I run a number of linux boxes on various VPS providers that use IPsec
to connect tunnelled ip interfaces which then run OSPF.
This setup has work fine for a number of years.
Recently my systems seem to have upgraded from 5.0.4 to 5.1.1 and
everything has stopped working, a few connection will come up but most
won't.
All configs are under puppet management and therefore I am sure they
have not changed.
For example between hosts corgi and prom
[root@corgi:~] # cat /etc/strongswan/ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file
# Following need to go in setup part
# plutodebug="ike 2,knl 2,net 2"
# charondebug="ike 2,knl 2,net 2"
config setup
charonstart=yes
plutostart=yes
plutodebug="ike 0,knl 0,net 0"
charondebug="ike 0,knl 0,net 0"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
mobike=no
authby=psk
dpdaction=restart
closeaction=restart
dpddelay=30s
dpdtimeout=150s
include /etc/strongswan/*.conn.conf
[root@corgi:~] # cat /etc/strongswan/corgi-prom.conn.conf
conn corgi-prom
auto=route
left=%defaultroute
[email protected]
leftsourceip=10.7.1.11
leftsubnet=10.7.1.11/32
leftprotoport=gre
lefthostaccess=yes
right=37.247.54.124
[email protected]
rightsourceip=10.7.1.10
rightsubnet=10.7.1.10/32
righthostaccess=yes
type=tunnel
rightprotoport=gre
keyexchange=ikev2
[root@corgi:~] #
[root@prom:~] # cat /etc/strongswan/ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file
# Following need to go in setup part
# plutodebug="ike 2,knl 2,net 2"
# charondebug="ike 2,knl 2,net 2"
config setup
charonstart=yes
plutostart=yes
plutodebug="all"
charondebug="all"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
mobike=no
authby=secret
dpdaction=restart
closeaction=restart
dpddelay=30s
dpdtimeout=150s
include /etc/strongswan/*.conn.conf
[root@prom:~] # cat /etc/strongswan/prom-corgi.conn.conf
conn prom-corgi
auto=route
left=%defaultroute
[email protected]
leftsourceip=10.7.1.10
leftsubnet=10.7.1.10/32
leftprotoport=gre
lefthostaccess=yes
right=185.35.77.128
[email protected]
rightsourceip=10.7.1.11
rightsubnet=10.7.1.11/32
righthostaccess=yes
type=tunnel
rightprotoport=gre
keyexchange=ikev2
[root@prom:~] #
[root@prom:~] # strongswan up prom-corgi
[root@prom:~] # tail -100 /var/log/messages
.
.
.
Feb 9 20:41:36 prom.zelotus.com charon: 07[IKE] giving up after 5 retransmits
Feb 9 20:41:36 prom.zelotus.com charon: 07[IKE] establishing IKE_SA
failed, peer not responding
Feb 9 20:41:41 prom.zelotus.com charon: 12[KNL] creating acquire job
for policy 10.7.1.10/32[gre] === 10.7.1.9/32[gre] with reqid {2}
Feb 9 20:41:41 prom.zelotus.com charon: 12[IKE] initiating Main Mode
IKE_SA prom-lfc[21] to 38.109.218.26
Feb 9 20:41:41 prom.zelotus.com charon: 12[ENC] generating ID_PROT
request 0 [ SA V V V V ]
Feb 9 20:41:41 prom.zelotus.com charon: 12[NET] sending packet: from
37.247.54.124[500] to 38.109.218.26[500] (220 bytes)
Feb 9 20:41:41 prom.zelotus.com charon: 07[KNL] creating acquire job
for policy 10.7.1.10/32[gre] === 10.7.1.11/32[gre] with reqid {3}
Feb 9 20:41:41 prom.zelotus.com charon: 07[IKE] initiating IKE_SA
prom-corgi[22] to 185.35.77.128
Feb 9 20:41:41 prom.zelotus.com charon: 08[KNL] creating acquire job
for policy 10.7.1.10/32[gre] === 10.7.1.4/32[gre] with reqid {1}
Feb 9 20:41:41 prom.zelotus.com charon: 16[IKE] initiating Main Mode
IKE_SA prom-vm-gateway[23] to 87.117.195.92
Feb 9 20:41:41 prom.zelotus.com charon: 16[ENC] generating ID_PROT
request 0 [ SA V V V V ]
Feb 9 20:41:41 prom.zelotus.com charon: 16[NET] sending packet: from
37.247.54.124[500] to 87.117.195.92[500] (220 bytes)
Feb 9 20:41:41 prom.zelotus.com charon: 07[ENC] generating
IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 9 20:41:41 prom.zelotus.com charon: 07[NET] sending packet: from
37.247.54.124[500] to 185.35.77.128[500] (708 bytes)
Feb 9 20:41:41 prom.zelotus.com charon: 03[NET] received packet: from
185.35.77.128[500] to 37.247.54.124[500] (440 bytes)
Feb 9 20:41:41 prom.zelotus.com charon: 03[ENC] parsed IKE_SA_INIT
