #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xec774557 <0xe6ce5933 xfrm=AES_128-HMAC_MD5 NATOA=none NATD=none DPD=enabled}
Apr  4 18:16:37 (none) authpriv.warn pluto[2108]: pending Quick Mode with 115.242.13.228 "netgenie" took too long -- replacing phase 1
Apr  4 18:16:37 (none) authpriv.warn pluto[2108]: "netgenie": terminating SAs using this connection
Apr  4 18:16:37 (none) authpriv.warn pluto[2108]: "netgenie" #3: deleting state (STATE_QUICK_R2)
Apr  4 18:16:37 (none) authpriv.warn pluto[2108]: "netgenie" #3: down-client output: client list: 
Apr  4 18:16:37 (none) authpriv.warn pluto[2108]: "netgenie" #2: deleting state (STATE_MAIN_R3)
Apr  4 18:16:37 (none) authpriv.warn pluto[2108]: "netgenie" #1: deleting state (STATE_MAIN_I1)
Apr  4 18:16:38 (none) authpriv.warn pluto[2108]: "netgenie" #4: initiating Main Mode
Apr  4 18:16:38 (none) authpriv.warn pluto[2108]: packet from 115.242.13.228:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x9ffec71f
Apr  4 18:16:39 (none) authpriv.warn pluto[2108]: "netgenie" #4: received Vendor ID payload [Openswan (this version) 2.6.38 ]
Apr  4 18:16:39 (none) authpriv.warn pluto[2108]: "netgenie" #4: received Vendor ID payload [Dead Peer Detection]
Apr  4 18:16:39 (none) authpriv.warn pluto[2108]: "netgenie" #4: received Vendor ID payload [RFC 3947] method set to=115 
Apr  4 18:16:39 (none) authpriv.warn pluto[2108]: "netgenie" #4: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Apr  4 18:16:39 (none) authpriv.warn pluto[2108]: "netgenie" #4: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Apr  4 18:16:39 (none) authpriv.warn pluto[2108]: "netgenie" #4: STATE_MAIN_I2: sent MI2, expecting MR2
Apr  4 18:16:41 (none) authpriv.warn pluto[2108]: "netgenie" #4: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): no NAT detected
Apr  4 18:16:41 (none) authpriv.warn pluto[2108]: "netgenie" #4: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Apr  4 18:16:41 (none) authpriv.warn pluto[2108]: "netgenie" #4: STATE_MAIN_I3: sent MI3, expecting MR3
Apr  4 18:16:42 (none) authpriv.warn pluto[2108]: "netgenie" #4: received Vendor ID payload [CAN-IKEv2]
Apr  4 18:16:42 (none) authpriv.warn pluto[2108]: "netgenie" #4: Main mode peer ID is ID_FQDN: '@DEMO-VDSL-DEMO-0035.ddns.netgenie.net'
Apr  4 18:16:42 (none) authpriv.warn pluto[2108]: "netgenie" #4: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Apr  4 18:16:42 (none) authpriv.warn pluto[2108]: "netgenie" #4: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_md5 group=modp1024}
Apr  4 18:16:42 (none) authpriv.warn pluto[2108]: "netgenie" #4: Dead Peer Detection (RFC 3706): enabled
Apr  4 18:16:42 (none) authpriv.warn pluto[2108]: "netgenie" #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#4 msgid:62e4e20d proposal=AES(12)_128-MD5(1)_128, AES(12)_192-MD5(1)_128, AES(12)_256-MD5(1)_128, AES(12)_128-SHA1(2)_160, AES(12)_192-SHA1(2)_160, AES(12)_256-SHA1(2)_160, 3DES(3)_192-MD5(1)_128, 3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Apr  4 18:16:49 (none) authpriv.warn pluto[2108]: "netgenie" #4: the peer proposed: 192.168.1.0/24:0/0 -> 10.1.1.0/24:0/0
Apr  4 18:16:49 (none) authpriv.warn pluto[2108]: "netgenie" #6: responding to Quick Mode proposal {msgid:02ec687a}
Apr  4 18:16:49 (none) authpriv.warn pluto[2108]: "netgenie" #6: us: 192.168.1.0/24===14.99.180.56<14.99.180.56>[@CXYZ-HHYZ-AXYZ-A010.ddns.netgenie.net]---172.23.130.4
Apr  4 18:16:49 (none) authpriv.warn pluto[2108]: "netgenie" #6: them: 115.242.13.228<DEMO-VDSL-DEMO-0035.ddns.netgenie.net>[@DEMO-VDSL-DEMO-0035.ddns.netgenie.net]===10.1.1.0/24
Apr  4 18:16:49 (none) authpriv.warn pluto[2108]: "netgenie" #6: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Apr  4 18:16:49 (none) authpriv.warn pluto[2108]: "netgenie" #6: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Apr  4 18:16:50 (none) authpriv.warn pluto[2108]: "netgenie" #6: up-client output: client list: 115.242.13.228,
Apr  4 18:16:51 (none) authpriv.warn pluto[2108]: "netgenie" #6: Dead Peer Detection (RFC 3706): enabled
Apr  4 18:16:51 (none) authpriv.warn pluto[2108]: "netgenie" #6: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Apr  4 18:16:51 (none) authpriv.warn pluto[2108]: "netgenie" #6: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xc3f90f83 <0x4d0cdcda xfrm=AES_128-HMAC_MD5 NATOA=none NATD=none DPD=enabled}
Apr  4 18:16:54 (none) authpriv.warn pluto[2108]: "netgenie" #5: Dead Peer Detection (RFC 3706): enabled
Apr  4 18:16:54 (none) authpriv.warn pluto[2108]: "netgenie" #5: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Apr  4 18:16:54 (none) authpriv.warn pluto[2108]: "netgenie" #5: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xa308fce3 <0x01465495 xfrm=AES_128-HMAC_MD5 NATOA=none NATD=none DPD=enabled}
Apr  4 18:16:55 (none) authpriv.warn pluto[2108]: "netgenie" #4: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xec774557) not found (maybe expired)
Apr  4 18:16:55 (none) authpriv.warn pluto[2108]: "netgenie" #4: received and ignored informational message




Apr  4 18:24:48 (none) authpriv.warn pluto[2108]: "netgenie" #7: initiating Main Mode to replace #4
Apr  4 18:26:03 (none) authpriv.warn pluto[2108]: "netgenie" #4: DPD: No response from peer - declaring peer dead
Apr  4 18:26:03 (none) authpriv.warn pluto[2108]: "netgenie" #4: DPD: Restarting Connection
Apr  4 18:26:03 (none) authpriv.warn pluto[2108]: "netgenie" #6: rekeying state (STATE_QUICK_R2)
Apr  4 18:26:03 (none) authpriv.warn pluto[2108]: "netgenie" #5: rekeying state (STATE_QUICK_I2)
Apr  4 18:26:04 (none) authpriv.warn pluto[2108]: "netgenie" #5: down-client output: client list: 
Apr  4 18:26:04 (none) authpriv.warn pluto[2108]: "netgenie" #7: rekeying state (STATE_MAIN_I1)
Apr  4 18:26:04 (none) authpriv.warn pluto[2108]: "netgenie" #6: rekeying state (STATE_QUICK_R2)
Apr  4 18:26:04 (none) authpriv.warn pluto[2108]: "netgenie" #6: ERROR: netlink response for Del SA esp.c3f90f83@115.242.13.228 included errno 3: No such process
Apr  4 18:26:04 (none) authpriv.warn pluto[2108]: "netgenie" #6: ERROR: netlink response for Del SA esp.4d0cdcda@14.99.180.56 included errno 3: No such process
Apr  4 18:26:04 (none) authpriv.warn pluto[2108]: "netgenie" #5: rekeying state (STATE_QUICK_I2)
Apr  4 18:26:04 (none) authpriv.warn pluto[2108]: "netgenie" #5: ERROR: netlink response for Del SA esp.a308fce3@115.242.13.228 included errno 3: No such process
Apr  4 18:26:04 (none) authpriv.warn pluto[2108]: "netgenie" #5: ERROR: netlink response for Del SA esp.1465495@14.99.180.56 included errno 3: No such process
Apr  4 18:26:04 (none) authpriv.warn pluto[2108]: "netgenie" #7: rekeying state (STATE_MAIN_I1)
Apr  4 18:26:04 (none) authpriv.warn pluto[2108]: "netgenie" #8: initiating Main Mode to replace #4

Apr  4 18:29:55 (none) authpriv.warn pluto[2108]: packet from 115.242.38.205:500: received Vendor ID payload [Openswan (this version) 2.6.38 ]
Apr  4 18:29:55 (none) authpriv.warn pluto[2108]: packet from 115.242.38.205:500: received Vendor ID payload [Dead Peer Detection]
Apr  4 18:29:55 (none) authpriv.warn pluto[2108]: packet from 115.242.38.205:500: received Vendor ID payload [RFC 3947] method set to=115 
Apr  4 18:29:55 (none) authpriv.warn pluto[2108]: packet from 115.242.38.205:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
Apr  4 18:29:55 (none) authpriv.warn pluto[2108]: packet from 115.242.38.205:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Apr  4 18:29:55 (none) authpriv.warn pluto[2108]: packet from 115.242.38.205:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
Apr  4 18:29:55 (none) authpriv.warn pluto[2108]: packet from 115.242.38.205:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Apr  4 18:29:55 (none) authpriv.warn pluto[2108]: packet from 115.242.38.205:500: initial Main Mode message received on 14.99.180.56:500 but no connection has been authorized with policy=PSK
Apr  4 11:30:28 (none) authpriv.warn pluto[2108]: time moved backwards 25167 seconds
Apr  4 11:31:07 (none) authpriv.warn pluto[2108]: "netgenie" #6: ERROR: netlink response for Del SA esp.c3f90f83@115.242.13.228 included errno 3: No such process
Apr  4 11:31:07 (none) authpriv.warn pluto[2108]: "netgenie" #6: ERROR: netlink response for Del SA esp.4d0cdcda@14.99.180.56 included errno 3: No such process
Apr  4 11:31:35 (none) authpriv.warn pluto[2108]: packet from 115.242.38.205:500: received Vendor ID payload [Openswan (this version) 2.6.38 ]
Apr  4 11:31:35 (none) authpriv.warn pluto[2108]: packet from 115.242.38.205:500: received Vendor ID payload [Dead Peer Detection]
Apr  4 11:31:35 (none) authpriv.warn pluto[2108]: packet from 115.242.38.205:500: received Vendor ID payload [RFC 3947] method set to=115 
Apr  4 11:31:35 (none) authpriv.warn pluto[2108]: packet from 115.242.38.205:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
Apr  4 11:31:35 (none) authpriv.warn pluto[2108]: packet from 115.242.38.205:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Apr  4 11:31:35 (none) authpriv.warn pluto[2108]: packet from 115.242.38.205:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
Apr  4 11:31:35 (none) authpriv.warn pluto[2108]: packet from 115.242.38.205:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Apr  4 11:31:35 (none) authpriv.warn pluto[2108]: packet from 115.242.38.205:500: initial Main Mode message received on 14.99.180.56:500 but no connection has been authorized with policy=PSK

Let me know if you need any logs.

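Actually, the problem was on my side. I had two NTP clients running on the machine. On every transaction, the two of them were setting the time to +7 and -7 hours (due to improper time zone settings).

Now the problem is that openswan sets a long time value and compares the system time with this long value to regenerate the DNS query for the domain name. If it gets a new IP address, it will send the initiate packet to the new IP address.

In my case, the system time was changed to -7 hours (by the other NTP client). So openswan would react after 7 hours (due to this condition).

I finally got it by digging into the code. Thanks.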
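A check for the condition described in the answer, as an added example that is not part of the original post: it scans pluto syslog lines for backward clock steps, using both the line timestamps and pluto's own "time moved backwards" message. The sample lines are constructed in the format of the log above (with a documentation IP address), and the year is an assumption because syslog timestamps omit it.

```python
import re
from datetime import datetime, timedelta

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
# "<Mon> <day> <time> <host> <facility.level> pluto[pid]: <message>"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"\S+\s+\S+\s+pluto\[\d+\]:\s+(?P<msg>.*)$")
BACKWARDS_RE = re.compile(r"time moved backwards (\d+) seconds")

# Constructed sample lines, modelled on the log format shown in the question.
SAMPLE_LOG = """\
Apr  4 18:26:04 (none) authpriv.warn pluto[2108]: "netgenie" #8: initiating Main Mode to replace #4
Apr  4 18:29:55 (none) authpriv.warn pluto[2108]: packet from 192.0.2.10:500: received Vendor ID payload [Dead Peer Detection]
Apr  4 11:30:28 (none) authpriv.warn pluto[2108]: time moved backwards 25167 seconds
Apr  4 11:31:35 (none) authpriv.warn pluto[2108]: packet from 192.0.2.10:500: received Vendor ID payload [Dead Peer Detection]
"""

def parse_line(line, year):
    """Return (timestamp, message) for a pluto line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m or m.group("mon") not in MONTHS:
        return None
    hour, minute, second = map(int, m.group("time").split(":"))
    try:
        ts = datetime(year, MONTHS[m.group("mon")], int(m.group("day")),
                      hour, minute, second)
    except ValueError:          # e.g. an impossible day of month
        return None
    return ts, m.group("msg")

def find_clock_regressions(lines, year=2014, tolerance=timedelta(seconds=2)):
    """List every point where the wall clock stepped backwards in the log."""
    findings, prev = [], None
    for lineno, line in enumerate(lines, start=1):
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, msg = parsed
        # Dec -> Jan looks like a huge backward step; treat it as a new year.
        if prev is not None and prev - ts > timedelta(days=300):
            year += 1
            ts = ts.replace(year=year)
        reported = BACKWARDS_RE.search(msg)
        observed = prev - ts if prev is not None else timedelta(0)
        if observed > tolerance or reported:
            findings.append({
                "line": lineno,
                # Step seen in the timestamps themselves (None if not visible).
                "observed_seconds": int(observed.total_seconds())
                                    if observed > tolerance else None,
                # Step as stated by pluto in its own message, if present.
                "reported_seconds": int(reported.group(1)) if reported else None,
            })
        prev = ts
    return findings

if __name__ == "__main__":
    for f in find_clock_regressions(SAMPLE_LOG.splitlines()):
        print(f"line {f['line']}: clock stepped back "
              f"observed={f['observed_seconds']}s reported={f['reported_seconds']}s")
```

Any wall-clock deadline set before such a step, such as the DNS re-query timer described in the answer, fires late by roughly the size of the step.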

Quoted from: https://serverfault.com/questions/586710