[Swan] Error with LibreSwan to Huawei VRP Connection

Nick Howitt nick at howitts.co.uk
Sun Nov 6 14:49:03 UTC 2016


Hi Ian,

Sorry to have abandoned you. I was away for a bit and the post is 
impossible to read on a phone.

I don't know how much I can help as I am not sure if this is a 
subnet-subnet connection or one of the new VTI connections. If it is 
VTI, I can't begin to help.

One thing I have noticed is a mismatch in the phase 2 configuration. You 
are demanding md5 and they are configured to send sha1. I think it is 
odd that they use md5 for phase 1 and sha1 for phase 2 but there is 
nothing wrong with it. You could open your end to accept sha1 or both or 
get them to change their end.

Their log is also complaining of "localid-1-25 missing". Do you need to 
set them at all? They generally default to the local WAN IP.

Nick
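
Nick's phase 2 point above, as an added example that is not code from the thread, from Libreswan or from Huawei: a small Python checker that pulls the phase 1 (`ike=`) and phase 2 (`esp=`) proposals out of a Libreswan conn block and the `ike proposal` / `ipsec proposal` stanzas out of a Huawei VRP config, normalises the DH group spelling (`modp1024` vs `group2`), and reports any phase where the two ends share no proposal. The two config samples are reconstructed from the thread with its placeholders kept; the DH name mapping, the accepted syntax and the `FIXED_CONN` line are assumptions of this example. It compares proposals only, not the ACL/subnet selectors or lifetimes.

```python
"""Cross-check IKE (phase 1) and ESP (phase 2) proposals between a Libreswan
conn block and a Huawei VRP configuration.

Added example for the thread above; not code from Libreswan or Huawei.
Assumptions: Libreswan proposal strings are comma-separated 'enc-integ[-dh]'
items; Huawei stanzas use 'encryption-algorithm', 'authentication-algorithm'
and 'dh group<N>' (or 'dh-group<N>' as pasted in the thread)."""
import re

# Assumed name mapping between the two vendors' DH group spellings.
DH_ALIASES = {"group2": "modp1024", "dh2": "modp1024",
              "group5": "modp1536", "dh5": "modp1536",
              "group14": "modp2048", "dh14": "modp2048"}

# Constructed sample: the conn from the thread, placeholders kept.
LIBRESWAN_CONN = """
conn host-prd
    ike=3des-md5-modp1024
    ikelifetime="28800"
    esp=3des-md5
    keylife="3600"
    pfs=no
"""

# Constructed sample: the Huawei VRP proposals posted by the remote side.
HUAWEI_CONFIG = """
ike proposal 10
 encryption-algorithm 3des
 authentication-algorithm md5
 dh-group2
 sa duration 28800
ipsec proposal LOCALID
 encapsulation-mode tunnel
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
"""

# Assumed fix on the Libreswan side: accept sha1 as well as md5 for ESP.
FIXED_CONN = LIBRESWAN_CONN.replace("esp=3des-md5", "esp=3des-sha1,3des-md5")


def parse_libreswan(conn_text):
    """Return {'ike': [(enc, integ, dh)], 'esp': [(enc, integ)]} from ike=/esp= lines."""
    out = {"ike": [], "esp": []}
    for key in ("ike", "esp"):
        match = re.search(r"^\s*%s=(\S+)" % key, conn_text, re.M)
        if not match:
            continue
        for proposal in match.group(1).lower().split(","):
            parts = proposal.split("-")
            if key == "ike":
                dh = parts[2] if len(parts) > 2 else None
                out["ike"].append((parts[0], parts[1], DH_ALIASES.get(dh, dh)))
            else:
                out["esp"].append((parts[0], parts[1]))
    return out


def parse_huawei(cfg_text):
    """Return the same shape from 'ike proposal' and 'ipsec proposal' stanzas."""
    out = {"ike": [], "esp": []}
    section, cur = None, {}
    # The sentinel line flushes the last stanza without being parsed itself.
    for raw in cfg_text.splitlines() + ["ike proposal END"]:
        line = raw.strip().lower()
        if line.startswith(("ike proposal", "ipsec proposal")):
            if section == "ike":
                out["ike"].append((cur.get("enc"), cur.get("integ"), cur.get("dh")))
            elif section == "esp":
                out["esp"].append((cur.get("enc"), cur.get("integ")))
            section = "ike" if line.startswith("ike") else "esp"
            cur = {}
            continue
        if section is None:
            continue
        alg = re.match(r"(?:esp )?(encryption|authentication)-algorithm (\S+)", line)
        if alg:
            cur["enc" if alg.group(1) == "encryption" else "integ"] = alg.group(2)
            continue
        dh = re.match(r"dh[ -]?(group\d+)", line)
        if dh:
            cur["dh"] = DH_ALIASES.get(dh.group(1), dh.group(1))
    return out


def compare_proposals(libreswan_conn, huawei_config):
    """List the phases where the two sides share no proposal (empty = compatible)."""
    ours, theirs = parse_libreswan(libreswan_conn), parse_huawei(huawei_config)
    problems = []
    for phase in ("ike", "esp"):
        if not set(ours[phase]) & set(theirs[phase]):
            problems.append("%s: no common proposal (libreswan %s vs huawei %s)"
                            % (phase, ours[phase], theirs[phase]))
    return problems


if __name__ == "__main__":
    for name, conn in (("as posted", LIBRESWAN_CONN),
                       ("with esp=3des-sha1,3des-md5", FIXED_CONN)):
        print(name, "->", compare_proposals(conn, HUAWEI_CONFIG) or "proposals compatible")
```

Run against the thread's settings it flags only the ESP phase (3des-md5 on the Libreswan side against 3des-sha1 on the Huawei side) and passes phase 1; with `esp=3des-sha1,3des-md5` on the Libreswan side it reports nothing, which is the "accept sha1 or both" option Nick describes.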

On 02/11/2016 19:39, Ian Barnes wrote:
> Hi All,
>
> I've got a breakdown of the configs from the remote end:
> ACL name LOCALID
> rule permit ip source 172.25.48.43 0 destination 10.0.64.66 0
> rule permit ip source 172.25.48.36 0 destination 10.0.64.66
> rule permit ip source 172.25.48.43 0 destination 10.0.64.1
> rule permit ip source 172.25.48.36 0 destination 10.0.64.1
> rule permit ip source 172.25.48.43 0 destination 10.0.64.10
> rule permit ip source 172.25.48.36 0 destination 10.0.64.10
> rule permit ip source 172.25.48.43 0 destination 10.0.64.201
> rule permit ip source 172.25.48.36 0 destination 10.0.64.201
>
> Ike Proposal 10
> encryption-algorithm 3des
> authentication-algorithm md5
> dh-group2
> sa duration 28800
>
> ike peer LOCALID
> pre-shared key "SOMEPSKHERE"
> ike-proposal 10
> remote-address externalIP
>
> remote-id LOCALID
> Local-id-type ip
>
> ipsec proposal LOCALID
> encapsulation-mode tunnel
> esp authentication-algorithm sha1
> esp encryption-algorithm 3des
>
> ipsec policy LOCALID 1 isakmp
> security acl name LOCALID
> ike-peer LOCALID
> proposal LOCALID
> sa duration time-based 3600
>
> interface Tunnel 0/0/41
> ip address remoteIDIP 255.255.255.255
> tunnel-protocol ipsec
> ipsec policy LOCALID
>
> ip route-static 10.0.64.136 255.255.255.255 Tunnel0/0/41 externalIP
> ip route-static 10.0.64.1 255.255.255.255 Tunnel0/0/41 externalIP
> ip route-static 10.0.64.10 255.255.255.255 Tunnel0/0/41 externalIP
> ip route-static 10.0.64.201 255.255.255.255 Tunnel0/0/41 externalIP
> ip route-static 10.0.64.137 255.255.255.255 Tunnel0/0/41 externalIP
> ip route-static 10.0.64.66 255.255.255.255 Tunnel0/0/41 externalIP
>
> And here are the remote Huawei logs: http://pastebin.com/G90q7Aed
>
> Any ideas as to what could be wrong would be great - quite stuck at 
> the moment!
>
> Regards
> Ian
>
>
> On Wed, Nov 2, 2016 at 10:32 AM Ian Barnes <ian.lidtech at gmail.com> wrote:
>
>     Hi Nick,
>
>     That was part of debugging over the last few days trying to see if
>     it made any difference - but it didn't. The connection itself never
>     gets established, it just sits pending phase 2 and then stops
>     after 10 attempts.
>
>     Cheers
>     Ian
>
>
>     On Wed, Nov 2, 2016 at 10:26 AM Nick Howitt <nick at howitts.co.uk> wrote:
>
>         How long is the connection running before it times out? 1h? Is
>         there any reason you've set rekey=no?
>
>         Nick
>
>         On 2016-11-02 07:31, Ian Barnes wrote:
>         > Hi Nick,
>         >
>         > Great, thanks for the feedback. I've removed all spaces and
>         > am seeing the same result. I'm awaiting some logs from the
>         > remote which I'll forward on as soon as I get them.
>         >
>         > Regards
>         > Ian
>         >
>         > On Wed, Nov 2, 2016 at 9:22 AM, Nick Howitt <nick at howitts.co.uk> wrote:
>         >
>         >> Don't have any blank lines in a conn definition.
>         >>
>         >> On 2 November 2016 02:54:43 GMT+00:00, Ian Barnes <ian.lidtech at gmail.com> wrote:
>         >>
>         >>> Hi All,
>         >>>
>         >>> I'm having huge issues setting up an IPSec tunnel from a
>         >>> Libreswan system to a Huawei VRP device and was hoping someone
>         >>> could assist me in pinpointing what the error is
>         >>>
>         >>> Here are the logs from the connection:
>         >>> http://pastebin.com/vCY5GLG0
>         >>>
>         >>> HERE IS MY IPSEC.CONF
>         >>> #
>         >>>
>         >>> version 2.0 # conforms to second version of ipsec.conf specification
>         >>>
>         >>> # basic configuration
>         >>> config setup
>         >>> nat_traversal=yes
>         >>>
>         >>> virtual_private=%v:10.0.0.0/16
>         >>> oe=off
>         >>> protostack=netkey
>         >>>
>         >>> interfaces=%defaultroute
>         >>> klipsdebug=none
>         >>> uniqueids=yes
>         >>>
>         >>> plutodebug="control parsing"
>         >>> plutostderrlog=/var/log/ipsec.log
>         >>>
>         >>> #You may put your configuration (.conf) file in the
>         >>> "/etc/ipsec.d/" and uncomment this.
>         >>> include /etc/ipsec.d/*.conf
>         >>>
>         >>> HERE IS MY HOST-PRD.CONF
>         >>>
>         >>> conn host-prd
>         >>> ##### Local
>         >>> left=externalIP
>         >>> leftid=@LOCALID
>         >>> leftsubnet=externalIP/32
>         >>> leftnexthop=%defaultroute
>         >>>
>         >>> ##### Remote
>         >>> right=REMOTEIDIP
>         >>> rightid=REMOTEIDIP
>         >>> rightsubnets={172.25.48.43/32 172.25.48.36/32}
>         >>> rightnexthop=%defaultroute
>         >>>
>         >>> ##### Auth Options
>         >>> authby=secret
>         >>> rekey=no
>         >>> aggrmode=no
>         >>> forceencaps=no
>         >>>
>         >>> ##### Phase 1
>         >>> ike=3des-md5-modp1024
>         >>> ikelifetime="28800"
>         >>>
>         >>> ##### Phase 2
>         >>> esp=3des-md5
>         >>> keylife="3600"
>         >>> pfs=no
>         >>>
>         >>> ##### Connection Options
>         >>> type=tunnel
>         >>> auto=start
>         >>> compress=no
>         >>>
>         >>> HERE IS MY IPSEC.SECRETS
>         >>> @LOCALID REMOTEIDIP : PSK "SOMEPSKHERE"
>         >>>
>         >>> HERE IS AN IPSEC VERIFY (SIDE NOTE: I CANT FIND THE ERRORS?!)
>         >>>
>         >>> Verifying installed system and configuration files
>         >>>
>         >>> Version check and ipsec on-path      [OK]
>         >>> Libreswan 3.15 (netkey) on 2.6.32-504.16.2.el6.x86_64
>         >>> Checking for IPsec support in kernel      [OK]
>         >>> NETKEY: Testing XFRM related proc values
>         >>> ICMP default/send_redirects  [OK]
>         >>> ICMP default/accept_redirects  [OK]
>         >>> XFRM larval drop                         [OK]
>         >>> Pluto ipsec.conf syntax      [OK]
>         >>> Hardware random device      [N/A]
>         >>> Two or more interfaces found, checking IP forwarding [OK]
>         >>> Checking rp_filter      [ENABLED]
>         >>> /proc/sys/net/ipv4/conf/default/rp_filter      [ENABLED]
>         >>> /proc/sys/net/ipv4/conf/lo/rp_filter    [ENABLED]
>         >>> /proc/sys/net/ipv4/conf/eth0/rp_filter    [ENABLED]
>         >>> /proc/sys/net/ipv4/conf/eth1/rp_filter    [ENABLED]
>         >>> rp_filter is not fully aware of IPsec and should be disabled
>         >>> Checking that pluto is running      [OK]
>         >>> Pluto listening for IKE on udp 500    [OK]
>         >>> Pluto listening for IKE/NAT-T on udp 4500      [OK]
>         >>> Pluto ipsec.secret syntax      [OK]
>         >>> Checking 'ip' command      [OK]
>         >>> Checking 'iptables' command      [OK]
>         >>> Checking 'prelink' command does not interfere with FIPS
>         >>> Checking for obsolete ipsec.conf options  [OK]
>         >>> Opportunistic Encryption      [DISABLED]
>         >>>
>         >>> ipsec verify: encountered 9 errors - see 'man ipsec_verify' for help
>         >>>
>         >>> HERE IS AN IPSEC STATUS AFTER A FEW MINUTES
>         >>>
>         >>> 000 using kernel interface: netkey
>         >>> 000 interface lo/lo ::1 at 500
>         >>> 000 interface lo/lo 127.0.0.1 at 4500
>         >>> 000 interface lo/lo 127.0.0.1 at 500
>         >>> 000 interface eth0/eth0 externalIP at 4500
>         >>> 000 interface eth0/eth0 externalIP at 500
>         >>> 000 interface eth1/eth1 10.0.64.10 at 4500
>         >>> 000 interface eth1/eth1 10.0.64.10 at 500
>         >>> 000
>         >>> 000
>         >>> 000 fips mode=disabled;
>         >>> 000 SElinux=disabled
>         >>> 000
>         >>> 000 config setup options:
>         >>> 000
>         >>> 000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto, statsbin=unset
>         >>> 000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
>         >>> 000 pluto_version=3.15, pluto_vendorid=OE-Libreswan-3.15
>         >>> 000 nhelpers=-1, uniqueids=yes, perpeerlog=no, shuntlifetime=900s, xfrmlifetime=300s
>         >>> 000 ddos-cookies-treshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
>         >>> 000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
>         >>> 000 secctx-attr-type=32001
>         >>> 000 myid = (none)
>         >>> 000 debug parsing+control
>         >>> 000
>         >>> 000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
>         >>> 000 virtual-private (%priv):
>         >>> 000
>         >>> 000 ESP algorithms supported:
>         >>> 000
>         >>> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
>         >>> 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128
>         >>> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
>         >>> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
>         >>> 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
>         >>> 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
>         >>> 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
>         >>> 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
>         >>> 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
>         >>> 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=128, keysizemax=256
>         >>> 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=128, keysizemax=256
>         >>> 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
>         >>> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
>         >>> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
>         >>> 000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
>         >>> 000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
>         >>> 000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
>         >>> 000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
>         >>> 000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
>         >>> 000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
>         >>> 000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC, keysizemin=128, keysizemax=128
>         >>> 000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
>         >>> 000
>         >>> 000 IKE algorithms supported:
>         >>> 000
>         >>> 000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=16, v2name=AES_CCM_C, blocksize=16, keydeflen=128
>         >>> 000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=15, v2name=AES_CCM_B, blocksize=16, keydeflen=128
>         >>> 000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=14, v2name=AES_CCM_A, blocksize=16, keydeflen=128
>         >>> 000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
>         >>> 000 algorithm IKE encrypt: v1id=24, v1name=OAKLEY_CAMELLIA_CTR, v2id=24, v2name=CAMELLIA_CTR, blocksize=16, keydeflen=128
>         >>> 000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
>         >>> 000 algorithm IKE encrypt: v1id=20, v1name=OAKLEY_AES_GCM_C, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
>         >>> 000 algorithm IKE encrypt: v1id=19, v1name=OAKLEY_AES_GCM_B, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
>         >>> 000 algorithm IKE encrypt: v1id=18, v1name=OAKLEY_AES_GCM_A, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
>         >>> 000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
>         >>> 000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
>         >>> 000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
>         >>> 000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
>         >>> 000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
>         >>> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashlen=16
>         >>> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashlen=20
>         >>> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashlen=32
>         >>> 000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashlen=48
>         >>> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashlen=64
>         >>> 000 algorithm IKE hash: id=9, name=DISABLED-OAKLEY_AES_XCBC, hashlen=16
>         >>> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
>         >>> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
>         >>> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
>         >>> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
>         >>> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
>         >>> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
>         >>> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
>         >>> 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
>         >>> 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
>         >>> 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
>         >>> 000
>         >>> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64} trans={0,2,6144} attrs={0,2,4096}
>         >>> 000
>         >>> 000 Connection list:
>         >>> 000
>         >>> 000 "host-prd/0x1": externalIP/32===externalIP<externalIP>[@LIDTECH]---defaultGW...REMOTEIDIP<REMOTEIDIP>===172.25.48.43/32; prospective erouted; eroute owner: #0
>         >>> 000 "host-prd/0x1":     oriented; my_ip=unset; their_ip=unset
>         >>> 000 "host-prd/0x1":   xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
>         >>> 000 "host-prd/0x1":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
>         >>> 000 "host-prd/0x1":   labeled_ipsec:no;
>         >>> 000 "host-prd/0x1":   policy_label:unset;
>         >>> 000 "host-prd/0x1":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
>         >>> 000 "host-prd/0x1":   retransmit-interval: 500ms; retransmit-timeout: 60s;
>         >>> 000 "host-prd/0x1":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
>         >>> 000 "host-prd/0x1":   policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
>         >>> 000 "host-prd/0x1":   conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
>         >>> 000 "host-prd/0x1":   newest ISAKMP SA: #0; newest IPsec SA: #0;
>         >>> 000 "host-prd/0x1":   aliases: host-prd
>         >>> 000 "host-prd/0x1":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2)
>         >>> 000 "host-prd/0x1":   IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
>         >>> 000 "host-prd/0x1":   ESP algorithms wanted: 3DES(3)_000-MD5(1)_000
>         >>> 000 "host-prd/0x1":   ESP algorithms loaded: 3DES(3)_000-MD5(1)_000
>         >>> 000 "host-prd/0x2": externalIP/32===externalIP<externalIP>[@LIDTECH]---defaultGW...REMOTEIDIP<REMOTEIDIP>===172.25.48.36/32; prospective erouted; eroute owner: #0
>         >>> 000 "host-prd/0x2":     oriented; my_ip=unset; their_ip=unset
>         >>> 000 "host-prd/0x2":   xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
>         >>> 000 "host-prd/0x2":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
>         >>> 000 "host-prd/0x2":   labeled_ipsec:no;
>         >>> 000 "host-prd/0x2":   policy_label:unset;
>         >>> 000 "host-prd/0x2":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
>         >>> 000 "host-prd/0x2":   retransmit-interval: 500ms; retransmit-timeout: 60s;
>         >>> 000 "host-prd/0x2":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
>         >>> 000 "host-prd/0x2":   policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
>         >>> 000 "host-prd/0x2":   conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
>         >>> 000 "host-prd/0x2":   newest ISAKMP SA: #0; newest IPsec SA: #0;
>         >>> 000 "host-prd/0x2":   aliases: host-prd
>         >>> 000 "host-prd/0x2":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2)
>         >>> 000 "host-prd/0x2":   IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
>         >>> 000 "host-prd/0x2":   ESP algorithms wanted: 3DES(3)_000-MD5(1)_000
>         >>> 000 "host-prd/0x2":   ESP algorithms loaded: 3DES(3)_000-MD5(1)_000
>         >>> 000
>         >>> 000 Total IPsec connections: loaded 2, active 0
>         >>> 000
>         >>> 000 State Information: DDoS cookies not required, Accepting new IKE connections
>         >>> 000 IKE SAs: total(0), half-open(0), open(0), authenticated(0), anonymous(0)
>         >>> 000 IPsec SAs: total(0), authenticated(0), anonymous(0)
>         >>> 000
>         >>> 000 Bare Shunt list:
>         >>> 000
>         >>>
>         >>> HERE IS THE LAST PART OF AN IPSEC STATUS BEFORE THE CONNECTION
>         >>> "TIMES OUT":
>         >>>
>         >>> 000 #1: "host-prd/0x2":500 STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_v1_RETRANSMIT in 0s; nodpd; idle; import:admin initiate
>         >>> 000 #1: pending Phase 2 for "mtn-ug-prd/0x1" replacing #0
>         >>> 000 #1: pending Phase 2 for "mtn-ug-prd/0x2" replacing #0
>         >>>
>         >>> My suspicion is that this is a misconfiguration on their end,
>         >>> but not sure what though...
>         >>>
>         >>> Any advice would be great - thanks in advance
>         >>>
>         >>> Ian
>         >>>
>         >>> -------------------------
>         >>>
>         >>> Swan mailing list
>         >>> Swan at lists.libreswan.org
>         >>> https://lists.libreswan.org/mailman/listinfo/swan
>         >>
>         >> --
>         >> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>         >
>


