[Swan] ipsec SA's up, no traffic routed?
Frank
frank at dio.demon.nl
Tue May 10 15:05:14 UTC 2016
Hi,
I’m trying to set up an IPsec connection from a recent CentOS 7 box to a pfSense with strongSwan (charon), as a test before connecting to a remote Cisco ASA.
SAs seem up.
I can't get traffic to the other side (host on 192.168.211.2 or .12):
192.168.1.0/24===xxx.xxx.39.68<xxx.xxx.39.68>...yyy.yyy.13.34<yyy.yyy.13.34>===192.168.211.0/24
ping 192.168.211.2
PING 192.168.211.2 (192.168.211.2) 56(84) bytes of data.
From xxx.xxx.39.68 icmp_seq=1 Destination Host Unreachable
From xxx.xxx.39.68 icmp_seq=2 Destination Host Unreachable
From xxx.xxx.39.68 icmp_seq=3 Destination Host Unreachable
name.secrets:
: PSK abcdefghij
ipsec.conf:
config setup
    protostack=netkey
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10,%v4:192.168.211.0/24
conn net1
    also=tunnel1
    leftsubnet=192.168.1.0/24
    leftsourceip=192.168.1.2
    rightsubnet=192.168.211.0/24
    rightsourceip=192.168.211.2
    auto=start
conn tunnel1
    left=xxx.xxx.39.68
    right=yyy.yyy.13.34
    authby=secret
    leftid=xxx.xxx.39.68
    ike=aes256-sha256;modp2048
    phase2alg=aes256-sha2_256;modp2048
    salifetime=8h
    ikelifetime=8h
    type=tunnel
    auto=start
ip route:
default via xxx.xxx.39.78 dev eth4
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.2
192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.2
192.168.3.0/24 dev eth3 proto kernel scope link src 192.168.3.2
192.168.211.0/24 dev eth4 scope link src 192.168.1.2
xxx.xxx.39.64/28 dev eth4 proto kernel scope link src xxx.xxx.39.68
ipsec status:
000 interface eth4/eth4 xxx.xxx.39.68 at 4500
000 interface eth4/eth4 xxx.xxx.39.68 at 500
000
000
000 fips mode=disabled;
000 SElinux=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto/, statsbin=unset
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=3.15, pluto_vendorid=OE-Libreswan-3.15
000 nhelpers=-1, uniqueids=yes, perpeerlog=no, shuntlifetime=900s, xfrmlifetime=300s
000 ddos-cookies-treshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 secctx-attr-type=32001
000 myid = (none)
000 debug none
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10, 192.168.211.0/24
....snip....
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,4,64} trans={0,4,6144} attrs={0,4,4096}
000
000 Connection list:
000
000 "net1": 192.168.1.0/24===xxx.xxx.39.68<xxx.xxx.39.68>...yyy.yyy.13.34<yyy.yyy.13.34>===192.168.211.0/24; erouted; eroute owner: #3
000 "net1": oriented; my_ip=192.168.1.2; their_ip=192.168.211.2
000 "net1": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
000 "net1": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "net1": labeled_ipsec:no;
000 "net1": policy_label:unset;
000 "net1": ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "net1": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "net1": sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "net1": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "net1": conn_prio: 24,24; interface: eth4; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "net1": newest ISAKMP SA: #1; newest IPsec SA: #3;
000 "net1": IKE algorithms wanted: AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "net1": IKE algorithms found: AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "net1": IKE algorithm newest: AES_CBC_256-SHA2_256-MODP2048
000 "net1": ESP algorithms wanted: AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "net1": ESP algorithms loaded: AES(12)_256-SHA2_256(5)_000
000 "net1": ESP algorithm newest: AES_256-HMAC_SHA2_256; pfsgroup=MODP2048
000 "tunnel1": xxx.xxx.39.68<xxx.xxx.39.68>...yyy.yyy.13.34<yyy.yyy.13.34>; prospective erouted; eroute owner: #0
000 "tunnel1": oriented; my_ip=unset; their_ip=unset
000 "tunnel1": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
000 "tunnel1": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "tunnel1": labeled_ipsec:no;
000 "tunnel1": policy_label:unset;
000 "tunnel1": ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "tunnel1": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "tunnel1": sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "tunnel1": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "tunnel1": conn_prio: 32,32; interface: eth4; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "tunnel1": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "tunnel1": IKE algorithms wanted: AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
000 "tunnel1": IKE algorithms found: AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
000 "tunnel1": ESP algorithms wanted: AES(12)_256-SHA2_256(5)_000; pfsgroup=MODP2048(14)
000 "tunnel1": ESP algorithms loaded: AES(12)_256-SHA2_256(5)_000
000
000 Total IPsec connections: loaded 2, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #3: "net1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 24758s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #3: "net1" esp.c4b958dc at yyy.yyy.13.34 esp.76871e94 at xxx.xxx.39.68 tun.0 at yyy.yyy.13.34 tun.0 at xxx.xxx.39.68 ref=0 refhim=4294901761 Traffic: ESPout=2KB ESPin=4KB! ESPmax=4194303B
000 #1: "net1":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 24517s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000
pluto.log:
May 10 15:36:27: loading secrets from "/etc/ipsec.d/name.secrets"
May 10 15:36:27: "net1" #1: initiating Main Mode
May 10 15:36:27: "net1" #1: received Vendor ID payload [XAUTH]
May 10 15:36:27: "net1" #1: received Vendor ID payload [Dead Peer Detection]
May 10 15:36:27: "net1" #1: received Vendor ID payload [Cisco-Unity]
May 10 15:36:27: "net1" #1: received Vendor ID payload [FRAGMENTATION 80000000]
May 10 15:36:27: "net1" #1: received Vendor ID payload [RFC 3947]
May 10 15:36:27: "net1" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
May 10 15:36:27: "net1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
May 10 15:36:27: "net1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
May 10 15:36:27: "net1" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
May 10 15:36:27: "net1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
May 10 15:36:27: "net1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
May 10 15:36:27: "net1" #1: Main mode peer ID is ID_IPV4_ADDR: 'yyy.yyy.13.34'
May 10 15:36:27: "net1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
May 10 15:36:27: "net1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=OAKLEY_SHA2_256 group=MODP2048}
May 10 15:36:27: "tunnel1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:bfa97f53 proposal=AES(12)_256-SHA2_256(5)_000 pfsgroup=OAKLEY_GROUP_MODP2048}
May 10 15:36:27: "net1" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:70ad6cf8 proposal=AES(12)_256-SHA2_256(5)_000 pfsgroup=OAKLEY_GROUP_MODP2048}
May 10 15:36:27: "net1" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=16
May 10 15:36:27: | ISAKMP Notification Payload
May 10 15:36:27: | 00 00 00 10 00 00 00 01 03 04 00 12
May 10 15:36:27: "net1" #1: received and ignored informational message
May 10 15:36:27: "net1" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May 10 15:36:27: "net1" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xc4b958dc <0x76871e94 xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=none DPD=passive}
May 10 15:36:27: "net1" #1: received 1 malformed payload notifies
May 10 15:36:28: "net1" #1: received 2 malformed payload notifies
May 10 15:36:29: "net1" #1: received 3 malformed payload notifies
May 10 15:36:31: "net1" #1: received 4 malformed payload notifies
May 10 15:36:35: "net1" #1: received 5 malformed payload notifies
May 10 15:36:43: "net1" #1: received 6 malformed payload notifies
May 10 15:36:59: "net1" #1: received 7 malformed payload notifies
May 10 15:37:31: "tunnel1" #2: max number of retransmissions (8) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
May 10 15:37:31: "tunnel1" #2: deleting state #2 (STATE_QUICK_I1)
May 10 15:55:24: forgetting secrets
May 10 15:55:24: loading secrets from "/etc/ipsec.secrets"
May 10 15:55:24: loading secrets from "/etc/ipsec.d/name.secrets"
logging on pfSense side:
May 10 15:36:59 charon: 06[NET] sending packet: from yyy.yyy.13.34[500] to xxx.xxx.39.68[500] (92 bytes)
May 10 15:36:59 charon: 06[NET] <con1000|10> sending packet: from yyy.yyy.13.34[500] to xxx.xxx.39.68[500] (92 bytes)
May 10 15:36:59 charon: 06[IKE] QUICK_MODE request with message ID 1400875455 processing failed
May 10 15:36:59 charon: 06[IKE] <con1000|10> QUICK_MODE request with message ID 1400875455 processing failed
May 10 15:36:59 charon: 04[NET] sending packet: from yyy.yyy.13.34[500] to xxx.xxx.39.68[500]
May 10 15:36:59 charon: 04[NET] sending packet: from yyy.yyy.13.34[500] to xxx.xxx.39.68[500]
May 10 15:36:59 charon: 06[MGR] checkin IKE_SA con1000[10]
May 10 15:36:59 charon: 06[MGR] <con1000|10> checkin IKE_SA con1000[10]
May 10 15:36:59 charon: 06[MGR] check-in of IKE_SA successful.
May 10 15:36:59 charon: 06[MGR] <con1000|10> check-in of IKE_SA successful.
May 10 15:37:27 charon: 05[CFG] vici client 2 connected
Anything obvious I'm missing?
thx,
Frank
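An established SA does not by itself mean a given packet gets encrypted: Libreswan only applies a tunnel to packets whose source and destination fall inside the leftsubnet/rightsubnet selectors of an erouted connection whose IPsec SA is up, and everything else follows the ordinary routing table in the clear. The script below is an added example, not code from the post or from the Libreswan project; it parses `ipsec status` output and reports whether a given src/dst pair is covered. The sample status text is constructed from the post's output, with 203.0.113.68 and 198.51.100.34 standing in for the redacted xxx.xxx.39.68 and yyy.yyy.13.34.

```python
import ipaddress
import re
from dataclasses import dataclass

# "ipsec status" topology line: [leftsubnet===]left<id>...right<id>[===rightsubnet]; <eroute>; eroute owner: #N
TOPOLOGY_RE = re.compile(
    r'^000 "(?P<name>[^"]+)": (?:(?P<lsub>[0-9./]+)===)?(?P<lhost>[0-9.]+)<[^>]*>\.\.\.'
    r'(?P<rhost>[0-9.]+)<[^>]*>(?:===(?P<rsub>[0-9./]+))?; (?P<eroute>[^;]*routed); eroute owner: #(?P<owner>\d+)')
STATE_RE = re.compile(r'^000 #(?P<num>\d+): "[^"]+":\d+ STATE_\w+ \((?P<msg>[^)]*)\)')

@dataclass
class Conn:
    left: ipaddress.IPv4Network   # traffic selectors; a bare host address becomes a /32
    right: ipaddress.IPv4Network
    eroute: str                   # "erouted", "prospective erouted", "unrouted", ...
    owner: int                    # IPsec SA number owning the eroute (#0 = none)
    established: bool = False

def parse_status(text):
    """Build {name: Conn} from Libreswan 'ipsec status' output."""
    conns, sa_msgs = {}, {}
    for line in text.splitlines():
        if m := TOPOLOGY_RE.match(line):
            left = ipaddress.ip_network(m['lsub'] or m['lhost'] + '/32', strict=False)
            right = ipaddress.ip_network(m['rsub'] or m['rhost'] + '/32', strict=False)
            conns[m['name']] = Conn(left, right, m['eroute'], int(m['owner']))
        elif m := STATE_RE.match(line):
            sa_msgs[int(m['num'])] = m['msg']
    for c in conns.values():   # an owner number only counts if its state line says the SA is up
        c.established = 'IPsec SA established' in sa_msgs.get(c.owner, '')
    return conns

def check_path(conns, src, dst):
    """Name the connection that would encrypt a src->dst packet, or explain why none does."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, c in conns.items():
        if s in c.left and d in c.right:
            if c.eroute != 'erouted':
                return name, f'selectors match but connection is "{c.eroute}", not erouted'
            if not c.established:
                return name, 'selectors match but the owning IPsec SA is not established'
            return name, f'covered by established IPsec SA #{c.owner}'
    return None, 'no connection selects this src/dst pair; it follows the plain routing table unencrypted'

# Constructed sample modelled on the post; 203.0.113.68 / 198.51.100.34 stand in for xxx.xxx.39.68 / yyy.yyy.13.34
SAMPLE_STATUS = """\
000 "net1": 192.168.1.0/24===203.0.113.68<203.0.113.68>...198.51.100.34<198.51.100.34>===192.168.211.0/24; erouted; eroute owner: #3
000 "tunnel1": 203.0.113.68<203.0.113.68>...198.51.100.34<198.51.100.34>; prospective erouted; eroute owner: #0
000 #3: "net1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 24758s; newest IPSEC
"""
```

On a live box feed it the real output, e.g. `parse_status(subprocess.check_output(['ipsec', 'status'], text=True))`; a ping sourced from the box's public address rather than an address inside leftsubnet is reported as uncovered, while one sourced from 192.168.1.2 is reported as carried by the net1 SA.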