I have a CentOS 7.6 box with Libreswan connected to an IPsec Checkpoint VPN. I am having constant problems with this connection. Usually when I restart the connection it works until the key exchange; after the key changes, it no longer connects. Another problem is that several times it happens that the VPN is established but does not pass any packets over the VPN. I restart the connection, restart CentOS, and nothing; then I have to remove all the .db files from the /etc/ipsec.d folder (/etc/ipsec.d/*.db) and restart CentOS so it comes back to the VPN. No problem with any kind of firewall rule, because there are none. There is a problem in Libreswan whose cause I could not find, even though it is giving this constant error. If I remove Libreswan and put in a SonicWall, everything works perfectly, without any problems. So I need some help to identify this problem accurately and find a solution that solves this issue.

My configuration in ipsec.conf:

conn VPN
    auto=start
    pfs=yes
    rekey=no
    authby=secret
    type=tunnel
    salifetime=28800
    ikelifetime=28800
    ike=3des-sha1;modp1024
    phase2=esp
    phase2alg=3des-sha1;modp1024
    left=XXX.XXX.XXX.154
    leftsubnet=192.168.70.0/24
    leftsourceip= XXX.XXX.XXX.154
    right= XXX.XXX.XXX.4
    rightsubnet=10.20.0.0/24
    rightsourceip= XXX.XXX.XXX.4

# ipsec status
000 #1: "VPN":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE_IF_USED in 27571s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #2: "VPN":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE_IF_USED in 27813s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
# ip -s xfrm policy
src 192.168.70.0/24 dst 10.20.0.0/24 uid 0
    dir out action allow index 425 priority 1042407 ptype main share any flag (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2019-09-19 06:52:42 use 2019-09-19 06:52:48
    tmpl src XXX.XXX.XXX.154 dst XXX.XXX.XXX.4
        proto esp spi 0x00000000(0) reqid 16397(0x0000400d) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.20.0.0/24 dst 192.168.70.0/24 uid 0
    dir fwd action allow index 418 priority 1042407 ptype main share any flag (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2019-09-19 06:52:42 use -
    tmpl src XXX.XXX.XXX.4 dst XXX.XXX.XXX.154
        proto esp spi 0x00000000(0) reqid 16397(0x0000400d) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.20.0.0/24 dst 192.168.70.0/24 uid 0
    dir in action allow index 408 priority 1042407 ptype main share any flag (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2019-09-19 06:52:42 use -
    tmpl src XXX.XXX.XXX.4 dst XXX.XXX.XXX.154
        proto esp spi 0x00000000(0) reqid 16397(0x0000400d) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff

# ip -s xfrm state
src XXX.XXX.XXX.4 dst XXX.XXX.XXX.154
    proto esp spi 0xd39eadf2(3550391794) reqid 16397(0x0000400d) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    auth-trunc hmac(sha1) 0x367d65de14b34be5bb958c36f56af71e1dd2eb75 (160 bits) 96
    enc cbc(des3_ede) 0x38a41547427a58a0305ee654daa831a7463332f40eac7434 (192 bits)
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2019-09-19 06:52:42 use -
    stats:
      replay-window 0 replay 0 failed 0
src XXX.XXX.XXX.154 dst XXX.XXX.XXX.4
    proto esp spi 0xc44f734d(3293541197) reqid 16397(0x0000400d) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    auth-trunc hmac(sha1) 0xb82c629aaf2c52addb0115904f0c2335f3d617e4 (160 bits) 96
    enc cbc(des3_ede) 0xfb25fa0c2a23e4a0f78bcabed6067e20e5fcea5da29a5c9e (192 bits)
    anti-replay context: seq 0x0, oseq 0x3, bitmap 0x00000000
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      252(bytes), 3(packets)
      add 2019-09-19 06:52:42 use 2019-09-19 06:52:46
    stats:
      replay-window 0 replay 0 failed 0

[root@firewall ~]# cat /proc/net/xfrm_stat
XfrmInError                     0
XfrmInBufferError               0
XfrmInHdrError                  0
XfrmInNoStates                  0
XfrmInStateProtoError           0
XfrmInStateModeError            0
XfrmInStateSeqError             0
XfrmInStateExpired              0
XfrmInStateMismatch             0
XfrmInStateInvalid              0
XfrmInTmplMismatch              0
XfrmInNoPols                    0
XfrmInPolBlock                  0
XfrmInPolError                  0
XfrmOutError                    0
XfrmOutBundleGenError           0
XfrmOutBundleCheckError         0
XfrmOutNoStates                 0
XfrmOutStateProtoError          0
XfrmOutStateModeError           0
XfrmOutStateSeqError            0
XfrmOutStateExpired             0
XfrmOutPolBlock                 0
XfrmOutPolDead                  0
XfrmOutPolError                 0
XfrmFwdHdrError                 0
XfrmOutStateInvalid             0
_______________________________________________ Swan mailing list Swan@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan
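The dump in the post shows the pattern worth checking first on a tunnel that is "up but passes nothing": the outbound SA has counted packets (252 bytes, 3 packets) while the inbound SA for the same reqid stays at zero, and the xfrm_stat error counters are all zero, so the local kernel is encrypting and sending but nothing is coming back. The following is an added example, not code from the original message or from Libreswan: it parses `ip -s xfrm state` output and reports, per reqid, whether traffic is one-directional or absent. The sample dump is constructed with placeholder addresses and SPIs (the key lines are omitted).

```python
import re

# Constructed sample modelled on the `ip -s xfrm state` dump in the post;
# addresses and SPIs are placeholders, key lines omitted.
SAMPLE = """\
src 203.0.113.4 dst 203.0.113.154
\tproto esp spi 0x0000d001(53249) reqid 16397(0x0000400d) mode tunnel
\tlifetime current:
\t  0(bytes), 0(packets)
\tadd 2019-09-19 06:52:42 use -
src 203.0.113.154 dst 203.0.113.4
\tproto esp spi 0x0000d002(53250) reqid 16397(0x0000400d) mode tunnel
\tlifetime current:
\t  252(bytes), 3(packets)
\tadd 2019-09-19 06:52:42 use 2019-09-19 06:52:46
"""

def parse_xfrm_state(text):
    """Return one dict per SA; each SA block starts with an unindented 'src' line."""
    sas = []
    for block in re.split(r"(?m)^(?=src )", text):
        head = re.match(r"src (\S+) dst (\S+)", block)
        if not head:
            continue  # empty chunk the split yields before the first block
        reqid = re.search(r"reqid (\d+)", block)
        cur = re.search(r"lifetime current:\s*(\d+)\(bytes\), (\d+)\(packets\)", block)
        sas.append({"src": head.group(1), "dst": head.group(2),
                    "reqid": int(reqid.group(1)) if reqid else 0,
                    "bytes": int(cur.group(1)) if cur else 0,
                    "packets": int(cur.group(2)) if cur else 0})
    return sas

def diagnose(sas, local_ip):
    """One finding per reqid (SA pair) whose packet counters are one-sided or zero."""
    pairs = {}
    for sa in sas:
        pairs.setdefault(sa["reqid"], {})["out" if sa["src"] == local_ip else "in"] = sa
    findings = []
    for reqid, pair in sorted(pairs.items()):
        out_pk = pair.get("out", {}).get("packets", 0)
        in_pk = pair.get("in", {}).get("packets", 0)
        if out_pk and not in_pk:
            findings.append(f"reqid {reqid}: {out_pk} packets sent, 0 received; "
                            "traffic leaves the tunnel but nothing comes back")
        elif not out_pk and not in_pk:
            findings.append(f"reqid {reqid}: no packets in either direction; "
                            "nothing is entering the tunnel")
    return findings
```

Run it against live output with `diagnose(parse_xfrm_state(subprocess.check_output(["ip", "-s", "xfrm", "state"], text=True)), "<left address>")`; the "sent but nothing received" finding points at the peer side or the path back (the remote encryption domain, routing or NAT on the Checkpoint side), whereas "nothing entering" points at the local policy or routing.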