[Swan] Tunnels coming establishing and dropping quickly

Paul Wouters paul at nohats.ca
Wed May 17 14:18:17 UTC 2017


On Wed, 17 May 2017, Madden, Joe wrote:

> We are having an issue with our Libreswan tunnels. They come up for a short amount of time before dropping off.
>
>
> May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/14x0" #3: STATE_PARENT_I1: sent v2I1, expected v2R1
> May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/12x0" #5: STATE_PARENT_I1: sent v2I1, expected v2R1
> May 17 12:45:44 fw pluto[12003]: "ssl-nissen-1/13x0" #17: received Vendor ID payload [RFC 3947]
> May 17 12:45:44 fw pluto[12003]: "ssl-nissen-1/13x0" #17: received Vendor ID payload [FRAGMENTATION c0000000]
> May 17 12:45:44 fw pluto[12003]: "ssl-nissen-1/13x0" #17: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
> May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/11x0" #6: STATE_PARENT_I1: sent v2I1, expected v2R1

Looks like the other end does not like your proposal?

>
> conn ssl-iptrafficsig-1
>        authby=                 secret
>        auto=                   start
>        type=                   tunnel
>        forceencaps=            no
>        rekeymargin=            3m
>        keyingtries=            %forever
>        salifetime=             8h
>        ikelifetime=            24h
>        ikev2=                  insist
>        initial-contact=        yes
>        send_vendorid=          yes
>
>        #RTT
>        left=           10.59.31.49

Please remove empty lines, those denote that a new conn section starts,
and you might be missing part of your configuration.

>        leftnexthop=    10.59.31.54
>
>        #SAA

Same here.

>        right=          54.247.187.81
>        rightid=        54.247.187.81
>        rightsubnet=    10.199.0.0/28
>        ike=            aes256-sha2_512;modp2048
>        phase2=         esp
>        phase2alg=      aes256-sha2_512;modp2048
>        pfs=            yes
>        sha2_truncbug=  no
>
>        #Dead Peer Detection

And here.

> Strongswan configuration looks like this:
>
>
> ######### Connection to Mott NRTS Gateway-PSK #####
> conn motts_nrts_gateway
>        type=tunnel
>        authby=secret
>        forceencaps=no
>        keyexchange=ikev2
>        left=10.199.0.4
>        leftsubnet=10.199.0.0/28
>        leftid=54.247.187.81
>        #leftfirewall=yes
>        rightfirewall=yes
>        ike=aes256-sha2_512-modp2048
>        esp=aes256-sha2_512-modp2048
>        right=extip
>        rightid=extip
>        rightsubnet=10.1.176.0/25,10.1.178.0/26,10.1.160.64/27,10.1.162.64/27,10.1.170.0/25,10.2.74.64/29,10.2.166.0/26,10.2.130.64/28,10.2.168.10/32,10.2.168.11/32,10.1.172.10/32,10.1.172.11/32,172.21.12.0/26,172.21.13.0/26,172.21.15.0/26,10.2.170.0/26
>        aggressive=no
>        ikelifetime=24h
>        keyingtries=%forever
>        keylife=8h
>        dpdaction=hold
>        auto=start
> ######## End of MOTT NRTS Gateway Connection ###
>
>
> Does anyone have any suggestions as to what could be the issue?

What does the strongswan log say?

Paul
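As an added illustration of the point Paul makes above (this is not code from the thread, from Libreswan or from strongSwan), the small lint below applies the rule as he states it, a blank line ends the current conn section, to a constructed config shaped like the posted one and reports every key=value line that has fallen outside the conn. The sample addresses and the conn name are placeholders, not the poster's values.

```python
import re

# Constructed sample mirroring the shape of the posted conn, including the
# blank lines before the "#RTT" and "#SAA" comments. Values are placeholders.
SAMPLE = """\
conn ssl-example-1
       authby=secret
       ikev2=insist

       #RTT
       left=10.0.0.1
       leftnexthop=10.0.0.2

       #SAA
       right=192.0.2.1
       rightsubnet=10.199.0.0/28
       ike=aes256-sha2_512;modp2048
"""

SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)$")


def parse_sections(text):
    """Return (sections, orphans).

    sections: section name -> {key: value} for lines inside that section.
    orphans:  [(lineno, key)] for key=value lines that are outside any
              section, because a blank line ended the section before them
              (the rule the reply above describes; treated here as given).
    """
    sections, orphans, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.strip() == "":            # blank line: current section ends
            current = None
            continue
        line = raw.split("#", 1)[0].strip()  # drop trailing / whole comments
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                            # "conn NAME" / "config setup"
            current = m.group(2)
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if current is None:
                orphans.append((lineno, key))
            else:
                sections[current][key] = value
    return sections, orphans


def lint(text):
    """Human-readable findings, one per orphaned key."""
    _, orphans = parse_sections(text)
    return [f"line {n}: '{k}' is outside any conn section" for n, k in orphans]
```

Run against the real ipsec.conf, every reported line is a setting Libreswan never attached to the conn, which is the first thing to rule out before comparing proposals with the strongSwan side.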
