[Swan] Error with LibreSwan to Huawei VRP Connection
Nick Howitt
nick at howitts.co.uk
Wed Nov 2 07:22:27 UTC 2016
Don't have any blank lines in a conn definition.
On 2 November 2016 02:54:43 GMT+00:00, Ian Barnes <ian.lidtech at gmail.com> wrote:
>Hi All,
>
>I'm having huge issues setting up an IPSec tunnel from a Libreswan
>system
>to Huawei VRP device and was hoping someone could assist me in
>pinpointing
>what the error is
>
>Here are the logs from the connection: http://pastebin.com/vCY5GLG0
>
>*Here is my ipsec.conf*
>#
>version 2.0 # conforms to second version of ipsec.conf specification
>
># basic configuration
>config setup
>nat_traversal=yes
>virtual_private=%v:10.0.0.0/16
>oe=off
>protostack=netkey
>interfaces=%defaultroute
>klipsdebug=none
>uniqueids=yes
>plutodebug="control parsing"
>plutostderrlog=/var/log/ipsec.log
>
>#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and
>uncomment this.
>include /etc/ipsec.d/*.conf
>
>*Here is my host-prd.conf*
>conn host-prd
> ##### Local
> left=externalIP
>leftid=@LOCALID
> leftsubnet=externalIP/32
>leftnexthop=%defaultroute
>
> ##### Remote
>right=REMOTEIDIP
>rightid=REMOTEIDIP
> rightsubnets={172.25.48.43/32 172.25.48.36/32}
> rightnexthop=%defaultroute
>
>##### Auth Options
> authby=secret
> rekey=no
>aggrmode=no
>forceencaps=no
>
> ##### Phase 1
>ike=3des-md5-modp1024
> ikelifetime="28800"
>
> ##### Phase 2
> esp=3des-md5
> keylife="3600"
> pfs=no
>
> ##### Connection Options
> type=tunnel
> auto=start
> compress=no
>
>*Here is my ipsec.secrets*
>@LOCALID REMOTEIDIP : PSK "SOMEPSKHERE"
>
>*Here is an ipsec verify (SIDE NOTE: I cant find the errors?!)*
>Verifying installed system and configuration files
>
>Version check and ipsec on-path [OK]
>Libreswan 3.15 (netkey) on 2.6.32-504.16.2.el6.x86_64
>Checking for IPsec support in kernel [OK]
> NETKEY: Testing XFRM related proc values
> ICMP default/send_redirects [OK]
> ICMP default/accept_redirects [OK]
> XFRM larval drop [OK]
>Pluto ipsec.conf syntax [OK]
>Hardware random device [N/A]
>Two or more interfaces found, checking IP forwarding [OK]
>Checking rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/eth1/rp_filter [ENABLED]
> rp_filter is not fully aware of IPsec and should be disabled
>Checking that pluto is running [OK]
> Pluto listening for IKE on udp 500 [OK]
> Pluto listening for IKE/NAT-T on udp 4500 [OK]
> Pluto ipsec.secret syntax [OK]
>Checking 'ip' command [OK]
>Checking 'iptables' command [OK]
>Checking 'prelink' command does not interfere with FIPSChecking for
>obsolete ipsec.conf options [OK]
>Opportunistic Encryption [DISABLED]
>
>ipsec verify: encountered 9 errors - see 'man ipsec_verify' for help
>
>*Here is an ipsec status after a few minutes*
>000 using kernel interface: netkey
>000 interface lo/lo ::1 at 500
>000 interface lo/lo 127.0.0.1 at 4500
>000 interface lo/lo 127.0.0.1 at 500
>000 interface eth0/eth0 externalIP at 4500
>000 interface eth0/eth0 externalIP at 500
>000 interface eth1/eth1 10.0.64.10 at 4500
>000 interface eth1/eth1 10.0.64.10 at 500
>000
>000
>000 fips mode=disabled;
>000 SElinux=disabled
>000
>000 config setup options:
>000
>000 configdir=/etc, configfile=/etc/ipsec.conf,
>secrets=/etc/ipsec.secrets,
>ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto, statsbin=unset
>000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
>000 pluto_version=3.15, pluto_vendorid=OE-Libreswan-3.15
>000 nhelpers=-1, uniqueids=yes, perpeerlog=no, shuntlifetime=900s,
>xfrmlifetime=300s
>000 ddos-cookies-treshold=50000, ddos-max-halfopen=25000,
>ddos-mode=auto
>000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>,
>nflog-all=0
>000 secctx-attr-type=32001
>000 myid = (none)
>000 debug parsing+control
>000
>000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
>000 virtual-private (%priv):
>000
>000 ESP algorithms supported:
>000
>000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,
>keysizemin=192,
>keysizemax=192
>000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8,
>keysizemin=128,
>keysizemax=128
>000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
>keysizemax=0
>000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8,
>keysizemin=128,
>keysizemax=256
