[Swan] Libreswan to Cisco2921, sha2_256 (ikev1&ikev2), tunnel is up but cannot ping (with and without source ip)

Satavee Junwana satavee at gmail.com
Thu Aug 4 11:54:20 UTC 2016


Another thing: it is working fine for sha1.

Best Regards,
Satavee

On Thu, Aug 4, 2016 at 2:51 PM, Satavee Junwana <satavee at gmail.com> wrote:

> I've tested on libreswan 3.3, 3.7 (CentOS 5) and 3.15 (CentOS 6) but no luck.
>
> Here is config, ipsec status and log during negotiation-
>
> Config-
>
> version 2.0
> config setup
>        # plutodebug / klipsdebug = "all", "none" or a combination from below:
>        # "raw crypt parsing emitting control klips pfkey natt x509 private"
>        # eg: plutodebug="control parsing"
>        #
>        # ONLY enable plutodebug=all or klipsdebug=all if you are a
> developer !!
>        nat_traversal=yes
>        nhelpers=1
>        oe=off
>        protostack=klips
>        plutorestartoncrash=no
>        plutostderrlog=/tmp/pluto.log
> #Default-Connection:
> conn %default
>        keyingtries=3
>        ikev2=yes
> conn ppp1_DC
>        type=tunnel
>        rightid=107.25.23.119
>        right=107.25.23.119
>        rekey=yes
>        phase2alg=aes128-sha2_256
>        phase2=esp
>        pfs=no
>        #overridemtu=1410
>        leftsubnet="192.168.19.0/24"
>        leftsourceip=192.168.19.1
>        left=%ppp1
>        keylife=8h
>        initial_contact=yes
>        ikelifetime=24h
>        ike=aes128-sha2_256-modp1536
>        compress=no
>        authby=secret
>        aggrmode=no
>
> Ipsec status -
>
> 000 using kernel interface: klips
> 000 interface ipsec0/ppp1 101.15.115.253
> 000 interface ipsec0/ppp1 101.15.115.253
> 000
> 000 fips mode=disabled;
> 000 SElinux=disabled
> 000
> 000 config setup options:
> 000
> 000 configdir=/etc, configfile=/etc/ipsec.conf,
> secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto,
> statsbin=unset
> 000 sbindir=/usr/sbin, libdir=/usr/libexec/ipsec,
> libexecdir=/usr/libexec/ipsec
> 000 pluto_version=3.7, pluto_vendorid=OE-Libreswan-3.7
> 000 nhelpers=1, uniqueids=yes, retransmits=yes, force_busy=no
> 000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>
> 000 secctx_attr_value=32001
> 000 myid = (none)
> 000 debug none
> 000
> 000 nat_traversal=yes, keep_alive=20, nat_ikeport=4500,
> disable_port_floating=no
> 000 virtual_private (%priv):
> 000 - allowed 0 subnets:
> 000 - disallowed 0 subnets:
> 000 WARNING: Either virtual_private= is not specified, or there is a
> syntax
> 000          error in that line. 'left/rightsubnet=vhost:%priv' will not
> work!
> 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
> 000          private address space in internal use, it should be excluded!
> 000
> 000 ESP algorithms supported:
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
> keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
> keysizemax=192
> 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=64, keysizemin=128,
> keysizemax=128
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=64,
> keysizemin=96, keysizemax=448
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=16, keysizemin=128,
> keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=128,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=128,
> keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
> keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512,
> keysizemin=512, keysizemax=512
> 000
> 000 IKE algorithms supported:
> 000
> 000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3,
> v2name=3DES, blocksize=8, keydeflen=192
> 000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12,
> v2name=AES_CBC, blocksize=16, keydeflen=128
> 000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC,
> v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
> 000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC,
> v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
> 000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH,
> v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
> 000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48
> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
> 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
> 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
> 000
> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,3,36}
> trans={0,3,864} attrs={0,3,1152}
> 000
> 000 Connection list:
> 000
> 000 "ppp1_DC192": 192.168.19.0/24===101.15.115.253
> <%ppp1>...107.25.23.119<107.25.23.119>===10.0.0.0/8; erouted; eroute
> owner: #2
> 000 "ppp1_DC192":     oriented; my_ip=192.168.19.1; their_ip=unset;
> 000 "ppp1_DC192":   xauth info: us:none, them:none,  my_xauthuser=[any];
> their_xauthuser=[any]; ;
> 000 "ppp1_DC192":   modecfg info: us:none, them:none, modecfg policy:push,
> dns1:unset, dns2:unset, domain:unset, banner:unset;
> 000 "ppp1_DC192":   labeled_ipsec:no, loopback:no;
> 000 "ppp1_DC192":    policy_label:unset;
> 000 "ppp1_DC192":   ike_life: 86400s; ipsec_life: 28800s; rekey_margin:
> 540s; rekey_fuzz: 100%; keyingtries: 3;
> 000 "ppp1_DC192":   sha2_truncbug:no; initial_contact:yes; cisco_unity:no;
> send_vendorid:no;
> 000 "ppp1_DC192":   policy:
> PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+IKEv2Init+SAREFTRACK+IKE_FRAG;
> 000 "ppp1_DC192":   conn_prio: 24,8; interface: ppp1; metric: 0; mtu:
> unset; sa_prio:auto;
> 000 "ppp1_DC192":   newest ISAKMP SA: #1; newest IPsec SA: #2;
> 000 "ppp1_DC192":   IKE algorithms wanted:
> AES_CBC(7)_128-SHA2_256(4)_000-MODP1536(5)
> 000 "ppp1_DC192":   IKE algorithms found:
>  AES_CBC(7)_128-SHA2_256(4)_256-MODP1536(5)
> 000 "ppp1_DC192":   IKEv2 algorithm newest:
> AES_CBC_128-AUTH_HMAC_SHA2_256_128-PRF_HMAC_SHA2-256-MODP1536
> 000 "ppp1_DC192":   ESP algorithms wanted: AES(12)_128-SHA2_256(5)_000
> 000 "ppp1_DC192":   ESP algorithms loaded: AES(12)_128-SHA2_256(5)_256
> 000 "ppp1_DC192":   ESP algorithm newest: AES_128-HMAC_SHA2_256;
> pfsgroup=<N/A>
> 000
> 000 Total IPsec connections: loaded 1, active 1
> 000
> 000 State list:
> 000
> 000 #2: "ppp1_DC192":500 STATE_PARENT_I3 (PARENT SA established);
> EVENT_SA_REPLACE in 27777s; newest IPSEC; eroute owner; idle; import:admin
> initiate
> 000 #1: "ppp1_DC192":500 STATE_PARENT_I3 (PARENT SA established);
> EVENT_SA_REPLACE in 86369s; newest ISAKMP; idle; import:admin initiate
> 000
> 000 Shunt list:
> 000
>
> Log-
> 2016-08-04T11:52:07.185568+07:00 pluto[15179]: listening for IKE messages
> 2016-08-04T11:52:07.185568+07:00 pluto[15179]: adding interface
> ipsec0/ppp1 101.15.115.253:500
> 2016-08-04T11:52:07.185568+07:00 pluto[15179]: adding interface
> ipsec0/ppp1 101.15.115.253:4500
> 2016-08-04T11:52:07.185568+07:00 pluto[15179]: forgetting secrets
> 2016-08-04T11:52:07.185568+07:00 pluto[15179]: loading secrets from
> "/etc/ipsec.secrets"
> 2016-08-04T11:52:07.605113+07:00 pluto[15179]: added connection
> description "ppp1_DC192"
> 2016-08-04T11:52:07.721381+07:00 pluto[15179]: "ppp1_DC192" #1: initiating
> v2 parent SA
> 2016-08-04T11:52:07.761597+07:00 pluto[15179]: "ppp1_DC192" #1: transition
> from state STATE_IKEv2_START to state STATE_PARENT_I1
> 2016-08-04T11:52:07.761597+07:00 pluto[15179]: "ppp1_DC192" #1:
> STATE_PARENT_I1: sent v2I1, expected v2R1
> 2016-08-04T11:52:07.928538+07:00 pluto[15179]: "ppp1_DC192" #2: transition
> from state STATE_PARENT_I1 to state STATE_PARENT_I2
> 2016-08-04T11:52:07.929458+07:00 pluto[15179]: "ppp1_DC192" #2:
> STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_128
> integ=sha256_128 prf=OAKLEY_SHA2_256 group=modp1536}
> 2016-08-04T11:52:07.995450+07:00 pluto[15179]: packet from
> 107.25.23.119:500: IKEv2 mode peer ID is ID_IPV4_ADDR: '107.25.23.119'
> 2016-08-04T11:52:07.998515+07:00 pluto[15179]: | printing contents struct
> traffic_selector
> 2016-08-04T11:52:07.999124+07:00 pluto[15179]: |   ts_type:
> IKEv2_TS_IPV4_ADDR_RANGE
> 2016-08-04T11:52:07.999660+07:00 pluto[15179]: |   ipprotoid: 0
> 2016-08-04T11:52:08.000163+07:00 pluto[15179]: |   startport: 0
> 2016-08-04T11:52:08.000660+07:00 pluto[15179]: |   endport: 65535
> 2016-08-04T11:52:08.001178+07:00 pluto[15179]: |   ip low: 192.168.19.0
> 2016-08-04T11:52:08.001517+07:00 pluto[15179]: |   ip high: 192.168.19.255
> 2016-08-04T11:52:08.002388+07:00 pluto[15179]: | printing contents struct
> traffic_selector
> 2016-08-04T11:52:08.002937+07:00 pluto[15179]: |   ts_type:
> IKEv2_TS_IPV4_ADDR_RANGE
> 2016-08-04T11:52:08.003475+07:00 pluto[15179]: |   ipprotoid: 0
> 2016-08-04T11:52:08.003976+07:00 pluto[15179]: |   startport: 0
> 2016-08-04T11:52:08.004473+07:00 pluto[15179]: |   endport: 65535
> 2016-08-04T11:52:08.004932+07:00 pluto[15179]: |   ip low: 10.0.0.0
> 2016-08-04T11:52:08.005373+07:00 pluto[15179]: |   ip high: 10.255.255.255
> 2016-08-04T11:52:08.177293+07:00 pluto[15179]: packet from
> 107.25.23.119:500: up-client output: /usr/libexec/ipsec/_updown.klips:
> changesource "ip route change 10.0.0.0/8 dev ipsec0 src 192.168.19.1"
> failed (RTNETLINK answers: No such file or directory)
> 2016-08-04T11:52:08.436034+07:00 pluto[15179]: "ppp1_DC192" #2: transition
> from state STATE_PARENT_I2 to state STATE_PARENT_I3
> 2016-08-04T11:52:08.436034+07:00 pluto[15179]: "ppp1_DC192" #2: negotiated
> tunnel [192.168.19.0,192.168.19.255:0-65535 0] ->
> [10.0.0.0,10.255.255.255:0-65535 0]
> 2016-08-04T11:52:08.436034+07:00 pluto[15179]: "ppp1_DC192" #2:
> STATE_PARENT_I3: PARENT SA established tunnel mode {ESP=>0x2d26ed88
> <0xf43c29bd xfrm=AES_128-HMAC_SHA2_256 NATOA=none NATD=none DPD=none}
> 2016-08-04T11:52:08.436034+07:00 pluto[15179]: | releasing whack for #2
> (sock=18)
> 2016-08-04T11:52:08.436034+07:00 pluto[15179]: | releasing whack and
> unpending for #1 (sock=17)
> 2016-08-04T11:52:09.120814+07:00 logger: ntp[0000]: no server suitable for
> synchronization found
> 2016-08-04T11:52:12.672228+07:00 logger: pppd[0000]: ppp1 ipsec
> conn:ppp1_DC192  Up
> 2016-08-04T11:52:14.653590+07:00 logger: ntp[0000]: no server suitable for
> synchronization found
> 2016-08-04T11:53:13.457204+07:00 pluto[15179]: listening for IKE messages
> 2016-08-04T11:53:13.457204+07:00 pluto[15179]: forgetting secrets
> 2016-08-04T11:53:13.457204+07:00 pluto[15179]: loading secrets from
> "/etc/ipsec.secrets"
> 2016-08-04T11:53:13.580613+07:00 pluto[15179]: "ppp1_DC192": deleting
> connection
> 2016-08-04T11:53:13.580717+07:00 pluto[15179]: "ppp1_DC192" #2: deleting
> state (STATE_PARENT_I3)
> 2016-08-04T11:53:13.699047+07:00 pluto[15179]: "ppp1_DC192" #2:
> down-client output: /usr/libexec/ipsec/_updown.klips: dorule "ip rule
> delete from 192.168.19.0/24 to 10.0.0.0/8 " failed (RTNETLINK answers: No
> such file or directory)
> 2016-08-04T11:53:13.708746+07:00 pluto[15179]: "ppp1_DC192" #1: deleting
> state (STATE_PARENT_I3)
> 2016-08-04T11:53:14.250259+07:00 pluto[15179]: added connection
> description "ppp1_DC192"
> 2016-08-04T11:53:14.364389+07:00 pluto[15179]: "ppp1_DC192" #3: initiating
> v2 parent SA
> 2016-08-04T11:53:14.406023+07:00 pluto[15179]: "ppp1_DC192" #3: transition
> from state STATE_IKEv2_START to state STATE_PARENT_I1
> 2016-08-04T11:53:14.406125+07:00 pluto[15179]: "ppp1_DC192" #3:
> STATE_PARENT_I1: sent v2I1, expected v2R1
> 2016-08-04T11:53:15.109380+07:00 pluto[15179]: "ppp1_DC192" #4: transition
> from state STATE_PARENT_I1 to state STATE_PARENT_I2
> 2016-08-04T11:53:15.113292+07:00 pluto[15179]: "ppp1_DC192" #4:
> STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_128
> integ=sha256_128 prf=OAKLEY_SHA2_256 group=modp1536}
> 2016-08-04T11:53:15.169082+07:00 pluto[15179]: packet from
> 107.25.23.119:500: IKEv2 mode peer ID is ID_IPV4_ADDR: '107.25.23.119'
> 2016-08-04T11:53:15.173375+07:00 pluto[15179]: | printing contents struct
> traffic_selector
> 2016-08-04T11:53:15.173375+07:00 pluto[15179]: |   ts_type:
> IKEv2_TS_IPV4_ADDR_RANGE
> 2016-08-04T11:53:15.173375+07:00 pluto[15179]: |   ipprotoid: 0
> 2016-08-04T11:53:15.173375+07:00 pluto[15179]: |   startport: 0
> 2016-08-04T11:53:15.173375+07:00 pluto[15179]: |   endport: 65535
> 2016-08-04T11:53:15.176186+07:00 pluto[15179]: |   ip low: 192.168.19.0
> 2016-08-04T11:53:15.176713+07:00 pluto[15179]: |   ip high: 192.168.19.255
> 2016-08-04T11:53:15.177243+07:00 pluto[15179]: | printing contents struct
> traffic_selector
> 2016-08-04T11:53:15.177243+07:00 pluto[15179]: |   ts_type:
> IKEv2_TS_IPV4_ADDR_RANGE
> 2016-08-04T11:53:15.177243+07:00 pluto[15179]: |   ipprotoid: 0
> 2016-08-04T11:53:15.177243+07:00 pluto[15179]: |   startport: 0
> 2016-08-04T11:53:15.177243+07:00 pluto[15179]: |   endport: 65535
> 2016-08-04T11:53:15.177243+07:00 pluto[15179]: |   ip low: 10.0.0.0
> 2016-08-04T11:53:15.179999+07:00 pluto[15179]: |   ip high: 10.255.255.255
> 2016-08-04T11:53:15.320392+07:00 pluto[15179]: packet from
> 107.25.23.119:500: up-client output: /usr/libexec/ipsec/_updown.klips:
> changesource "ip route change 10.0.0.0/8 dev ipsec0 src 192.168.19.1"
> failed (RTNETLINK answers: No such file or directory)
> 2016-08-04T11:53:15.576394+07:00 pluto[15179]: "ppp1_DC192" #4: transition
> from state STATE_PARENT_I2 to state STATE_PARENT_I3
> 2016-08-04T11:53:15.576501+07:00 pluto[15179]: "ppp1_DC192" #4: negotiated
> tunnel [192.168.19.0,192.168.19.255:0-65535 0] ->
> [10.0.0.0,10.255.255.255:0-65535 0]
> 2016-08-04T11:53:15.576579+07:00 pluto[15179]: "ppp1_DC192" #4:
> STATE_PARENT_I3: PARENT SA established tunnel mode {ESP=>0x9794fb91
> <0xf43c29be xfrm=AES_128-HMAC_SHA2_256 NATOA=none NATD=none DPD=none}
> 2016-08-04T11:53:15.576646+07:00 pluto[15179]: | releasing whack for #4
> (sock=18)
> 2016-08-04T11:53:15.576774+07:00 pluto[15179]: | releasing whack and
> unpending for #3 (sock=17)
>
>
> Best Regards,
> Satavee
> Sent via iPhone
>
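A small log triage check, added here as an example and not part of the post or of libreswan: it scans pluto lines like the ones quoted above for an SA that established while the _updown.klips route step failed, which is the first thing to rule out when a tunnel is up but passes no traffic. The sample lines are condensed copies of the quoted log; the regexes and function names are my own.

```python
import re

# Constructed sample: pluto lines condensed from the ones quoted in the post.
SAMPLE_LOG = """\
2016-08-04T11:52:08.177293+07:00 pluto[15179]: packet from 107.25.23.119:500: up-client output: /usr/libexec/ipsec/_updown.klips: changesource "ip route change 10.0.0.0/8 dev ipsec0 src 192.168.19.1" failed (RTNETLINK answers: No such file or directory)
2016-08-04T11:52:08.436034+07:00 pluto[15179]: "ppp1_DC192" #2: negotiated tunnel [192.168.19.0,192.168.19.255:0-65535 0] -> [10.0.0.0,10.255.255.255:0-65535 0]
2016-08-04T11:52:08.436034+07:00 pluto[15179]: "ppp1_DC192" #2: STATE_PARENT_I3: PARENT SA established tunnel mode {ESP=>0x2d26ed88 <0xf43c29bd xfrm=AES_128-HMAC_SHA2_256 NATOA=none NATD=none DPD=none}
2016-08-04T11:53:13.699047+07:00 pluto[15179]: "ppp1_DC192" #2: down-client output: /usr/libexec/ipsec/_updown.klips: dorule "ip rule delete from 192.168.19.0/24 to 10.0.0.0/8 " failed (RTNETLINK answers: No such file or directory)
"""

# A failed _updown hook step: which hook, which step, the ip(8) command, the kernel answer.
UPDOWN_FAIL = re.compile(
    r'(?P<hook>up-client|down-client) output: (?P<script>\S+): '
    r'(?P<step>\w+) "(?P<cmd>[^"]+)" failed \((?P<err>[^)]*)\)')
# An SA that reached an established state.
SA_UP = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): STATE_\w+: PARENT SA established')
# The negotiated traffic selectors, i.e. what the kernel must route into the tunnel.
TUNNEL = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): negotiated tunnel '
                    r'\[(?P<left>[^\]]+)\] -> \[(?P<right>[^\]]+)\]')

def analyse(log_text):
    """Return established SAs, negotiated selectors and failed updown steps."""
    found = {"sas_up": [], "tunnels": [], "updown_failures": []}
    for line in log_text.splitlines():
        m = SA_UP.search(line)
        if m:
            found["sas_up"].append((m["conn"], int(m["sa"])))
            continue
        m = TUNNEL.search(line)
        if m:
            found["tunnels"].append((m["conn"], int(m["sa"]), m["left"], m["right"]))
            continue
        m = UPDOWN_FAIL.search(line)
        if m:
            found["updown_failures"].append(m.groupdict())
    return found

def verdict(found):
    """An SA that is up while the up-client route step failed explains
    'tunnel up, no ping' before any algorithm is suspected: ESP is installed,
    but 'ip route change' returned ENOENT because no route existed to change."""
    up_fail = [f for f in found["updown_failures"] if f["hook"] == "up-client"]
    if found["sas_up"] and up_fail:
        f = up_fail[0]
        return "SA up but routing step failed: %s (%s)" % (f["cmd"], f["err"])
    if found["sas_up"]:
        return "SA up and updown clean: check selectors, peer policy or filtering"
    return "no established SA"
```

Run it over the full /tmp/pluto.log from the post to see whether the ESP SA and the kernel route for 10.0.0.0/8 ever both exist at the same time.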