Hi Nick,

Great, thanks for the feedback. I've removed all spaces and am seeing the same result. I'm awaiting some logs from the remote, which I'll forward on as soon as I get them.
Regards
Ian

On Wed, Nov 2, 2016 at 9:22 AM, Nick Howitt <[email protected]> wrote:
> Don't have any blank lines in a conn definition.
>
> On 2 November 2016 02:54:43 GMT+00:00, Ian Barnes <[email protected]> wrote:
>
>> Hi All,
>>
>> I'm having huge issues setting up an IPSec tunnel from a Libreswan system to a Huawei VRP device and was hoping someone could assist me in pinpointing what the error is.
>>
>> Here are the logs from the connection: http://pastebin.com/vCY5GLG0
>>
>> *Here is my ipsec.conf*
>> #
>> version 2.0 # conforms to second version of ipsec.conf specification
>>
>> # basic configuration
>> config setup
>> nat_traversal=yes
>> virtual_private=%v:10.0.0.0/16
>> oe=off
>> protostack=netkey
>> interfaces=%defaultroute
>> klipsdebug=none
>> uniqueids=yes
>> plutodebug="control parsing"
>> plutostderrlog=/var/log/ipsec.log
>>
>> #You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
>> include /etc/ipsec.d/*.conf
>>
>> *Here is my host-prd.conf*
>> conn host-prd
>> ##### Local
>> left=externalIP
>> leftid=@LOCALID
>> leftsubnet=externalIP/32
>> leftnexthop=%defaultroute
>>
>> ##### Remote
>> right=REMOTEIDIP
>> rightid=REMOTEIDIP
>> rightsubnets={172.25.48.43/32 172.25.48.36/32}
>> rightnexthop=%defaultroute
>>
>> ##### Auth Options
>> authby=secret
>> rekey=no
>> aggrmode=no
>> forceencaps=no
>>
>> ##### Phase 1
>> ike=3des-md5-modp1024
>> ikelifetime="28800"
>>
>> ##### Phase 2
>> esp=3des-md5
>> keylife="3600"
>> pfs=no
>>
>> ##### Connection Options
>> type=tunnel
>> auto=start
>> compress=no
>>
>> *Here is my ipsec.secrets*
>> @LOCALID REMOTEIDIP : PSK "SOMEPSKHERE"
>>
>> *Here is an ipsec verify (SIDE NOTE: I can't find the errors?!)*
>> Verifying installed system and configuration files
>>
>> Version check and ipsec on-path [OK]
>> Libreswan 3.15 (netkey) on 2.6.32-504.16.2.el6.x86_64
>> Checking for IPsec support in kernel [OK]
>> NETKEY: Testing XFRM related proc values
>> ICMP default/send_redirects [OK]
>> ICMP default/accept_redirects [OK]
>> XFRM larval drop [OK]
>> Pluto ipsec.conf syntax [OK]
>> Hardware random device [N/A]
>> Two or more interfaces found, checking IP forwarding [OK]
>> Checking rp_filter [ENABLED]
>> /proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
>> /proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]
>> /proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
>> /proc/sys/net/ipv4/conf/eth1/rp_filter [ENABLED]
>> rp_filter is not fully aware of IPsec and should be disabled
>> Checking that pluto is running [OK]
>> Pluto listening for IKE on udp 500 [OK]
>> Pluto listening for IKE/NAT-T on udp 4500 [OK]
>> Pluto ipsec.secret syntax [OK]
>> Checking 'ip' command [OK]
>> Checking 'iptables' command [OK]
>> Checking 'prelink' command does not interfere with FIPS
>> Checking for obsolete ipsec.conf options [OK]
>> Opportunistic Encryption [DISABLED]
>>
>> ipsec verify: encountered 9 errors - see 'man ipsec_verify' for help
>>
>> *Here is an ipsec status after a few minutes*
>> 000 using kernel interface: netkey
>> 000 interface lo/lo ::1@500
>> 000 interface lo/lo 127.0.0.1@4500
>> 000 interface lo/lo 127.0.0.1@500
>> 000 interface eth0/eth0 externalIP@4500
>> 000 interface eth0/eth0 externalIP@500
>> 000 interface eth1/eth1 10.0.64.10@4500
>> 000 interface eth1/eth1 10.0.64.10@500
>> 000
>> 000
>> 000 fips mode=disabled;
>> 000 SElinux=disabled
>> 000
>> 000 config setup options:
>> 000
>> 000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto, statsbin=unset
>> 000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
>> 000 pluto_version=3.15, pluto_vendorid=OE-Libreswan-3.15
>> 000 nhelpers=-1, uniqueids=yes, perpeerlog=no, shuntlifetime=900s, xfrmlifetime=300s
>> 000 ddos-cookies-treshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
>> 000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
>> 000 secctx-attr-type=32001
>> 000 myid = (none)
>> 000 debug parsing+control
>> 000
>> 000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
>> 000 virtual-private (%priv):
>> 000
>> 000 ESP algorithms supported:
>> 000
>> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
>> 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128
>> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
>> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
>> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
>> 000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
>> 000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
>> 000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
>> 000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
>> 000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
>> 000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
>> 000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC, keysizemin=128, keysizemax=128
>> 000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
>> 000
>> 000 IKE algorithms supported:
>> 000
>> 000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=16, v2name=AES_CCM_C, blocksize=16, keydeflen=128
>> 000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=15, v2name=AES_CCM_B, blocksize=16, keydeflen=128
>> 000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=14, v2name=AES_CCM_A, blocksize=16, keydeflen=128
>> 000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
>> 000 algorithm IKE encrypt: v1id=24, v1name=OAKLEY_CAMELLIA_CTR, v2id=24, v2name=CAMELLIA_CTR, blocksize=16, keydeflen=128
>> 000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
>> 000 algorithm IKE encrypt: v1id=20, v1name=OAKLEY_AES_GCM_C, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
>> 000 algorithm IKE encrypt: v1id=19, v1name=OAKLEY_AES_GCM_B, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
>> 000 algorithm IKE encrypt: v1id=18, v1name=OAKLEY_AES_GCM_A, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
>> 000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
>> 000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
>> 000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
>> 000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
>> 000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
>> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashlen=16
>> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashlen=20
>> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashlen=32
>> 000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashlen=48
>> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashlen=64
>> 000 algorithm IKE hash: id=9, name=DISABLED-OAKLEY_AES_XCBC, hashlen=16
>> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
>> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
>> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
>> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
>> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
>> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
>> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
>> 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
>> 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
>> 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
>> 000
>> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64} trans={0,2,6144} attrs={0,2,4096}
>> 000
>> 000 Connection list:
>> 000
>> 000 "host-prd/0x1": externalIP/32===externalIP<externalIP>[@LIDTECH]---defaultGW...REMOTEIDIP<REMOTEIDIP>===172.25.48.43/32; prospective erouted; eroute owner: #0
>> 000 "host-prd/0x1": oriented; my_ip=unset; their_ip=unset
>> 000 "host-prd/0x1": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
>> 000 "host-prd/0x1": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
>> 000 "host-prd/0x1": labeled_ipsec:no;
>> 000 "host-prd/0x1": policy_label:unset;
>> 000 "host-prd/0x1": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
>> 000 "host-prd/0x1": retransmit-interval: 500ms; retransmit-timeout: 60s;
>> 000 "host-prd/0x1": sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
>> 000 "host-prd/0x1": policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
>> 000 "host-prd/0x1": conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
>> 000 "host-prd/0x1": newest ISAKMP SA: #0; newest IPsec SA: #0;
>> 000 "host-prd/0x1": aliases: host-prd
>> 000 "host-prd/0x1": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2)
>> 000 "host-prd/0x1": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
>> 000 "host-prd/0x1": ESP algorithms wanted: 3DES(3)_000-MD5(1)_000
>> 000 "host-prd/0x1": ESP algorithms loaded: 3DES(3)_000-MD5(1)_000
>> 000 "host-prd/0x2": externalIP/32===externalIP<externalIP>[@LIDTECH]---defaultGW...REMOTEIDIP<REMOTEIDIP>===172.25.48.36/32; prospective erouted; eroute owner: #0
>> 000 "host-prd/0x2": oriented; my_ip=unset; their_ip=unset
>> 000 "host-prd/0x2": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
>> 000 "host-prd/0x2": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
>> 000 "host-prd/0x2": labeled_ipsec:no;
>> 000 "host-prd/0x2": policy_label:unset;
>> 000 "host-prd/0x2": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
>> 000 "host-prd/0x2": retransmit-interval: 500ms; retransmit-timeout: 60s;
>> 000 "host-prd/0x2": sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
>> 000 "host-prd/0x2": policy: PSK+ENCRYPT+TUNNEL+DONT_REKEY+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
>> 000 "host-prd/0x2": conn_prio: 32,32; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
>> 000 "host-prd/0x2": newest ISAKMP SA: #0; newest IPsec SA: #0;
>> 000 "host-prd/0x2": aliases: host-prd
>> 000 "host-prd/0x2": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2)
>> 000 "host-prd/0x2": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
>> 000 "host-prd/0x2": ESP algorithms wanted: 3DES(3)_000-MD5(1)_000
>> 000 "host-prd/0x2": ESP algorithms loaded: 3DES(3)_000-MD5(1)_000
>> 000
>> 000 Total IPsec connections: loaded 2, active 0
>> 000
>> 000 State Information: DDoS cookies not required, Accepting new IKE connections
>> 000 IKE SAs: total(0), half-open(0), open(0), authenticated(0), anonymous(0)
>> 000 IPsec SAs: total(0), authenticated(0), anonymous(0)
>> 000
>> 000 Bare Shunt list:
>> 000
>>
>> *Here is the last part of an ipsec status before the connection "times out":*
>>
>> 000 #1: "host-prd/0x2":500 STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_v1_RETRANSMIT in 0s; nodpd; idle; import:admin initiate
>> 000 #1: pending Phase 2 for "mtn-ug-prd/0x1" replacing #0
>> 000 #1: pending Phase 2 for "mtn-ug-prd/0x2" replacing #0
>>
>> My suspicion is that this is a misconfiguration on their end, but I'm not sure what, though...
>>
>> Any advice would be great - thanks in advance
>>
>> Ian
>>
>> ------------------------------
>>
>> Swan mailing list
>> [email protected]
>> https://lists.libreswan.org/mailman/listinfo/swan
>>
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
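Added example, not from the thread and not Libreswan's own tooling: a small Python parser that pulls the connection totals, the wanted IKE proposal and any stuck IKEv1 main-mode state out of `ipsec status` lines shaped like the ones quoted above, then maps a retransmitting `STATE_MAIN_I*` state to the reply the initiator is waiting for. The sample lines, regexes and stall hints are constructed here; the "sent MI3, expecting MR3" case is the one in the thread.

```python
import re

# Constructed sample in the shape of the "ipsec status" lines quoted in the thread (not the poster's full dump).
SAMPLE_STATUS = """\
000 "host-prd/0x1": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2)
000 "host-prd/0x1": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 Total IPsec connections: loaded 2, active 0
000 #1: "host-prd/0x2":500 STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_v1_RETRANSMIT in 0s; nodpd; idle; import:admin initiate
000 #1: pending Phase 2 for "host-prd/0x1" replacing #0
"""

# Which reply each IKEv1 main-mode initiator state is waiting for, and the usual reason a tunnel stalls there.
# A responder silently drops a message it cannot verify, so the initiator keeps retransmitting until it gives up.
STALL_HINTS = {
    "STATE_MAIN_I1": "waiting for MR1 (SA proposal): UDP/500 blocked, peer down, or no acceptable ike= proposal",
    "STATE_MAIN_I2": "waiting for MR2 (KE/nonce): responder failed or dropped the key exchange",
    "STATE_MAIN_I3": "waiting for MR3 (ID/HASH): peer could not authenticate us; usually PSK or ID mismatch",
}

TOTALS_RE = re.compile(r'^000 Total IPsec connections: loaded (\d+), active (\d+)')
STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)":\d+ (STATE_\w+) \(([^)]*)\);(.*)$')
WANTED_RE = re.compile(r'^000 "([^"]+)": IKE algorithms wanted: (\S+)')


def parse_status(text):
    """Pull the facts that matter for a stuck tunnel out of an ipsec status dump."""
    result = {"loaded": None, "active": None, "ike_wanted": {}, "states": []}
    for line in text.splitlines():
        if m := TOTALS_RE.match(line):
            result["loaded"], result["active"] = int(m.group(1)), int(m.group(2))
        elif m := WANTED_RE.match(line):
            result["ike_wanted"][m.group(1)] = m.group(2)
        elif m := STATE_RE.match(line):
            result["states"].append({
                "sa": int(m.group(1)), "conn": m.group(2), "state": m.group(3),
                "detail": m.group(4), "retransmitting": "EVENT_v1_RETRANSMIT" in m.group(5),
            })
    return result


def diagnose(text):
    """Return one human-readable finding per IKE SA that is retransmitting in a known stall state."""
    findings = []
    for sa in parse_status(text)["states"]:
        if sa["retransmitting"] and sa["state"] in STALL_HINTS:
            findings.append(f'#{sa["sa"]} {sa["conn"]} stuck in {sa["state"]}: {STALL_HINTS[sa["state"]]}')
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_STATUS):
        print(finding)
```

Feed it the real output with `ipsec status | python3 this_script.py` after swapping the sample for `sys.stdin.read()`; the thread's own dump would report SA #1 stuck in STATE_MAIN_I3 with the PSK/ID hint.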
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
