I am attempting to configure a VPN tunnel between a Libreswan host (3.20-5, CentOS7) and a Cisco 881 router. I want to create a VTI interface on the CentOS7 host corresponding to a Tunnel interface on the Cisco router [we have some relatively complicated routing].
I have been able to peer the Cisco router and the Libreswan host in a straight-up association, but when I attempt to change this over to a VRF-VTI configuration I am getting stuck.

-- from the Cisco router, which is the branch office side --

*Apr 20 17:56:20.730: ISAKMP:(0): beginning Main Mode exchange
*Apr 20 17:56:20.730: ISAKMP:(0): sending packet to A.B.C.D my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 20 17:56:20.730: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 20 17:56:20.730: ISAKMP:(0):purging SA., sa=85431158, delme=85431158
*Apr 20 17:56:30.730: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Apr 20 17:56:30.730: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr 20 17:56:30.730: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Apr 20 17:56:30.730: ISAKMP:(0): sending packet to A.B.C.D my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 20 17:56:30.730: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 20 17:56:40.730: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
*Apr 20 17:56:40.730: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Apr 20 17:56:40.730: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
*Apr 20 17:56:40.730: ISAKMP:(0): sending packet to A.B.C.D my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 20 17:56:40.730: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Apr 20 17:56:50.726: IPSEC(key_engine): request timer fired: count = 1, (identity) local= X.Y.W.X, remote= A.B.C.D, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*Apr 20 17:56:50.726: IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= X.Y.W.X, remote= A.B.C.D, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel), lifedur= 3600s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Apr 20 17:56:50.726: ISAKMP: set new node 0 to QM_IDLE
*Apr 20 17:56:50.726: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local X.Y.W.X, remote A.B.C.D)
*Apr 20 17:56:50.726: ISAKMP: Error while processing SA request: Failed to initialize SA

-- Libreswan --

conn mhhs-vti
    mark=10/0xffffff
    ikelifetime=1440m
    keylife=60m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    left=A.B.C.D        #strongswan outside address
    leftid=A.B.C.D      #IKEID sent by strongswan
    right=X.Y.W.Z       #IOS outside address
    rightid=X.Y.W.Z     #IKEID sent by IOS
    auto=add
    vti-interface=vti01
    vti-routing=no
    #type=tunnel
    #leftvti=172.16.4.5/24

-- Cisco Router --

crypto keyring branchoffice-keyring
  pre-shared-key address A.B.C.D key CiscoCiscoCiscoCiscoCisco
!
crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 2
crypto isakmp profile branchoffice-ike
   keyring branchoffice-keyring
   match identity address A.B.C.D 255.255.255.255 RED
   isakmp authorization list default
   local-address FastEthernet4
!
crypto ipsec transform-set branchoffice-set esp-aes esp-sha-hmac
!
crypto ipsec profile branchoffice-profile
 set transform-set branchoffice-set
 set isakmp-profile branchoffice-ike
!
interface Tunnel0
 ip vrf forwarding GREEN
 ip address 172.16.4.4 255.255.255.0
 tunnel source FastEthernet4
 tunnel destination A.B.C.D
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile branchoffice-profile
!
interface FastEthernet4
 description internet WAN link
 ip address X.Y.W.Z 255.255.255.224
 duplex auto
 speed auto
!
interface Vlan1
 description cust1 private VRF
 ip vrf forwarding GREEN
 ip address 192.168.42.19 255.255.255.0
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 X.Y.W.V
ip route vrf GREEN 0.0.0.0 0.0.0.0 172.16.4.5

--
Meetings Coordinator, Michigan Association of Railroad Passengers
537 Shirley St NE
Grand Rapids, MI 49503-1754
Phone: 616.581.8010
E-mail: [email protected]
GPG#D95ED383
Web: http://www.marp.org

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
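Added example, not part of the original post or of Libreswan: a small Python triage script that parses the IOS "debug crypto isakmp"/"debug crypto ipsec" output and the Libreswan conn above into structured data and reports the two things a practitioner would check first: whether the Libreswan side ever answered phase 1 (the log shows only outbound MM_NO_STATE packets and retransmits, no inbound packet), and which quick mode traffic selectors the IOS "tunnel mode ipsec ipv4" interface queues (0.0.0.0/0 on both sides) compared with what a conn without leftsubnet/rightsubnet would negotiate (the host addresses /32). The sample debug lines and conn are condensed, constructed copies of the ones in the post; the function names and the finding labels are mine.

```python
"""Triage a Cisco IOS 'debug crypto isakmp'/'debug crypto ipsec' capture against a
Libreswan conn. Added example: regex parsing and the finding labels are mine."""
import re

# Constructed sample: condensed copy of the IOS debug lines from the post.
CISCO_DEBUG = """\
*Apr 20 17:56:20.730: ISAKMP:(0): beginning Main Mode exchange
*Apr 20 17:56:20.730: ISAKMP:(0): sending packet to A.B.C.D my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 20 17:56:30.730: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr 20 17:56:30.730: ISAKMP:(0): sending packet to A.B.C.D my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 20 17:56:40.730: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Apr 20 17:56:40.730: ISAKMP:(0): sending packet to A.B.C.D my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 20 17:56:50.726: IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= X.Y.W.X, remote= A.B.C.D, local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4), protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel), lifedur= 3600s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Apr 20 17:56:50.726: ISAKMP: Error while processing SA request: Failed to initialize SA
"""

# Constructed sample: the conn from the post with its comments reworded.
LIBRESWAN_CONN = """\
conn mhhs-vti
    mark=10/0xffffff
    authby=secret
    left=A.B.C.D        # Libreswan outside address
    right=X.Y.W.Z       # IOS outside address
    auto=add
    vti-interface=vti01
    vti-routing=no
    #leftvti=172.16.4.5/24
"""

SENT = re.compile(r"sending packet to (\S+) my_port \d+ peer_port (\d+) \(I\) (\w+)")
RECEIVED = re.compile(r"received packet from")
RETRANSMIT = re.compile(r"attempt (\d+) of \d+: retransmit phase 1")
PROXY = re.compile(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/\d+/\d+")
TRANSFORM = re.compile(r"transform= ([\w\- ]+?) \((\w+)\)")

def mask_to_prefix(mask):
    """Dotted-quad netmask -> prefix length (IOS prints proxies as addr/mask/proto/port)."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))

def parse_cisco_debug(text):
    """Initiator's view: packets sent/received, last phase 1 state, highest retransmit
    attempt, and the quick mode proxies/transform it queued behind phase 1."""
    info = {"sent": 0, "received": 0, "retransmit_attempt": 0, "peer": None,
            "port": None, "last_state": None, "proxies": {}, "transform": None, "mode": None}
    for line in text.splitlines():
        m = SENT.search(line)
        if m:
            info["sent"] += 1
            info["peer"], info["port"], info["last_state"] = m.group(1), int(m.group(2)), m.group(3)
        if RECEIVED.search(line):
            info["received"] += 1
        m = RETRANSMIT.search(line)
        if m:
            info["retransmit_attempt"] = max(info["retransmit_attempt"], int(m.group(1)))
        for side, addr, mask in PROXY.findall(line):
            info["proxies"][side] = "%s/%d" % (addr, mask_to_prefix(mask))
        m = TRANSFORM.search(line)
        if m:
            info["transform"], info["mode"] = m.group(1), m.group(2)
    return info

def parse_conn(text):
    """Minimal ipsec.conf conn parser: strips '#' comments, returns (name, options)."""
    name, opts = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            name = line.split(None, 1)[1].strip()
        elif "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return name, opts

def conn_selectors(opts):
    """Selectors the conn negotiates: leftsubnet/rightsubnet default to the host /32."""
    return (opts.get("leftsubnet", opts["left"] + "/32"),
            opts.get("rightsubnet", opts["right"] + "/32"))

def triage(debug_text, conn_text):
    """Return findings in the order they bite: phase 1 first, then the phase 2 selectors."""
    d, (name, opts) = parse_cisco_debug(debug_text), parse_conn(conn_text)
    findings = []
    if d["sent"] and d["received"] == 0:
        findings.append(
            "phase1-no-response: IOS sent %d Main Mode packet(s) to %s UDP/%d, reached retransmit "
            "attempt %d and logged no inbound packet (still %s); the responder never answered, so "
            "no proposal was compared: check that UDP/500 from the IOS source reaches the "
            "Libreswan host and that Libreswan logs the packet"
            % (d["sent"], d["peer"], d["port"], d["retransmit_attempt"], d["last_state"]))
    # Libreswan's left is the router's remote: IOS remote_proxy maps to leftsubnet,
    # IOS local_proxy to rightsubnet.
    want = (d["proxies"].get("remote"), d["proxies"].get("local"))
    have = conn_selectors(opts)
    if all(want) and want != have:
        findings.append(
            "selector-mismatch: IOS 'tunnel mode ipsec ipv4' proposes %s <-> %s (%s, %s); conn %s "
            "would negotiate %s <-> %s, so quick mode would fail after phase 1 unless "
            "leftsubnet/rightsubnet are set to match"
            % (want + (d["transform"], d["mode"], name) + have))
    return findings

if __name__ == "__main__":
    print("\n".join(triage(CISCO_DEBUG, LIBRESWAN_CONN)))
```

Run it as-is to see both findings on the constructed sample, or feed it a real capture by reading the debug output and the conn from files. The first finding is the one that matters for the post as written: the router never leaves MM_NO_STATE because nothing comes back on UDP/500, which is before any proposal, identity or selector is compared, so reachability and whether Libreswan logs the arriving packet are the things to establish first. The selector check is the caveat that bites next: IOS proposes 0.0.0.0/0 on both sides for a VTI, and a conn that leaves leftsubnet and rightsubnet unset offers only the two host addresses.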
