Late last night I noticed when I got home that I had no access to my office, although both sides indicated that the tunnel was up. Today the problem persists: I have an established tunnel, but no traffic passes. I would like to say this is an issue with the config, but the VPN has been working for some time now. It is just out of the blue that no traffic passes. The other end is Linux/Openswan. Both sides' debug shows nothing of interest, at least from what I can see.
I have now spent a lot of time restarting the connection in hopes the tunnel will just magically re-open, so to speak, with no luck. In the past I have encountered this issue with Openswan where I simply needed to restart ipsec and everything would be fine in a matter of seconds. Now, however, this tunnel just does not want to re-open. Any help will be very much appreciated.
PIX506# show crypto ipsec sa

interface: outside
    Crypto map tag: dyn-map, local addr. 6x.xxx.xxx.xx

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer: 7x.xx.xxx.xxx:500
     PERMIT, flags={}
    #pkts encaps: 15, #pkts encrypt: 15, #pkts digest 15
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 6x.xxx.xxx.xx, remote crypto endpt.: 7x.xx.xxx.xxx
     path mtu 1500, ipsec overhead 72, media mtu 1500
     current outbound spi: 60d76870

     inbound esp sas:
      spi: 0x346bc9b5(879479221)
        transform: esp-aes-256 esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: dyn-map
        sa timing: remaining key lifetime (k/sec): (4608000/86045)
        IV size: 16 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x60d76870(1624729712)
        transform: esp-aes-256 esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: dyn-map
        sa timing: remaining key lifetime (k/sec): (4607998/86045)
        IV size: 16 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

interface: inside
    Crypto map tag: inside_map, local addr. 192.168.1.1

PIX506#

This is what Openswan reports in the log:

May 3 13:28:18 EFW pluto[3733]: "CiscoPIX" #17: initiating Main Mode
May 3 13:28:19 EFW pluto[3733]: "CiscoPIX" #17: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 3 13:28:19 EFW pluto[3733]: "CiscoPIX" #17: STATE_MAIN_I2: sent MI2, expecting MR2
May 3 13:28:19 EFW pluto[3733]: "CiscoPIX" #17: received Vendor ID payload [XAUTH]
May 3 13:28:19 EFW pluto[3733]: "CiscoPIX" #17: received Vendor ID payload [Dead Peer Detection]
May 3 13:28:19 EFW pluto[3733]: "CiscoPIX" #17: received Vendor ID payload [Cisco-Unity]
May 3 13:28:19 EFW pluto[3733]: "CiscoPIX" #17: ignoring unknown Vendor ID payload [16bf097638a31d3aa6e82a198224b924]
May 3 13:28:19 EFW pluto[3733]: "CiscoPIX" #17: I did not send a certificate because I do not have one.
May 3 13:28:19 EFW pluto[3733]: "CiscoPIX" #17: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 3 13:28:19 EFW pluto[3733]: "CiscoPIX" #17: STATE_MAIN_I3: sent MI3, expecting MR3
May 3 13:28:19 EFW pluto[3733]: "CiscoPIX" #17: Main mode peer ID is ID_IPV4_ADDR: '6x.xxx.xxx.xx'
May 3 13:28:19 EFW pluto[3733]: "CiscoPIX" #17: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May 3 13:28:19 EFW pluto[3733]: "CiscoPIX" #17: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
May 3 13:28:19 EFW pluto[3733]: "CiscoPIX" #17: Dead Peer Detection (RFC 3706): enabled
May 3 13:28:19 EFW pluto[3733]: "CiscoPIX" #18: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#17}
May 3 13:28:19 EFW pluto[3733]: "CiscoPIX" #17: ignoring informational payload, type IPSEC_INITIAL_CONTACT
May 3 13:28:19 EFW pluto[3733]: "CiscoPIX" #17: received and ignored informational message
May 3 13:28:19 EFW pluto[3733]: "CiscoPIX" #18: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
May 3 13:28:19 EFW pluto[3733]: "CiscoPIX" #18: Dead Peer Detection (RFC 3706): enabled
May 3 13:28:19 EFW pluto[3733]: "CiscoPIX" #18: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May 3 13:28:19 EFW pluto[3733]: "CiscoPIX" #18: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x18dd0900 0x7255006a
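
An added example, not part of the original post: a small Python parser for `show crypto ipsec sa` output like the one above, which extracts the packet counters and ESP SPIs and reports whether the SA is carrying traffic in both directions. The function names are hypothetical and the sample is constructed from the counters and SPIs shown in the post.

```python
import re

# Constructed sample: a subset of the PIX output quoted in the post.
SAMPLE = """\
interface: outside
    #pkts encaps: 15, #pkts encrypt: 15, #pkts digest 15
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x346bc9b5(879479221)
     outbound esp sas:
      spi: 0x60d76870(1624729712)
"""

# Counters look like "#pkts encaps: 15", "#pkts digest 15" or "#send errors 0".
COUNTER = re.compile(r"#(?:pkts\s+)?([a-z][a-z. ]*?):?\s+(\d+)")
SECTION = re.compile(r"(inbound|outbound) (esp|ah|pcp) sas:")
SPI = re.compile(r"spi: (0x[0-9a-fA-F]+)")


def parse_ipsec_sa(text):
    """Collect counters and per-direction ESP SPIs from one SA block."""
    sa = {"counters": {}, "esp_spi": {}}
    direction = None
    for line in (raw.strip() for raw in text.splitlines()):
        for name, value in COUNTER.findall(line):
            sa["counters"][name] = int(value)
        section = SECTION.match(line)
        if section:
            # Only SPIs listed under an "esp sas" heading are recorded.
            direction = section.group(1) if section.group(2) == "esp" else None
            continue
        spi = SPI.match(line)
        if spi and direction:
            sa["esp_spi"][direction] = spi.group(1).lower()
    return sa


def direction_check(sa):
    """Classify the SA by which way packets have actually been processed."""
    sent = sa["counters"].get("encaps", 0)
    received = sa["counters"].get("decaps", 0)
    if sent and received:
        return "bidirectional"
    if sent:
        return "one-way: outbound only"
    return "one-way: inbound only" if received else "idle"


if __name__ == "__main__":
    parsed = parse_ipsec_sa(SAMPLE)
    print(parsed["esp_spi"], direction_check(parsed))
```
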