[Swan] ipsec SA's up, no traffic routed?

Frank frank at dio.demon.nl
Tue May 10 15:05:14 UTC 2016


Hi,

I'm trying to set up an IPsec connection from a recent CentOS 7 box to a pfSense with strongSwan (charon), as a test before connecting to a remote Cisco ASA.
SAs seem up.

I can't get traffic to the other side (host on 192.168.211.2 or .12):

192.168.1.0/24===xxx.xxx.39.68<xxx.xxx.39.68>...yyy.yyy.13.34<yyy.yyy.13.34>===192.168.211.0/24


ping 192.168.211.2
PING 192.168.211.2 (192.168.211.2) 56(84) bytes of data.
From xxx.xxx.39.68 icmp_seq=1 Destination Host Unreachable
From xxx.xxx.39.68 icmp_seq=2 Destination Host Unreachable
From xxx.xxx.39.68 icmp_seq=3 Destination Host Unreachable

name.secrets:
: PSK abcdefghij

ipsec.conf:
config setup
      protostack=netkey
      virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10,%v4:192.168.211.0/24

conn net1
     also=tunnel1
     leftsubnet=192.168.1.0/24
     leftsourceip=192.168.1.2
     rightsubnet=192.168.211.0/24
     rightsourceip=192.168.211.2
     auto=start


conn tunnel1
      left=xxx.xxx.39.68
      right=yyy.yyy.13.34
      authby=secret
      leftid=xxx.xxx.39.68
      ike=aes256-sha256;modp2048
      phase2alg=aes256-sha2_256;modp2048
      salifetime=8h
      ikelifetime=8h
      type=tunnel
      auto=start


ip route:
default via xxx.xxx.39.78 dev eth4
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.2
192.168.2.0/24 dev eth2  proto kernel  scope link  src 192.168.2.2
192.168.3.0/24 dev eth3  proto kernel  scope link  src 192.168.3.2
192.168.211.0/24 dev eth4  scope link  src 192.168.1.2
xxx.xxx.39.64/28 dev eth4  proto kernel  scope link  src xxx.xxx.39.68


ipsec status:
000 interface eth4/eth4 xxx.xxx.39.68 at 4500
000 interface eth4/eth4 xxx.xxx.39.68 at 500
000
000
000 fips mode=disabled;
000 SElinux=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto/, statsbin=unset
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=3.15, pluto_vendorid=OE-Libreswan-3.15
000 nhelpers=-1, uniqueids=yes, perpeerlog=no, shuntlifetime=900s, xfrmlifetime=300s
000 ddos-cookies-treshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 secctx-attr-type=32001
000 myid = (none)
000 debug none
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10, 192.168.211.0/24
....snip....
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,4,64} trans={0,4,6144} attrs={0,4,4096}
000
000 Connection list:
000
000 "net1": 192.168.1.0/24===xxx.xxx.39.68<xxx.xxx.39.68>...yyy.yyy.13.34<yyy.yyy.13.34>===192.168.211.0/24; erouted; eroute owner: #3
000 "net1":     oriented; my_ip=192.168.1.2; their_ip=192.168.211.2
000 "net1":   xauth info: us:none, them:none,  my_xauthuser=[any]; their_xauthuser=[any]
000 "net1":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "net1":   labeled_ipsec:no;
000 "net1":   policy_label:unset;
000 "net1":   ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "net1":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "net1":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "net1":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "net1":   conn_prio: 24,24; interface: eth4; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "net1":   newest ISAKMP SA: #1; newest IPsec SA: #3;
000 "net1":   IKE algorithms wanted: AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "net1":   IKE algorithms found:  AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "net1":   IKE algorithm newest: AES_CBC_256-SHA2_256-MODP2048
000 "net1":   ESP algorithms wanted: AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "net1":   ESP algorithms loaded: AES(12)_256-SHA2_256(5)_000
000 "net1":   ESP algorithm newest: AES_256-HMAC_SHA2_256; pfsgroup=MODP2048
000 "tunnel1": xxx.xxx.39.68<xxx.xxx.39.68>...yyy.yyy.13.34<yyy.yyy.13.34>; prospective erouted; eroute owner: #0
000 "tunnel1":     oriented; my_ip=unset; their_ip=unset
000 "tunnel1":   xauth info: us:none, them:none,  my_xauthuser=[any]; their_xauthuser=[any]
000 "tunnel1":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "tunnel1":   labeled_ipsec:no;
000 "tunnel1":   policy_label:unset;
000 "tunnel1":   ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "tunnel1":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "tunnel1":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "tunnel1":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "tunnel1":   conn_prio: 32,32; interface: eth4; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "tunnel1":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "tunnel1":   IKE algorithms wanted: AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "tunnel1":   IKE algorithms found:  AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "tunnel1":   ESP algorithms wanted: AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "tunnel1":   ESP algorithms loaded: AES(12)_256-SHA2_256(5)_000
000
000 Total IPsec connections: loaded 2, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #3: "net1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 24758s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #3: "net1" esp.c4b958dc at yyy.yyy.13.34 esp.76871e94 at xxx.xxx.39.68 tun.0 at yyy.yyy.13.34 tun.0 at xxx.xxx.39.68 ref=0 refhim=4294901761 Traffic: ESPout=2KB ESPin=4KB! ESPmax=4194303B
000 #1: "net1":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 24517s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000  


pluto.log:
May 10 15:36:27: loading secrets from "/etc/ipsec.d/name.secrets"
May 10 15:36:27: "net1" #1: initiating Main Mode
May 10 15:36:27: "net1" #1: received Vendor ID payload [XAUTH]
May 10 15:36:27: "net1" #1: received Vendor ID payload [Dead Peer Detection]
May 10 15:36:27: "net1" #1: received Vendor ID payload [Cisco-Unity]
May 10 15:36:27: "net1" #1: received Vendor ID payload [FRAGMENTATION 80000000]
May 10 15:36:27: "net1" #1: received Vendor ID payload [RFC 3947]
May 10 15:36:27: "net1" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
May 10 15:36:27: "net1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 10 15:36:27: "net1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
May 10 15:36:27: "net1" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
May 10 15:36:27: "net1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 10 15:36:27: "net1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
May 10 15:36:27: "net1" #1: Main mode peer ID is ID_IPV4_ADDR: 'yyy.yyy.13.34'
May 10 15:36:27: "net1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May 10 15:36:27: "net1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=OAKLEY_SHA2_256 group=MODP2048}
May 10 15:36:27: "tunnel1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:bfa97f53 proposal=AES(12)_256-SHA2_256(5)_000 pfsgroup=OAKLEY_GROUP_MODP2048}
May 10 15:36:27: "net1" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:70ad6cf8 proposal=AES(12)_256-SHA2_256(5)_000 pfsgroup=OAKLEY_GROUP_MODP2048}
May 10 15:36:27: "net1" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=16
May 10 15:36:27: | ISAKMP Notification Payload
May 10 15:36:27: |   00 00 00 10  00 00 00 01  03 04 00 12
May 10 15:36:27: "net1" #1: received and ignored informational message
May 10 15:36:27: "net1" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May 10 15:36:27: "net1" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xc4b958dc <0x76871e94 xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=none DPD=passive}
May 10 15:36:27: "net1" #1: received 1 malformed payload notifies
May 10 15:36:28: "net1" #1: received 2 malformed payload notifies
May 10 15:36:29: "net1" #1: received 3 malformed payload notifies
May 10 15:36:31: "net1" #1: received 4 malformed payload notifies
May 10 15:36:35: "net1" #1: received 5 malformed payload notifies
May 10 15:36:43: "net1" #1: received 6 malformed payload notifies
May 10 15:36:59: "net1" #1: received 7 malformed payload notifies
May 10 15:37:31: "tunnel1" #2: max number of retransmissions (8) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
May 10 15:37:31: "tunnel1" #2: deleting state #2 (STATE_QUICK_I1)
May 10 15:55:24: forgetting secrets
May 10 15:55:24: loading secrets from "/etc/ipsec.secrets"
May 10 15:55:24: loading secrets from "/etc/ipsec.d/name.secrets" 


logging on pfSense side:

May 10 15:36:59   charon: 06[NET] sending packet: from yyy.yyy.13.34[500] to xxx.xxx.39.68[500] (92 bytes)
May 10 15:36:59   charon: 06[NET] <con1000|10> sending packet: from yyy.yyy.13.34[500] to xxx.xxx.39.68[500] (92 bytes)
May 10 15:36:59   charon: 06[IKE] QUICK_MODE request with message ID 1400875455 processing failed
May 10 15:36:59   charon: 06[IKE] <con1000|10> QUICK_MODE request with message ID 1400875455 processing failed
May 10 15:36:59   charon: 04[NET] sending packet: from yyy.yyy.13.34[500] to xxx.xxx.39.68[500]
May 10 15:36:59   charon: 04[NET] sending packet: from yyy.yyy.13.34[500] to xxx.xxx.39.68[500]
May 10 15:36:59   charon: 06[MGR] checkin IKE_SA con1000[10]
May 10 15:36:59   charon: 06[MGR] <con1000|10> checkin IKE_SA con1000[10]
May 10 15:36:59   charon: 06[MGR] check-in of IKE_SA successful.
May 10 15:36:59   charon: 06[MGR] <con1000|10> check-in of IKE_SA successful.
May 10 15:37:27   charon: 05[CFG] vici client 2 connected

Anything obvious I'm missing?

thx,

Frank
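The `ipsec status` and pluto.log excerpts above contain the two things worth cross-checking when SAs are up but nothing flows: which conn actually carries subnet selectors (and an IPsec SA), and whether the packets you are sending fall inside those selectors at all. The script below is an added example, not part of the original post or of Libreswan; it parses the quoted status and log lines (embedded here as a constructed sample, with the xxx/yyy placeholders left in place) and reports, per conn, its selectors, its newest IPsec SA, and any Quick Mode failure or malformed-payload notifies seen in the log. `check_path` then tells you whether a given source/destination pair is covered by an established tunnel.

```python
"""Summarise Libreswan `ipsec status` and pluto.log output: which conns carry
subnet selectors, which have an IPsec SA, and whether a src/dst pair is covered.
Added example; the sample lines are constructed from the post above."""
import ipaddress
import re

# Constructed sample: the relevant lines from the quoted `ipsec status` output.
STATUS_SAMPLE = """\
000 "net1": 192.168.1.0/24===xxx.xxx.39.68<xxx.xxx.39.68>...yyy.yyy.13.34<yyy.yyy.13.34>===192.168.211.0/24; erouted; eroute owner: #3
000 "net1":   newest ISAKMP SA: #1; newest IPsec SA: #3;
000 "tunnel1": xxx.xxx.39.68<xxx.xxx.39.68>...yyy.yyy.13.34<yyy.yyy.13.34>; prospective erouted; eroute owner: #0
000 "tunnel1":   newest ISAKMP SA: #0; newest IPsec SA: #0;
"""

# Constructed sample: the relevant lines from the quoted pluto.log.
PLUTO_LOG_SAMPLE = """\
May 10 15:36:27: "net1" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=16
May 10 15:36:27: "net1" #1: received 1 malformed payload notifies
May 10 15:36:59: "net1" #1: received 7 malformed payload notifies
May 10 15:37:31: "tunnel1" #2: max number of retransmissions (8) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

CONN_LINE = re.compile(r'^000 "(?P<name>[^"]+)": (?P<body>.*)$')
# leftsubnet===...===rightsubnet; only present for subnet-to-subnet conns.
SUBNET_LINE = re.compile(r'^(?P<left>[\w:.]+/\d+)===.*?===(?P<right>[\w:.]+/\d+);')
SA_LINE = re.compile(r'newest IPsec SA: #(?P<sa>\d+);')
LOG_LINE = re.compile(r'^\w{3} \d+ [\d:]+: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
MALFORMED = re.compile(r'received (\d+) malformed payload notifies')


def parse_status(text):
    """Map conn name -> {'left': net|None, 'right': net|None, 'ipsec_sa': int}."""
    conns = {}
    for line in text.splitlines():
        m = CONN_LINE.match(line)
        if not m:
            continue
        body = m.group('body').strip()
        entry = conns.setdefault(m.group('name'),
                                 {'left': None, 'right': None, 'ipsec_sa': 0})
        sm = SUBNET_LINE.match(body)
        if sm:
            entry['left'] = ipaddress.ip_network(sm.group('left'))
            entry['right'] = ipaddress.ip_network(sm.group('right'))
        sa = SA_LINE.search(body)
        if sa:
            entry['ipsec_sa'] = int(sa.group('sa'))   # 0 means no IPsec SA
    return conns


def parse_pluto_log(text):
    """Map conn name -> counters for the failure indicators seen in pluto.log."""
    out = {}
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        e = out.setdefault(m.group('conn'), {'malformed_notifies': 0,
                                             'quick_mode_failed': False,
                                             'invalid_id': False})
        msg = m.group('msg')
        mm = MALFORMED.search(msg)
        if mm:
            e['malformed_notifies'] = max(e['malformed_notifies'], int(mm.group(1)))
        if 'No acceptable response to our first Quick Mode message' in msg:
            e['quick_mode_failed'] = True
        if 'INVALID_ID_INFORMATION' in msg:
            e['invalid_id'] = True
    return out


def check_path(conns, src, dst):
    """(conn, True) if a conn's selectors cover src->dst and it has an IPsec SA,
    (conn, False) if covered but no SA yet, (None, False) if nothing covers it."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, e in conns.items():
        if e['left'] and e['right'] and src in e['left'] and dst in e['right']:
            return name, bool(e['ipsec_sa'])
    return None, False


def summarise(conns, log):
    """One human-readable line per conn."""
    lines = []
    for name, e in conns.items():
        sel = f"{e['left']} <-> {e['right']}" if e['left'] else 'host-to-host (no subnets)'
        sa = f"IPsec SA #{e['ipsec_sa']}" if e['ipsec_sa'] else 'no IPsec SA'
        notes = []
        l = log.get(name, {})
        if l.get('quick_mode_failed'):
            notes.append('Quick Mode failed')
        if l.get('malformed_notifies'):
            notes.append(f"{l['malformed_notifies']} malformed-payload notifies")
        lines.append(f"{name}: {sel}; {sa}" + (f"; {', '.join(notes)}" if notes else ''))
    return lines


def report():
    """Run both parsers over the constructed samples."""
    return summarise(parse_status(STATUS_SAMPLE), parse_pluto_log(PLUTO_LOG_SAMPLE))


if __name__ == '__main__':
    for line in report():
        print(line)
    print(check_path(parse_status(STATUS_SAMPLE), '192.168.1.2', '192.168.211.2'))
```

On a real box, feed it `ipsec status` and the pluto log instead of the samples. The point of `check_path` is that a kernel policy only applies to packets whose source and destination both sit inside the conn's selectors; a ping whose source address is picked from the outer interface rather than from leftsubnet will never match the policy, so testing with an explicit inner source (`ping -I <leftsubnet address>`) and comparing against `ip xfrm policy` counters is the quickest way to separate "SA up but policy not hit" from "policy hit but traffic dropped on the far side".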