[Swan] Error with LibreSwan to Huawei VRP Connection

Ian Barnes ian.lidtech at gmail.com
Wed Nov 2 07:31:37 UTC 2016


Hi Nick,

Great thanks for the feedback. I've removed all spaces and am seeing the
same result. I'm awaiting some logs from the remote which I'll forward on
as soon as I get it.

Regards
Ian


On Wed, Nov 2, 2016 at 9:22 AM, Nick Howitt <nick at howitts.co.uk> wrote:

> Don't have any blank lines in a conn definition.
>
> On 2 November 2016 02:54:43 GMT+00:00, Ian Barnes <ian.lidtech at gmail.com>
> wrote:
>
>> Hi All,
>>
>> I'm having huge issues setting up an IPsec tunnel from a Libreswan system
>> to a Huawei VRP device and was hoping someone could assist me in pinpointing
>> what the error is.
>>
>> Here are the logs from the connection: http://pastebin.com/vCY5GLG0
>>
>> *Here is my ipsec.conf*
>> #
>> version 2.0 # conforms to second version of ipsec.conf specification
>>
>> # basic configuration
>> config setup
>>         nat_traversal=yes
>>         virtual_private=%v:10.0.0.0/16
>>         oe=off
>>         protostack=netkey
>>         interfaces=%defaultroute
>>         klipsdebug=none
>>         uniqueids=yes
>>         plutodebug="control parsing"
>>         plutostderrlog=/var/log/ipsec.log
>>
>> # You may put your configuration (.conf) file in the "/etc/ipsec.d/" and
>> # uncomment this.
>> include /etc/ipsec.d/*.conf
>>
>> *Here is my host-prd.conf*
>> conn host-prd
>>         ##### Local
>>         left=externalIP
>>         leftid=@LOCALID
>>         leftsubnet=externalIP/32
>>         leftnexthop=%defaultroute
>>
>>         ##### Remote
>>         right=REMOTEIDIP
>>         rightid=REMOTEIDIP
>>         rightsubnets={172.25.48.43/32 172.25.48.36/32}
>>         rightnexthop=%defaultroute
>>
>>         ##### Auth Options
>>         authby=secret
>>         rekey=no
>>         aggrmode=no
>>         forceencaps=no
>>
>>         ##### Phase 1
>>         ike=3des-md5-modp1024
>>         ikelifetime="28800"
>>
>>         ##### Phase 2
>>         esp=3des-md5
>>         keylife="3600"
>>         pfs=no
>>
>>         ##### Connection Options
>>         type=tunnel
>>         auto=start
>>         compress=no
>>
>> *Here is my ipsec.secrets*
>> @LOCALID REMOTEIDIP : PSK "SOMEPSKHERE"
>>
>> *Here is an ipsec verify (SIDE NOTE: I can't find the errors?!)*
>> Verifying installed system and configuration files
>>
>> Version check and ipsec on-path                   [OK]
>> Libreswan 3.15 (netkey) on 2.6.32-504.16.2.el6.x86_64
>> Checking for IPsec support in kernel               [OK]
>>  NETKEY: Testing XFRM related proc values
>>          ICMP default/send_redirects               [OK]
>>          ICMP default/accept_redirects             [OK]
>>          XFRM larval drop                         [OK]
>> Pluto ipsec.conf syntax                           [OK]
>> Hardware random device                             [N/A]
>> Two or more interfaces found, checking IP forwarding [OK]
>> Checking rp_filter                                 [ENABLED]
>>  /proc/sys/net/ipv4/conf/default/rp_filter         [ENABLED]
>>  /proc/sys/net/ipv4/conf/lo/rp_filter             [ENABLED]
>>  /proc/sys/net/ipv4/conf/eth0/rp_filter           [ENABLED]
>>  /proc/sys/net/ipv4/conf/eth1/rp_filter           [ENABLED]
>>   rp_filter is not fully aware of IPsec and should be disabled
>> Checking that pluto is running                     [OK]
>>  Pluto listening for IKE on udp 500               [OK]
>>  Pluto listening for IKE/NAT-T on udp 4500         [OK]
>>  Pluto ipsec.secret syntax                         [OK]
>> Checking 'ip' command                             [OK]
>> Checking 'iptables' command                       [OK]
>> Checking 'prelink' command does not interfere with FIPS
>> Checking for obsolete ipsec.conf options           [OK]
>> Opportunistic Encryption                           [DISABLED]
>>
>> ipsec verify: encountered 9 errors - see 'man ipsec_verify' for help
>>
>> *Here is an ipsec status after a few minutes*
>> 000 using kernel interface: netkey
>> 000 interface lo/lo ::1 at 500
>> 000 interface lo/lo 127.0.0.1 at 4500
>> 000 interface lo/lo 127.0.0.1 at 500
>> 000 interface eth0/eth0 externalIP at 4500
>> 000 interface eth0/eth0 externalIP at 500
>> 000 interface eth1/eth1 10.0.64.10 at 4500
>> 000 interface eth1/eth1 10.0.64.10 at 500
>> 000
>> 000
>> 000 fips mode=disabled;
>> 000 SElinux=disabled
>> 000
>> 000 config setup options:
>> 000
>> 000 configdir=/etc, configfile=/etc/ipsec.conf,
>> secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto,
>> statsbin=unset
>> 000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
>> 000 pluto_version=3.15, pluto_vendorid=OE-Libreswan-3.15
>> 000 nhelpers=-1, uniqueids=yes, perpeerlog=no, shuntlifetime=900s,
>> xfrmlifetime=300s
>> 000 ddos-cookies-treshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
>> 000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>,
>> nflog-all=0
>> 000 secctx-attr-type=32001
>> 000 myid = (none)
>> 000 debug parsing+control
>> 000
>> 000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
>> 000 virtual-private (%priv):
>> 000
>> 000 ESP algorithms supported:
>> 000
>> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
>> keysizemax=192
>> 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128,
>> keysizemax=128
>> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
>> keysizemax=0
>> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
>> keysizemax=256
>> 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12,
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16,
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8,
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
>> keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
>> keysizemin=128, keysizemax=256
>> 000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
>> keysizemin=128, keysizemax=128
>> 000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
>> keysizemin=160, keysizemax=160
>> 000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
>> keysizemin=256, keysizemax=256
>> 000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384,
>> keysizemin=384, keysizemax=384
>> 000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512,
>> keysizemin=512, keysizemax=512
>> 000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,
>> keysizemin=160, keysizemax=160
>> 000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC,
>> keysizemin=128, keysizemax=128
>> 000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME,
>> keysizemin=0, keysizemax=0
>> 000
>> 000 IKE algorithms supported:
>> 000
>> 000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=16, v2name=AES_CCM_C,
>> blocksize=16, keydeflen=128
>> 000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=15, v2name=AES_CCM_B,
>> blocksize=16, keydeflen=128
>> 000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=14, v2name=AES_CCM_A,
>> blocksize=16, keydeflen=128
>> 000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3,
>> v2name=3DES, blocksize=8, keydeflen=192
>> 000 algorithm IKE encrypt: v1id=24, v1name=OAKLEY_CAMELLIA_CTR, v2id=24,
>> v2name=CAMELLIA_CTR, blocksize=16, keydeflen=128
>> 000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23,
>> v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
>> 000 algorithm IKE encrypt: v1id=20, v1name=OAKLEY_AES_GCM_C, v2id=20,
>> v2name=AES_GCM_C, blocksize=16, keydeflen=128
>> 000 algorithm IKE encrypt: v1id=19, v1name=OAKLEY_AES_GCM_B, v2id=19,
>> v2name=AES_GCM_B, blocksize=16, keydeflen=128
>> 000 algorithm IKE encrypt: v1id=18, v1name=OAKLEY_AES_GCM_A, v2id=18,
>> v2name=AES_GCM_A, blocksize=16, keydeflen=128
>> 000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13,
>> v2name=AES_CTR, blocksize=16, keydeflen=128
>> 000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12,
>> v2name=AES_CBC, blocksize=16, keydeflen=128
>> 000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC,
>> v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
>> 000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC,
>> v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
>> 000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH,
>> v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
>> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashlen=16
>> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashlen=20
>> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashlen=32
>> 000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashlen=48
>> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashlen=64
>> 000 algorithm IKE hash: id=9, name=DISABLED-OAKLEY_AES_XCBC, hashlen=16
>> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
>> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
>> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
>> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
>> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
>> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
>> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
>> 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
>> 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
>> 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
>> 000
>> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64}
>> trans={0,2,6144} attrs={0,2,4096}
>> 000
>> 000 Connection list:
>> 000
>> 000 "host-prd/0x1": externalIP/32===externalIP<externalIP>[@LIDTECH]---
>> defaultGW...REMOTEIDIP<REMOTEIDIP>===172.25.48.43/32; prospective
>> erouted; eroute owner: #0
>> 000 "host-prd/0x1":     oriented; my_ip=unset; their_ip=unset
>> 000 "host-prd/0x1":   xauth info: us:none, them:none,
>>  my_xauthuser=[any]; their_xauthuser=[any]
>> 000 "host-prd/0x1":   modecfg info: us:none, them:none, modecfg
>> policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
>> 000 "host-prd/0x1":   labeled_ipsec:no;
>> 000 "host-prd/0x1":   policy_label:unset;
>> 000 "host-prd/0x1":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin:
>> 540s; rekey_fuzz: 100%; keyingtries: 0;
>> 000 "host-prd/0x1":   retransmit-interval: 500ms; retransmit-timeout: 60s;
>> 000 "host-prd/0x1":   sha2_truncbug:no; initial_contact:no;
>> cisco_unity:no; send_vendorid:no;
>> 000 "host-prd/0x1":   policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY+
>> UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
>> 000 "host-prd/0x1":   conn_prio: 32,32; interface: eth0; metric: 0; mtu:
>> unset; sa_prio:auto; nflog-group: unset;
>> 000 "host-prd/0x1":   newest ISAKMP SA: #0; newest IPsec SA: #0;
>> 000 "host-prd/0x1":   aliases: host-prd
>> 000 "host-prd/0x1":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-
>> MODP1024(2)
>> 000 "host-prd/0x1":   IKE algorithms found:  3DES_CBC(5)_192-MD5(1)_128-
>> MODP1024(2)
>> 000 "host-prd/0x1":   ESP algorithms wanted: 3DES(3)_000-MD5(1)_000
>> 000 "host-prd/0x1":   ESP algorithms loaded: 3DES(3)_000-MD5(1)_000
>> 000 "host-prd/0x2": externalIP/32===externalIP<externalIP>[@LIDTECH]---
>> defaultGW...REMOTEIDIP<REMOTEIDIP>===172.25.48.36/32; prospective
>> erouted; eroute owner: #0
>> 000 "host-prd/0x2":     oriented; my_ip=unset; their_ip=unset
>> 000 "host-prd/0x2":   xauth info: us:none, them:none,
>>  my_xauthuser=[any]; their_xauthuser=[any]
>> 000 "host-prd/0x2":   modecfg info: us:none, them:none, modecfg
>> policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
>> 000 "host-prd/0x2":   labeled_ipsec:no;
>> 000 "host-prd/0x2":   policy_label:unset;
>> 000 "host-prd/0x2":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin:
>> 540s; rekey_fuzz: 100%; keyingtries: 0;
>> 000 "host-prd/0x2":   retransmit-interval: 500ms; retransmit-timeout: 60s;
>> 000 "host-prd/0x2":   sha2_truncbug:no; initial_contact:no;
>> cisco_unity:no; send_vendorid:no;
>> 000 "host-prd/0x2":   policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY+
>> UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
>> 000 "host-prd/0x2":   conn_prio: 32,32; interface: eth0; metric: 0; mtu:
>> unset; sa_prio:auto; nflog-group: unset;
>> 000 "host-prd/0x2":   newest ISAKMP SA: #0; newest IPsec SA: #0;
>> 000 "host-prd/0x2":   aliases: host-prd
>> 000 "host-prd/0x2":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-
>> MODP1024(2)
>> 000 "host-prd/0x2":   IKE algorithms found:  3DES_CBC(5)_192-MD5(1)_128-
>> MODP1024(2)
>> 000 "host-prd/0x2":   ESP algorithms wanted: 3DES(3)_000-MD5(1)_000
>> 000 "host-prd/0x2":   ESP algorithms loaded: 3DES(3)_000-MD5(1)_000
>> 000
>> 000 Total IPsec connections: loaded 2, active 0
>> 000
>> 000 State Information: DDoS cookies not required, Accepting new IKE
>> connections
>> 000 IKE SAs: total(0), half-open(0), open(0), authenticated(0),
>> anonymous(0)
>> 000 IPsec SAs: total(0), authenticated(0), anonymous(0)
>> 000
>> 000 Bare Shunt list:
>> 000
>>
>> *Here is the last part of an ipsec status before the connection "times
>> out":*
>>
>> 000 #1: "host-prd/0x2":500 STATE_MAIN_I3 (sent MI3, expecting MR3);
>> EVENT_v1_RETRANSMIT in 0s; nodpd; idle; import:admin initiate
>> 000 #1: pending Phase 2 for "mtn-ug-prd/0x1" replacing #0
>> 000 #1: pending Phase 2 for "mtn-ug-prd/0x2" replacing #0
>>
>> My suspicion is that this is a misconfiguration on their end, but I'm not
>> sure what, though...
>>
>> Any advice would be great - thanks in advance
>>
>> Ian
>>
>>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
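A small checker for the conn-file issues discussed in this thread: blank lines inside a conn block (Nick's point), plus two checks a defender would run on the posted configuration anyway (legacy algorithms in ike=/esp=, and whether the ipsec.secrets PSK index actually names the conn's leftid and rightid), and a reader for the stalled STATE_MAIN_I3 line from ipsec status. This is an added example, not code from the thread or from Libreswan; the sample conf, secrets and status line are constructed from the placeholders in the post, and the parser assumes the simple section/name=value layout shown there (it does not handle IPv6 ids in the secrets index).

```python
"""Checker for the ipsec.conf / ipsec.secrets issues raised in this thread.

Added example (not Libreswan code, not the posters' code). Assumes the plain
section layout shown in the post: 'conn NAME' / 'config setup' headers in
column one, name=value lines below them, '#' comments, and PSK lines of the
form 'ID ID : PSK "..."' (IPv6 ids containing ':' are not handled).
"""
import re

# Constructed sample mirroring host-prd.conf from the post, placeholders kept,
# including the blank lines inside the conn block that Nick pointed at.
SAMPLE_CONF = """\
conn host-prd
        left=externalIP
        leftid=@LOCALID
        leftsubnet=externalIP/32

        right=REMOTEIDIP
        rightid=REMOTEIDIP
        rightsubnets={172.25.48.43/32 172.25.48.36/32}

        authby=secret
        ike=3des-md5-modp1024
        esp=3des-md5
        auto=start
"""
SAMPLE_SECRETS = '@LOCALID REMOTEIDIP : PSK "SOMEPSKHERE"\n'
SAMPLE_STATUS = ('000 #1: "host-prd/0x2":500 STATE_MAIN_I3 (sent MI3, expecting MR3); '
                 'EVENT_v1_RETRANSMIT in 0s; nodpd; idle; import:admin initiate')

# Legacy algorithms a defender flags (RFC 8247: MD5 MUST NOT; 3DES, MODP1024 SHOULD NOT).
WEAK_ALGS = {"des", "3des", "md5", "modp768", "modp1024"}
SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")
DIRECTIVES = ("include", "version")

# What a Main Mode initiator that keeps retransmitting in a given state is waiting for.
MAIN_MODE_HINTS = {
    "STATE_MAIN_I1": "no MR1: peer unreachable on UDP 500 or it rejected every IKE proposal",
    "STATE_MAIN_I2": "no MR2: peer did not complete the key exchange (check NAT-T and peer logs)",
    "STATE_MAIN_I3": "no MR3: peer could not verify our ID/HASH; usually PSK or ID mismatch",
}


def parse_conf(text):
    """Return (sections, problems): sections maps name -> {param: value};
    problems lists blank lines that sit between parameters of one section."""
    sections, problems = {}, []
    current, pending_blank = None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()        # drop comments
        m = SECTION_RE.match(line)
        if m:
            current = m.group(2) if m.group(1) == "conn" else "config " + m.group(2)
            sections[current] = {}
            pending_blank = []                      # blanks before a header are fine
            continue
        if not line.strip():
            pending_blank.append(lineno)
            continue
        if line.split()[0] in DIRECTIVES:
            continue
        if current is None:
            problems.append(f"line {lineno}: parameter outside any section")
            continue
        # A parameter after a blank line means the blank line was inside the block.
        problems.extend(f"line {b}: blank line inside section '{current}'" for b in pending_blank)
        pending_blank = []
        if "=" not in line:
            problems.append(f"line {lineno}: expected name=value, got {line.strip()!r}")
            continue
        name, value = (s.strip() for s in line.split("=", 1))
        sections[current][name] = value.strip('"')
    return sections, problems


def weak_algorithms(params):
    """Return (key, token) pairs for legacy tokens in ike=/esp=/phase2alg= strings."""
    found = []
    for key in ("ike", "esp", "phase2alg"):
        for proposal in params.get(key, "").split(","):
            for token in proposal.split("-"):
                for part in token.split(";"):       # 'sha2;modp2048' style
                    if part.lower() in WEAK_ALGS:
                        found.append((key, part.lower()))
    return found


def psk_index_covers(secrets_text, leftid, rightid):
    """True if a 'ids : PSK "..."' line indexes both ids (or is a %any/default entry)."""
    for raw in secrets_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        index, rest = line.split(":", 1)
        if not rest.strip().upper().startswith("PSK"):
            continue
        ids = set(index.split())
        if not ids or "%any" in ids or (leftid in ids and rightid in ids):
            return True
    return False


def stalled_phase1(status_line):
    """Return (state, hint) for a retransmitting Main Mode initiator line, else None."""
    m = re.search(r"\b(STATE_MAIN_I[123])\b.*EVENT_v1_RETRANSMIT", status_line)
    return (m.group(1), MAIN_MODE_HINTS[m.group(1)]) if m else None


def lint(conf_text, secrets_text):
    """Run all checks over every conn section and return the findings as strings."""
    sections, problems = parse_conf(conf_text)
    for name, params in sections.items():
        if name.startswith("config "):
            continue
        for key, tok in weak_algorithms(params):
            problems.append(f"conn {name}: {key}= uses legacy algorithm '{tok}'")
        leftid = params.get("leftid", params.get("left"))
        rightid = params.get("rightid", params.get("right"))
        if params.get("authby") == "secret" and leftid and rightid:
            if not psk_index_covers(secrets_text, leftid, rightid):
                problems.append(f"conn {name}: no PSK line indexed by {leftid} and {rightid}")
    return problems


if __name__ == "__main__":
    for p in lint(SAMPLE_CONF, SAMPLE_SECRETS):
        print(p)
    print(stalled_phase1(SAMPLE_STATUS))
```

On the sample above the checker reports the two blank lines inside the conn block, the five legacy tokens in ike=/esp=, and confirms the PSK line is indexed by the same ids the conn uses; swapping either id in the secrets line makes the last check fail, which is the cheap local test to run before asking the remote side for their logs.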