<div dir="ltr"> have a CentOS 7.6 with Libreswan connected to an IPSec Checkpoint VPN. I am having constant problems with this connection. Usually when I restart the connection it works until the key exchange, after changing the key no longer connects. Another problem is that several times happens to be with closed VPN, but does not traffic any packets in VPN, I restart the connection, CentOS and nothing, then I have to remove all the .db files from the /etc/ipsec.d folder /*.db, restarting CentOS so it returns to VPN. No problem with any kind of firewall rule, because there are none. There is a problem in Libreswan that I could not find the cause even that is giving this constant error. If I remove Libreswan and put in a Sonicwall everything works perfect, without any problems. So I need some help to identify this problem accurately and managed to find a solution that solves this issue.<div>My configuration of ipsec.conf.</div><div>conn VPN<br> auto=start<br> pfs=yes<br> rekey=no<br> authby=secret<br> type=tunnel<br> salifetime=28800<br> ikelifetime=28800<br> ike=3des-sha1;modp1024<br> phase2=esp<br> phase2alg=3des-sha1;modp1024<br> left=XXX.XXX.XXX.154<br> leftsubnet=<a href="http://192.168.70.0/24">192.168.70.0/24</a><br> leftsourceip=
XXX.XXX.XXX.154
<br> right=
XXX.XXX.XXX.4
<br> rightsubnet=<a href="http://10.20.0.0/24">10.20.0.0/24</a><br> rightsourceip=
XXX.XXX.XXX.4
<br></div><div># ipsec status</div><div>000 #1: "VPN":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE_IF_USED in 27571s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate<br>000 #2: "VPN":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 27813s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate<br></div><div><br></div><div># ip -s xfrm policy</div><div>src <a href="http://192.168.70.0/24">192.168.70.0/24</a> dst <a href="http://10.20.0.0/24">10.20.0.0/24</a> uid 0<br> dir out action allow index 425 priority 1042407 ptype main share any flag (0x00000000)<br> lifetime config:<br> limit: soft (INF)(bytes), hard (INF)(bytes)<br> limit: soft (INF)(packets), hard (INF)(packets)<br> expire add: soft 0(sec), hard 0(sec)<br> expire use: soft 0(sec), hard 0(sec)<br> lifetime current:<br> 0(bytes), 0(packets)<br> add 2019-09-19 06:52:42 use 2019-09-19 06:52:48<br> tmpl src
XXX.XXX.XXX.154
dst
XXX.XXX.XXX.4
<br> proto esp spi 0x00000000(0) reqid 16397(0x0000400d) mode tunnel<br> level required share any<br> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff<br>src <a href="http://10.20.0.0/24">10.20.0.0/24</a> dst <a href="http://192.168.70.0/24">192.168.70.0/24</a> uid 0<br> dir fwd action allow index 418 priority 1042407 ptype main share any flag (0x00000000)<br> lifetime config:<br> limit: soft (INF)(bytes), hard (INF)(bytes)<br> limit: soft (INF)(packets), hard (INF)(packets)<br> expire add: soft 0(sec), hard 0(sec)<br> expire use: soft 0(sec), hard 0(sec)<br> lifetime current:<br> 0(bytes), 0(packets)<br> add 2019-09-19 06:52:42 use -<br> tmpl src
XXX.XXX.XXX.4
dst
XXX.XXX.XXX.154
<br> proto esp spi 0x00000000(0) reqid 16397(0x0000400d) mode tunnel<br> level required share any<br> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff<br>src <a href="http://10.20.0.0/24">10.20.0.0/24</a> dst <a href="http://192.168.70.0/24">192.168.70.0/24</a> uid 0<br> dir in action allow index 408 priority 1042407 ptype main share any flag (0x00000000)<br> lifetime config:<br> limit: soft (INF)(bytes), hard (INF)(bytes)<br> limit: soft (INF)(packets), hard (INF)(packets)<br> expire add: soft 0(sec), hard 0(sec)<br> expire use: soft 0(sec), hard 0(sec)<br> lifetime current:<br> 0(bytes), 0(packets)<br> add 2019-09-19 06:52:42 use -<br> tmpl src
XXX.XXX.XXX.4
dst
XXX.XXX.XXX.154
<br> proto esp spi 0x00000000(0) reqid 16397(0x0000400d) mode tunnel<br> level required share any<br> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff<br></div><div><br></div><div># ip -s xfrm state</div><div>src
XXX.XXX.XXX.4
dst
XXX.XXX.XXX.154
<br> proto esp spi 0xd39eadf2(3550391794) reqid 16397(0x0000400d) mode tunnel<br> replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)<br> auth-trunc hmac(sha1) 0x367d65de14b34be5bb958c36f56af71e1dd2eb75 (160 bits) 96<br> enc cbc(des3_ede) 0x38a41547427a58a0305ee654daa831a7463332f40eac7434 (192 bits)<br> anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000<br> lifetime config:<br> limit: soft (INF)(bytes), hard (INF)(bytes)<br> limit: soft (INF)(packets), hard (INF)(packets)<br> expire add: soft 0(sec), hard 0(sec)<br> expire use: soft 0(sec), hard 0(sec)<br> lifetime current:<br> 0(bytes), 0(packets)<br> add 2019-09-19 06:52:42 use -<br> stats:<br> replay-window 0 replay 0 failed 0<br>src
XXX.XXX.XXX.154
dst
XXX.XXX.XXX.4
<br> proto esp spi 0xc44f734d(3293541197) reqid 16397(0x0000400d) mode tunnel<br> replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)<br> auth-trunc hmac(sha1) 0xb82c629aaf2c52addb0115904f0c2335f3d617e4 (160 bits) 96<br> enc cbc(des3_ede) 0xfb25fa0c2a23e4a0f78bcabed6067e20e5fcea5da29a5c9e (192 bits)<br> anti-replay context: seq 0x0, oseq 0x3, bitmap 0x00000000<br> lifetime config:<br> limit: soft (INF)(bytes), hard (INF)(bytes)<br> limit: soft (INF)(packets), hard (INF)(packets)<br> expire add: soft 0(sec), hard 0(sec)<br> expire use: soft 0(sec), hard 0(sec)<br> lifetime current:<br> 252(bytes), 3(packets)<br> add 2019-09-19 06:52:42 use 2019-09-19 06:52:46<br> stats:<br> replay-window 0 replay 0 failed 0<br></div><div><br></div><div>[root@firewall ~]# cat /proc/net/xfrm_stat<br>XfrmInError 0<br>XfrmInBufferError 0<br>XfrmInHdrError 0<br>XfrmInNoStates 0<br>XfrmInStateProtoError 0<br>XfrmInStateModeError 0<br>XfrmInStateSeqError 0<br>XfrmInStateExpired 0<br>XfrmInStateMismatch 0<br>XfrmInStateInvalid 0<br>XfrmInTmplMismatch 0<br>XfrmInNoPols 0<br>XfrmInPolBlock 0<br>XfrmInPolError 0<br>XfrmOutError 0<br>XfrmOutBundleGenError 0<br>XfrmOutBundleCheckError 0<br>XfrmOutNoStates 0<br>XfrmOutStateProtoError 0<br>XfrmOutStateModeError 0<br>XfrmOutStateSeqError 0<br>XfrmOutStateExpired 0<br>XfrmOutPolBlock 0<br>XfrmOutPolDead 0<br>XfrmOutPolError 0<br>XfrmFwdHdrError 0<br>XfrmOutStateInvalid 0<br></div></div>