response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Feb 9 20:41:41 prom.zelotus.com charon: 03[IKE] authentication of
'prom.zelotus.com' (myself) with pre-shared key
Feb 9 20:41:41 prom.zelotus.com charon: 03[IKE] establishing CHILD_SA
prom-corgi{3}
Feb 9 20:41:41 prom.zelotus.com charon: 03[ENC] generating IKE_AUTH
request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH)
N(EAP_ONLY) ]
Feb 9 20:41:41 prom.zelotus.com charon: 03[NET] sending packet: from
37.247.54.124[500] to 185.35.77.128[500] (428 bytes)
Feb 9 20:41:41 prom.zelotus.com charon: 05[NET] received packet: from
38.109.218.26[500] to 37.247.54.124[500] (40 bytes)
Feb 9 20:41:41 prom.zelotus.com charon: 05[ENC] parsed
INFORMATIONAL_V1 request 2915632631 [ N(NO_PROP) ]
Feb 9 20:41:41 prom.zelotus.com charon: 05[IKE] received
NO_PROPOSAL_CHOSEN error notify
Feb 9 20:41:41 prom.zelotus.com charon: 12[NET] received packet: from
185.35.77.128[500] to 37.247.54.124[500] (76 bytes)
Feb 9 20:41:41 prom.zelotus.com charon: 12[ENC] parsed IKE_AUTH
response 1 [ N(AUTH_FAILED) ]
Feb 9 20:41:41 prom.zelotus.com charon: 12[IKE] received
AUTHENTICATION_FAILED notify error
Feb 9 20:41:45 prom.zelotus.com charon: 06[IKE] sending retransmit 1
of request message ID 0, seq 1
Feb 9 20:41:45 prom.zelotus.com charon: 06[NET] sending packet: from
37.247.54.124[500] to 87.117.195.92[500] (220 bytes)
Feb 9 20:41:52 prom.zelotus.com charon: 13[IKE] sending retransmit 2
of request message ID 0, seq 1
Feb 9 20:41:52 prom.zelotus.com charon: 13[NET] sending packet: from
37.247.54.124[500] to 87.117.195.92[500] (220 bytes)
Feb 9 20:42:05 prom.zelotus.com charon: 07[IKE] sending retransmit 3
of request message ID 0, seq 1
Feb 9 20:42:05 prom.zelotus.com charon: 07[NET] sending packet: from
37.247.54.124[500] to 87.117.195.92[500] (220 bytes)
Feb 9 20:42:07 prom.zelotus.com charon: 10[NET] received packet: from
38.109.218.26[500] to 37.247.54.124[500] (924 bytes)
Feb 9 20:42:07 prom.zelotus.com charon: 10[ENC] parsed IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 9 20:42:07 prom.zelotus.com charon: 10[IKE] no IKE config found
for 37.247.54.124...38.109.218.26, sending NO_PROPOSAL_CHOSEN
Feb 9 20:42:07 prom.zelotus.com charon: 10[ENC] generating
IKE_SA_INIT response 0 [ N(NO_PROP) ]
Feb 9 20:42:07 prom.zelotus.com charon: 10[NET] sending packet: from
37.247.54.124[500] to 38.109.218.26[500] (36 bytes)
Feb 9 20:42:19 prom.zelotus.com kernel: GL LAST IN=eth0 OUT=
MAC=00:16:3c:a3:7c:a3:00:04:96:51:7b:d8:08:00 SRC=180.153.113.141
DST=37.247.54.124 LEN=40 TOS=0x00 PREC=0x00 TTL=41 ID=0 DF PROTO=TCP
SPT=22200 DPT=1723 WINDOW=8192 RES=0x00 SYN URGP=0
Feb 9 20:42:28 prom.zelotus.com charon: 06[IKE] sending retransmit 4
of request message ID 0, seq 1
Feb 9 20:42:28 prom.zelotus.com charon: 06[NET] sending packet: from
37.247.54.124[500] to 87.117.195.92[500] (220 bytes)
Feb 9 20:42:42 prom.zelotus.com kernel: GL LAST IN=eth0 OUT=
MAC=01:00:5e:00:00:01:00:04:96:51:7b:d8:08:00 SRC=37.247.54.1
DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=20287 PROTO=2
Feb 9 20:43:10 prom.zelotus.com charon: 03[IKE] sending retransmit 5
of request message ID 0, seq 1
Feb 9 20:43:10 prom.zelotus.com charon: 03[NET] sending packet: from
37.247.54.124[500] to 87.117.195.92[500] (220 bytes)
Feb 9 20:43:38 prom.zelotus.com charon: 00[DMN] signal of type SIGINT
received. Shutting down
Feb 9 20:43:38 prom.zelotus.com charon: 00[IKE] destroying IKE_SA in
state CONNECTING without notification
Is this is related to the NO_PROPOSAL_CHOSEN line ?
Also does Feb 9 20:41:41 prom.zelotus.com charon: 03[ENC] parsed
IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(MULT_AUTH) ] indicate charon thinks NAT is in play, as it isn't at
either end
ipsec.secrets contains
@corgi.zelotus.com @prom.zelotus.com : PSK THE KEY
Any help would be gratefully received as I can't find the old version
of 5.0.4 in the centos repos.
Thanks
Dean
--
Dean Smith
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
