On Wed, 17 May 2017, Madden, Joe wrote:

We are having an issue with our Libreswan tunnels. They come up for a short 
amount of time before dropping off.


May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/14x0" #3: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/12x0" #5: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-nissen-1/13x0" #17: received Vendor ID payload [RFC 3947]
May 17 12:45:44 fw pluto[12003]: "ssl-nissen-1/13x0" #17: received Vendor ID payload [FRAGMENTATION c0000000]
May 17 12:45:44 fw pluto[12003]: "ssl-nissen-1/13x0" #17: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/11x0" #6: STATE_PARENT_I1: sent v2I1, expected v2R1

Looks like the other end does not like your proposal?


conn ssl-iptrafficsig-1
       authby=                 secret
       auto=                   start
       type=                   tunnel
       forceencaps=            no
       rekeymargin=            3m
       keyingtries=            %forever
       salifetime=             8h
       ikelifetime=            24h
       ikev2=                  insist
       initial-contact=        yes
       send_vendorid=          yes

       #RTT
       left=           10.59.31.49

Please remove empty lines, those denote that a new conn section starts,
and you might be missing part of your configuration.

       leftnexthop=    10.59.31.54

       #SAA

Same here.

       right=          54.247.187.81
       rightid=        54.247.187.81
       rightsubnet=    10.199.0.0/28
       ike=            aes256-sha2_512;modp2048
       phase2=         esp
       phase2alg=      aes256-sha2_512;modp2048
       pfs=            yes
       sha2_truncbug=  no

       #Dead Peer Detection

And here.

Strongswan configuration looks like this:


######### Connection to Mott NRTS Gateway-PSK #####
conn motts_nrts_gateway
       type=tunnel
       authby=secret
       forceencaps=no
       keyexchange=ikev2
       left=10.199.0.4
       leftsubnet=10.199.0.0/28
       leftid=54.247.187.81
       #leftfirewall=yes
       rightfirewall=yes
       ike=aes256-sha2_512-modp2048
       esp=aes256-sha2_512-modp2048
       right=extip
       rightid=extip
       rightsubnet=10.1.176.0/25,10.1.178.0/26,10.1.160.64/27,10.1.162.64/27,10.1.170.0/25,10.2.74.64/29,10.2.166.0/26,10.2.130.64/28,10.2.168.10/32,10.2.168.11/32,10.1.172.10/32,10.1.172.11/32,172.21.12.0/26,172.21.13.0/26,172.21.15.0/26,10.2.170.0/26
       aggressive=no
       ikelifetime=24h
       keyingtries=%forever
       keylife=8h
       dpdaction=hold
       auto=start
######## End of MOTT NRTS Gateway Connection ###


Does anyone have any suggestions to what could be the issue?

What does the strongswan log say?

Paul
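
The blank-line problem pointed out in the reply above can be checked mechanically before loading a configuration. The following is an added example, not part of the original thread or of libreswan; it assumes, as the reply states, that an empty line ends a conn section, and the sample config, addresses and function name are constructed.

```python
import re

# Constructed sample modelled on the layout of the quoted conn
# (names and addresses are placeholders from documentation ranges).
SAMPLE = """\
conn example-tunnel
    authby=secret
    ikev2=insist

    #local side
    left=192.0.2.10

    leftnexthop=192.0.2.1
    #remote side
    right=198.51.100.20
conn second
    auto=start
"""

SECTION_RE = re.compile(r"^(conn|config)\s+(\S+)")


def find_orphaned_options(text):
    """Return (line_no, section, option) for every indented option that
    follows a blank line inside a section (hypothetical helper).
    Assumption taken from the reply: a blank line ends the section, so
    these options may not be read as part of the conn they belong to."""
    findings = []
    section = None   # name of the most recent section header
    closed = False   # True once a blank line was seen after that header
    for line_no, raw in enumerate(text.splitlines(), 1):
        header = SECTION_RE.match(raw)
        if header:
            section, closed = header.group(2), False
        elif not raw.strip():
            closed = section is not None
        elif raw.lstrip().startswith("#"):
            continue  # comment lines neither open nor close a section
        elif raw[0] in " \t" and section and closed:
            findings.append((line_no, section, raw.strip()))
    return findings


if __name__ == "__main__":
    for line_no, section, option in find_orphaned_options(SAMPLE):
        print(f"line {line_no}: '{option}' follows a blank line in conn {section}")
```
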