[Durham] openswan ipsec issue

Andrew Glass andrewglass3 at gmail.com
Thu Nov 10 00:37:50 UTC 2011


Evening/morning all :)

I've got a little problem with my Openswan IPsec VPN that I run out in France.

Sometimes I get the following messages if I tail the syslog regarding my Openswan startup:

root at zen:/var/log# tail -f syslog
Nov 10 01:19:22 zen ipsec_setup: Starting Openswan IPsec U2.6.28/K2.6.38.2-grsec-xxxx-grs-ipv6-32...
Nov 10 01:19:22 zen ipsec_setup: Using NETKEY(XFRM) stack
Nov 10 01:19:22 zen ipsec_setup: ...Openswan IPsec started
Nov 10 01:19:22 zen ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Nov 10 01:19:22 zen pluto: adjusting ipsec.d to /etc/ipsec.d
Nov 10 01:19:22 zen kernel: init: plymouth-stop pre-start process (3476) terminated with status 1
Nov 10 01:19:22 zen ipsec__plutorun: 002 added connection description "vpnserver"
Nov 10 01:19:22 zen ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T
Nov 10 01:19:22 zen ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Nov 10 01:19:22 zen ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T
Nov 10 01:20:17 zen kernel: init: ssh main process (2739) terminated with status 255
Nov 10 01:20:32 zen ntpdate[3540]: step time server 213.251.128.249 offset -2.310234 sec
Nov 10 01:20:32 zen kernel: grsec: time set by /usr/sbin/ntpdate[ntpdate:3540] uid/euid:0/0 gid/egid:0/0, parent /etc/network/if-up.d/ntpdate[ntpdate:3532] uid/euid:0/0 gid/egid:0/0


This can intermittently prevent me from connecting from home, so I issue this command:

root at zen:/var/log# /etc/init.d/ipsec stop
ipsec_setup: Stopping Openswan IPsec...

Then restart it:

root at zen:/var/log# /etc/init.d/ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.28/K2.6.38.2-grsec-xxxx-grs-ipv6-32...
root at zen:/var/log# 

I can then connect with no problem. I'm wondering if the NAT command I've used in my iptables rules may be to blame?

After opening the various ports for services, I have used the following commands:

# accept replies to flows the server already accepted or initiated itself
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# source-NAT everything leaving via eth0 (VPN clients' traffic) to eth0's address
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# drop all other inbound traffic not accepted by the rules above this one
iptables -A INPUT -j DROP
# clamp the TCP MSS of forwarded SYNs to the path MTU so tunnelled TCP does not stall
iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Have I missed something that you can see? I've also noticed, from the first day of renting this server, that SSH takes a little while to respond to my request to log in. I am using a non-standard port for SSH connections, but I've never had such a slow response to SSH'ing on a non-standard port before. Sometimes it takes up to 20 seconds to respond. Any ideas?

Cheers in advance if you can help, peeps! :) Hopefully I'll see some of you at the meeting this coming week too :)

Best wishes

Andy Glass
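The following is an added example, not part of Andy's post and not Openswan's own code: a small POSIX shell audit that takes an iptables-save style dump of the filter table and reports which IPsec flows (IKE on UDP/500, NAT-T on UDP/4500 and ESP, IP protocol 50) reach an ACCEPT before the unconditional "-A INPUT -j DROP", and which INPUT rules are shadowed because they were appended after it. The point it demonstrates is that -A appends, so an ACCEPT added after the terminal DROP never matches, and the first IKE packet from home is a NEW inbound flow that the RELATED,ESTABLISHED rule does not cover. The sample dump is constructed by hand to mirror the rules in the post, plus an SSH rule on port 2222 and one deliberately mis-ordered IKE rule; the function names, the dump and the port are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit an iptables-save dump of
# the filter table for IPsec reachability and for rules shadowed by the
# unconditional "-A INPUT -j DROP". Feed it `iptables-save -t filter` output
# on a real host; the dump below is constructed for illustration only.

# Constructed sample dump: the poster's rules, an assumed SSH accept on
# port 2222, and an IKE accept appended AFTER the DROP (so it never matches).
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT'

# Print INPUT rules that follow the first unconditional DROP: dead rules.
shadowed_input_rules() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT -j DROP$/ { dead = 1; next }
        dead && /^-A INPUT / { print }
    '
}

# Exit 0 if an ACCEPT for the flow in $2 ("udp 500", "udp 4500" or "esp")
# appears in INPUT before the unconditional DROP, 1 otherwise.
ipsec_rule_reachable() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { found = 0; split(want, w, " ") }
        /^-A INPUT -j DROP$/ { exit }                 # hit the DROP first
        !/^-A INPUT / || !/-j ACCEPT$/ { next }       # only INPUT accepts
        w[1] == "esp" && ($0 ~ /-p esp / || $0 ~ /-p 50 /) { found = 1; exit }
        w[1] != "esp" && $0 ~ ("-p " w[1] " ") && $0 ~ ("--dport " w[2] "( |$)") { found = 1; exit }
        END { exit !found }
    '
}

# Emit the dump with the three IPsec accepts inserted just before the DROP.
with_ipsec_accepts() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT -j DROP$/ && !inserted {
            print "-A INPUT -p udp -m udp --dport 500 -j ACCEPT"
            print "-A INPUT -p udp -m udp --dport 4500 -j ACCEPT"
            print "-A INPUT -p esp -j ACCEPT"
            inserted = 1
        }
        { print }
    '
}

# Report on all three flows and on shadowed rules; the return value is the
# number of IPsec flows that never reach an ACCEPT (0 means the chain is fine).
audit_dump() {
    missing=0
    for flow in "udp 500" "udp 4500" "esp"; do
        if ipsec_rule_reachable "$1" "$flow"; then
            echo "ok       : $flow is accepted before the DROP"
        else
            echo "BLOCKED  : $flow has no ACCEPT before -A INPUT -j DROP"
            missing=$((missing + 1))
        fi
    done
    shadowed_input_rules "$1" | sed 's/^/shadowed : /'
    return $missing
}

if ! audit_dump "$SAMPLE_DUMP"; then
    echo "--- corrected INPUT chain (IPsec accepts placed before the DROP) ---"
    with_ipsec_accepts "$SAMPLE_DUMP" | grep '^-A INPUT'
fi
```

On a real host, replace SAMPLE_DUMP with the output of iptables-save -t filter. If all three flows report ok and nothing is shadowed, rule ordering is not what is intermittently blocking the connection, and the NAT-T messages in the log are the next thing to look at.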

