Hi - I managed to get this up with two fixes:
1) the ESP/IKE config was reversed (a miscommunication for config details), and 2) the Cisco VPN 3000 Concentrator did not appear to like multiple IPs listed on the left(/right)subnets. I created separate configurations, each representing a 1-1 route for the tunnel and it all worked.

Thanks for your help!

Ted

On May 9, 2014, at 10:15 AM, Ted Lifset <[email protected]> wrote:

> Thanks for the reply and suggestion Martin.
>
> Now the tunnel cycles constantly between created > connected > established > deleted > destroying.
>
> After some changes to peer side, IKE (3des-sh1-hmac 160) and ESP (3des-md5) have changed since I first wrote to the list.
>
> All suggestions greatly appreciated !
>
> Log output with (charondebug = “dmn 2,mgr 2,ike 2,chd 2,job 1,cfg 2,knl 1,net 1,tls 1,lib 1,enc 1,tnc 1,imv 1”):
>
> May 9 16:56:11 ip-10-18-0-43 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-24-generic, x86_64)
> May 9 16:56:11 ip-10-18-0-43 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> May 9 16:56:11 ip-10-18-0-43 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> May 9 16:56:11 ip-10-18-0-43 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> May 9 16:56:11 ip-10-18-0-43 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> May 9 16:56:11 ip-10-18-0-43 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> May 9 16:56:11 ip-10-18-0-43 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> May 9 16:56:11 ip-10-18-0-43 charon: 00[CFG] loaded IKE secret for PEER_EXTERNAL_IP MY_EXTERNAL_IP
> May 9 16:56:11 ip-10-18-0-43 charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
> May 9 16:56:11 ip-10-18-0-43 charon:
00[LIB] unable to load 5 plugin > features (5 due to unmet dependencies) > May 9 16:56:11 ip-10-18-0-43 charon: 00[LIB] dropped capabilities, running > as uid 0, gid 0 > May 9 16:56:11 ip-10-18-0-43 charon: 00[JOB] spawning 16 worker threads > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] received stroke: add connection > 'test_conn' > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] conn test_conn > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] left=10.18.0.43 > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] > leftsubnet=EXTERNAL_IP_OF_HOST_EXPOSED_TO_GATEWAY/32 > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] leftsourceip=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] leftdns=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] leftauth=psk > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] leftauth2=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] leftid=MY_EXTERNAL_IP > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] leftid2=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] leftrsakey=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] leftcert=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] leftcert2=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] leftca=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] leftca2=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] leftgroups=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] leftgroups2=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] leftupdown=ipsec _updown > iptables > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] right=PEER_EXTERNAL_IP > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] > rightsubnet=EXTERNAL_IP_THEM_1/32,EXTERNAL_IP_THEM_2/32,EXTERNAL_IP_THEM_3/32,EXTERNAL_IP_THEM_4/32,EXTERNAL_IP_THEM_5/32,EXTERNAL_IP_THEM_6/32,EXTERNAL_IP_THEM_7/32,EXTERNAL_IP_THEM_8/32 > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] rightsourceip=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] rightdns=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] rightauth=psk > May 9 16:56:11 
ip-10-18-0-43 charon: 09[CFG] rightauth2=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] rightid=PEER_EXTERNAL_IP > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] rightid2=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] rightrsakey=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] rightcert=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] rightcert2=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] rightca=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] rightca2=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] rightgroups=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] rightgroups2=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] rightupdown=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] eap_identity=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] aaa_identity=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] xauth_identity=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] ike=3des-sha1-modp1024! > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] esp=3des-md5! 
> May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] ah=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] dpddelay=60 > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] dpdtimeout=180 > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] dpdaction=1 > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] closeaction=0 > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] mediation=no > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] mediated_by=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] me_peerid=(null) > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] keyexchange=ikev1 > May 9 16:56:11 ip-10-18-0-43 charon: 09[CFG] added configuration 'test_conn' > May 9 16:56:11 ip-10-18-0-43 charon: 11[CFG] received stroke: initiate > 'test_conn' > May 9 16:56:11 ip-10-18-0-43 charon: 11[MGR] checkout IKE_SA by config > May 9 16:56:11 ip-10-18-0-43 charon: 11[MGR] created IKE_SA (unnamed)[1] > May 9 16:56:11 ip-10-18-0-43 charon: 11[IKE] queueing ISAKMP_VENDOR task > May 9 16:56:11 ip-10-18-0-43 charon: 11[IKE] queueing ISAKMP_CERT_PRE task > May 9 16:56:11 ip-10-18-0-43 charon: 11[IKE] queueing MAIN_MODE task > May 9 16:56:11 ip-10-18-0-43 charon: 11[IKE] queueing ISAKMP_CERT_POST task > May 9 16:56:11 ip-10-18-0-43 charon: 11[IKE] queueing ISAKMP_NATD task > May 9 16:56:11 ip-10-18-0-43 charon: 11[IKE] queueing QUICK_MODE task > May 9 16:56:11 ip-10-18-0-43 charon: 11[IKE] activating new tasks > May 9 16:56:11 ip-10-18-0-43 charon: 11[IKE] activating ISAKMP_VENDOR task > May 9 16:56:11 ip-10-18-0-43 charon: 11[IKE] activating ISAKMP_CERT_PRE > task > May 9 16:56:11 ip-10-18-0-43 charon: 11[IKE] activating MAIN_MODE task > May 9 16:56:11 ip-10-18-0-43 charon: 11[IKE] activating ISAKMP_CERT_POST > task > May 9 16:56:11 ip-10-18-0-43 charon: 11[IKE] activating ISAKMP_NATD task > May 9 16:56:11 ip-10-18-0-43 charon: 11[IKE] sending XAuth vendor ID > May 9 16:56:11 ip-10-18-0-43 charon: 11[IKE] sending DPD vendor ID > May 9 16:56:11 ip-10-18-0-43 charon: 11[IKE] sending FRAGMENTATION vendor ID > May 9 
16:56:11 ip-10-18-0-43 charon: 11[IKE] sending NAT-T (RFC 3947) vendor > ID > May 9 16:56:11 ip-10-18-0-43 charon: 11[IKE] sending > draft-ietf-ipsec-nat-t-ike-02\n vendor ID > May 9 16:56:11 ip-10-18-0-43 charon: 11[IKE] initiating Main Mode IKE_SA > test_conn[1] to PEER_EXTERNAL_IP > May 9 16:56:11 ip-10-18-0-43 charon: 11[IKE] IKE_SA test_conn[1] state > change: CREATED => CONNECTING > May 9 16:56:11 ip-10-18-0-43 charon: 11[CFG] configured proposals: > IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 > May 9 16:56:11 ip-10-18-0-43 charon: 11[ENC] generating ID_PROT request 0 [ > SA V V V V V ] > May 9 16:56:11 ip-10-18-0-43 charon: 11[NET] sending packet: from > 10.18.0.43[500] to PEER_EXTERNAL_IP[500] (180 bytes) > May 9 16:56:11 ip-10-18-0-43 charon: 11[MGR] checkin IKE_SA test_conn[1] > May 9 16:56:11 ip-10-18-0-43 charon: 12[MGR] checkout IKE_SA by message > May 9 16:56:11 ip-10-18-0-43 charon: 12[MGR] IKE_SA test_conn[1] > successfully checked out > May 9 16:56:11 ip-10-18-0-43 charon: 12[NET] received packet: from > PEER_EXTERNAL_IP[500] to 10.18.0.43[500] (128 bytes) > May 9 16:56:11 ip-10-18-0-43 charon: 12[ENC] parsed ID_PROT response 0 [ SA > V V ] > May 9 16:56:11 ip-10-18-0-43 charon: 12[IKE] received > draft-ietf-ipsec-nat-t-ike-02\n vendor ID > May 9 16:56:11 ip-10-18-0-43 charon: 12[IKE] received FRAGMENTATION vendor ID > May 9 16:56:11 ip-10-18-0-43 charon: 12[CFG] selecting proposal: > May 9 16:56:11 ip-10-18-0-43 charon: 12[CFG] proposal matches > May 9 16:56:11 ip-10-18-0-43 charon: 12[CFG] received proposals: > IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 > May 9 16:56:11 ip-10-18-0-43 charon: 12[CFG] configured proposals: > IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 > May 9 16:56:11 ip-10-18-0-43 charon: 12[CFG] selected proposal: > IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 > May 9 16:56:11 ip-10-18-0-43 charon: 12[IKE] reinitiating already active > tasks > May 9 16:56:11 ip-10-18-0-43 charon: 12[IKE] ISAKMP_VENDOR task 
> May 9 16:56:11 ip-10-18-0-43 charon: 12[IKE] MAIN_MODE task > May 9 16:56:11 ip-10-18-0-43 charon: 12[ENC] generating ID_PROT request 0 [ > KE No NAT-D NAT-D ] > May 9 16:56:11 ip-10-18-0-43 charon: 12[NET] sending packet: from > 10.18.0.43[500] to PEER_EXTERNAL_IP[500] (244 bytes) > May 9 16:56:11 ip-10-18-0-43 charon: 12[MGR] checkin IKE_SA test_conn[1] > May 9 16:56:11 ip-10-18-0-43 charon: 12[MGR] check-in of IKE_SA successful. > May 9 16:56:11 ip-10-18-0-43 charon: 13[MGR] checkout IKE_SA by message > May 9 16:56:11 ip-10-18-0-43 charon: 13[MGR] IKE_SA test_conn[1] > successfully checked out > May 9 16:56:11 ip-10-18-0-43 charon: 13[NET] received packet: from > PEER_EXTERNAL_IP[500] to 10.18.0.43[500] (304 bytes) > May 9 16:56:11 ip-10-18-0-43 charon: 13[ENC] parsed ID_PROT response 0 [ KE > No V V V V NAT-D NAT-D ] > May 9 16:56:11 ip-10-18-0-43 charon: 13[IKE] received Cisco Unity vendor ID > May 9 16:56:11 ip-10-18-0-43 charon: 13[IKE] received XAuth vendor ID > May 9 16:56:11 ip-10-18-0-43 charon: 13[ENC] received unknown vendor ID: > a7:54:86:dc:45:59:a2:c1:cb:25:bf:c7:94:75:83:ce > May 9 16:56:11 ip-10-18-0-43 charon: 13[ENC] received unknown vendor ID: > 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:04:07 > May 9 16:56:11 ip-10-18-0-43 charon: 13[IKE] local host is behind NAT, > sending keep alives > May 9 16:56:11 ip-10-18-0-43 charon: 13[IKE] reinitiating already active > tasks > May 9 16:56:11 ip-10-18-0-43 charon: 13[IKE] ISAKMP_VENDOR task > May 9 16:56:11 ip-10-18-0-43 charon: 13[IKE] MAIN_MODE task > May 9 16:56:11 ip-10-18-0-43 charon: 13[ENC] generating ID_PROT request 0 [ > ID HASH ] > May 9 16:56:11 ip-10-18-0-43 charon: 13[NET] sending packet: from > 10.18.0.43[4500] to PEER_EXTERNAL_IP[4500] (68 bytes) > May 9 16:56:11 ip-10-18-0-43 charon: 13[MGR] checkin IKE_SA test_conn[1] > May 9 16:56:11 ip-10-18-0-43 charon: 13[MGR] check-in of IKE_SA successful. 
> May 9 16:56:11 ip-10-18-0-43 charon: 14[MGR] checkout IKE_SA by message > May 9 16:56:11 ip-10-18-0-43 charon: 14[MGR] IKE_SA test_conn[1] > successfully checked out > May 9 16:56:11 ip-10-18-0-43 charon: 14[NET] received packet: from > PEER_EXTERNAL_IP[4500] to 10.18.0.43[4500] (84 bytes) > May 9 16:56:11 ip-10-18-0-43 charon: 14[ENC] parsed ID_PROT response 0 [ ID > HASH V ] > May 9 16:56:11 ip-10-18-0-43 charon: 14[IKE] received DPD vendor ID > May 9 16:56:11 ip-10-18-0-43 charon: 14[IKE] IKE_SA test_conn[1] established > between 10.18.0.43[MY_EXTERNAL_IP]...PEER_EXTERNAL_IP[PEER_EXTERNAL_IP] > May 9 16:56:11 ip-10-18-0-43 charon: 14[IKE] IKE_SA test_conn[1] state > change: CONNECTING => ESTABLISHED > May 9 16:56:11 ip-10-18-0-43 charon: 14[IKE] scheduling rekeying in 86055s > May 9 16:56:11 ip-10-18-0-43 charon: 14[IKE] maximum IKE_SA lifetime 86235s > May 9 16:56:11 ip-10-18-0-43 charon: 14[IKE] activating new tasks > May 9 16:56:11 ip-10-18-0-43 charon: 14[IKE] activating QUICK_MODE task > May 9 16:56:11 ip-10-18-0-43 charon: 14[CFG] configured proposals: > ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ > May 9 16:56:11 ip-10-18-0-43 charon: 15[MGR] checkout IKE_SA by message > May 9 16:56:11 ip-10-18-0-43 charon: 14[CFG] configured proposals: > ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ > May 9 16:56:11 ip-10-18-0-43 charon: 14[CFG] proposing traffic selectors for > us: > May 9 16:56:11 ip-10-18-0-43 charon: 14[CFG] > EXTERNAL_IP_OF_HOST_EXPOSED_TO_GATEWAY/32 > May 9 16:56:11 ip-10-18-0-43 charon: 14[CFG] proposing traffic selectors for > other: > May 9 16:56:11 ip-10-18-0-43 charon: 14[CFG] EXTERNAL_IP_THEM_1/32 > May 9 16:56:11 ip-10-18-0-43 charon: 14[CFG] EXTERNAL_IP_THEM_2/32 > May 9 16:56:11 ip-10-18-0-43 charon: 14[CFG] EXTERNAL_IP_THEM_3/32 > May 9 16:56:11 ip-10-18-0-43 charon: 14[CFG] EXTERNAL_IP_THEM_4/32 > May 9 16:56:11 ip-10-18-0-43 charon: 14[CFG] EXTERNAL_IP_THEM_5/32 > May 9 16:56:11 ip-10-18-0-43 charon: 14[CFG] EXTERNAL_IP_THEM_6/32 > May 9 16:56:11 
ip-10-18-0-43 charon: 14[CFG] EXTERNAL_IP_THEM_7/32 > May 9 16:56:11 ip-10-18-0-43 charon: 14[CFG] EXTERNAL_IP_THEM_8/32 > May 9 16:56:11 ip-10-18-0-43 charon: 14[ENC] generating QUICK_MODE request > 1036177768 [ HASH SA No ID ID ] > May 9 16:56:11 ip-10-18-0-43 charon: 14[NET] sending packet: from > 10.18.0.43[4500] to PEER_EXTERNAL_IP[4500] (164 bytes) > May 9 16:56:11 ip-10-18-0-43 charon: 14[MGR] checkin IKE_SA test_conn[1] > May 9 16:56:11 ip-10-18-0-43 charon: 14[MGR] check-in of IKE_SA successful. > May 9 16:56:11 ip-10-18-0-43 charon: 15[MGR] IKE_SA test_conn[1] > successfully checked out > May 9 16:56:11 ip-10-18-0-43 charon: 15[NET] received packet: from > PEER_EXTERNAL_IP[4500] to 10.18.0.43[4500] (92 bytes) > May 9 16:56:11 ip-10-18-0-43 charon: 15[ENC] parsed INFORMATIONAL_V1 request > 2780168895 [ HASH N((24576)) ] > May 9 16:56:11 ip-10-18-0-43 charon: 15[IKE] received (24576) notify > May 9 16:56:11 ip-10-18-0-43 charon: 15[MGR] checkin IKE_SA test_conn[1] > May 9 16:56:11 ip-10-18-0-43 charon: 15[MGR] check-in of IKE_SA successful. 
> May 9 16:56:11 ip-10-18-0-43 charon: 03[MGR] checkout IKE_SA by message > May 9 16:56:11 ip-10-18-0-43 charon: 03[MGR] IKE_SA test_conn[1] > successfully checked out > May 9 16:56:11 ip-10-18-0-43 charon: 03[NET] received packet: from > PEER_EXTERNAL_IP[4500] to 10.18.0.43[4500] (84 bytes) > May 9 16:56:11 ip-10-18-0-43 charon: 03[ENC] parsed INFORMATIONAL_V1 request > 1584107308 [ HASH D ] > May 9 16:56:11 ip-10-18-0-43 charon: 03[IKE] received DELETE for IKE_SA > test_conn[1] > May 9 16:56:11 ip-10-18-0-43 charon: 03[IKE] deleting IKE_SA test_conn[1] > between 10.18.0.43[MY_EXTERNAL_IP]...PEER_EXTERNAL_IP[PEER_EXTERNAL_IP] > May 9 16:56:11 ip-10-18-0-43 charon: 03[IKE] IKE_SA test_conn[1] state > change: ESTABLISHED => DELETING > May 9 16:56:11 ip-10-18-0-43 charon: 03[MGR] created IKE_SA (unnamed)[2] > May 9 16:56:11 ip-10-18-0-43 charon: 03[IKE] queueing ISAKMP_VENDOR task > May 9 16:56:11 ip-10-18-0-43 charon: 03[IKE] queueing ISAKMP_CERT_PRE task > May 9 16:56:11 ip-10-18-0-43 charon: 03[IKE] queueing MAIN_MODE task > May 9 16:56:11 ip-10-18-0-43 charon: 03[IKE] queueing ISAKMP_CERT_POST task > May 9 16:56:11 ip-10-18-0-43 charon: 03[IKE] queueing ISAKMP_NATD task > May 9 16:56:11 ip-10-18-0-43 charon: 03[IKE] activating new tasks > May 9 16:56:11 ip-10-18-0-43 charon: 03[IKE] activating ISAKMP_VENDOR task > May 9 16:56:11 ip-10-18-0-43 charon: 03[IKE] activating ISAKMP_CERT_PRE > task > May 9 16:56:11 ip-10-18-0-43 charon: 03[IKE] activating MAIN_MODE task > May 9 16:56:11 ip-10-18-0-43 charon: 03[IKE] activating ISAKMP_CERT_POST > task > May 9 16:56:11 ip-10-18-0-43 charon: 03[IKE] activating ISAKMP_NATD task > May 9 16:56:11 ip-10-18-0-43 charon: 03[IKE] sending XAuth vendor ID > May 9 16:56:11 ip-10-18-0-43 charon: 03[IKE] sending DPD vendor ID > May 9 16:56:11 ip-10-18-0-43 charon: 03[IKE] sending FRAGMENTATION vendor ID > May 9 16:56:11 ip-10-18-0-43 charon: 03[IKE] sending NAT-T (RFC 3947) vendor > ID > May 9 16:56:11 ip-10-18-0-43 charon: 03[IKE] 
sending > draft-ietf-ipsec-nat-t-ike-02\n vendor ID > May 9 16:56:11 ip-10-18-0-43 charon: 03[IKE] initiating Main Mode IKE_SA > test_conn[2] to PEER_EXTERNAL_IP > May 9 16:56:11 ip-10-18-0-43 charon: 03[IKE] IKE_SA test_conn[2] state > change: CREATED => CONNECTING > May 9 16:56:11 ip-10-18-0-43 charon: 03[CFG] configured proposals: > IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 > May 9 16:56:11 ip-10-18-0-43 charon: 03[ENC] generating ID_PROT request 0 [ > SA V V V V V ] > May 9 16:56:11 ip-10-18-0-43 charon: 03[NET] sending packet: from > 10.18.0.43[500] to PEER_EXTERNAL_IP[500] (180 bytes) > May 9 16:56:11 ip-10-18-0-43 charon: 03[MGR] checkin IKE_SA test_conn[2] > May 9 16:56:11 ip-10-18-0-43 charon: 03[IKE] IKE_SA test_conn[1] state > change: DELETING => DELETING > May 9 16:56:11 ip-10-18-0-43 charon: 03[MGR] checkin and destroy IKE_SA > test_conn[1] > May 9 16:56:11 ip-10-18-0-43 charon: 03[IKE] IKE_SA test_conn[1] state > change: DELETING => DESTROYING > May 9 16:56:11 ip-10-18-0-43 charon: 03[MGR] check-in and destroy of IKE_SA > successful > May 9 16:56:11 ip-10-18-0-43 charon: 16[MGR] checkout IKE_SA by message > May 9 16:56:11 ip-10-18-0-43 charon: 16[MGR] IKE_SA test_conn[2] > successfully checked out > May 9 16:56:11 ip-10-18-0-43 charon: 16[NET] received packet: from > PEER_EXTERNAL_IP[500] to 10.18.0.43[500] (128 bytes) > May 9 16:56:11 ip-10-18-0-43 charon: 16[ENC] parsed ID_PROT response 0 [ SA > V V ] > May 9 16:56:11 ip-10-18-0-43 charon: 16[IKE] received > draft-ietf-ipsec-nat-t-ike-02\n vendor ID > May 9 16:56:11 ip-10-18-0-43 charon: 16[IKE] received FRAGMENTATION vendor ID > May 9 16:56:11 ip-10-18-0-43 charon: 16[CFG] selecting proposal: > May 9 16:56:11 ip-10-18-0-43 charon: 16[CFG] proposal matches > May 9 16:56:11 ip-10-18-0-43 charon: 16[CFG] received proposals: > IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 > May 9 16:56:11 ip-10-18-0-43 charon: 16[CFG] configured proposals: > IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 
> May 9 16:56:11 ip-10-18-0-43 charon: 16[CFG] selected proposal: > IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 > May 9 16:56:11 ip-10-18-0-43 charon: 16[IKE] reinitiating already active > tasks > May 9 16:56:11 ip-10-18-0-43 charon: 16[IKE] ISAKMP_VENDOR task > May 9 16:56:11 ip-10-18-0-43 charon: 16[IKE] MAIN_MODE task > May 9 16:56:11 ip-10-18-0-43 charon: 16[ENC] generating ID_PROT request 0 [ > KE No NAT-D NAT-D ] > May 9 16:56:11 ip-10-18-0-43 charon: 16[NET] sending packet: from > 10.18.0.43[500] to PEER_EXTERNAL_IP[500] (244 bytes) > May 9 16:56:11 ip-10-18-0-43 charon: 16[MGR] checkin IKE_SA test_conn[2] > May 9 16:56:11 ip-10-18-0-43 charon: 16[MGR] check-in of IKE_SA successful. > May 9 16:56:11 ip-10-18-0-43 charon: 02[MGR] checkout IKE_SA by message > May 9 16:56:11 ip-10-18-0-43 charon: 02[MGR] IKE_SA test_conn[2] > successfully checked out > May 9 16:56:11 ip-10-18-0-43 charon: 02[NET] received packet: from > PEER_EXTERNAL_IP[500] to 10.18.0.43[500] (304 bytes) > May 9 16:56:11 ip-10-18-0-43 charon: 02[ENC] parsed ID_PROT response 0 [ KE > No V V V V NAT-D NAT-D ] > May 9 16:56:11 ip-10-18-0-43 charon: 02[IKE] received Cisco Unity vendor ID > May 9 16:56:11 ip-10-18-0-43 charon: 02[IKE] received XAuth vendor ID > May 9 16:56:11 ip-10-18-0-43 charon: 02[ENC] received unknown vendor ID: > 92:ff:e0:d3:c3:d2:2d:39:63:a7:e0:94:fc:50:f5:30 > May 9 16:56:11 ip-10-18-0-43 charon: 02[ENC] received unknown vendor ID: > 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:04:07 > May 9 16:56:11 ip-10-18-0-43 charon: 02[IKE] local host is behind NAT, > sending keep alives > May 9 16:56:11 ip-10-18-0-43 charon: 02[IKE] reinitiating already active > tasks > May 9 16:56:11 ip-10-18-0-43 charon: 02[IKE] ISAKMP_VENDOR task > May 9 16:56:11 ip-10-18-0-43 charon: 02[IKE] MAIN_MODE task > May 9 16:56:11 ip-10-18-0-43 charon: 02[ENC] generating ID_PROT request 0 [ > ID HASH ] > May 9 16:56:11 ip-10-18-0-43 charon: 02[NET] sending packet: from > 10.18.0.43[4500] to 
PEER_EXTERNAL_IP[4500] (68 bytes) > May 9 16:56:11 ip-10-18-0-43 charon: 02[MGR] checkin IKE_SA test_conn[2] > May 9 16:56:11 ip-10-18-0-43 charon: 02[MGR] check-in of IKE_SA successful. > May 9 16:56:11 ip-10-18-0-43 charon: 01[MGR] checkout IKE_SA by message > May 9 16:56:11 ip-10-18-0-43 charon: 01[MGR] IKE_SA test_conn[2] > successfully checked out > May 9 16:56:11 ip-10-18-0-43 charon: 01[NET] received packet: from > PEER_EXTERNAL_IP[4500] to 10.18.0.43[4500] (84 bytes) > May 9 16:56:11 ip-10-18-0-43 charon: 01[ENC] parsed ID_PROT response 0 [ ID > HASH V ] > May 9 16:56:11 ip-10-18-0-43 charon: 01[IKE] received DPD vendor ID > May 9 16:56:11 ip-10-18-0-43 charon: 01[IKE] IKE_SA test_conn[2] established > between 10.18.0.43[MY_EXTERNAL_IP]...PEER_EXTERNAL_IP[PEER_EXTERNAL_IP] > May 9 16:56:11 ip-10-18-0-43 charon: 01[IKE] IKE_SA test_conn[2] state > change: CONNECTING => ESTABLISHED > May 9 16:56:11 ip-10-18-0-43 charon: 01[IKE] scheduling rekeying in 86199s > May 9 16:56:11 ip-10-18-0-43 charon: 01[IKE] maximum IKE_SA lifetime 86379s > May 9 16:56:11 ip-10-18-0-43 charon: 01[IKE] activating new tasks > May 9 16:56:11 ip-10-18-0-43 charon: 01[IKE] activating QUICK_MODE task > May 9 16:56:11 ip-10-18-0-43 charon: 01[CFG] configured proposals: > ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ > May 9 16:56:11 ip-10-18-0-43 charon: 01[CFG] configured proposals: > ESP:3DES_CBC/HMAC_MD5_96/NO_EXT_SEQ > May 9 16:56:11 ip-10-18-0-43 charon: 10[MGR] checkout IKE_SA by message > May 9 16:56:11 ip-10-18-0-43 charon: 01[CFG] proposing traffic selectors for > us: > May 9 16:56:11 ip-10-18-0-43 charon: 01[CFG] > EXTERNAL_IP_OF_HOST_EXPOSED_TO_GATEWAY/32 > May 9 16:56:11 ip-10-18-0-43 charon: 01[CFG] proposing traffic selectors for > other: > May 9 16:56:11 ip-10-18-0-43 charon: 01[CFG] EXTERNAL_IP_THEM_1/32 > May 9 16:56:11 ip-10-18-0-43 charon: 01[CFG] EXTERNAL_IP_THEM_2/32 > May 9 16:56:11 ip-10-18-0-43 charon: 01[CFG] EXTERNAL_IP_THEM_3/32 > May 9 16:56:11 ip-10-18-0-43 charon: 
01[CFG] EXTERNAL_IP_THEM_4/32 > May 9 16:56:11 ip-10-18-0-43 charon: 01[CFG] EXTERNAL_IP_THEM_5/32 > May 9 16:56:11 ip-10-18-0-43 charon: 01[CFG] EXTERNAL_IP_THEM_6/32 > May 9 16:56:11 ip-10-18-0-43 charon: 01[CFG] EXTERNAL_IP_THEM_7/32 > May 9 16:56:11 ip-10-18-0-43 charon: 01[CFG] EXTERNAL_IP_THEM_8/32 > May 9 16:56:11 ip-10-18-0-43 charon: 01[ENC] generating QUICK_MODE request > 359184547 [ HASH SA No ID ID ] > May 9 16:56:11 ip-10-18-0-43 charon: 01[NET] sending packet: from > 10.18.0.43[4500] to PEER_EXTERNAL_IP[4500] (164 bytes) > May 9 16:56:11 ip-10-18-0-43 charon: 01[MGR] checkin IKE_SA test_conn[2] > May 9 16:56:11 ip-10-18-0-43 charon: 01[MGR] check-in of IKE_SA successful. > May 9 16:56:11 ip-10-18-0-43 charon: 10[MGR] IKE_SA test_conn[2] > successfully checked out > May 9 16:56:11 ip-10-18-0-43 charon: 10[NET] received packet: from > PEER_EXTERNAL_IP[4500] to 10.18.0.43[4500] (92 bytes) > May 9 16:56:11 ip-10-18-0-43 charon: 10[ENC] parsed INFORMATIONAL_V1 request > 3157575994 [ HASH N((24576)) ] > May 9 16:56:11 ip-10-18-0-43 charon: 10[IKE] received (24576) notify > May 9 16:56:11 ip-10-18-0-43 charon: 10[MGR] checkin IKE_SA test_conn[2] > May 9 16:56:11 ip-10-18-0-43 charon: 10[MGR] check-in of IKE_SA successful. 
> May 9 16:56:11 ip-10-18-0-43 charon: 04[MGR] checkout IKE_SA by message > May 9 16:56:11 ip-10-18-0-43 charon: 04[MGR] IKE_SA test_conn[2] > successfully checked out > May 9 16:56:11 ip-10-18-0-43 charon: 04[NET] received packet: from > PEER_EXTERNAL_IP[4500] to 10.18.0.43[4500] (84 bytes) > May 9 16:56:11 ip-10-18-0-43 charon: 04[ENC] parsed INFORMATIONAL_V1 request > 3652496246 [ HASH D ] > May 9 16:56:11 ip-10-18-0-43 charon: 04[IKE] received DELETE for IKE_SA > test_conn[2] > May 9 16:56:11 ip-10-18-0-43 charon: 04[IKE] deleting IKE_SA test_conn[2] > between 10.18.0.43[MY_EXTERNAL_IP]...PEER_EXTERNAL_IP[PEER_EXTERNAL_IP] > May 9 16:56:11 ip-10-18-0-43 charon: 04[IKE] IKE_SA test_conn[2] state > change: ESTABLISHED => DELETING > May 9 16:56:11 ip-10-18-0-43 charon: 04[MGR] created IKE_SA (unnamed)[3] > May 9 16:56:11 ip-10-18-0-43 charon: 04[IKE] queueing ISAKMP_VENDOR task > May 9 16:56:11 ip-10-18-0-43 charon: 04[IKE] queueing ISAKMP_CERT_PRE task > May 9 16:56:11 ip-10-18-0-43 charon: 04[IKE] queueing MAIN_MODE task > May 9 16:56:11 ip-10-18-0-43 charon: 04[IKE] queueing ISAKMP_CERT_POST task > May 9 16:56:11 ip-10-18-0-43 charon: 04[IKE] queueing ISAKMP_NATD task > May 9 16:56:11 ip-10-18-0-43 charon: 04[IKE] activating new tasks > May 9 16:56:11 ip-10-18-0-43 charon: 04[IKE] activating ISAKMP_VENDOR task > May 9 16:56:11 ip-10-18-0-43 charon: 04[IKE] activating ISAKMP_CERT_PRE > task > May 9 16:56:11 ip-10-18-0-43 charon: 04[IKE] activating MAIN_MODE task > May 9 16:56:11 ip-10-18-0-43 charon: 04[IKE] activating ISAKMP_CERT_POST > task > May 9 16:56:11 ip-10-18-0-43 charon: 04[IKE] activating ISAKMP_NATD task > May 9 16:56:11 ip-10-18-0-43 charon: 04[IKE] sending XAuth vendor ID > May 9 16:56:11 ip-10-18-0-43 charon: 04[IKE] sending DPD vendor ID > May 9 16:56:11 ip-10-18-0-43 charon: 04[IKE] sending FRAGMENTATION vendor ID > May 9 16:56:11 ip-10-18-0-43 charon: 04[IKE] sending NAT-T (RFC 3947) vendor > ID > May 9 16:56:11 ip-10-18-0-43 charon: 04[IKE] 
sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
> May 9 16:56:11 ip-10-18-0-43 charon: 04[IKE] initiating Main Mode IKE_SA test_conn[3] to PEER_EXTERNAL_IP
> May 9 16:56:11 ip-10-18-0-43 charon: 04[IKE] IKE_SA test_conn[3] state change: CREATED => CONNECTING
> May 9 16:56:11 ip-10-18-0-43 charon: 04[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
> May 9 16:56:11 ip-10-18-0-43 charon: 04[ENC] generating ID_PROT request 0 [ SA V V V V V ]
> May 9 16:56:11 ip-10-18-0-43 charon: 04[NET] sending packet: from 10.18.0.43[500] to PEER_EXTERNAL_IP[500] (180 bytes)
> May 9 16:56:11 ip-10-18-0-43 charon: 04[MGR] checkin IKE_SA test_conn[3]
> May 9 16:56:11 ip-10-18-0-43 charon: 04[IKE] IKE_SA test_conn[2] state change: DELETING => DELETING
> May 9 16:56:11 ip-10-18-0-43 charon: 04[MGR] checkin and destroy IKE_SA test_conn[2]
> May 9 16:56:11 ip-10-18-0-43 charon: 04[IKE] IKE_SA test_conn[2] state change: DELETING => DESTROYING
> May 9 16:56:11 ip-10-18-0-43 charon: 04[MGR] check-in and destroy of IKE_SA successful
> May 9 16:56:11 ip-10-18-0-43 charon: 11[MGR] checkout IKE_SA by message
> May 9 16:56:11 ip-10-18-0-43 charon: 11[MGR] IKE_SA test_conn[3] successfully checked out
>
> On May 8, 2014, at 11:37 PM, Martin Willi <[email protected]> wrote:
>
>> Ted,
>>
>>> I am struggling to successfully connect to a Cisco VPN 3000
>>> Concentrator
>>
>>> leftsubnet=xx.xx.xx.238/32,xx.xx.xx.255/32
>>> leftsourceip=%config
>>
>> Is it your intention to request a virtual IP, even if you are doing net-to-net tunneling? Usually virtual IPs are used by road-warriors, clients that should be integrated to the local network.
>>
>>> modeconfig=push
>>
>> Please be aware that push mode has not been supported until 5.1.1.
>>
>>> The security association is established however the connection doesn’t appear to get fully established, getting stuck on QUICK_MODE.
>>
>> A log output would certainly help to see what is going on and why the Quick Mode doesn't proceed.
>>
>> Regards
>> Martin

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
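As an added example (not code from the thread or from strongSwan), a small Python checker that reads charon log lines like those quoted above, groups them per IKE_SA through the worker-thread id, and flags the pattern Ted hit: Phase 1 reaches ESTABLISHED, one QUICK_MODE request goes out carrying several traffic selectors, and the peer answers with a DELETE before any CHILD_SA comes up. The sample log is constructed from the quoted output; the notify-type names are the ISAKMP/IPsec DOI values.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a condensed copy of the charon log quoted in the thread
# (the poster's placeholders PEER_EXTERNAL_IP and EXTERNAL_IP_THEM_n are kept).
SAMPLE_LOG = """\
May  9 16:56:11 ip-10-18-0-43 charon: 14[IKE] IKE_SA test_conn[1] state change: CONNECTING => ESTABLISHED
May  9 16:56:11 ip-10-18-0-43 charon: 14[CFG] proposing traffic selectors for us:
May  9 16:56:11 ip-10-18-0-43 charon: 14[CFG]  EXTERNAL_IP_OF_HOST_EXPOSED_TO_GATEWAY/32
May  9 16:56:11 ip-10-18-0-43 charon: 14[CFG] proposing traffic selectors for other:
May  9 16:56:11 ip-10-18-0-43 charon: 14[CFG]  EXTERNAL_IP_THEM_1/32
May  9 16:56:11 ip-10-18-0-43 charon: 14[CFG]  EXTERNAL_IP_THEM_2/32
May  9 16:56:11 ip-10-18-0-43 charon: 14[ENC] generating QUICK_MODE request 1036177768 [ HASH SA No ID ID ]
May  9 16:56:11 ip-10-18-0-43 charon: 15[MGR] IKE_SA test_conn[1] successfully checked out
May  9 16:56:11 ip-10-18-0-43 charon: 15[IKE] received (24576) notify
May  9 16:56:11 ip-10-18-0-43 charon: 03[IKE] received DELETE for IKE_SA test_conn[1]
May  9 16:56:11 ip-10-18-0-43 charon: 03[IKE] IKE_SA test_conn[1] state change: ESTABLISHED => DELETING
"""

LINE_RE = re.compile(r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+charon:\s+"
                     r"(?P<thread>\d+)\[\w+\]\s+(?P<msg>.*)$")
SA_RE = re.compile(r"IKE_SA (?P<name>[^\s\[]+)\[(?P<id>\d+)\]")
STATE_RE = re.compile(r"state change: (?P<old>\w+) => (?P<new>\w+)")
NOTIFY_RE = re.compile(r"received \((?P<code>\d+)\) notify")
SELECTOR_RE = re.compile(r"^\S+/\d+$")
# IKEv1 notify types (ISAKMP errors and IPsec DOI status) relevant to Phase 2.
NOTIFY_NAMES = {14: "NO_PROPOSAL_CHOSEN", 18: "INVALID_ID_INFORMATION",
                24576: "RESPONDER_LIFETIME", 24578: "INITIAL_CONTACT"}

@dataclass
class SaRecord:
    name: str
    states: list = field(default_factory=list)  # (old, new) state pairs
    selectors: dict = field(default_factory=lambda: {"us": [], "other": []})
    notifies: list = field(default_factory=list)
    quick_mode_sent: bool = False
    deleted_by_peer: bool = False
    child_established: bool = False

def parse_charon_log(text):
    """Group charon lines per IKE_SA; lines that do not name the SA are
    attributed via the worker thread that last handled that SA."""
    records, thread_sa, collecting = {}, {}, {}
    for line in text.splitlines():
        if not (m := LINE_RE.match(line)):
            continue
        thread, msg = m.group("thread"), m.group("msg").strip()
        if sa := SA_RE.search(msg):
            thread_sa[thread] = key = f"{sa.group('name')}[{sa.group('id')}]"
            records.setdefault(key, SaRecord(key))
        if thread not in thread_sa:
            continue
        rec = records[thread_sa[thread]]
        if st := STATE_RE.search(msg):
            rec.states.append((st.group("old"), st.group("new")))
        elif msg.startswith("proposing traffic selectors for"):
            collecting[thread] = "us" if msg.endswith("us:") else "other"
        elif thread in collecting and SELECTOR_RE.match(msg):
            rec.selectors[collecting[thread]].append(msg)
        elif "generating QUICK_MODE request" in msg:
            rec.quick_mode_sent = True
            collecting.pop(thread, None)
        elif "received DELETE for IKE_SA" in msg:
            rec.deleted_by_peer = True
        elif msg.startswith("CHILD_SA ") and " established with SPIs " in msg:
            rec.child_established = True
        elif nt := NOTIFY_RE.search(msg):
            rec.notifies.append(int(nt.group("code")))
    return records

def diagnose(rec):
    findings = []
    if ("ESTABLISHED" in {new for _, new in rec.states} and rec.quick_mode_sent
            and rec.deleted_by_peer and not rec.child_established):
        findings.append("Phase 1 completed but the peer deleted the IKE_SA after "
                        "our QUICK_MODE request, before any CHILD_SA came up: "
                        "Phase 2 rejected by the peer")
    for side, sels in rec.selectors.items():
        if len(sels) > 1:
            findings.append(f"{len(sels)} traffic selectors for '{side}' in one "
                            "Quick Mode; some IKEv1 peers accept only one pair "
                            "per SA, so split into one conn per subnet pair")
    for code in rec.notifies:
        findings.append(f"peer sent notify {code} "
                        f"({NOTIFY_NAMES.get(code, 'unknown/private')})")
    return findings
```

Run it on a real file with `diagnose(rec)` for each record returned by `parse_charon_log(open(path).read())`; it needs at least `ike 2` and `cfg 2` in charondebug to see the state changes and the proposed selectors.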
