Hi All, I've got a breakdown of the configs from the remote end: ACL name LOCALID rule permit ip source 172.25.48.43 0 destination 10.0.64.66 0 rule permit ip source 172.25.48.36 0 destination 10.0.64.66 rule permit ip source 172.25.48.43 0 destination 10.0.64.1 rule permit ip source 172.25.48.36 0 destination 10.0.64.1 rule permit ip source 172.25.48.43 0 destination 10.0.64.10 rule permit ip source 172.25.48.36 0 destination 10.0.64.10 rule permit ip source 172.25.48.43 0 destination 10.0.64.201 rule permit ip source 172.25.48.36 0 destination 10.0.64.201
Ike Proposal 10 encryption-algorithm 3des authentication-algorithm md5 dh-group2 sa duration 28800 ike peer LOCALID pre-shared key "SOMEPSKHERE" ike-proposal 10 remote-address externalIP remote-id LOCALID Local-id-type ip ipsec proposal LOCALID encapsulation-mode tunnel esp authentication-algorithm sha1 esp encryption-algorithm 3des ipsec policy LOCALID 1 isakmp security acl name LOCALID ike-peer LOCALID proposal LOCALID sa duration time-based 3600 interface Tunnel 0/0/41 ip address remoteIDIP 255.255.255.255 tunnel-protocol ipsec ipsec policy LOCALID ip route-static 10.0.64.136 255.255.255.255 Tunnel0/0/41 externalIP ip route-static 10.0.64.1 255.255.255.255 Tunnel0/0/41 externalIP ip route-static 10.0.64.10 255.255.255.255 Tunnel0/0/41 externalIP ip route-static 10.0.64.201 255.255.255.255 Tunnel0/0/41 externalIP ip route-static 10.0.64.137 255.255.255.255 Tunnel0/0/41 externalIP ip route-static 10.0.64.66 255.255.255.255 Tunnel0/0/41 externalIP And here are the remote Huawei logs: http://pastebin.com/G90q7Aed Any ideas as to what could be wrong would be great - quite stuck at the moment! Regards Ian On Wed, Nov 2, 2016 at 10:32 AM Ian Barnes <[email protected]> wrote: > Hi Nick, > > That was part of debugging over the last few days trying to see if it made > any difference - but it didnt. The connection itself never gets > established, it just sits pending phase 2 and then stops after 10 attempts. > > Cheers > Ian > > > On Wed, Nov 2, 2016 at 10:26 AM Nick Howitt <[email protected]> wrote: > > How long is the connection running before it times out? 1h? Is there any > reason you've set rekey=no? > > Nick > > On 2016-11-02 07:31, Ian Barnes wrote: > > Hi Nick, > > > > Great thanks for the feedback. I've removed all spaces and am seeing > > the same result. I'm awaiting some logs from the remote which I'll > > forward on as soon as I get it. > > > > Regards > > Ian > > > > On Wed, Nov 2, 2016 at 9:22 AM, Nick Howitt <[email protected]> > > wrote: > > > >> Don't have any blank lines in a conn definition. > >> > >> On 2 November 2016 02:54:43 GMT+00:00, Ian Barnes > >> <[email protected]> wrote: > >> > >>> Hi All, > >>> > >>> I'm having huge issues setting up an IPSec tunnel from a Libreswan > >>> system to Huawei VRP device and was hoping someone could assist me > >>> in pinpointing what the error is > >>> > >>> Here are the logs from the connection: > >>> http://pastebin.com/vCY5GLG0 [2] > >>> > >>> HERE IS MY IPSEC.CONF > >>> # > >>> > >>> version 2.0 # conforms to second version of ipsec.conf > >>> specification > >>> > >>> # basic configuration > >>> config setup > >>> nat_traversal=yes > >>> > >>> virtual_private=%v:10.0.0.0/16 [3] > >>> oe=off > >>> protostack=netkey > >>> > >>> interfaces=%defaultroute > >>> klipsdebug=none > >>> uniqueids=yes > >>> > >>> plutodebug="control parsing" > >>> plutostderrlog=/var/log/ipsec.log > >>> > >>> #You may put your configuration (.conf) file in the > >>> "/etc/ipsec.d/" and uncomment this. > >>> include /etc/ipsec.d/*.conf > >>> > >>> HERE IS MY HOST-PRD.CONF > >>> > >>> conn host-prd > >>> ##### Local > >>> left=externalIP > >>> leftid=@LOCALID > >>> leftsubnet=externalIP/32 > >>> leftnexthop=%defaultroute > >>> > >>> ##### Remote > >>> right=REMOTEIDIP > >>> rightid=REMOTEIDIP > >>> rightsubnets={172.25.48.43/32 [4] 172.25.48.36/32 [5]} > >>> rightnexthop=%defaultroute > >>> > >>> ##### Auth Options > >>> authby=secret > >>> rekey=no > >>> aggrmode=no > >>> forceencaps=no > >>> > >>> ##### Phase 1 > >>> ike=3des-md5-modp1024 > >>> ikelifetime="28800" > >>> > >>> ##### Phase 2 > >>> esp=3des-md5 > >>> keylife="3600" > >>> pfs=no > >>> > >>> ##### Connection Options > >>> type=tunnel > >>> auto=start > >>> compress=no > >>> > >>> HERE IS