<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
</head>
<body smarttemplateinserted="true" bgcolor="#FFFFFF" text="#000000">
<div id="smartTemplate4-template">Any ideas? I made the changes as requested to the ipsec.conf for this particular connection by adding:<br>
leftsourceip=%config<br>
modeconfig=push<br>
<br>
and that has changed the state a little, as shown below, but now it is just queuing QUICK_MODE and never completely establishes the tunnel.<br>
<br>
Thanks again...<br>
<br>
<b>Izz Abdullah</b><br>
<i>Senior Systems Engineer</i><br>
<a class="moz-txt-link-abbreviated" href="http://www.wepanow.com">www.wepanow.com</a><br>
<div style="line-height:50%"> </div>
<br>
</div>
<br>
<div id="smartTemplate4-quoteHeader">
<hr>
<br>
<b>From:</b> Izz Abdullah <a class="moz-txt-link-rfc2396E" href="mailto:izz.abdullah@wepanow.com">
&lt;izz.abdullah@wepanow.com&gt;</a><br>
<b>Sent:</b> Friday, November 15, 2013 08:42<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:users@lists.strongswan.org">
users@lists.strongswan.org</a> <a class="moz-txt-link-rfc2396E" href="mailto:users@lists.strongswan.org">
&lt;users@lists.strongswan.org&gt;</a><br>
<b>Subject: </b>Re: [strongSwan] Tunnel stuck in QUICK_MODE active task<br>
<br>
</div>
<blockquote cite="mid:DDC89076AFD9CE4CAF815050B6FC67BD9C4F4A@ORD2MBX09B.mex05.mlsrvr.com" type="cite">
<div id="smartTemplate4-template">That made a difference. The tunnel is staying up, but after Phase1, it appears it never reaches phase2 now. Here are the logs now:<br>
<br>
Nov 15 08:32:40 vpc2-ipsec-1-121 charon: 09[ENC] parsed ID_PROT response 0 [ ID HASH ]<br>
Nov 15 08:32:40 vpc2-ipsec-1-121 charon: 09[IKE] IKE_SA school-tunnel04[5] established between 10.201.50.70[wepa]...W.X.Y.Z[W.X.Y.Z]<br>
Nov 15 08:32:40 vpc2-ipsec-1-121 charon: 09[IKE] scheduling reauthentication in 37753s<br>
Nov 15 08:32:40 vpc2-ipsec-1-121 charon: 09[IKE] maximum IKE_SA lifetime 41353s<br>
Nov 15 08:32:40 vpc2-ipsec-1-121 charon: 09[NET] received packet: from W.X.Y.Z[4500] to 10.201.50.70[4500] (84 bytes)<br>
Nov 15 08:32:40 vpc2-ipsec-1-121 charon: 09[ENC] parsed INFORMATIONAL_V1 request 2078815867 [ HASH N(INITIAL_CONTACT) ]<br>
<br>
I may be wrong in my terminology of reaching phase 2; it is in the ENC log where strongSwan parses out an INITIAL_CONTACT message from the PIX. Anyway, this is it. After this, only keepalives are sent back and forth. The tunnel never fully establishes and ipsec statusall has QUICK_MODE as queued:<br>
<br>
school-tunnel04[5]: ESTABLISHED 4 minutes ago, 10.201.50.70[wepa]...W.X.Y.Z[W.X.Y.Z]<br>
school-tunnel04[5]: IKEv1 SPIs: c3bb079f944f4a7d_i* b92d2bd072d03430_r, pre-shared key reauthentication in 10 hours<br>
school-tunnel04[5]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024<br>
school-tunnel04[5]: Tasks queued: QUICK_MODE <br>
<br>
<br>
I can bring the tunnel down with ipsec down school-tunnel04 now, instead of that queuing like before, but still no tunnel. I apologize for the n00b questions, but appreciate your assistance. I can't change the configuration of the PIX. It is one of our customers, and they have probably 20 VPNs and a lot of routing and NAT'ing within it. We have another VPN connection to them from our primary datacenter, but it is a PIX on this end. Since we are setting up our DR in Amazon AWS, I have opted to use strongSwan for all of our tunnels. For our other tunnels, I've had very little issue and no issue to this effect in setting up the tunnel.<br>
<br>
Thanks again,<br>
Izz<br>
<br>
<b>Izz Abdullah</b><br>
<i>Senior Systems Engineer</i><br>
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="http://www.wepanow.com">www.wepanow.com</a><br>
<div style="line-height:50%"> </div>
</div>
<br>
<div id="smartTemplate4-quoteHeader">
<hr>
<br>
<b>From:</b> Izz Abdullah <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:izz.abdullah@wepanow.com">
&lt;izz.abdullah@wepanow.com&gt;</a><br>
<b>Sent:</b> Friday, November 15, 2013 06:25<br>
<b>To:</b> Martin Willi <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:martin@strongswan.org">
&lt;martin@strongswan.org&gt;</a><br>
<b>Cc:</b> <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:users@lists.strongswan.org">
users@lists.strongswan.org</a> <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:users@lists.strongswan.org">
&lt;users@lists.strongswan.org&gt;</a><br>
<b>Subject: </b>Re: [strongSwan] Tunnel stuck in QUICK_MODE active task<br>
<br>
</div>
<div>
<div>Thanks for your reply Martin. I'll try this as soon as I reach the office and report back.</div>
<div><br>
</div>
<div><br>
</div>
--
<div><b><i>Izz</i></b></div>
<div><i>Sent using Android™</i></div>
<br>
<br>
<br>
-------- Original message --------<br>
From: Martin Willi <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:martin@strongswan.org">
&lt;martin@strongswan.org&gt;</a> <br>
Date: 11/15/2013 3:08 AM (GMT-06:00) <br>
To: Izz Abdullah <a moz-do-not-send="true" class="moz-txt-link-rfc2396E" href="mailto:izz.abdullah@wepanow.com">
&lt;izz.abdullah@wepanow.com&gt;</a> <br>
Cc: <a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:users@lists.strongswan.org">
users@lists.strongswan.org</a> <br>
Subject: Re: [strongSwan] Tunnel stuck in QUICK_MODE active task <br>
<br>
<br>
</div>
<font size="2"><span style="font-size:10pt;">
<div class="PlainText">Hi,<br>
<br>
> 03[ENC] generating QUICK_MODE request 1871762211 [ HASH SA No ID ID ]<br>
> 03[NET] sending packet: from 10.201.50.70[4500] to W.X.Y.Z[4500] (172 bytes)<br>
<br>
> 14[NET] received packet: from W.X.Y.Z[4500] to 10.201.50.70[4500] (76 bytes)<br>
> 14[IKE] queueing TRANSACTION request as tasks still active<br>
<br>
The strongSwan initiator creates a Quick Mode, but the PIX does not<br>
expect that. Instead, it seems that it wants to do a Mode Config<br>
exchange in Push Mode first. Mode Config TRANSACTION exchanges always<br>
have to complete before you can create any Quick Modes, hence the<br>
configurations have to match on both sides.<br>
<br>
We have support for push mode starting with 5.1.1. If you want to use a<br>
Mode Config exchange (i.e. assign a virtual IP to the initiator), you<br>
may try to set:<br>
<br>
leftsourceip=%config<br>
modeconfig=push<br>
<br>
If you don't need any Mode Config, you may try to disable that on the<br>
PIX.<br>
<br>
Regards<br>
Martin<br>
<br>
</div>
</span></font><br>
<fieldset class="mimeAttachmentHeader"></fieldset> <br>
<pre wrap="">_______________________________________________
Users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a></pre>
<br>
<br>
</blockquote>
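<p>Added example, not part of this thread and not strongSwan's own code: a small Python triage script that reads charon log lines and <code>ipsec statusall</code> output of the kind posted above and reports why Phase 2 is not coming up (a QUICK_MODE request with no response, a peer-initiated TRANSACTION exchange queued behind our own Quick Mode, QUICK_MODE still listed under "Tasks queued", and the INITIAL_CONTACT notify that is easy to mistake for a Phase 2 step). The class and function names, the hostname <code>host</code> in the sample syslog lines, and the regular expressions are assumptions; the sample lines are constructed after the ones in the thread.</p>

```python
"""Triage an IKEv1 SA that finishes Phase 1 but never installs a CHILD_SA, from
charon syslog lines plus `ipsec statusall` output. Added example for this
thread, not strongSwan code; names are assumptions, samples are constructed."""
import re
from dataclasses import dataclass, field
from typing import List

# "... charon: 09[ENC] parsed ID_PROT response 0 [ ID HASH ]"
LOG_RE = re.compile(r"charon: (?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
EXCHANGE_RE = re.compile(
    r"^(?P<dir>generating|parsed) (?P<exch>[A-Z0-9_]+) (?P<kind>request|response) "
    r"(?P<mid>\d+) \[(?P<payloads>[^\]]*)\]")
# a peer-initiated exchange charon held back behind its own active task
QUEUE_RE = re.compile(r"^queueing (?P<task>[A-Z_]+) request as tasks still active")
# `ipsec statusall` lines (leading whitespace stripped before matching)
ESTAB_RE = re.compile(r"^(?P<conn>\S+)\[\d+\]: ESTABLISHED ")
TASKS_RE = re.compile(r"^(?P<conn>\S+)\[\d+\]: Tasks (?P<state>queued|active): (?P<tasks>.+?)\s*$")
CHILD_RE = re.compile(r"^(?P<conn>\S+)\{\d+\}:\s+INSTALLED")

# Constructed after the lines in the thread; W.X.Y.Z is the thread's placeholder peer.
SAMPLE_LOG = """\
Nov 15 08:32:40 host charon: 09[ENC] parsed ID_PROT response 0 [ ID HASH ]
Nov 15 08:32:40 host charon: 09[IKE] IKE_SA school-tunnel04[5] established between 10.201.50.70[wepa]...W.X.Y.Z[W.X.Y.Z]
Nov 15 08:32:40 host charon: 03[ENC] generating QUICK_MODE request 1871762211 [ HASH SA No ID ID ]
Nov 15 08:32:40 host charon: 03[NET] sending packet: from 10.201.50.70[4500] to W.X.Y.Z[4500] (172 bytes)
Nov 15 08:32:40 host charon: 14[NET] received packet: from W.X.Y.Z[4500] to 10.201.50.70[4500] (76 bytes)
Nov 15 08:32:40 host charon: 14[IKE] queueing TRANSACTION request as tasks still active
Nov 15 08:32:40 host charon: 09[ENC] parsed INFORMATIONAL_V1 request 2078815867 [ HASH N(INITIAL_CONTACT) ]
"""
SAMPLE_STATUS = """\
school-tunnel04[5]: ESTABLISHED 4 minutes ago, 10.201.50.70[wepa]...W.X.Y.Z[W.X.Y.Z]
school-tunnel04[5]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
school-tunnel04[5]: Tasks queued: QUICK_MODE
"""


@dataclass
class Phase2Report:
    ike_established: bool = False      # Phase 1 (ISAKMP SA) completed
    quick_mode_requests: int = 0       # QUICK_MODE requests we generated
    quick_mode_responses: int = 0      # QUICK_MODE responses we parsed
    deferred_peer_tasks: List[str] = field(default_factory=list)  # e.g. TRANSACTION
    initial_contact: bool = False      # peer sent N(INITIAL_CONTACT)
    tasks_queued: List[str] = field(default_factory=list)         # from statusall
    child_installed: bool = False      # a CHILD_SA (Phase 2) is INSTALLED


def diagnose(charon_log: str, statusall: str) -> Phase2Report:
    r = Phase2Report()
    for line in charon_log.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        msg = m["msg"]
        if msg.startswith("IKE_SA ") and " established " in msg:
            r.ike_established = True
        em = EXCHANGE_RE.match(msg)
        if em:
            if em["exch"] == "QUICK_MODE" and em["dir"] == "generating" and em["kind"] == "request":
                r.quick_mode_requests += 1
            elif em["exch"] == "QUICK_MODE" and em["dir"] == "parsed" and em["kind"] == "response":
                r.quick_mode_responses += 1
            if "INITIAL_CONTACT" in em["payloads"]:
                r.initial_contact = True
        qm = QUEUE_RE.match(msg)
        if qm:
            r.deferred_peer_tasks.append(qm["task"])
    for line in statusall.splitlines():
        line = line.strip()
        if ESTAB_RE.match(line):
            r.ike_established = True
        tm = TASKS_RE.match(line)
        if tm and tm["state"] == "queued":
            r.tasks_queued.extend(tm["tasks"].split())
        if CHILD_RE.match(line):
            r.child_installed = True
    return r


def findings(r: Phase2Report) -> List[str]:
    if not r.ike_established:
        return ["Phase 1 never completed: no IKE_SA established; look at the ID_PROT exchange, not Quick Mode."]
    if r.child_installed:
        return ["A CHILD_SA is INSTALLED: Phase 2 completed."]
    out = []
    if r.quick_mode_requests and not r.quick_mode_responses:
        out.append(f"{r.quick_mode_requests} QUICK_MODE request(s) sent, no response parsed: peer is not answering Phase 2.")
    if "TRANSACTION" in r.deferred_peer_tasks:
        out.append("Peer started a TRANSACTION (Mode Config) exchange while our Quick Mode was active; Mode Config "
                   "must finish first, so set leftsourceip=%config with modeconfig=push or disable Mode Config on the peer.")
    if "QUICK_MODE" in r.tasks_queued:
        out.append("statusall still shows 'Tasks queued: QUICK_MODE': Phase 2 has not been negotiated.")
    if r.initial_contact:
        out.append("Peer sent N(INITIAL_CONTACT): an INFORMATIONAL notify that old state was dropped, not a Phase 2 step.")
    return out or ["IKE_SA up, no CHILD_SA, no recognised cause in these lines; collect more log."]


def verdict(r: Phase2Report) -> str:
    if not r.ike_established:
        return "PHASE1_FAILED"
    if r.child_installed:
        return "OK"
    if "QUICK_MODE" in r.tasks_queued or (r.quick_mode_requests and not r.quick_mode_responses):
        return "PHASE2_STUCK"
    return "UNKNOWN"


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG, SAMPLE_STATUS)
    print(verdict(report), *findings(report), sep="\n- ")
```

<p>Run it on a copy of <code>/var/log/syslog</code> (or the journal) filtered for <code>charon:</code> and on the output of <code>ipsec statusall</code>; the verdict distinguishes a Phase 1 failure from a Phase 2 that was started by strongSwan but never answered, which is the shape of the problem in this thread.</p>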
<br>
</body>
</html>