>000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,
>keysizemin=128, keysizemax=256
>000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
>keysizemin=128, keysizemax=256
>000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
>keysizemin=128, keysizemax=256
>000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
>keysizemin=128, keysizemax=256
>000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
>keysizemin=128, keysizemax=256
>000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12,
>keysizemin=128, keysizemax=256
>000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16,
>keysizemin=128, keysizemax=256
>000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8,
>keysizemin=128, keysizemax=256
>000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
>keysizemin=128, keysizemax=256
>000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
>keysizemin=128, keysizemax=256
>000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
>keysizemin=128, keysizemax=128
>000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
>keysizemin=160, keysizemax=160
>000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
>keysizemin=256, keysizemax=256
>000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384,
>keysizemin=384, keysizemax=384
>000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512,
>keysizemin=512, keysizemax=512
>000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,
>keysizemin=160, keysizemax=160
>000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC,
>keysizemin=128, keysizemax=128
>000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME,
>keysizemin=0, keysizemax=0
>000
>000 IKE algorithms supported:
>000
>000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=16,
>v2name=AES_CCM_C,
>blocksize=16, keydeflen=128
>000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=15,
>v2name=AES_CCM_B,
>blocksize=16, keydeflen=128
>000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=14,
>v2name=AES_CCM_A,
>blocksize=16, keydeflen=128
>000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3,
>v2name=3DES, blocksize=8, keydeflen=192
>000 algorithm IKE encrypt: v1id=24, v1name=OAKLEY_CAMELLIA_CTR,
>v2id=24,
>v2name=CAMELLIA_CTR, blocksize=16, keydeflen=128
>000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23,
>v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
>000 algorithm IKE encrypt: v1id=20, v1name=OAKLEY_AES_GCM_C, v2id=20,
>v2name=AES_GCM_C, blocksize=16, keydeflen=128
>000 algorithm IKE encrypt: v1id=19, v1name=OAKLEY_AES_GCM_B, v2id=19,
>v2name=AES_GCM_B, blocksize=16, keydeflen=128
>000 algorithm IKE encrypt: v1id=18, v1name=OAKLEY_AES_GCM_A, v2id=18,
>v2name=AES_GCM_A, blocksize=16, keydeflen=128
>000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13,
>v2name=AES_CTR, blocksize=16, keydeflen=128
>000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12,
>v2name=AES_CBC, blocksize=16, keydeflen=128
>000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC,
>v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
>000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC,
>v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
>000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH,
>v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
>000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashlen=16
>000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashlen=20
>000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashlen=32
>000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashlen=48
>000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashlen=64
>000 algorithm IKE hash: id=9, name=DISABLED-OAKLEY_AES_XCBC, hashlen=16
>000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
>000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
>000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048,
>bits=2048
>000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072,
>bits=3072
>000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096,
>bits=4096
>000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144,
>bits=6144
>000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192,
>bits=8192
>000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
>000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
