I have a CentOS 7.6 host running Libreswan, connected to an IPsec Checkpoint VPN, and I
am having constant problems with this connection. Usually, when I restart
the connection, it works until the key exchange; after the key is changed it no
longer connects. Another problem is that several times the VPN is
established, yet no packets are passed through it; I restart the
connection, and even CentOS, and nothing changes, so I have to remove all the .db files
from the /etc/ipsec.d folder (/etc/ipsec.d/*.db) and reboot CentOS before it returns to the VPN.
There is no problem with any kind of firewall rule, because there are none. There is
a problem in Libreswan whose cause I could not find, even though it keeps producing
this constant error. If I remove Libreswan and put in a Sonicwall,
everything works perfectly, without any problems. So I need some help to
identify this problem accurately and to find a solution that resolves
this issue.
My ipsec.conf configuration:
conn    VPN
        auto=start
        pfs=yes
        rekey=no
        authby=secret
        type=tunnel
        salifetime=28800
        ikelifetime=28800
        ike=3des-sha1;modp1024
        phase2=esp
        phase2alg=3des-sha1;modp1024
        left=XXX.XXX.XXX.154
        leftsubnet=192.168.70.0/24
        leftsourceip= XXX.XXX.XXX.154
        right= XXX.XXX.XXX.4
        rightsubnet=10.20.0.0/24
        rightsourceip= XXX.XXX.XXX.4
# ipsec status
000 #1: "VPN":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE_IF_USED in 27571s; newest ISAKMP; lastdpd=-1s(seq in:0
out:0); idle; import:admin initiate
000 #2: "VPN":500 STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE_IF_USED in 27813s; newest IPSEC; eroute owner; isakmp#1;
idle; import:admin initiate

# ip -s xfrm policy
src 192.168.70.0/24 dst 10.20.0.0/24 uid 0
        dir out action allow index 425 priority 1042407 ptype main share
any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2019-09-19 06:52:42 use 2019-09-19 06:52:48
        tmpl src XXX.XXX.XXX.154 dst XXX.XXX.XXX.4
                proto esp spi 0x00000000(0) reqid 16397(0x0000400d) mode
tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.20.0.0/24 dst 192.168.70.0/24 uid 0
        dir fwd action allow index 418 priority 1042407 ptype main share
any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2019-09-19 06:52:42 use -
        tmpl src XXX.XXX.XXX.4 dst XXX.XXX.XXX.154
                proto esp spi 0x00000000(0) reqid 16397(0x0000400d) mode
tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.20.0.0/24 dst 192.168.70.0/24 uid 0
        dir in action allow index 408 priority 1042407 ptype main share any
flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2019-09-19 06:52:42 use -
        tmpl src XXX.XXX.XXX.4 dst XXX.XXX.XXX.154
                proto esp spi 0x00000000(0) reqid 16397(0x0000400d) mode
tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff

# ip -s xfrm state
src XXX.XXX.XXX.4 dst XXX.XXX.XXX.154
        proto esp spi 0xd39eadf2(3550391794) reqid 16397(0x0000400d) mode
tunnel
        replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
        auth-trunc hmac(sha1) 0x367d65de14b34be5bb958c36f56af71e1dd2eb75
(160 bits) 96
        enc cbc(des3_ede)
0x38a41547427a58a0305ee654daa831a7463332f40eac7434 (192 bits)
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2019-09-19 06:52:42 use -
        stats:
          replay-window 0 replay 0 failed 0
src XXX.XXX.XXX.154 dst XXX.XXX.XXX.4
        proto esp spi 0xc44f734d(3293541197) reqid 16397(0x0000400d) mode
tunnel
        replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
        auth-trunc hmac(sha1) 0xb82c629aaf2c52addb0115904f0c2335f3d617e4
(160 bits) 96
        enc cbc(des3_ede)
0xfb25fa0c2a23e4a0f78bcabed6067e20e5fcea5da29a5c9e (192 bits)
        anti-replay context: seq 0x0, oseq 0x3, bitmap 0x00000000
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          252(bytes), 3(packets)
          add 2019-09-19 06:52:42 use 2019-09-19 06:52:46
        stats:
          replay-window 0 replay 0 failed 0

[root@firewall ~]# cat /proc/net/xfrm_stat
XfrmInError                     0
XfrmInBufferError               0
XfrmInHdrError                  0
XfrmInNoStates                  0
XfrmInStateProtoError           0
XfrmInStateModeError            0
XfrmInStateSeqError             0
XfrmInStateExpired              0
XfrmInStateMismatch             0
XfrmInStateInvalid              0
XfrmInTmplMismatch              0
XfrmInNoPols                    0
XfrmInPolBlock                  0
XfrmInPolError                  0
XfrmOutError                    0
XfrmOutBundleGenError           0
XfrmOutBundleCheckError         0
XfrmOutNoStates                 0
XfrmOutStateProtoError          0
XfrmOutStateModeError           0
XfrmOutStateSeqError            0
XfrmOutStateExpired             0
XfrmOutPolBlock                 0
XfrmOutPolDead                  0
XfrmOutPolError                 0
XfrmFwdHdrError                 0
XfrmOutStateInvalid             0