[Swan] ipsec SA's up, no traffic routed?

Nick Howitt nick at howitts.co.uk
Tue May 10 15:42:14 UTC 2016


Firewall rules?

On 2016-05-10 16:05, Frank wrote:
> Hi,
> 
> I’m trying to setup an ipsec connection from a recent centos7 box to a
> pfSense with strongSwan (charon), as a test before connecting to a
> remote ciscoASA.
> SA's seem up.
> 
> I can't get traffic to the other side (host on 192.168.211.2 or .12):
> 
> 192.168.1.0/24===xxx.xxx.39.68<xxx.xxx.39.68>...yyy.yyy.13.34<yyy.yyy.13.34>===192.168.211.0/24
> 
> 
> ping 192.168.211.2
> PING 192.168.211.2 (192.168.211.2) 56(84) bytes of data.
> From xxx.xxx.39.68 icmp_seq=1 Destination Host Unreachable
> From xxx.xxx.39.68 icmp_seq=2 Destination Host Unreachable
> From xxx.xxx.39.68 icmp_seq=3 Destination Host Unreachable
> 
> name.secrets:
> : PSK abcdefghij
> 
> ipsec.conf:
> config setup
>       protostack=netkey
> 
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10,%v4:192.168.211.0/24
> 
> conn net1
>      also=tunnel1
>      leftsubnet=192.168.1.0/24
>      leftsourceip=192.168.1.2
>      rightsubnet=192.168.211.0/24
>      rightsourceip=192.168.211.2
>      auto=start
> 
> 
> conn tunnel1
>       left=xxx.xxx.39.68
>       right=yyy.yyy.13.34
>       authby=secret
>       leftid=xxx.xxx.39.68
>       ike=aes256-sha256;modp2048
>       phase2alg=aes256-sha2_256;modp2048
>       salifetime=8h
>       ikelifetime=8h
>       type=tunnel
>       auto=start
> 
> 
> ip route:
> default via xxx.xxx.39.78 dev eth4
> 192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.2
> 192.168.2.0/24 dev eth2  proto kernel  scope link  src 192.168.2.2
> 192.168.3.0/24 dev eth3  proto kernel  scope link  src 192.168.3.2
> 192.168.211.0/24 dev eth4  scope link  src 192.168.1.2
> xxx.xxx.39.64/28 dev eth4  proto kernel  scope link  src xxx.xxx.39.68
> 
> 
> ipsec status:
> 000 interface eth4/eth4 xxx.xxx.39.68 at 4500
> 000 interface eth4/eth4 xxx.xxx.39.68 at 500
> 000
> 000
> 000 fips mode=disabled;
> 000 SElinux=disabled
> 000
> 000 config setup options:
> 000
> 000 configdir=/etc, configfile=/etc/ipsec.conf,
> secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d,
> dumpdir=/var/run/pluto/, statsbin=unset
> 000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
> 000 pluto_version=3.15, pluto_vendorid=OE-Libreswan-3.15
> 000 nhelpers=-1, uniqueids=yes, perpeerlog=no, shuntlifetime=900s,
> xfrmlifetime=300s
> 000 ddos-cookies-treshold=50000, ddos-max-halfopen=25000, 
> ddos-mode=auto
> 000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>,
> nflog-all=0
> 000 secctx-attr-type=32001
> 000 myid = (none)
> 000 debug none
> 000
> 000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
> 000 virtual-private (%priv):
> 000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12,
> 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10, 192.168.211.0/24
> ....snip....
> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,4,64}
> trans={0,4,6144} attrs={0,4,4096}
> 000
> 000 Connection list:
> 000
> 000 "net1":
> 192.168.1.0/24===xxx.xxx.39.68<xxx.xxx.39.68>...yyy.yyy.13.34<yyy.yyy.13.34>===192.168.211.0/24;
> erouted; eroute owner: #3
> 000 "net1":     oriented; my_ip=192.168.1.2; their_ip=192.168.211.2
> 000 "net1":   xauth info: us:none, them:none,  my_xauthuser=[any];
> their_xauthuser=[any]
> 000 "net1":   modecfg info: us:none, them:none, modecfg policy:push,
> dns1:unset, dns2:unset, domain:unset, banner:unset;
> 000 "net1":   labeled_ipsec:no;
> 000 "net1":   policy_label:unset;
> 000 "net1":   ike_life: 28800s; ipsec_life: 28800s; rekey_margin:
> 540s; rekey_fuzz: 100%; keyingtries: 0;
> 000 "net1":   retransmit-interval: 500ms; retransmit-timeout: 60s;
> 000 "net1":   sha2_truncbug:no; initial_contact:no; cisco_unity:no;
> send_vendorid:no;
> 000 "net1":   policy:
> PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
> 000 "net1":   conn_prio: 24,24; interface: eth4; metric: 0; mtu:
> unset; sa_prio:auto; nflog-group: unset;
> 000 "net1":   newest ISAKMP SA: #1; newest IPsec SA: #3;
> 000 "net1":   IKE algorithms wanted: 
> AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
> 000 "net1":   IKE algorithms found:  
> AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
> 000 "net1":   IKE algorithm newest: AES_CBC_256-SHA2_256-MODP2048
> 000 "net1":   ESP algorithms wanted: AES(12)_256-SHA2_256(5)_000;
> pfsgroup=MODP2048(14)
> 000 "net1":   ESP algorithms loaded: AES(12)_256-SHA2_256(5)_000
> 000 "net1":   ESP algorithm newest: AES_256-HMAC_SHA2_256; 
> pfsgroup=MODP2048
> 000 "tunnel1":
> xxx.xxx.39.68<xxx.xxx.39.68>...yyy.yyy.13.34<yyy.yyy.13.34>;
> prospective erouted; eroute owner: #0
> 000 "tunnel1":     oriented; my_ip=unset; their_ip=unset
> 000 "tunnel1":   xauth info: us:none, them:none,  my_xauthuser=[any];
> their_xauthuser=[any]
> 000 "tunnel1":   modecfg info: us:none, them:none, modecfg
> policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
> 000 "tunnel1":   labeled_ipsec:no;
> 000 "tunnel1":   policy_label:unset;
> 000 "tunnel1":   ike_life: 28800s; ipsec_life: 28800s; rekey_margin:
> 540s; rekey_fuzz: 100%; keyingtries: 0;
> 000 "tunnel1":   retransmit-interval: 500ms; retransmit-timeout: 60s;
> 000 "tunnel1":   sha2_truncbug:no; initial_contact:no; cisco_unity:no;
> send_vendorid:no;
> 000 "tunnel1":   policy:
> PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
> 000 "tunnel1":   conn_prio: 32,32; interface: eth4; metric: 0; mtu:
> unset; sa_prio:auto; nflog-group: unset;
> 000 "tunnel1":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "tunnel1":   IKE algorithms wanted:
> AES_CBC(7)_256-SHA2_256(4)_000-MODP2048(14)
> 000 "tunnel1":   IKE algorithms found:
> AES_CBC(7)_256-SHA2_256(4)_256-MODP2048(14)
> 000 "tunnel1":   ESP algorithms wanted: AES(12)_256-SHA2_256(5)_000;
> pfsgroup=MODP2048(14)
> 000 "tunnel1":   ESP algorithms loaded: AES(12)_256-SHA2_256(5)_000
> 000
> 000 Total IPsec connections: loaded 2, active 1
> 000
> 000 State Information: DDoS cookies not required, Accepting new IKE 
> connections
> 000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), 
> anonymous(0)
> 000 IPsec SAs: total(1), authenticated(1), anonymous(0)
> 000
> 000 #3: "net1":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
> EVENT_SA_REPLACE in 24758s; newest IPSEC; eroute owner; isakmp#1;
> idle; import:admin initiate
> 000 #3: "net1" esp.c4b958dc at yyy.yyy.13.34 esp.76871e94 at xxx.xxx.39.68
> tun.0 at yyy.yyy.13.34 tun.0 at xxx.xxx.39.68 ref=0 refhim=4294901761
> Traffic: ESPout=2KB ESPin=4KB! ESPmax=4194303B
> 000 #1: "net1":500 STATE_MAIN_I4 (ISAKMP SA established);
> EVENT_SA_REPLACE in 24517s; newest ISAKMP; lastdpd=-1s(seq in:0
> out:0); idle; import:admin initiate
> 000
> 
> 
> pluto.log:
> May 10 15:36:27: loading secrets from "/etc/ipsec.d/name.secrets"
> May 10 15:36:27: "net1" #1: initiating Main Mode
> May 10 15:36:27: "net1" #1: received Vendor ID payload [XAUTH]
> May 10 15:36:27: "net1" #1: received Vendor ID payload [Dead Peer 
> Detection]
> May 10 15:36:27: "net1" #1: received Vendor ID payload [Cisco-Unity]
> May 10 15:36:27: "net1" #1: received Vendor ID payload [FRAGMENTATION 
> 80000000]
> May 10 15:36:27: "net1" #1: received Vendor ID payload [RFC 3947]
> May 10 15:36:27: "net1" #1: enabling possible NAT-traversal with
> method RFC 3947 (NAT-Traversal)
> May 10 15:36:27: "net1" #1: transition from state STATE_MAIN_I1 to
> state STATE_MAIN_I2
> May 10 15:36:27: "net1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> May 10 15:36:27: "net1" #1: NAT-Traversal: Result using RFC 3947
> (NAT-Traversal) sender port 500: no NAT detected
> May 10 15:36:27: "net1" #1: transition from state STATE_MAIN_I2 to
> state STATE_MAIN_I3
> May 10 15:36:27: "net1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> May 10 15:36:27: "net1" #1: Main mode peer ID is ID_IPV4_ADDR: 
> 'yyy.yyy.13.34'
> May 10 15:36:27: "net1" #1: transition from state STATE_MAIN_I3 to
> state STATE_MAIN_I4
> May 10 15:36:27: "net1" #1: STATE_MAIN_I4: ISAKMP SA established
> {auth=PRESHARED_KEY cipher=aes_256 integ=OAKLEY_SHA2_256
> group=MODP2048}
> May 10 15:36:27: "tunnel1" #2: initiating Quick Mode
> PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW
> {using isakmp#1 msgid:bfa97f53 proposal=AES(12)_256-SHA2_256(5)_000
> pfsgroup=OAKLEY_GROUP_MODP2048}
> May 10 15:36:27: "net1" #3: initiating Quick Mode
> PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW
> {using isakmp#1 msgid:70ad6cf8 proposal=AES(12)_256-SHA2_256(5)_000
> pfsgroup=OAKLEY_GROUP_MODP2048}
> May 10 15:36:27: "net1" #1: ignoring informational payload
> INVALID_ID_INFORMATION, msgid=00000000, length=16
> May 10 15:36:27: | ISAKMP Notification Payload
> May 10 15:36:27: |   00 00 00 10  00 00 00 01  03 04 00 12
> May 10 15:36:27: "net1" #1: received and ignored informational message
> May 10 15:36:27: "net1" #3: transition from state STATE_QUICK_I1 to
> state STATE_QUICK_I2
> May 10 15:36:27: "net1" #3: STATE_QUICK_I2: sent QI2, IPsec SA
> established tunnel mode {ESP=>0xc4b958dc <0x76871e94
> xfrm=AES_256-HMAC_SHA2_256 NATOA=none NATD=none DPD=passive}
> May 10 15:36:27: "net1" #1: received 1 malformed payload notifies
> May 10 15:36:28: "net1" #1: received 2 malformed payload notifies
> May 10 15:36:29: "net1" #1: received 3 malformed payload notifies
> May 10 15:36:31: "net1" #1: received 4 malformed payload notifies
> May 10 15:36:35: "net1" #1: received 5 malformed payload notifies
> May 10 15:36:43: "net1" #1: received 6 malformed payload notifies
> May 10 15:36:59: "net1" #1: received 7 malformed payload notifies
> May 10 15:37:31: "tunnel1" #2: max number of retransmissions (8)
> reached STATE_QUICK_I1.  No acceptable response to our first Quick
> Mode message: perhaps peer likes no proposal
> May 10 15:37:31: "tunnel1" #2: deleting state #2 (STATE_QUICK_I1)
> May 10 15:55:24: forgetting secrets
> May 10 15:55:24: loading secrets from "/etc/ipsec.secrets"
> May 10 15:55:24: loading secrets from "/etc/ipsec.d/name.secrets"
> 
> 
> logging on pfSense side:
> 
> May 10 15:36:59   charon: 06[NET] sending packet: from
> yyy.yyy.13.34[500] to xxx.xxx.39.68[500] (92 bytes)
> May 10 15:36:59   charon: 06[NET] <con1000|10> sending packet: from
> yyy.yyy.13.34[500] to xxx.xxx.39.68[500] (92 bytes)
> May 10 15:36:59   charon: 06[IKE] QUICK_MODE request with message ID
> 1400875455 processing failed
> May 10 15:36:59   charon: 06[IKE] <con1000|10> QUICK_MODE request with
> message ID 1400875455 processing failed
> May 10 15:36:59   charon: 04[NET] sending packet: from
> yyy.yyy.13.34[500] to xxx.xxx.39.68[500]
> May 10 15:36:59   charon: 04[NET] sending packet: from
> yyy.yyy.13.34[500] to xxx.xxx.39.68[500]
> May 10 15:36:59   charon: 06[MGR] checkin IKE_SA con1000[10]
> May 10 15:36:59   charon: 06[MGR] <con1000|10> checkin IKE_SA 
> con1000[10]
> May 10 15:36:59   charon: 06[MGR] check-in of IKE_SA successful.
> May 10 15:36:59   charon: 06[MGR] <con1000|10> check-in of IKE_SA 
> successful.
> May 10 15:37:27   charon: 05[CFG] vici client 2 connected
> 
> Anything obvious I'm missing?
> 
> thx,
> 
> Frank
> 
> 
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
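An added example, not part of this thread: a small Python checker that reads the `ipsec status` connection lines and the `ip route` table the way they were posted above and answers the question the reply raises in the other direction, namely whether the packets you are sending are covered by a connection that actually has an IPsec SA before you start looking at firewall rules. It assumes the masked addresses stand for real ones (203.0.113.68 for xxx.xxx.39.68 and 198.51.100.34 for yyy.yyy.13.34 are constructed stand-ins), that the wrapped status lines have been re-joined, and that the kernel picks the ping's source address from the route's `src` hint when no `-I` is given.

```python
"""Added example (not from the thread): check an "SA up, no traffic"
report by matching a src -> dst flow against Libreswan's traffic
selectors and the plain routing table."""
import ipaddress
import re

# Constructed excerpt of the posted `ipsec status`, wrapped lines re-joined,
# masked addresses replaced by documentation-range stand-ins.
STATUS = """\
000 "net1": 192.168.1.0/24===203.0.113.68<203.0.113.68>...198.51.100.34<198.51.100.34>===192.168.211.0/24; erouted; eroute owner: #3
000 "net1":   newest ISAKMP SA: #1; newest IPsec SA: #3;
000 "tunnel1": 203.0.113.68<203.0.113.68>...198.51.100.34<198.51.100.34>; prospective erouted; eroute owner: #0
000 "tunnel1":   newest ISAKMP SA: #0; newest IPsec SA: #0;
"""

# Constructed excerpt of the posted `ip route` output.
ROUTES = """\
default via 203.0.113.78 dev eth4
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.2
192.168.211.0/24 dev eth4  scope link  src 192.168.1.2
203.0.113.64/28 dev eth4  proto kernel  scope link  src 203.0.113.68
"""

CONN_RE = re.compile(
    r'^000 "(?P<name>[^"]+)":\s+'
    r'(?:(?P<lsub>[\d.]+/\d+)===)?(?P<left>[\d.]+)<[^>]*>'
    r'\.\.\.(?P<right>[\d.]+)<[^>]*>(?:===(?P<rsub>[\d.]+/\d+))?;'
    r'\s*(?P<eroute>[^;]+);', re.M)
SA_RE = re.compile(r'^000 "(?P<name>[^"]+)":\s+newest ISAKMP SA: #(?P<ike>\d+); '
                   r'newest IPsec SA: #(?P<ipsec>\d+);', re.M)
ROUTE_RE = re.compile(r'^(?P<dst>default|[\d.]+/\d+)(?: via (?P<via>[\d.]+))?'
                      r' dev (?P<dev>\S+)(?P<rest>.*)$', re.M)


def parse_status(text):
    """Return {conn: {leftsubnet, rightsubnet, eroute, ipsec_sa}}."""
    conns = {}
    for m in CONN_RE.finditer(text):
        # Without explicit subnets the selector is the gateway's own /32.
        lsub = m['lsub'] or m['left'] + '/32'
        rsub = m['rsub'] or m['right'] + '/32'
        conns[m['name']] = {'leftsubnet': ipaddress.ip_network(lsub),
                            'rightsubnet': ipaddress.ip_network(rsub),
                            'eroute': m['eroute'].strip(), 'ipsec_sa': 0}
    for m in SA_RE.finditer(text):
        if m['name'] in conns:
            conns[m['name']]['ipsec_sa'] = int(m['ipsec'])
    return conns


def parse_routes(text):
    routes = []
    for m in ROUTE_RE.finditer(text):
        net = ipaddress.ip_network('0.0.0.0/0' if m['dst'] == 'default' else m['dst'])
        src = re.search(r'\bsrc ([\d.]+)', m['rest'])
        routes.append({'net': net, 'via': m['via'], 'dev': m['dev'],
                       'scope_link': 'scope link' in m['rest'],
                       'src': src.group(1) if src else None})
    return routes


def route_for(routes, dst):
    """Longest-prefix match, as the kernel does for a plain route lookup."""
    dst = ipaddress.ip_address(dst)
    cands = [r for r in routes if dst in r['net']]
    return max(cands, key=lambda r: r['net'].prefixlen) if cands else None


def covering_conn(conns, src, dst):
    """Name of a conn whose selectors cover src->dst and which has an IPsec SA."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, c in conns.items():
        if src in c['leftsubnet'] and dst in c['rightsubnet'] and c['ipsec_sa']:
            return name
    return None


def diagnose(status_text, route_text, dst, src=None):
    conns = parse_status(status_text)
    routes = parse_routes(route_text)
    route = route_for(routes, dst)
    # Assumption: with no explicit source (no `ping -I`), the kernel uses the
    # route's `src` hint; a source outside leftsubnet never matches the policy.
    if src is None and route:
        src = route['src']
    findings = [f"{n}: no IPsec SA ({c['eroute']})"
                for n, c in conns.items() if c['ipsec_sa'] == 0]
    hit = covering_conn(conns, src, dst) if src else None
    if hit:
        findings.append(f"{src}->{dst} matches {hit}: traffic should be "
                        "encapsulated; check firewall rules and the far side next")
    else:
        findings.append(f"{src}->{dst} matches no conn with an IPsec SA: "
                        "packets leave in the clear via the normal route")
        if route and route['scope_link'] and not route['via']:
            findings.append(f"route for {dst} is 'scope link' on {route['dev']}: "
                            "the kernel will ARP for it directly there")
    return findings


if __name__ == '__main__':
    for line in diagnose(STATUS, ROUTES, '192.168.211.2'):
        print(line)
    for line in diagnose(STATUS, ROUTES, '192.168.211.2', src='203.0.113.68'):
        print(line)
```

Run against the posted data it reports that `tunnel1` never got an IPsec SA (the status shows it only "prospective erouted" with SA #0, which is what the "max number of retransmissions" line in pluto.log is about) and that 192.168.1.2 -> 192.168.211.2 does match `net1`, so the next things to look at are indeed the filter rules on both gateways. Passing the WAN address as the source shows the opposite case: a flow outside the selectors is routed in the clear over the `scope link` route on eth4, which is the kind of mismatch that produces "Destination Host Unreachable" while the SA is up.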

