[Swan] STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response

Alex mysqlstudent at gmail.com
Tue May 29 20:37:31 UTC 2018


Hi,

I have a Fedora 27 system with libreswan-3.23-1.fc27.x86_64 on the
local side and libreswan-3.22-1.fc25.x86_64 on the remote side, and I
am having a problem with my site-to-site VPN. It was working until about
two hours ago and something changed. I have no idea what's causing the
problem or what's changed, and I hoped someone could help.

I have mail pending on a server on the other side of the VPN that I
now can't access.

May 29 16:30:04 orion pluto[14295]: assign_holdpass() delete_bare_shunt() failed
May 29 16:30:04 orion pluto[14295]: initiate_ondemand_body() failed to
install negotiation_shunt,
May 29 16:30:04 orion pluto[14295]: initiate on demand from
192.168.1.7:8 to 64.1.11.5:0 proto=1 because: acquire
May 29 16:30:08 orion pluto[14295]: "VPN-GDHQ-GDXO" #24:
STATE_MAIN_I1: retransmission; will wait 32 seconds for response
May 29 16:30:40 orion pluto[14295]: "VPN-GDHQ-GDXO" #24:
STATE_MAIN_I1: 60 second timeout exceeded after 7 retransmits.  No
response (or no acceptable response) to our first IKEv1 message
May 29 16:30:40 orion pluto[14295]: "VPN-GDHQ-GDXO" #24: starting
keying attempt 25 of an unlimited number
May 29 16:30:40 orion pluto[14295]: "VPN-GDHQ-GDXO" #25: initiating
Main Mode to replace #24
May 29 16:30:40 orion pluto[14295]: "VPN-GDHQ-GDXO" #24: deleting
state (STATE_MAIN_I1)
May 29 16:30:41 orion pluto[14295]: "VPN-GDHQ-GDXO" #25:
STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response
May 29 16:30:41 orion pluto[14295]: "VPN-GDHQ-GDXO" #25:
STATE_MAIN_I1: retransmission; will wait 1 seconds for response
May 29 16:30:42 orion pluto[14295]: "VPN-GDHQ-GDXO" #25:
STATE_MAIN_I1: retransmission; will wait 2 seconds for response
May 29 16:30:44 orion pluto[14295]: "VPN-GDHQ-GDXO" #25:
STATE_MAIN_I1: retransmission; will wait 4 seconds for response
May 29 16:30:48 orion pluto[14295]: "VPN-GDHQ-GDXO" #25:
STATE_MAIN_I1: retransmission; will wait 8 seconds for response
May 29 16:30:56 orion pluto[14295]: "VPN-GDHQ-GDXO" #25:
STATE_MAIN_I1: retransmission; will wait 16 seconds for response

My ipsec whack status and current configuration are below. I've changed
our domain to 'example'. orion.example.com is the local side.

000 using kernel interface: netkey
000 interface br0/br0 ::ec4:7aff:fea9:18de at 500
000 interface lo/lo ::1 at 500
000 interface lo/lo 127.0.0.1 at 4500
000 interface lo/lo 127.0.0.1 at 500
000 interface eth1/eth1 192.168.1.1 at 4500
000 interface eth1/eth1 192.168.1.1 at 500
000 interface eth1:2/eth1:2 192.168.6.1 at 4500
000 interface eth1:2/eth1:2 192.168.6.1 at 500
000 interface eth1:0/eth1:0 192.168.1.2 at 4500
000 interface eth1:0/eth1:0 192.168.1.2 at 500
000 interface eth1:1/eth1:1 192.168.1.100 at 4500
000 interface eth1:1/eth1:1 192.168.1.100 at 500
000 interface eth1:3/eth1:3 192.168.1.101 at 4500
000 interface eth1:3/eth1:3 192.168.1.101 at 500
000 interface br0/br0 68.195.199.42 at 4500
000 interface br0/br0 68.195.199.42 at 500
000 interface br0:0/br0:0 68.195.199.44 at 4500
000 interface br0:0/br0:0 68.195.199.44 at 500
000 interface virbr0/virbr0 192.168.122.1 at 4500
000 interface virbr0/virbr0 192.168.122.1 at 500
000
000
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=unsupported
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf,
secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/run/pluto, statsbin=unset
000 dnssec-rootkey-file=/var/lib/unbound/root.key, dnssec-trusted=<unset>
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=3.23, pluto_vendorid=OE-Libreswan-3.23
000 nhelpers=0, uniqueids=yes, dnssec-enable=yes, perpeerlog=no,
logappend=yes, logip=yes, shuntlifetime=900s, xfrmlifetime=300s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no,
crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600,
ocsp-cache-max-age=86400, ocsp-method=get
000 secctx-attr-type=32001
000 debug none
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000
000 ESP algorithms supported:
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,
keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8,
keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0,
keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=23, name=ESP_NULL_AUTH_AES_GMAC,
ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384,
keysizemin=384, keysizemax=384
000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512,
keysizemin=512, keysizemax=512
000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,
keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC,
keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=250, name=AUTH_ALGORITHM_AES_CMAC_96,
keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME,
keysizemin=0, keysizemax=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3,
v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC,
v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20,
v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19,
v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18,
v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13,
v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12,
v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC,
v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC,
v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH,
v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashlen=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashlen=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashlen=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashlen=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashlen=64
000 algorithm IKE DH Key Exchange: name=MODP1024, bits=1024
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH23, bits=2048
000 algorithm IKE DH Key Exchange: name=DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64}
trans={0,2,6936} attrs={0,2,4624}
000
000 Connection list:
000
000 "VPN-GDHQ-GDXO":
192.168.1.0/24===68.195.199.42<68.195.199.42>[CN=orion.example.com,
O=GDXO]---68.195.199.41...65.46.77.6<65.46.72.6>[CN=cyclops.example.com,
O=GDXO]===64.1.11.0/27; prospective erouted; eroute owner: #0
000 "VPN-GDHQ-GDXO":     oriented; my_ip=unset; their_ip=unset;
mycert=orion; hiscert=cyclops; my_updown=ipsec _updown;
000 "VPN-GDHQ-GDXO":   xauth us:none, xauth them:none,
my_username=[any]; their_username=[any]
000 "VPN-GDHQ-GDXO":   our auth:rsasig, their auth:rsasig
000 "VPN-GDHQ-GDXO":   modecfg info: us:none, them:none, modecfg
policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "VPN-GDHQ-GDXO":   labeled_ipsec:no;
000 "VPN-GDHQ-GDXO":   policy_label:unset;
000 "VPN-GDHQ-GDXO":   CAs: 'CN=GDXO Authority, O=GDXO'...'CN=GDXO
Authority, O=GDXO'
000 "VPN-GDHQ-GDXO":   ike_life: 14400s; ipsec_life: 3600s;
replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries:
0;
000 "VPN-GDHQ-GDXO":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "VPN-GDHQ-GDXO":   sha2-truncbug:no; initial-contact:no;
cisco-unity:no; fake-strongswan:no; send-vendorid:no;
send-no-esp-tfc:no;
000 "VPN-GDHQ-GDXO":   policy:
RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "VPN-GDHQ-GDXO":   conn_prio: 24,27; interface: br0; metric: 0;
mtu: unset; sa_prio:auto; sa_tfc:none;
000 "VPN-GDHQ-GDXO":   nflog-group: unset; mark: unset;
vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "VPN-GDHQ-GDXO":   our idtype: ID_DER_ASN1_DN; our
id=CN=orion.example.com, O=GDXO; their idtype: ID_DER_ASN1_DN; their
id=CN=cyclops.example.com, O=GDXO
000 "VPN-GDHQ-GDXO":   dpd: action:hold; delay:0; timeout:0; nat-t:
encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "VPN-GDHQ-GDXO":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "VPN-GDHQ-GDXO":   IKE algorithms: AES_CBC-HMAC_SHA2_256-MODP2048,
AES_CBC-HMAC_SHA2_512-MODP2048, AES_CBC-HMAC_SHA1-MODP2048,
AES_CBC-HMAC_SHA2_256-MODP1536, AES_CBC-HMAC_SHA2_512-MODP1536,
AES_CBC-HMAC_SHA1-MODP1536
000 "VPN-GDHQ-GDXO":   ESP algorithms: AES_CBC-HMAC_SHA1_96
000 "VPN-GDHQ-GDXO-2":
192.168.1.0/24===68.195.199.42<68.195.193.42>[CN=orion.example.com,
O=GDXO]---68.195.199.41...65.46.77.6<65.46.72.6>[CN=cyclops.example.com,
O=GDXO]===66.104.200.96/28; prospective erouted; eroute owner: #0
000 "VPN-GDHQ-GDXO-2":     oriented; my_ip=unset; their_ip=unset;
mycert=orion; hiscert=cyclops; my_updown=ipsec _updown;
000 "VPN-GDHQ-GDXO-2":   xauth us:none, xauth them:none,
my_username=[any]; their_username=[any]
000 "VPN-GDHQ-GDXO-2":   our auth:rsasig, their auth:rsasig
000 "VPN-GDHQ-GDXO-2":   modecfg info: us:none, them:none, modecfg
policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "VPN-GDHQ-GDXO-2":   labeled_ipsec:no;
000 "VPN-GDHQ-GDXO-2":   policy_label:unset;
000 "VPN-GDHQ-GDXO-2":   CAs: 'CN=GDXO Authority, O=GDXO'...'CN=GDXO
Authority, O=GDXO'
000 "VPN-GDHQ-GDXO-2":   ike_life: 14400s; ipsec_life: 3600s;
replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries:
0;
000 "VPN-GDHQ-GDXO-2":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "VPN-GDHQ-GDXO-2":   sha2-truncbug:no; initial-contact:no;
cisco-unity:no; fake-strongswan:no; send-vendorid:no;
send-no-esp-tfc:no;
000 "VPN-GDHQ-GDXO-2":   policy:
RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "VPN-GDHQ-GDXO-2":   conn_prio: 24,28; interface: br0; metric: 0;
mtu: unset; sa_prio:auto; sa_tfc:none;
000 "VPN-GDHQ-GDXO-2":   nflog-group: unset; mark: unset;
vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "VPN-GDHQ-GDXO-2":   our idtype: ID_DER_ASN1_DN; our
id=CN=orion.example.com, O=GDXO; their idtype: ID_DER_ASN1_DN; their
id=CN=cyclops.example.com, O=GDXO
000 "VPN-GDHQ-GDXO-2":   dpd: action:hold; delay:0; timeout:0; nat-t:
encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "VPN-GDHQ-GDXO-2":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "VPN-GDHQ-GDXO-2":   IKE algorithms:
AES_CBC-HMAC_SHA2_256-MODP2048, AES_CBC-HMAC_SHA2_512-MODP2048,
AES_CBC-HMAC_SHA1-MODP2048, AES_CBC-HMAC_SHA2_256-MODP1536,
AES_CBC-HMAC_SHA2_512-MODP1536, AES_CBC-HMAC_SHA1-MODP1536
000 "VPN-GDHQ-GDXO-2":   ESP algorithms: AES_CBC-HMAC_SHA1_96
000
000 Total IPsec connections: loaded 2, active 0
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(1), open(0), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000
000 #8: "VPN-GDHQ-GDXO":500 STATE_MAIN_I1 (sent MI1, expecting MR1);
EVENT_v1_RETRANSMIT in 1s; nodpd; idle; import:admin initiate
000 #8: pending Phase 2 for "VPN-GDHQ-GDXO-2" replacing #0
000 #8: pending Phase 2 for "VPN-GDHQ-GDXO" replacing #0
000
000 Bare Shunt list:
000

# ipsec auto --listcerts
000
000 List of X.509 End Certificates:
000
000 End certificate "orion" - SN: 0x00ac38455c
000   subject: CN=orion.example.com, O=GDXO
000   issuer: CN=GDXO Authority, O=GDXO
000   not before: Tue Jan 02 02:51:00 2018
000   not after: Sun Jan 02 02:51:00 2022
000   4096 bit RSA: has private key
000
000 End certificate "cyclops" - SN: 0x00ac3845b1
000   subject: CN=cyclops.example.com, O=GDXO
000   issuer: CN=GDXO Authority, O=GDXO
000   not before: Tue Jan 02 02:51:46 2018
000   not after: Sun Jan 02 02:51:46 2022
000   4096 bit RSA: has private key

# cat /etc/ipsec.conf|grep -vE '#|^$'
config setup
        klipsdebug=all
        interfaces=%defaultroute
        uniqueids=yes
        protostack=netkey
        nhelpers=0
conn %default
        auto=add
        keyingtries=0
        disablearrivalcheck=no
        keyexchange=ike
        ikelifetime=240m
        keylife=60m
        pfs=yes
        compress=no
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        type=tunnel
        authby=rsasig
        esp=aes
        ike=aes
conn VPN-GDHQ-GDXO
        auto=start
        left=68.195.199.42
        leftnexthop=68.195.199.41
        leftsubnet=192.168.1.0/24
        leftid="CN=orion.example.com, O=GDXO"
        leftcert=orion
        right=65.46.77.6
        rightnexthop=65.46.77.5
        rightsubnet=64.1.11.0/27
        rightid="CN=cyclops.example.com, O=GDXO"
        rightcert=cyclops
conn VPN-GDHQ-GDXO-2
        auto=start
        left=68.195.199.42
        leftnexthop=68.195.199.41
        leftsubnet=192.168.1.0/24
        leftid="CN=orion.example.com, O=GDXO"
        leftcert=orion
        right=65.46.77.6
        rightnexthop=65.46.77.5
        rightsubnet=66.104.200.96/28
        rightid="CN=cyclops.example.com, O=GDXO"
        rightcert=cyclops

# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.23 (netkey) on 4.16.3-200.fc27.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options                [OK]

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         68.195.199.41   0.0.0.0         UG    0      0        0 br0
68.195.199.40   0.0.0.0         255.255.255.248 U     0      0        0 br0
169.254.0.0     0.0.0.0         255.255.0.0     U     1003   0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     1004   0        0 br0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.6.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
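The retransmission pattern in the pluto log above is worth reading mechanically: STATE_MAIN_I1 means MI1 was sent and no MR1 ever came back, so the failure sits before proposal, ID or certificate checking. The script below is an added example, not code from the post or from libreswan; it parses constructed log lines modelled on the ones quoted above, counts retransmits, timeouts and keying attempts per connection, and maps a connection stuck in STATE_MAIN_I1 to the layer to check first.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the pluto lines quoted in the post
# (same host, PID and connection name; one line without a conn name
# is included to show that such lines are skipped, not mis-parsed).
SAMPLE_LOG = """\
May 29 16:30:04 orion pluto[14295]: initiate on demand from 192.168.1.7:8 to 64.1.11.5:0 proto=1 because: acquire
May 29 16:30:08 orion pluto[14295]: "VPN-GDHQ-GDXO" #24: STATE_MAIN_I1: retransmission; will wait 32 seconds for response
May 29 16:30:40 orion pluto[14295]: "VPN-GDHQ-GDXO" #24: STATE_MAIN_I1: 60 second timeout exceeded after 7 retransmits.  No response (or no acceptable response) to our first IKEv1 message
May 29 16:30:40 orion pluto[14295]: "VPN-GDHQ-GDXO" #24: starting keying attempt 25 of an unlimited number
May 29 16:30:41 orion pluto[14295]: "VPN-GDHQ-GDXO" #25: STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response
May 29 16:30:41 orion pluto[14295]: "VPN-GDHQ-GDXO" #25: STATE_MAIN_I1: retransmission; will wait 1 seconds for response
May 29 16:30:42 orion pluto[14295]: "VPN-GDHQ-GDXO" #25: STATE_MAIN_I1: retransmission; will wait 2 seconds for response
"""

# syslog prefix, then pluto's  "conn" #sa: message  form
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
RETRANS_RE = re.compile(r'^(?P<state>STATE_\w+): retransmission; will wait (?P<wait>[\d.]+) seconds')
TIMEOUT_RE = re.compile(r'^(?P<state>STATE_\w+): (?P<secs>\d+) second timeout exceeded after (?P<n>\d+) retransmits')
ATTEMPT_RE = re.compile(r'^starting keying attempt (?P<n>\d+) of')

def parse_line(line):
    """Return the fields of a per-connection pluto line, or None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarize(log_text):
    """Per connection: retransmits, timeouts, states seen and highest keying attempt."""
    stats = defaultdict(lambda: {"retransmits": 0, "timeouts": 0,
                                 "last_attempt": 0, "states": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s, msg = stats[rec["conn"]], rec["msg"]
        if m := RETRANS_RE.match(msg):
            s["retransmits"] += 1
            s["states"].add(m["state"])
        elif m := TIMEOUT_RE.match(msg):
            s["timeouts"] += 1
            s["states"].add(m["state"])
        elif m := ATTEMPT_RE.match(msg):
            s["last_attempt"] = max(s["last_attempt"], int(m["n"]))
    return dict(stats)

def diagnose(conn_stats):
    """Point at the layer to check, based on the state the timeouts happened in."""
    if conn_stats["timeouts"] == 0:
        return "ok"
    if conn_stats["states"] == {"STATE_MAIN_I1"}:
        return ("no reply to our first Main Mode message: check UDP/500 reachability "
                "to the peer (path, filters, NAT) and that the remote pluto is running")
    return "timed out after the first exchange: compare proposals, IDs and certificates on both sides"

if __name__ == "__main__":
    for conn, s in summarize(SAMPLE_LOG).items():
        print(conn, s["retransmits"], s["timeouts"], s["last_attempt"], diagnose(s))
```

Run it over the real journal with `journalctl -u ipsec | python3 script.py` style piping by replacing SAMPLE_LOG with stdin; a result of "no reply to our first Main Mode message" says the certificates listed later in the post are not yet in play.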

