Paul, First of all, thanks for your reply and suggestion.
I cannot find anything related about IPSec SA in syslog even though I set klipsdebug=all and plutodebug=all in ipsec.conf. After restart ipsec, I found that in the remote peer, it seems succeeds according to the ipsec status as bellow. 000 vpn-0: "vpn-0-ipsectunnel-0": newest ISAKMP SA: #8; newest IPsec SA: #18; 000 vpn-0: "vpn-0-ipsectunnel-0": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2) 000 vpn-0: "vpn-0-ipsectunnel-0": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2) 000 vpn-0: "vpn-0-ipsectunnel-0": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024 000 vpn-0: "vpn-0-ipsectunnel-0": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000; pfsgroup=MODP1024(2) 000 vpn-0: "vpn-0-ipsectunnel-0": ESP algorithms loaded: 3DES(3)_000-SHA1(2)_000 000 vpn-0: "vpn-0-ipsectunnel-0": ESP algorithm newest: 3DES_000-HMAC_SHA1; pfsgroup=MODP1024 000 vpn-0: 000 vpn-0: Total IPsec connections: loaded 1, active 1 000 vpn-0: 000 vpn-0: State Information: DDoS cookies not required, Accepting new IKE connections 000 vpn-0: IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0) 000 vpn-0: IPsec SAs: total(1), authenticated(1), anonymous(0) 000 vpn-0: 000 vpn-0: #18: "vpn-0-ipsectunnel-0":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 38s; newest IPSEC; eroute owner; isakmp#8; idle; import:local rekey 000 vpn-0: #18: "vpn-0-ipsectunnel-0" used 26s ago; [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761 Traffic:! ESPmax=4194303B 000 vpn-0: #8: "vpn-0-ipsectunnel-0":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 26635s; newest ISAKMP; lastdpd=11s(seq in:5909 out:0); idle; import:local rekey 000 vpn-0: 000 vpn-0: Bare Shunt list: 000 vpn-0: But on the local peer behind NAT gateway, it looks weird. The message shows IPsec SA installed but no established. IPsec connections active 0, and my end to end traffic still cannot go through. 000 "vpn-0": 0.0.0.0/0===10.0.0.1 <10.0.0.1>[10.2.128.241]...10.2.128.240<10.2.128.240>===0.0.0.0/0; unrouted; eroute owner: #0 000 "vpn-0": oriented; my_ip=unset; their_ip=unset; myup=/var/run/updown.klips 000 "vpn-0": xauth us:none, xauth them:none, my_username=[any]; their_username=[any] 000 "vpn-0": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset; 000 "vpn-0": labeled_ipsec:no; 000 "vpn-0": policy_label:unset; 000 "vpn-0": ike_life: 28800s; ipsec_life: 3600s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; 000 "vpn-0": retransmit-interval: 500ms; retransmit-timeout: 60s; 000 "vpn-0": sha2_truncbug:no; initial_contact:no; cisco_unity:no; fake_strongswan:no; send_vendorid:no; 000 "vpn-0": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO; 000 "vpn-0": conn_prio: 0,0; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset; mark: unset; 000 "vpn-0": dpd: action:hold; delay:15; timeout:75; nat-t: force_encaps:no; nat_keepalive:yes; ikev1_natt:both 000 "vpn-0": newest ISAKMP SA: #5; newest IPsec SA: #0; 000 "vpn-0": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2) 000 "vpn-0": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2) 000 "vpn-0": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024 000 "vpn-0": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000; pfsgroup=MODP1024(2) 000 "vpn-0": ESP algorithms loaded: 3DES(3)_000-SHA1(2)_000 000 000 Total IPsec connections: loaded 1, active 0 000 000 State Information: DDoS cookies not required, Accepting new IKE connections 000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0) 000 