[Swan] AWS: INVALID_HASH_INFORMATION
Ryszard Styczynski
rstyczynski at gmail.com
Mon Oct 12 12:51:32 UTC 2020
Hello,
I've found the error. My error.
left=10.196.3.53
leftid=140.238.80.46
leftsubnet=10.106.0.0/16
should be:
left=10.196.3.53
leftid=140.238.80.46
leftsubnet=10.196.0.0/16
After fixing above, all is good:
Oct 12 12:49:17.268926: "XXX_tunnel2" #11: initiating Main Mode
Oct 12 12:49:17.280441: "XXX_tunnel2" #11: STATE_MAIN_I2: sent MI2, expecting MR2
Oct 12 12:49:17.292445: "XXX_tunnel2" #11: STATE_MAIN_I3: sent MI3, expecting MR3
Oct 12 12:49:17.303169: "XXX_tunnel2" #11: Peer ID is ID_IPV4_ADDR: '52.214.70.211'
Oct 12 12:49:17.303556: "XXX_tunnel2" #11: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_128 integ=sha group=MODP1024}
Oct 12 12:49:17.303667: "XXX_tunnel2" #12: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#11 msgid:dfe9b6dd proposal=AES_CBC_128-HMAC_SHA1_96-MODP1024 pfsgroup=MODP1024}
Oct 12 12:49:17.316170: "XXX_tunnel2" #12: our client subnet returned doesn't match my proposal - us:10.196.0.0/16 vs them:10.196.3.0/24
Oct 12 12:49:17.316218: "XXX_tunnel2" #12: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
Oct 12 12:49:17.345910: "XXX_tunnel2" #12: up-client output: vti interface "vti202" already exists with conflicting setting (perhaps need vti-sharing=yes ?
Oct 12 12:49:17.346969: "XXX_tunnel2" #12: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xc29c90e2 <0x2113ec70 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=52.214.70.211:4500 DPD=active}
Regards,
Ryszard
> On 12 Oct 2020, at 14:28, Ryszard Styczynski <rstyczynski at gmail.com> wrote:
>
> Hello,
>
> I'm trying to connect Linux to an AWS VPN Connection using Libreswan 3.25. On the same host an IPsec connection has already worked for a long time. Now I'm adding another one, and I'm stopped by the problem below:
>
> Oct 12 11:54:08.149392: "XXX_tunnel2" #41: initiating Main Mode
> Oct 12 11:54:08.161867: "XXX_tunnel2" #41: STATE_MAIN_I2: sent MI2, expecting MR2
> Oct 12 11:54:08.174565: "XXX_tunnel2" #41: STATE_MAIN_I3: sent MI3, expecting MR3
> Oct 12 11:54:08.185652: "XXX_tunnel2" #41: Peer ID is ID_IPV4_ADDR: '52.214.70.211'
> Oct 12 11:54:08.186215: "XXX_tunnel2" #41: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_128 integ=sha group=MODP1024}
> Oct 12 11:54:08.186295: "XXX_tunnel2" #42: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#41 msgid:f741420f proposal=AES_CBC_128-HMAC_SHA1_96-MODP1024 pfsgroup=MODP1024}
> Oct 12 11:54:08.198059: "XXX_tunnel2" #41: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=16
> Oct 12 11:54:08.198091: | ISAKMP Notification Payload
> Oct 12 11:54:08.198103: | 00 00 00 10 00 00 00 01 03 04 00 12
> Oct 12 11:54:08.198112: "XXX_tunnel2" #41: received and ignored informational message
> Oct 12 11:54:08.687396: "XXX_tunnel2" #42: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
> Oct 12 11:54:09.188146: "XXX_tunnel2" #42: STATE_QUICK_I1: retransmission; will wait 1 seconds for response
> Oct 12 11:54:10.189374: "XXX_tunnel2" #42: STATE_QUICK_I1: retransmission; will wait 2 seconds for response
> Oct 12 11:54:12.190339: "XXX_tunnel2" #42: STATE_QUICK_I1: retransmission; will wait 4 seconds for response
> Oct 12 11:54:16.194522: "XXX_tunnel2" #42: STATE_QUICK_I1: retransmission; will wait 8 seconds for response
> Oct 12 11:54:24.197845: "XXX_tunnel2" #42: STATE_QUICK_I1: retransmission; will wait 16 seconds for response
> Oct 12 11:54:24.209230: "XXX_tunnel2" #41: ignoring informational payload INVALID_HASH_INFORMATION, msgid=00000000, length=12
> Oct 12 11:54:24.209266: | ISAKMP Notification Payload
> Oct 12 11:54:24.209272: | 00 00 00 0c 00 00 00 01 01 00 00 17
> Oct 12 11:54:24.209276: "XXX_tunnel2" #41: received and ignored informational message
>
> Configuration is quite fundamental, as proposed by the regular AWS setup. I'm using exactly the same for the other working VPN Connection.
>
> conn XXX_tunnel2
> mark=202/0xffffffff
> vti-interface=vti202
> vti-routing=no
>
> left=10.196.3.53
> leftid=140.238.80.46
> leftsubnet=10.106.0.0/16
>
> rightsubnet=0.0.0.0/0
> right=52.214.70.211
>
> type=tunnel
>
> authby=secret
> auto=start
>
> dpddelay=10
> dpdtimeout=30
> dpdaction=restart_by_peer
>
> ikelifetime=8h
> keylife=1h
> phase2alg=aes128-sha1;modp1024
> ike=aes128-sha1;modp1024
> keyingtries=%forever
> keyexchange=ike
>
> I'd appreciate any advice on where the trick is. What is wrong? How to debug further?
>
> Regards,
> Ryszard
>
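The root cause above was a one-digit typo in leftsubnet (10.106.0.0/16 instead of 10.196.0.0/16), which the peer answered with INVALID_ID_INFORMATION in Quick Mode. The following is an added example, not code from the thread or from Libreswan: a small sanity check that parses a conn stanza (a constructed copy of the one posted) and flags a side whose own address falls outside the subnet it offers as its client, suggesting the same-length network that does contain it. It is a heuristic, since a gateway may legitimately front a subnet it is not part of, but for an AWS VTI setup like this one a mismatch is usually a typo.

```python
import ipaddress

# Constructed sample: the conn stanza from the original post, leftsubnet typo included.
BROKEN_CONN = """\
conn XXX_tunnel2
    vti-interface=vti202
    left=10.196.3.53
    leftid=140.238.80.46
    leftsubnet=10.106.0.0/16
    rightsubnet=0.0.0.0/0
    right=52.214.70.211
    type=tunnel
"""


def parse_conn(text):
    """Parse one ipsec.conf 'conn' stanza into a dict of key -> value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def suggest_subnet(addr, subnet):
    """Network of the same prefix length that actually contains addr (a hint only)."""
    return ipaddress.ip_network(f"{addr}/{subnet.prefixlen}", strict=False)


def check_conn(settings):
    """Return (side, address, configured_subnet, suggested_subnet) for every side whose
    own address lies outside its <side>subnet. Non-address values such as %defaultroute
    or vhost:%priv are skipped rather than treated as errors."""
    findings = []
    for side in ("left", "right"):
        try:
            addr = ipaddress.ip_address(settings[side])
            subnet = ipaddress.ip_network(settings[f"{side}subnet"], strict=False)
        except (KeyError, ValueError):
            continue
        if addr not in subnet:
            findings.append((side, str(addr), str(subnet), str(suggest_subnet(addr, subnet))))
    return findings


if __name__ == "__main__":
    for side, addr, subnet, hint in check_conn(parse_conn(BROKEN_CONN)):
        print(f"{side}={addr} is not inside {side}subnet={subnet}; did you mean {hint}?")
```

Run against the posted stanza it reports left=10.196.3.53 outside 10.106.0.0/16 and suggests 10.196.0.0/16, which is exactly the fix applied above; with the corrected leftsubnet it reports nothing.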