[sdnog] Errors with OpenSwan

TGy Aldeen mohamed tagy-aldeen at hotmail.com
Sat Nov 26 11:03:18 SAST 2016


Dear all,


I have problems with OpenSwan: phase 1 is OK, but the problem is in phase 2. Kindly check the following errors and logs.

Hope you can help


Firstly, here is the configuration:


        plutoopts="--perpeerlog"
        nat_traversal=yes
        dumpdir=/var/run/pluto/
        virtual_private=%v4:10.21.20.2/32,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        oe=off
        protostack=netkey
        force_keepalive=yes

conn Dar-Secret
        type=tunnel
        authby=secret
        auto=start
        keyexchange=ike
        ike=aes256-sha1;modp1536!
        ikelifetime=86400s
#phase 2
#       auth=esp
        esp=aes256-sha1;modp1536
        phase2=esp
        pfs=yes
        keylife=28800s
#       phase2alg=aes256-sha1;modp1536!
        aggrmode=no
#       ikelife=1h
        compress=no
        left=89.40.X.X
        right=196.29.X.X
        rightsubnet=10.21.20.2/24
------------------------------------------------------------------------
/var/log/auth.log

root@TG1:~# tail -30 /var/log/auth.log

Nov 26 09:30:14 TG1 pluto[9703]: "EBS-Secret" #15: received Vendor ID payload [Dead Peer Detection]
Nov 26 09:30:14 TG1 pluto[9703]: "EBS-Secret" #15: Main mode peer ID is ID_IPV4_ADDR: '196.29.X.X'
Nov 26 09:30:14 TG1 pluto[9703]: "EBS-Secret" #15: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Nov 26 09:30:14 TG1 pluto[9703]: "EBS-Secret" #15: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}
Nov 26 09:30:14 TG1 pluto[9703]: "EBS-Secret" #16: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#15 msgid:a50804c2 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1536}
Nov 26 09:30:14 TG1 pluto[9703]: "EBS-Secret" #15: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Nov 26 09:30:14 TG1 pluto[9703]: "EBS-Secret" #15: received and ignored informational message
Nov 26 09:30:14 TG1 pluto[9703]: "EBS-Secret" #15: received Delete SA payload: deleting ISAKMP State #15
Nov 26 09:30:14 TG1 pluto[9703]: packet from 196.29.X.X:500: received and ignored informational message
Nov 26 09:31:24 TG1 pluto[9703]: "EBS-Secret" #16: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
Nov 26 09:31:24 TG1 pluto[9703]: "EBS-Secret" #16: starting keying attempt 2 of an unlimited number
Nov 26 09:31:24 TG1 pluto[9703]: "EBS-Secret" #17: initiating Main Mode
Nov 26 09:31:24 TG1 pluto[9703]: "EBS-Secret" #17: ignoring Vendor ID payload [Cisco IKE Fragmentation]
Nov 26 09:31:24 TG1 pluto[9703]: "EBS-Secret" #17: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Nov 26 09:31:24 TG1 pluto[9703]: "EBS-Secret" #17: STATE_MAIN_I2: sent MI2, expecting MR2
Nov 26 09:31:24 TG1 pluto[9703]: "EBS-Secret" #17: received Vendor ID payload [Cisco-Unity]
Nov 26 09:31:24 TG1 pluto[9703]: "EBS-Secret" #17: received Vendor ID payload [XAUTH]
Nov 26 09:31:24 TG1 pluto[9703]: "EBS-Secret" #17: ignoring unknown Vendor ID payload [72a72d0c18fca224abe5998638ff5346]
Nov 26 09:31:24 TG1 pluto[9703]: "EBS-Secret" #17: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Nov 26 09:31:24 TG1 pluto[9703]: "EBS-Secret" #17: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Nov 26 09:31:24 TG1 pluto[9703]: "EBS-Secret" #17: STATE_MAIN_I3: sent MI3, expecting MR3
Nov 26 09:31:25 TG1 pluto[9703]: "EBS-Secret" #17: received Vendor ID payload [Dead Peer Detection]
Nov 26 09:31:25 TG1 pluto[9703]: "EBS-Secret" #17: Main mode peer ID is ID_IPV4_ADDR: '196.29.X.X'
Nov 26 09:31:25 TG1 pluto[9703]: "EBS-Secret" #17: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Nov 26 09:31:25 TG1 pluto[9703]: "EBS-Secret" #17: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}
Nov 26 09:31:25 TG1 pluto[9703]: "EBS-Secret" #18: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#17 msgid:17e9abc5 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1536}
Nov 26 09:31:25 TG1 pluto[9703]: "EBS-Secret" #17: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Nov 26 09:31:25 TG1 pluto[9703]: "EBS-Secret" #17: received and ignored informational message
Nov 26 09:31:25 TG1 pluto[9703]: "EBS-Secret" #17: received Delete SA payload: deleting ISAKMP State #17
Nov 26 09:31:25 TG1 pluto[9703]: packet from 196.29.X.X:500: received and ignored informational message
----------------------------------------------------------------------------------------------------------------

root@TG1:~# ipsec auto --status

000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 89.40.X.X
000 interface eth0/eth0 89.40.X.X
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 6 subnets: 10.21.20.2/32, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,15,64} trans={0,15,3072} attrs={0,15,2048}
000
000 "EBS-Secret": 89.40.X.X<89.40.X.X>...196.29.X.X<196.29.X.X>===10.21.20.0/24; prospective erouted; eroute owner: #0
000 "EBS-Secret":     myip=unset; hisip=unset;
000 "EBS-Secret":   ike_life: 86400s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "EBS-Secret":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,24; interface: eth0;
000 "EBS-Secret":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "EBS-Secret":   IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP1536(5); flags=strict
000 "EBS-Secret":   IKE algorithms found:  AES_CBC(7)_256-SHA1(2)_160-MODP1536(5)
000 "EBS-Secret":   ESP algorithms wanted: AES(12)_256-SHA1(2)_000; pfsgroup=MODP1536(5); flags=-strict
000 "EBS-Secret":   ESP algorithms loaded: AES(12)_256-SHA1(2)_160
000
000 #28: "EBS-Secret":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 10s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000
----------------------------------------------------------------------------------------

root@TG1:~# tcpdump -n host 196.29.X.X

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
09:51:11.243703 IP 89.40.X.X.500 > 196.29.X.X.500: isakmp: phase 1 I ident
09:51:11.383140 IP 196.29.X.X.500 > 89.40.X.X.500: isakmp: phase 1 R ident
09:51:11.384371 IP 89.40.X.X.500 > 196.29.X.X.500: isakmp: phase 1 I ident
09:51:11.529912 IP 196.29.X.X.500 > 89.40.X.X.500: isakmp: phase 1 R ident
09:51:11.531095 IP 89.40.X.X.500 > 196.29.X.X.500: isakmp: phase 1 I ident[E]
09:51:11.671093 IP 196.29.X.X.500 > 89.40.X.X.500: isakmp: phase 1 R ident[E]
09:51:11.672177 IP 89.40.X.X.500 > 196.29.X.X.500: isakmp: phase 2/others I oakley-quick[E]
09:51:11.812926 IP 196.29.X.X.500 > 89.40.X.X.500: isakmp: phase 2/others R inf[E]
09:51:11.836898 IP 196.29.X.X.500 > 89.40.X.X.500: isakmp: phase 2/others R inf[E]
09:51:11.837239 IP 89.40.X.X.500 > 196.29.X.X.500: isakmp: phase 2/others I inf[E]
09:51:21.847559 IP 89.40.X.X.500 > 196.29.X.X.500: isakmp: phase 2/others I oakley-quick[E]
09:51:41.672460 IP 89.40.X.X.500 > 196.29.X.X.500: isakmp: phase 2/others I oakley-quick[E]
09:52:21.712957 IP 89.40.X.X.500 > 196.29.X.X.500: isakmp: phase 1 I ident
09:52:21.852870 IP 196.29.X.X.500 > 89.40.X.X.500: isakmp: phase 1 R ident
09:52:21.853716 IP 89.40.X.X.500 > 196.29.X.X.500: isakmp: phase 1 I ident
09:52:21.999297 IP 196.29.X.X.500 > 89.40.X.X.500: isakmp: phase 1 R ident
09:52:22.000338 IP 89.40.X.X.500 > 196.29.X.X.500: isakmp: phase 1 I ident[E]
09:52:22.140143 IP 196.29.X.X.500 > 89.40.X.X.500: isakmp: phase 1 R ident[E]
09:52:22.141241 IP 89.40.X.X.500 > 196.29.X.X.500: isakmp: phase 2/others I oakley-quick[E]
09:52:22.282065 IP 196.29.X.X.500 > 89.40.X.X.500: isakmp: phase 2/others R inf[E]
09:52:22.283794 IP 196.29.X.X.500 > 89.40.X.X.500: isakmp: phase 2/others R inf[E]
09:52:22.284002 IP 89.40.X.X.500 > 196.29.X.X.500: isakmp: phase 2/others I inf[E]
09:52:32.294222 IP 89.40.X.X.500 > 196.29.X.X.500: isakmp: phase 2/others I oakley-quick[E]
09:52:52.141459 IP 89.40.X.X.500 > 196.29.X.X.500: isakmp: phase 2/others I oakley-quick[E]
09:53:32.161163 IP 89.40.X.X.500 > 196.29.X.X.500: isakmp: phase 1 I ident
09:53:32.300762 IP 196.29.X.X.500 > 89.40.X.X.500: isakmp: phase 1 R ident
09:53:32.301629 IP 89.40.X.X.500 > 196.29.X.X.500: isakmp: phase 1 I ident
09:53:32.446954 IP 196.29.X.X.500 > 89.40.X.X.500: isakmp: phase 1 R ident
09:53:32.448151 IP 89.40.X.X.500 > 196.29.X.X.500: isakmp: phase 1 I ident[E]
09:53:32.587554 IP 196.29.X.X.500 > 89.40.X.X.500: isakmp: phase 1 R ident[E]
09:53:32.589069 IP 89.40.X.X.500 > 196.29.X.X.500: isakmp: phase 2/others I oakley-quick[E]
09:53:32.734772 IP 196.29.X.X.500 > 89.40.X.X.500: isakmp: phase 2/others R inf[E]
09:53:32.736459 IP 196.29.X.X.500 > 89.40.X.X.500: isakmp: phase 2/others R inf[E]
09:53:32.736604 IP 89.40.X.X.500 > 196.29.X.X.500: isakmp: phase 2/others I inf[E]

Waiting for your response.
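An added triage helper for the pattern shown in this post; it is not part of the original message and not Openswan's own code. The auth.log excerpt shows the same sequence on every keying attempt: Main Mode reaches STATE_MAIN_I4, the local side sends its first Quick Mode message, and the peer answers with an INVALID_ID_INFORMATION notification plus a Delete SA instead of QR1, after which Quick Mode times out in STATE_QUICK_I1. In IKEv1 that notification means the responder did not accept the Phase 2 identities, i.e. the pair of subnets proposed in the Quick Mode ID payloads. The script below groups pluto lines by connection name and reports that pattern (and the related NO_PROPOSAL_CHOSEN case, which points at the ESP/PFS settings instead), and it checks a conn block for the two subnet details visible in the status output above: no leftsubnet at all, so the left end is offered as the host address alone, and rightsubnet=10.21.20.2/24, which pluto normalizes to 10.21.20.0/24. The sample log and conn block embedded in it are constructed from the post's excerpts; whether the identities actually match the peer's configuration can only be confirmed on the peer's side.

```python
"""Triage an Openswan/pluto IKEv1 negotiation that finishes Phase 1 but stalls in Phase 2.
Added example, not code from the post or from Openswan; the notify hints are general
IKEv1 knowledge, not a diagnosis of this particular peer."""
import ipaddress
import re

PLUTO_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
NOTIFY_RE = re.compile(r"ignoring informational payload, type (?P<notify>[A-Z_]+)")

# What a responder usually means by the IKEv1 notifications (RFC 2408 notify types)
# it sends back instead of answering our first Quick Mode message.
NOTIFY_HINTS = {
    "INVALID_ID_INFORMATION": "peer rejected the Phase 2 identities (the subnets in the "
        "Quick Mode ID payloads); compare leftsubnet/rightsubnet with the peer's networks",
    "NO_PROPOSAL_CHOSEN": "peer accepted no Phase 2 transform; compare esp= and pfs= "
        "(including the PFS DH group) with the peer",
}


def triage_pluto(log_text):
    """Group pluto lines by connection name and summarise how far each one got."""
    conns = {}
    for line in log_text.splitlines():
        m = PLUTO_RE.search(line)
        if not m:
            continue  # lines without a "conn" #N: prefix carry no per-SA state
        s = conns.setdefault(m["conn"], {
            "phase1_established": False, "quick_mode_initiated": False,
            "ipsec_sa_established": False, "quick_retransmits_exhausted": False,
            "notifications": []})
        msg = m["msg"]
        if "ISAKMP SA established" in msg:
            s["phase1_established"] = True
        elif msg.startswith("initiating Quick Mode"):
            s["quick_mode_initiated"] = True
        elif "IPsec SA established" in msg:
            s["ipsec_sa_established"] = True
        elif "max number of retransmissions" in msg and "STATE_QUICK_I1" in msg:
            s["quick_retransmits_exhausted"] = True
        n = NOTIFY_RE.search(msg)
        if n:
            s["notifications"].append(n["notify"])
    for s in conns.values():
        s["diagnosis"] = diagnose(s)
    return conns


def diagnose(s):
    """One-line verdict for a connection summary produced by triage_pluto()."""
    if s["ipsec_sa_established"]:
        return "tunnel up: IPsec SA established"
    if not s["phase1_established"]:
        return "Phase 1 (Main Mode) never completed; check ike=, the PSK and peer IDs"
    for notify in s["notifications"]:
        if notify in NOTIFY_HINTS:
            return f"Phase 2 failed with {notify}: {NOTIFY_HINTS[notify]}"
    if s["quick_retransmits_exhausted"]:
        return "Phase 2 got no reply at all; check filtering between the peers and the peer's logs"
    return "Phase 2 in progress" if s["quick_mode_initiated"] else "Phase 1 up, Phase 2 not started"


def check_conn_subnets(conf_text):
    """Flag subnet settings in a conn block that commonly end in INVALID_ID_INFORMATION."""
    settings = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    warnings = []
    for side in ("leftsubnet", "rightsubnet"):
        value = settings.get(side)
        if value is None:
            warnings.append(f"{side} not set: that end is negotiated as its host address only")
            continue
        if value.startswith("vhost:") or "%" in value:
            continue  # vhost:/%priv style values are not plain networks, skip them
        try:
            iface = ipaddress.ip_interface(value)
        except ValueError:
            warnings.append(f"{side}={value} is not a valid network")
            continue
        if iface.ip != iface.network.network_address:
            warnings.append(f"{side}={value} has host bits set; pluto negotiates {iface.network}")
    return warnings


# Constructed input modelled on the post's auth.log excerpt and conn block (pluto lines
# unwrapped; the X.X address placeholders are the post's own).
SAMPLE_LOG = """\
Nov 26 09:30:14 TG1 pluto[9703]: "EBS-Secret" #15: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}
Nov 26 09:30:14 TG1 pluto[9703]: "EBS-Secret" #16: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#15 msgid:a50804c2 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1536}
Nov 26 09:30:14 TG1 pluto[9703]: "EBS-Secret" #15: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Nov 26 09:30:14 TG1 pluto[9703]: "EBS-Secret" #15: received Delete SA payload: deleting ISAKMP State #15
Nov 26 09:31:24 TG1 pluto[9703]: "EBS-Secret" #16: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""
SAMPLE_CONN = """\
conn Dar-Secret
        type=tunnel
        authby=secret
#       phase2alg=aes256-sha1;modp1536!
        left=89.40.X.X
        right=196.29.X.X
        rightsubnet=10.21.20.2/24
"""

if __name__ == "__main__":
    for conn, summary in triage_pluto(SAMPLE_LOG).items():
        print(f"{conn}: {summary['diagnosis']}")
    for warning in check_conn_subnets(SAMPLE_CONN):
        print("config:", warning)
```

Run against a real host, feed it `tail /var/log/auth.log` and the conn block from ipsec.conf instead of the embedded samples; the verdict for the post's log is the INVALID_ID_INFORMATION hint, and the config check reports both the missing leftsubnet and the host bits in rightsubnet.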
