[Swan] Tunnels coming establishing and dropping quickly
Paul Wouters
paul at nohats.ca
Wed May 17 14:18:17 UTC 2017
On Wed, 17 May 2017, Madden, Joe wrote:
> We are having an issue with our Libreswan tunnels. They come up for a short amount of time before dropping off.
>
>
> May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/14x0" #3: STATE_PARENT_I1: sent v2I1, expected v2R1
> May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/12x0" #5: STATE_PARENT_I1: sent v2I1, expected v2R1
> May 17 12:45:44 fw pluto[12003]: "ssl-nissen-1/13x0" #17: received Vendor ID payload [RFC 3947]
> May 17 12:45:44 fw pluto[12003]: "ssl-nissen-1/13x0" #17: received Vendor ID payload [FRAGMENTATION c0000000]
> May 17 12:45:44 fw pluto[12003]: "ssl-nissen-1/13x0" #17: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
> May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/11x0" #6: STATE_PARENT_I1: sent v2I1, expected v2R1
Looks like the other end does not like your proposal?
>
> conn ssl-iptrafficsig-1
> authby= secret
> auto= start
> type= tunnel
> forceencaps= no
> rekeymargin= 3m
> keyingtries= %forever
> salifetime= 8h
> ikelifetime= 24h
> ikev2= insist
> initial-contact= yes
> send_vendorid= yes
>
> #RTT
> left= 10.59.31.49
Please remove empty lines, those denote that a new conn section starts,
and you might be missing part of your configuration.
> leftnexthop= 10.59.31.54
>
> #SAA
Same here.
> right= 54.247.187.81
> rightid= 54.247.187.81
> rightsubnet= 10.199.0.0/28
> ike= aes256-sha2_512;modp2048
> phase2= esp
> phase2alg= aes256-sha2_512;modp2048
> pfs= yes
> sha2_truncbug= no
>
> #Dead Peer Detection
And here.
> strongSwan configuration looks like this:
>
>
> ######### Connection to Mott NRTS Gateway-PSK #####
> conn motts_nrts_gateway
> type=tunnel
> authby=secret
> forceencaps=no
> keyexchange=ikev2
> left=10.199.0.4
> leftsubnet=10.199.0.0/28
> leftid=54.247.187.81
> #leftfirewall=yes
> rightfirewall=yes
> ike=aes256-sha2_512-modp2048
> esp=aes256-sha2_512-modp2048
> right=extip
> rightid=extip
> rightsubnet=10.1.176.0/25,10.1.178.0/26,10.1.160.64/27,10.1.162.64/27,10.1.170.0/25,10.2.74.64/29,10.2.166.0/26,10.2.130.64/28,10.2.168.10/32,10.2.168.11/32,10.1.172.10/32,10.1.172.11/32,172.21.12.0/26,172.21.13.0/26,172.21.15.0/26,10.2.170.0/26
> aggressive=no
> ikelifetime=24h
> keyingtries=%forever
> keylife=8h
> dpdaction=hold
> auto=start
> ######## End of MOTT NRTS Gateway Connection ###
>
>
> Does anyone have any suggestions to what could be the issue?
What does the strongswan log say?
Paul
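To make Paul's two points checkable rather than eyeballed, here is a small lint that is not part of the thread or of either project: it splits an ipsec.conf fragment using the rule he states (a blank line ends the open conn section), reports parameters that land outside any section, and normalizes the Libreswan `enc-integ;dh` and strongSwan `enc-integ-dh` proposal syntaxes into comparable tuples so the two sides' `ike=`/`esp=` lines can be compared. The embedded config is a constructed, abbreviated copy of the conn posted above with its blank lines kept; the PRF/AEAD handling is deliberately simplified and is an assumption, not the parsers used by either daemon.

```python
import re

# Constructed sample: an abbreviated copy of the Libreswan conn from the thread,
# with the blank lines left in exactly where they appeared.
LIBRESWAN_CONF = """\
conn ssl-iptrafficsig-1
	authby= secret
	ikev2= insist
	ike= aes256-sha2_512;modp2048
	phase2alg= aes256-sha2_512;modp2048

	#RTT
	left= 10.59.31.49
	leftnexthop= 10.59.31.54

	#SAA
	right= 54.247.187.81
	rightsubnet= 10.199.0.0/28
"""

BLANK = re.compile(r"^\s*$")
HEADER = re.compile(r"^(conn|config)\s+(\S+)\s*$")
PARAM = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")
DH_GROUP = re.compile(r"^(modp|ecp|dh|curve)\w*$")
REQUIRED = ("left", "right", "authby")


def split_sections(text):
    """Split an ipsec.conf fragment under the rule stated in the thread:
    a section runs from its header until the next header or the next blank
    line. Parameters that follow a blank line without a new header are
    collected as 'orphans' because the daemon would not attach them."""
    sections, current, closed = [], None, False
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue                      # comment lines never affect sections
        if BLANK.match(raw):
            closed = current is not None  # blank line ends the open section
            continue
        m = HEADER.match(raw)
        if m:
            current = {"name": m.group(2), "params": {}, "orphans": {}}
            sections.append(current)
            closed = False
            continue
        m = PARAM.match(raw)
        if m and current is not None:
            target = current["orphans"] if closed else current["params"]
            target[m.group(1)] = m.group(2)
    return sections


def lint(text):
    """Return human-readable findings: orphaned parameters and missing basics."""
    findings = []
    for s in split_sections(text):
        if s["orphans"]:
            findings.append("conn %s: parameters after a blank line are not in the section: %s"
                            % (s["name"], ", ".join(s["orphans"])))
        missing = [k for k in REQUIRED if k not in s["params"]]
        if missing:
            findings.append("conn %s: missing %s" % (s["name"], ", ".join(missing)))
    return findings


def parse_proposal(value, dialect):
    """Normalize an ike=/esp= string into a set of (enc, integ, dh) tuples.
    Libreswan: 'enc-integ;dh' alternatives separated by ','.
    strongSwan: 'enc-integ-dh' alternatives separated by ','.
    Assumption: PRF and AEAD forms are not modelled in this toy."""
    out = set()
    for alt in value.replace(" ", "").split(","):
        if dialect == "libreswan":
            algs, _, dh = alt.partition(";")
            parts = algs.split("-")
        elif dialect == "strongswan":
            parts = alt.split("-")
            dh = parts.pop() if len(parts) > 1 and DH_GROUP.match(parts[-1]) else ""
        else:
            raise ValueError("unknown dialect: %s" % dialect)
        enc = parts[0]
        integ = parts[1] if len(parts) > 1 else ""
        out.add((enc, integ, dh))
    return out


def common_proposals(a, b):
    """Proposals both peers would accept; empty means no overlap."""
    return a & b


if __name__ == "__main__":
    for line in lint(LIBRESWAN_CONF):
        print("LINT:", line)
    # The two ike= lines from the thread, one per dialect.
    lib = parse_proposal("aes256-sha2_512;modp2048", "libreswan")
    ss = parse_proposal("aes256-sha2_512-modp2048", "strongswan")
    print("common IKE proposals:", common_proposals(lib, ss) or "none")
```

With the blank lines removed (`LIBRESWAN_CONF.replace("\n\n", "\n")`) the lint is clean, and the proposal check shows that the algorithm strings on the two sides are equivalent, which narrows the hunt to the configuration split or to the strongSwan side's log as Paul suggests.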