MY IPSEC.SECRETS > >>> @LOCALID REMOTEIDIP : PSK "SOMEPSKHERE" > >>> > >>> HERE IS AN IPSEC VERIFY (SIDE NOTE: I CANT FIND THE ERRORS?!) > >>> > >>> Verifying installed system and configuration files > >>> > >>> Version check and ipsec on-path [OK] > >>> Libreswan 3.15 (netkey) on 2.6.32-504.16.2.el6.x86_64 > >>> Checking for IPsec support in kernel [OK] > >>> NETKEY: Testing XFRM related proc values > >>> ICMP default/send_redirects [OK] > >>> ICMP default/accept_redirects [OK] > >>> XFRM larval drop [OK] > >>> Pluto ipsec.conf syntax [OK] > >>> Hardware random device [N/A] > >>> Two or more interfaces found, checking IP forwarding [OK] > >>> Checking rp_filter [ENABLED] > >>> /proc/sys/net/ipv4/conf/default/rp_filter [ENABLED] > >>> /proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED] > >>> /proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED] > >>> /proc/sys/net/ipv4/conf/eth1/rp_filter [ENABLED] > >>> rp_filter is not fully aware of IPsec and should be disabled > >>> Checking that pluto is running [OK] > >>> Pluto listening for IKE on udp 500 [OK] > >>> Pluto listening for IKE/NAT-T on udp 4500 [OK] > >>> Pluto ipsec.secret syntax [OK] > >>> Checking 'ip' command [OK] > >>> Checking 'iptables' command [OK] > >>> Checking 'prelink' command does not interfere with FIPSChecking > >>> for obsolete ipsec.conf options [OK] > >>> Opportunistic Encryption [DISABLED] > >>> > >>> ipsec verify: encountered 9 errors - see 'man ipsec_verify' for > >>> help > >>> > >>> HERE IS AN IPSEC STATUS AFTER A FEW MINUTES > >>> > >>> 000 using kernel interface: netkey > >>> 000 interface lo/lo ::1@500 > >>> 000 interface lo/lo 127.0.0.1@4500 > >>> 000 interface lo/lo 127.0.0.1@500 > >>> 000 interface eth0/eth0 externalIP@4500 > >>> 000 interface eth0/eth0 externalIP@500 > >>> 000 interface eth1/eth1 10.0.64.10@4500 > >>> 000 interface eth1/eth1 10.0.64.10@500 > >>> 000 > >>> 000 > >>> 000 fips mode=disabled; > >>> 000 SElinux=disabled > >>> 000 > >>> 000 config setup options: > >>> 000 > >>> 000 configdir=/etc, configfile=/etc/ipsec.conf, > >>> secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, > >>> dumpdir=/var/run/pluto, statsbin=unset > >>> 000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec > >>> 000 pluto_version=3.15, pluto_vendorid=OE-Libreswan-3.15 > >>> 000 nhelpers=-1, uniqueids=yes, perpeerlog=no, shuntlifetime=900s, > >>> xfrmlifetime=300s > >>> 000 ddos-cookies-treshold=50000, ddos-max-halfopen=25000, > >>> ddos-mode=auto > >>> 000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, > >>> listen=<any>, nflog-all=0 > >>> 000 secctx-attr-type=32001 > >>> 000 myid = (none) > >>> 000 debug parsing+control > >>> 000 > >>> 000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500 > >>> 000 virtual-private (%priv): > >>> 000 > >>> 000 ESP algorithms supported: > >>> 000 > >>> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, > >>> keysizemin=192, keysizemax=192 > >>> 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, > >>> keysizemin=128, keysizemax=128 > >>> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, > >>> keysizemin=0, keysizemax=0 > >>> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, > >>> keysizemin=128, keysizemax=256 > >>> 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, > >>> keysizemin=128, keysizemax=256 > >>> 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, > >>> keysizemin=128, keysizemax=256 > >>> 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, > >>> keysizemin=128, keysizemax=256 > >>> 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, > >>> keysizemin=128, keysizemax=256 > >>> 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, > >>> keysizemin=128, keysizemax=256 > >>> 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, > >>> keysizemin=128, keysizemax=256 > >>> 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, > >>> keysizemin=128, keysizemax=256 > >>> 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, > >>> keysizemin=128, keysizemax=256 > >>> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, > >>> keysizemin=128, keysizemax=256 > >>> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, > >>> keysizemin=128, keysizemax=256 > >>> 000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, > >>> keysizemin=128, keysizemax=128 > >>> 