IPsec SAs: total(1), authenticated(1), anonymous(0) 000 000 #15: "vpn-0":4500 STATE_QUICK_R1 (sent QR1, inbound IPsec SA installed, expecting QI2); EVENT_v1_RETRANSMIT in 2s; isakmp#5; idle; import:not set 000 #15: "vpn-0" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761 Traffic:! ESPmax=4194303B 000 #5: "vpn-0":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 27399s; newest ISAKMP; lastdpd=18s(seq in:1072 out:0); idle; import:not set 000 000 Bare Shunt list: Looks like in phase 2, something wrong in the 2nd/3rd packet. I tcpdump the packets on local side and see 23:00:08.195272 IP 10.2.128.240.4500 > 10.0.0.1.4500: NONESP-encap: isakmp: phase 1 ? ident[E] 23:00:08.215129 IP 10.0.0.1.4500 > 10.2.128.240.4500: NONESP-encap: isakmp: phase 1 ? ident[E] 23:00:08.238236 IP 10.2.128.240.4500 > 10.0.0.1.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E] 23:00:08.339546 IP 10.0.0.1.4500 > 10.2.128.240.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E] 23:00:08.477468 IP 10.2.128.240.4500 > 10.0.0.1.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E] 23:00:08.791668 IP 10.0.0.1.4500 > 10.2.128.240.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E] 23:00:08.819497 IP 10.2.128.240.4500 > 10.0.0.1.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E] 23:00:09.292133 IP 10.0.0.1.4500 > 10.2.128.240.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E] 23:00:09.304959 IP 10.2.128.240.4500 > 10.0.0.1.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E] 23:00:10.294561 IP 10.0.0.1.4500 > 10.2.128.240.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E] 23:00:12.294304 IP 10.0.0.1.4500 > 10.2.128.240.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E] 23:00:16.296868 IP 10.0.0.1.4500 > 10.2.128.240.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E] 23:00:23.201352 IP 10.0.0.1.4500 > 10.2.128.240.4500: NONESP-encap: isakmp: phase 2/others ? inf[E] 23:00:23.212712 IP 10.2.128.240.4500 > 10.0.0.1.4500: NONESP-encap: isakmp: phase 2/others ? inf[E] 23:00:24.297207 IP 10.0.0.1.4500 > 10.2.128.240.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E] 23:00:28.135880 IP 10.0.0.1.4500 > 10.2.128.240.4500: isakmp-nat-keep-alive 23:00:38.370317 IP 10.2.128.240.4500 > 10.0.0.1.4500: NONESP-encap: isakmp: phase 2/others ? inf[E] 23:00:38.378497 IP 10.0.0.1.4500 > 10.2.128.240.4500: NONESP-encap: isakmp: phase 2/others ? inf[E] 23:00:40.298093 IP 10.0.0.1.4500 > 10.2.128.240.4500: NONESP-encap: isakmp: phase 2/others ? oakley-quick[E] Just from this dump, it is difficult to find anything useful. Is there a way to see more detailed things about what happened in phase 2? Thanks, Toby Thanks, Toby On Tue, Jun 14, 2016 at 10:45 AM, Paul Wouters <[email protected]> wrote: > On Mon, 13 Jun 2016, Ge Xu wrote: > > I am testing a VPN behind of a NAT gateway. I tried libreswan 3.15 and >> 3.17 with same configuration. 3.15 succeeds, but 3.17 >> fails. >> > > I am not aware of anything specific causing that. > > 000 #2: "vpn-0":4500 STATE_QUICK_I1 (sent QI1, expecting QR1); >> EVENT_CRYPTO_FAILED in 54s; lastdpd=-1s(seq in:0 out:0); idle; >> import:admin initiate >> 000 #1: "vpn-0":4500 STATE_MAIN_I4 (ISAKMP SA established); >> EVENT_SA_REPLACE in 27801s; newest ISAKMP; lastdpd=-1s(seq in:0 >> out:0); idle; import:admin initiate >> > > It looks like the IPsec SA did not fully establish. Either your logs or > the remote endpoint's log should have an entry saying what went wrong. > > Paul > -- Ge (Toby) Xu
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
