Thanks for the quick response Timo.

You were quite right, I was missing a /0 in my configs:

------incorrect_ipsec.conf----------

#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 0.0.0.0 0.0.0.0 gre -P out ipsec esp/transport//require;
spdadd 0.0.0.0 0.0.0.0 gre -P in  ipsec esp/transport//require;

------end incorrect_ipsec.conf-----------------

This has now been amended to:


------ipsec.conf-----------

#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in  ipsec esp/transport//require;

--------end ipsec.conf----------


This now gives me:

--------setkey -DP-----------

0.0.0.0/0 0.0.0.0/0 gre
        fwd prio def ipsec
        esp/transport//require
        created: Jan  1 14:34:24 2000  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=3538 seq=53 pid=7363
        refcnt=1
0.0.0.0/0 0.0.0.0/0 gre
        in prio def ipsec
        esp/transport//require
        created: Jan  1 14:34:24 2000  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=3528 seq=54 pid=7363
        refcnt=1
0.0.0.0/0 0.0.0.0/0 gre
        out prio def ipsec
        esp/transport//require
        created: Jan  1 14:34:24 2000  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=3521 seq=0 pid=7363
        refcnt=1

--------end setkey -DP-----------


This is looking much better:

------current /var/log/messages--------

root: Run ESP Tunnel Setup - racoonctl establish-sa -w esp inet <local_ip> <remote_ip> gre
racoon: INFO: initiate new phase 2 negotiation: <local_ip>[500]<=><remote_ip>[500]
racoon: alg_oakley_hmacdef_one(hmac_sha2_256 size=104): 0.000061
racoon: alg_oakley_encdef_encrypt(aes klen=128 size=144): 0.000061
racoon: phase2(quick I msg1): 0.001008
racoon: alg_oakley_encdef_decrypt(aes klen=128 size=80): 0.000061
racoon: alg_oakley_hmacdef_one(hmac_sha2_256 size=32): 0.000061
racoon: [<remote_ip>] ERROR: notification NO-PROPOSAL-CHOSEN received in informational exchange.
racoon: [<remote_ip>] ERROR: error message: '8 '.
racoon: INFO: IPsec-SA expired: ESP/Transport <remote_ip>[500]-><local_ip>[500] spi=42628736(0x28a7680)
racoon: WARNING: PF_KEY EXPIRE message received from kernel for SA being negotiated. Stopping negotiation.
opennhrp[7126]: [<remote_gre_endpoint>] Peer up script failed: exitstatus 1



I've moved on to the next phase 2 negotiation now, and just need to align
my Cisco/Linux configurations, which I am assuming is the sainfo set in the
racoon.conf?

sainfo anonymous
{
        lifetime time 24 hour;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha256;
        compression_algorithm deflate;
}



Thank you for your help. I am slightly embarrassed that it was something as
simple as a /0 that I missed, though.

Much appreciated.

Regards,

Chris.
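
One way to catch this mistake before loading the SPD, as an added example (not Chris's or Timo's code, and not part of the opennhrp or ipsec-tools projects): a small Python checker that parses spdadd lines, treats a bare address as the host selector setkey would, and looks up whether the GRE flow between two constructed endpoint addresses (192.0.2.1 and 198.51.100.2, assumed here) has a matching policy.

```python
"""Constructed check for the setkey mistake discussed in this thread: a bare
address in spdadd is a host selector (/32 for IPv4), so "0.0.0.0 0.0.0.0"
only matches traffic from and to 0.0.0.0 and racoon reports "no outbound
policy found"; "0.0.0.0/0 0.0.0.0/0" is the intended any-to-any wildcard."""
import ipaddress
import re

# Constructed copies of the incorrect and corrected ipsec.conf shown above.
INCORRECT_CONF = """#!/usr/sbin/setkey -f
flush;
spdflush;
spdadd 0.0.0.0 0.0.0.0 gre -P out ipsec esp/transport//require;
spdadd 0.0.0.0 0.0.0.0 gre -P in  ipsec esp/transport//require;
"""
CORRECT_CONF = INCORRECT_CONF.replace("0.0.0.0 0.0.0.0", "0.0.0.0/0 0.0.0.0/0")

SPDADD = re.compile(r"^\s*spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\s+(.*?);", re.M)


def parse_policies(conf):
    """Parse spdadd lines; bare addresses become /32 (/128) just as setkey does."""
    policies = []
    for m in SPDADD.finditer(conf):
        src, dst, proto, direction, action = m.groups()
        policies.append({
            "src": ipaddress.ip_network(src, strict=False),
            "dst": ipaddress.ip_network(dst, strict=False),
            "bare": "/" not in src or "/" not in dst,  # the /0 was forgotten
            "proto": proto, "dir": direction, "action": action.strip(),
        })
    return policies


def lint(conf):
    """Return one warning per spdadd whose selector was written without /prefix."""
    return ["spdadd %s -> %s (%s %s): bare address, treated as host /%d" %
            (p["src"], p["dst"], p["dir"], p["proto"], p["src"].max_prefixlen)
            for p in parse_policies(conf) if p["bare"]]


def find_policy(policies, local, remote, proto, direction):
    """Look up the SPD entry for one flow; None reproduces 'no outbound policy found'."""
    l_ip, r_ip = ipaddress.ip_address(local), ipaddress.ip_address(remote)
    src, dst = (l_ip, r_ip) if direction == "out" else (r_ip, l_ip)
    for p in policies:
        if (p["dir"] == direction and p["proto"] == proto
                and src in p["src"] and dst in p["dst"]):
            return p
    return None


if __name__ == "__main__":
    for name, conf in (("incorrect", INCORRECT_CONF), ("corrected", CORRECT_CONF)):
        # 192.0.2.1 / 198.51.100.2 are constructed GRE endpoint addresses.
        hit = find_policy(parse_policies(conf), "192.0.2.1", "198.51.100.2", "gre", "out")
        print(name, "| warnings:", lint(conf) or "none", "| out policy:", hit and hit["action"])
```

The same parser can be pointed at a real ipsec.conf to flag any spdadd line where the prefix length was left off before `setkey -f` loads it.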

On 16 April 2015 at 06:16, Timo Teras <timo.te...@iki.fi> wrote:
> On Wed, 15 Apr 2015 19:46:10 +0100
> "Chris O'Shea" <oshea.chris.ja...@gmail.com> wrote:
>
>> Good Evening all,
>>
>> I am currently working on a debian spoke to Cisco hub DMVPN solution.
>>
>> The initial ISAKMP phase goes well and a proposal is agreed, the
>> opennhrp-script then runs on to the next line and calls:
>>
>> "racoonctl establish-sa -w esp inet <local interface ip> <remote interface ip> gre"
>>
>> and immediately after running this I get:
>>
>> "racoon: NOTIFY: no outbound policy found: <local interface ip>/32[0] <remote interface ip>/32[0] proto=47 dir=out"
>>
>> setkey -DP shows
>>
>> -----------------------
>>
>> 0.0.0.0 0.0.0.0 gre
>>         fwd prio def ipsec
>>         esp/transport//require
>>         created: Jan  1 00:54:11 2000  lastused:
>>         lifetime: 0(s) validtime: 0(s)
>>         spid=3098 seq=53 pid=4206
>>         refcnt=1
>> 0.0.0.0 0.0.0.0 gre
>>         in prio def ipsec
>>         esp/transport//require
>>         created: Jan  1 00:54:11 2000  lastused:
>>         lifetime: 0(s) validtime: 0(s)
>>         spid=3088 seq=54 pid=4206
>>         refcnt=1
>> 0.0.0.0 0.0.0.0 gre
>>         out prio def ipsec
>>         esp/transport//require
>>         created: Jan  1 00:54:11 2000  lastused:
>>         lifetime: 0(s) validtime: 0(s)
>>         spid=3081 seq=0 pid=4206
>>         refcnt=1
>> ----------------------------
>
> How did you create these? I think they are missing "/0" from the
> addresses. Sounds like these are now being treated as "/32" instead.
> Please verify your ipsec.conf that it has "/0" after each address.
>
> /Timo
>
_______________________________________________
opennhrp-devel mailing list
opennhrp-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opennhrp-devel