000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, > >>> keysizemin=160, keysizemax=160 > >>> 000 algorithm AH/ESP auth: id=5, > >>> name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256 > >>> 000 algorithm AH/ESP auth: id=6, > >>> name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384 > >>> 000 algorithm AH/ESP auth: id=7, > >>> name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512 > >>> 000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, > >>> keysizemin=160, keysizemax=160 > >>> 000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC, > >>> keysizemin=128, keysizemax=128 > >>> 000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME, > >>> keysizemin=0, keysizemax=0 > >>> 000 > >>> 000 IKE algorithms supported: > >>> 000 > >>> 000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=16, > >>> v2name=AES_CCM_C, blocksize=16, keydeflen=128 > >>> 000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=15, > >>> v2name=AES_CCM_B, blocksize=16, keydeflen=128 > >>> 000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=14, > >>> v2name=AES_CCM_A, blocksize=16, keydeflen=128 > >>> 000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, > >>> v2name=3DES, blocksize=8, keydeflen=192 > >>> 000 algorithm IKE encrypt: v1id=24, v1name=OAKLEY_CAMELLIA_CTR, > >>> v2id=24, v2name=CAMELLIA_CTR, blocksize=16, keydeflen=128 > >>> 000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, > >>> v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128 > >>> 000 algorithm IKE encrypt: v1id=20, v1name=OAKLEY_AES_GCM_C, > >>> v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128 > >>> 000 algorithm IKE encrypt: v1id=19, v1name=OAKLEY_AES_GCM_B, > >>> v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128 > >>> 000 algorithm IKE encrypt: v1id=18, v1name=OAKLEY_AES_GCM_A, > >>> v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128 > >>> 000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, > >>> v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128 > >>> 000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, > >>> v2name=AES_CBC, blocksize=16, keydeflen=128 > >>> 000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, > >>> v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128 > >>> 000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, > >>> v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128 > >>> 000 algorithm IKE encrypt: v1id=65289, > >>> v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, > >>> blocksize=16, keydeflen=128 > >>> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashlen=16 > >>> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashlen=20 > >>> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashlen=32 > >>> 000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashlen=48 > >>> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashlen=64 > >>> 000 algorithm IKE hash: id=9, name=DISABLED-OAKLEY_AES_XCBC, > >>> hashlen=16 > >>> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, > >>> bits=1024 > >>> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, > >>> bits=1536 > >>> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, > >>> bits=2048 > >>> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, > >>> bits=3072 > >>> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, > >>> bits=4096 > >>> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, > >>> bits=6144 > >>> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, > >>> bits=8192 > >>> 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, > >>> bits=1024 > >>> 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, > >>> bits=2048 > >>> 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, > >>> bits=2048 > >>> 000 > >>> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64} > >>> trans={0,2,6144} attrs={0,2,4096} > >>> 000 > >>> 000 Connection list: > >>> 000 > >>> 000 "host-prd/0x1": > >>> > >> > > > externalIP/32===externalIP<externalIP>[@LIDTECH]---defaultGW...REMOTEIDIP<REMOTEIDIP>=== > 172.25.48.43/32 > >>> [4]; prospective erouted; eroute owner: #0 > >>> 000 "host-prd/0x1": oriented; my_ip=unset; their_ip=unset > >>> 000 "host-prd/0x1": xauth info: us:none, them:none, > >>> my_xauthuser=[any]; their_xauthuser=[any] > >>> 000 "host-prd/0x1": modecfg info: us:none, them:none, modecfg > >>> policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset; > >>> 000 "host-prd/0x1": labeled_ipsec:no; > >>> 000 "host-prd/0x1": policy_label:unset; > >>> 000 "host-prd/0x1": ike_life: 28800s; ipsec_life: 3600s; > >>> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; > >>> 000 "host-prd/0x1": retransmit-interval: 500ms; > >>> retransmit-timeout: 60s; > >>> 000 "host-prd/0x1": sha2_truncbug:no; initial_contact:no; > >>> cisco_unity:no; send_vendorid:no; > >>> 000 "host-prd/0x1": policy: > >>> > >> > > > PSK+ENCRYPT+TUNNEL+DONT_REKEY+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW; > >>> 000 "host-prd/0x1": conn_prio: 32,32; interface: eth0; metric: > >>> 0; mtu: unset; sa_prio:auto; nflog-group: unset; > >>> 000 "host-prd/0x1": newest ISAKMP SA: #0; newest IPsec SA: #0; > >>> 000 "host-prd/0x1": aliases: host-prd > >>> 000 "host-prd/0x1": IKE algorithms wanted: > >>> 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2) > >>> 000 "host-prd/0x1": IKE algorithms found: > >>> 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2) > >>> 000 "host-prd/0x1": ESP algorithms wanted: > >>> 3DES(3)_000-MD5(1)_000 > >>> 000 "host-prd/0x1": ESP algorithms loaded: > >>> 3DES(3)_000-MD5(1)_000 > >>> 000 "host-prd/0x2": > >>> > >> > > > externalIP/32===externalIP<externalIP>[@LIDTECH]---defaultGW...REMOTEIDIP<REMOTEIDIP>=== > 172.25.48.36/32 > >>> [5]; prospective erouted; eroute owner: #0 > >>> 000 "host-prd/0x2": oriented; my_ip=unset; their_ip=unset > >>> 000 "host-prd/0x2": xauth info: us:none, them:none, > >>> my_xauthuser=[any]; their_xauthuser=[any] > >>> 000 "host-prd/0x2": modecfg info: us:none, them:none, modecfg > >>> policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset; > >>> 000 "host-prd/0x2": labeled_ipsec:no; > >>> 000 "host-prd/0x2": policy_label:unset; > >>> 000 "host-prd/0x2": ike_life: 28800s; ipsec_life: 3600s; > >>> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; > >>> 000 "host-prd/0x2": retransmit-interval: 500ms; > >>> retransmit-timeout: 60s; > >>> 000 "host-prd/0x2": sha2_truncbug:no; initial_contact:no; > >>> cisco_unity:no; send_vendorid:no; > >>> 000 "host-prd/0x2": policy: > >>> > >> > > > PSK+ENCRYPT+TUNNEL+DONT_REKEY+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW; > >>> 000 "host-prd/0x2": conn_prio: 32,32; interface: eth0; metric: > >>> 0; mtu: unset; sa_prio:auto; nflog-group: unset; > >>> 000 "host-prd/0x2": newest ISAKMP SA: #0; newest IPsec SA: #0; > >>> 000 "host-prd/0x2": aliases: host-prd > >>> 000 "host-prd/0x2": IKE algorithms wanted: > >>> 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2) > >>> 000 "host-prd/0x2": IKE algorithms found: > >>> 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2) > >>> 000 "host-prd/0x2": ESP algorithms wanted: > >>> 3DES(3)_000-MD5(1)_000 > >>> 000 "host-prd/0x2": ESP algorithms loaded: > >>> 3DES(3)_000-MD5(1)_000 > >>> 000 > >>> 000 Total IPsec connections: loaded 2, active 0 > >>> 000 > >>> 000 State Information: DDoS cookies not required, Accepting new > >>> IKE connections > >>> 000 IKE SAs: total(0), half-open(0), open(0), authenticated(0), > >>> anonymous(0) > >>> 000 IPsec SAs: total(0), authenticated(0), anonymous(0) > >>> 000 > >>> 000 Bare Shunt list: > >>> 000 > >>> > >>> HERE IS THE LAST PART OF AN IPSEC STATUS BEFORE THE CONNECTION > >>> "TIMES OUT": > >>> > >>> 000 #1: "host-prd/0x2":500 STATE_MAIN_I3 (sent MI3, expecting > >>> MR3); EVENT_v1_RETRANSMIT in 0s; nodpd; idle; import:admin > >>> initiate > >>> 000 #1: pending Phase 2 for "mtn-ug-prd/0x1" replacing #0 > >>> 000 #1: pending Phase 2 for "mtn-ug-prd/0x2" replacing #0 > >>> > >>> My suspicion is that this is a misconfiguration on their end, but > >>> not sure what though... > >>> > >>> Any advice would be great - thanks in advance > >>> > >>> Ian > >>> > >>> ------------------------- > >>> > >>> Swan mailing list > >>> [email protected] > >>> https://lists.libreswan.org/mailman/listinfo/swan [1] > >> > >> -- > >> Sent from my Android device with K-9 Mail. Please excuse my brevity. > > > > > > > > Links: > > ------ > > [1] https://lists.libreswan.org/mailman/listinfo/swan > > [2] http://pastebin.com/vCY5GLG0 > > [3] http://10.0.0.0/16 > > [4] http://172.25.48.43/32 > > [5] http://172.25.48.36/32 > >
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
