<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body smarttemplateinserted="true" bgcolor="#FFFFFF" text="#000000">
<div id="smartTemplate4-template">And here is the log as the tunnel is started to be brought up. I set loglevel = 2 from command line:<br>
<br>
Nov 14 11:57:27 vpc2-ipsec-1-121 charon: 03[IKE] IKE_SA school-tunnel04[3] established between 10.201.50.70[wepa]...W.X.Y.Z[W.X.Y.Z]<br>
Nov 14 11:57:27 vpc2-ipsec-1-121 charon: 03[IKE] scheduling reauthentication in 37864s<br>
Nov 14 11:57:27 vpc2-ipsec-1-121 charon: 03[IKE] maximum IKE_SA lifetime 41464s<br>
Nov 14 11:57:27 vpc2-ipsec-1-121 charon: 03[ENC] generating QUICK_MODE request 1871762211 [ HASH SA No ID ID ]<br>
Nov 14 11:57:27 vpc2-ipsec-1-121 charon: 03[NET] sending packet: from 10.201.50.70[4500] to W.X.Y.Z[4500] (172 bytes)<br>
Nov 14 11:57:27 vpc2-ipsec-1-121 charon: 14[NET] received packet: from W.X.Y.Z[4500] to 10.201.50.70[4500] (76 bytes)<br>
Nov 14 11:57:27 vpc2-ipsec-1-121 charon: 14[IKE] queueing TRANSACTION request as tasks still active<br>
Nov 14 11:57:31 vpc2-ipsec-1-121 charon: 15[IKE] sending retransmit 1 of request message ID 1871762211, seq 4<br>
Nov 14 11:57:31 vpc2-ipsec-1-121 charon: 15[NET] sending packet: from 10.201.50.70[4500] to W.X.Y.Z[4500] (172 bytes)<br>
Nov 14 11:57:32 vpc2-ipsec-1-121 charon: 02[NET] received packet: from W.X.Y.Z[4500] to 10.201.50.70[4500] (76 bytes)<br>
Nov 14 11:57:32 vpc2-ipsec-1-121 charon: 02[IKE] ignoring additional TRANSACTION request, queue full<br>
<br>
<br>
I would truly appreciate any pointers on why it is stuck in phase 2 in QUICK_MODE. I tried to 'ipsec down school-tunnel04' and that was just queued, it wouldn't bring the tunnel down, I had to initiate a full ipsec restart.<br>
<br>
<b>Izz Abdullah</b><br>
<i>Senior Systems Engineer</i><br>
<a href="mailto:izz.abdullah@wepanow.com">Izz.Abdullah@wepanow.com</a><br>
205.605.6039 Office<br>
800.675.7639 Toll Free<br>
<a class="moz-txt-link-abbreviated" href="http://www.wepanow.com">www.wepanow.com</a><br>
<div style="line-height:50%"> </div>
<img alt="" src="cid:part2.02090004.08030600@wepanow.com" <br=""><br>
</div>
<br>
<div id="smartTemplate4-quoteHeader">
<hr>
<br>
<b>From:</b> Izz Abdullah <a class="moz-txt-link-rfc2396E" href="mailto:izz.abdullah@wepanow.com">
<izz.abdullah@wepanow.com></a><br>
<b>Sent:</b> Thursday, November 14, 2013 09:25<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:users@lists.strongswan.org">
users@lists.strongswan.org</a> <a class="moz-txt-link-rfc2396E" href="mailto:users@lists.strongswan.org">
<users@lists.strongswan.org></a><br>
<b>Subject: </b>[strongSwan] Tunnel stuck in QUICK_MODE active task<br>
<br>
</div>
<div id="smartTemplate4-template">Hello everyone:<br>
I have recently setup a config for both our peer on a PIX as well as the config within strongSwan. I had to dance around our customer's previous config of the PIX before I could understand and attempt writing the configuration so that the NAT is done correctly.<br>
I have finally had them apply the config to their PIX and I have configured our side of the tunnel with strongSwan 5.1.1dr4 (I installed this release prior to the official release of 5.1.1 to test out the patch for the CHILD_SA re-negotiation deleting the tunnel
altogether [issue 317 if I am not mistaken]).<br>
<br>
Here is the config I had them apply on the PIX:<br>
<br>
isakmp policy 35 authentication pre-share<br>
isamkp policy 35 encryption 3des<br>
isamkp policy 35 hash md5<br>
isakmp policy 35 group 2<br>
isamkp policy 35 lifetime 86400<br>
<br>
isakmp key 0UR-PSKH3R3 address 54.208.x.y netmask 255.255.255.255<br>
<br>
access-list vpn_to_wepa_dr permit ip 172.20.2.0 255.255.255.0 192.168.188.0 255.255.252.0<br>
access-list inside_pnat_wepa_dr permit ip 10.2.1.0 255.255.255.0 192.168.188.0 255.255.252.0<br>
access-list inside_nat0_outbound permit ip 172.20.2.0 255.255.255.0 192.168.188.0 255.255.252.0
<br>
<br>
crypto map outside_map 35 ipsec-isakmp<br>
crypto map outside_map 35 match address vpn_to_wepa_dr<br>
crypto map outside_map 35 set peer 54.208.x.y<br>
crypto map outside_map 35 set transform-set ESP-3DES-MD5<br>
<br>
static (inside,outside) 172.20.2.0 access-list inside_pnat_wepa_dr<br>
<br>
<br>
And the strongSwan side which I control in AWS:<br>
conn school-tunnel04<br>
type=tunnel<br>
auto=start<br>
keyexchange=ikev1<br>
ikelifetime=12h<br>
lifetime=11h<br>
margintime=1h<br>
rekeyfuzz=100%<br>
authby=secret<br>
auth=esp<br>
ike=3des-md5-modp1024!<br>
esp=3des-md5!<br>
left=10.201.50.70<br>
leftid=wepa<br>
leftsubnet=192.168.188.0/22<br>
leftfirewall=yes<br>
right=W.X.Y.Z<br>
rightid=W.X.Y.Z<br>
rightsubnet=172.20.2.0/24<br>
<br>
where W.X.Y.Z is their public IP address in the strongSwan ipsec.conf file and 54.208.x.y is our full public IP of the strongSwan box in AWS.<br>
<br>
Now, the tunnel is stuck in the following with ipsec statusall:<br>
school-tunnel04[12]: ESTABLISHED 83 seconds ago, 10.201.50.70[wepa]...W.X.Y.Z[W.X.Y.Z]<br>
school-tunnel04[12]: IKEv1 SPIs: 382ed50ff688b46f_i* 51a5b24472d03430_r, pre-shared key reauthentication in 10 hours<br>
school-tunnel04[12]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024<br>
school-tunnel04[12]: Tasks active: QUICK_MODE <br>
<br>
All other tunnels are installed and routed. I have a deep feeling it is because I am trying to accomplish the left-side NAT within the strongSwan config. Can someone please assist?<br>
Please realize we have 4 other tunnels in strongSwan configuration and I need the NAT to only apply for this single connection on our side.<br>
<br>
Thanks,<br>
Izz<br>
<br>
<b>Izz Abdullah</b><br>
<i>Senior Systems Engineer</i><br>
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="http://www.wepanow.com">www.wepanow.com</a><br>
<div style="line-height:50%"> <br>
</div>
</div>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset> <br>
<pre wrap="">_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a></pre>
<br>
</body>
</html>