[Swan] Tunnels coming establishing and dropping quickly
Madden, Joe
Joe.Madden at mottmac.com
Wed May 17 12:52:27 UTC 2017
Hi All,
We are having an issue with our Libreswan tunnels. They come up for a short amount of time before dropping off.
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/14x0" #3: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/12x0" #5: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-nissen-1/13x0" #17: received Vendor ID payload [RFC 3947]
May 17 12:45:44 fw pluto[12003]: "ssl-nissen-1/13x0" #17: received Vendor ID payload [FRAGMENTATION c0000000]
May 17 12:45:44 fw pluto[12003]: "ssl-nissen-1/13x0" #17: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/11x0" #6: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/10x0" #7: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/15x0" #2: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/13x0" #4: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/4x0" #13: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/16x0" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/5x0" #12: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/7x0" #10: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/8x0" #9: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/3x0" #14: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/9x0" #8: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/1x0" #16: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/6x0" #11: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/2x0" #15: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/14x0" #3: deleting state #35 (STATE_CHILDSA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/14x0" #3: deleting state #3 (STATE_IKESA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/12x0" #5: deleting state #34 (STATE_CHILDSA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/12x0" #5: deleting state #5 (STATE_IKESA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/5x0" #12: deleting state #36 (STATE_CHILDSA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/5x0" #12: deleting state #12 (STATE_IKESA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/13x0" #4: deleting state #39 (STATE_CHILDSA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/13x0" #4: deleting state #4 (STATE_IKESA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/16x0" #1: deleting state #37 (STATE_CHILDSA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/16x0" #1: deleting state #1 (STATE_IKESA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/7x0" #10: deleting state #38 (STATE_CHILDSA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/7x0" #10: deleting state #10 (STATE_IKESA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/15x0" #2: deleting state #43 (STATE_CHILDSA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/15x0" #2: deleting state #2 (STATE_IKESA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/2x0" #15: deleting state #47 (STATE_CHILDSA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/2x0" #15: deleting state #15 (STATE_IKESA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/9x0" #8: deleting state #45 (STATE_CHILDSA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/9x0" #8: deleting state #8 (STATE_IKESA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/10x0" #7: deleting state #46 (STATE_CHILDSA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/10x0" #7: deleting state #7 (STATE_IKESA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/3x0" #14: deleting state #44 (STATE_CHILDSA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/3x0" #14: deleting state #14 (STATE_IKESA_DEL)
May 17 12:45:55 fw pluto[12003]: assign_holdpass() delete_bare_shunt() failed
May 17 12:45:55 fw pluto[12003]: initiate_ondemand_body() failed to install negotiation_shunt,
May 17 12:45:55 fw pluto[12003]: initiate on demand from 10.1.170.43:50051 to 10.199.0.13:123 proto=17 state: fos_start because: acquire
conn ssl-iptrafficsig-1
    authby= secret
    auto= start
    type= tunnel
    forceencaps= no
    rekeymargin= 3m
    keyingtries= %forever
    salifetime= 8h
    ikelifetime= 24h
    ikev2= insist
    initial-contact= yes
    send_vendorid= yes
    #RTT
    left= 10.59.31.49
    leftsubnets= {10.2.170.0/26,10.1.178.0/26,10.1.160.64/27,10.1.162.64/27,10.1.176.0/25,10.1.170.0/25,10.2.166.0/26,10.2.74.64/29,10.2.130.64/28,10.2.168.10/32,10.2.168.11/32,10.1.172.10/32,10.1.172.11/32,172.21.12.0/26,172.21.13.0/26,172.21.15.0/26}
    leftid= 10.59.31.49
    leftnexthop= 10.59.31.54
    #SAA
    right= 54.247.187.81
    rightid= 54.247.187.81
    rightsubnet= 10.199.0.0/28
    ike= aes256-sha2_512;modp2048
    phase2= esp
    phase2alg= aes256-sha2_512;modp2048
    pfs= yes
    sha2_truncbug= no
    #Dead Peer Detection
    dpddelay= 30
    dpdtimeout= 120
    dpdaction= hold
Strongswan configuration looks like this:
######### Connection to Mott NRTS Gateway-PSK #####
conn motts_nrts_gateway
    type=tunnel
    authby=secret
    forceencaps=no
    keyexchange=ikev2
    left=10.199.0.4
    leftsubnet=10.199.0.0/28
    leftid=54.247.187.81
    #leftfirewall=yes
    rightfirewall=yes
    ike=aes256-sha2_512-modp2048
    esp=aes256-sha2_512-modp2048
    right=extip
    rightid=extip
    rightsubnet=10.1.176.0/25,10.1.178.0/26,10.1.160.64/27,10.1.162.64/27,10.1.170.0/25,10.2.74.64/29,10.2.166.0/26,10.2.130.64/28,10.2.168.10/32,10.2.168.11/32,10.1.172.10/32,10.1.172.11/32,172.21.12.0/26,172.21.13.0/26,172.21.15.0/26,10.2.170.0/26
    aggressive=no
    ikelifetime=24h
    keyingtries=%forever
    keylife=8h
    dpdaction=hold
    auto=start
######## End of MOTT NRTS Gateway Connection ###
Does anyone have any suggestions as to what could be the issue?
Thanks
Joe
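
Added example (not part of the original post): a small Python helper that summarises pluto log lines like the ones above per connection, reporting the seconds between a "sent v2I1" line and the following STATE_IKESA_DEL and how many child SAs were deleted. The sample log is constructed in the same format; the function names, connection names and the year default are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same syslog/pluto format as the post.
SAMPLE_LOG = """\
May 17 12:45:44 fw pluto[12003]: "conn-a/1x0" #3: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "conn-a/2x0" #5: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:55 fw pluto[12003]: "conn-a/1x0" #3: deleting state #35 (STATE_CHILDSA_DEL)
May 17 12:45:55 fw pluto[12003]: "conn-a/1x0" #3: deleting state #3 (STATE_IKESA_DEL)
May 17 12:45:55 fw pluto[12003]: assign_holdpass() delete_bare_shunt() failed
"""

# timestamp, host, pluto[pid], "connection/instance", #state serial, message
LINE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$'
)
DELETE = re.compile(r'deleting state #(\d+) \((STATE_\w+)\)')

def summarize(log_text, year=2017):
    """Group pluto lines by connection name and record key events."""
    conns = defaultdict(
        lambda: {"sent_i1": None, "ike_deleted": None, "child_deleted": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # global pluto messages carry no connection name
        # syslog timestamps omit the year, so it is supplied by the caller
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        rec = conns[m["conn"]]
        if "sent v2I1" in m["msg"]:
            rec["sent_i1"] = when
        d = DELETE.search(m["msg"])
        if d and d.group(2) == "STATE_IKESA_DEL":
            rec["ike_deleted"] = when
        elif d and d.group(2) == "STATE_CHILDSA_DEL":
            rec["child_deleted"] += 1
    return dict(conns)

def seconds_until_teardown(rec):
    """Seconds from the last 'sent v2I1' line to IKE SA deletion, or None."""
    if rec["sent_i1"] and rec["ike_deleted"]:
        return (rec["ike_deleted"] - rec["sent_i1"]).total_seconds()
    return None

if __name__ == "__main__":
    for name, rec in sorted(summarize(SAMPLE_LOG).items()):
        print(name, seconds_until_teardown(rec), rec["child_deleted"])
```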