>000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
>000
>000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64}
>trans={0,2,6144} attrs={0,2,4096}
>000
>000 Connection list:
>000
>000 "host-prd/0x1":
>externalIP/32===externalIP<externalIP>[@LIDTECH]---defaultGW...REMOTEIDIP<REMOTEIDIP>===
>172.25.48.43/32; prospective erouted; eroute owner: #0
>000 "host-prd/0x1": oriented; my_ip=unset; their_ip=unset
>000 "host-prd/0x1": xauth info: us:none, them:none,
>my_xauthuser=[any];
>their_xauthuser=[any]
>000 "host-prd/0x1": modecfg info: us:none, them:none, modecfg
>policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
>000 "host-prd/0x1": labeled_ipsec:no;
>000 "host-prd/0x1": policy_label:unset;
>000 "host-prd/0x1": ike_life: 28800s; ipsec_life: 3600s;
>rekey_margin:
>540s; rekey_fuzz: 100%; keyingtries: 0;
>000 "host-prd/0x1": retransmit-interval: 500ms; retransmit-timeout:
>60s;
>000 "host-prd/0x1": sha2_truncbug:no; initial_contact:no;
>cisco_unity:no;
>send_vendorid:no;
>000 "host-prd/0x1": policy:
>PSK+ENCRYPT+TUNNEL+DONT_REKEY+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
>000 "host-prd/0x1": conn_prio: 32,32; interface: eth0; metric: 0;
>mtu:
>unset; sa_prio:auto; nflog-group: unset;
>000 "host-prd/0x1": newest ISAKMP SA: #0; newest IPsec SA: #0;
>000 "host-prd/0x1": aliases: host-prd
>000 "host-prd/0x1": IKE algorithms wanted:
>3DES_CBC(5)_000-MD5(1)_000-MODP1024(2)
>000 "host-prd/0x1": IKE algorithms found:
> 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
>000 "host-prd/0x1": ESP algorithms wanted: 3DES(3)_000-MD5(1)_000
>000 "host-prd/0x1": ESP algorithms loaded: 3DES(3)_000-MD5(1)_000
>000 "host-prd/0x2":
>externalIP/32===externalIP<externalIP>[@LIDTECH]---defaultGW...REMOTEIDIP<REMOTEIDIP>===
>172.25.48.36/32; prospective erouted; eroute owner: #0
>000 "host-prd/0x2": oriented; my_ip=unset; their_ip=unset
>000 "host-prd/0x2": xauth info: us:none, them:none,
>my_xauthuser=[any];
>their_xauthuser=[any]
>000 "host-prd/0x2": modecfg info: us:none, them:none, modecfg
>policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
>000 "host-prd/0x2": labeled_ipsec:no;
>000 "host-prd/0x2": policy_label:unset;
>000 "host-prd/0x2": ike_life: 28800s; ipsec_life: 3600s;
>rekey_margin:
>540s; rekey_fuzz: 100%; keyingtries: 0;
>000 "host-prd/0x2": retransmit-interval: 500ms; retransmit-timeout:
>60s;
>000 "host-prd/0x2": sha2_truncbug:no; initial_contact:no;
>cisco_unity:no;
>send_vendorid:no;
>000 "host-prd/0x2": policy:
>PSK+ENCRYPT+TUNNEL+DONT_REKEY+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
>000 "host-prd/0x2": conn_prio: 32,32; interface: eth0; metric: 0;
>mtu:
>unset; sa_prio:auto; nflog-group: unset;
>000 "host-prd/0x2": newest ISAKMP SA: #0; newest IPsec SA: #0;
>000 "host-prd/0x2": aliases: host-prd
>000 "host-prd/0x2": IKE algorithms wanted:
>3DES_CBC(5)_000-MD5(1)_000-MODP1024(2)
>000 "host-prd/0x2": IKE algorithms found:
> 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
>000 "host-prd/0x2": ESP algorithms wanted: 3DES(3)_000-MD5(1)_000
>000 "host-prd/0x2": ESP algorithms loaded: 3DES(3)_000-MD5(1)_000
>000
>000 Total IPsec connections: loaded 2, active 0
>000
>000 State Information: DDoS cookies not required, Accepting new IKE
>connections
>000 IKE SAs: total(0), half-open(0), open(0), authenticated(0),
>anonymous(0)
>000 IPsec SAs: total(0), authenticated(0), anonymous(0)
>000
>000 Bare Shunt list:
>000
>
>*Here is the last part of an ipsec status before the connection "times
>out":*
>
>000 #1: "host-prd/0x2":500 STATE_MAIN_I3 (sent MI3, expecting MR3);
>EVENT_v1_RETRANSMIT in 0s; nodpd; idle; import:admin initiate
>000 #1: pending Phase 2 for "mtn-ug-prd/0x1" replacing #0
>000 #1: pending Phase 2 for "mtn-ug-prd/0x2" replacing #0
>
>My suspicion is that this is a misconfiguration on their end, but not
>sure
>what though...
>
>Any advice would be great - thanks in advance
>
>Ian
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Swan mailing list
>Swan at lists.libreswan.org
>https://lists.libreswan.org/mailman/listinfo/swan
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20161102/818a7041/attachment-0001.html>
More information about the Swan
mailing list