[strongSwan] Tunnel stuck in QUICK_MODE active task

Izz Abdullah izz.abdullah at wepanow.com
Thu Nov 14 16:25:01 CET 2013


Hello everyone:
I have recently set up a config for both our peer on a PIX as well as the config within strongSwan.  I had to dance around our customer's previous config of the PIX before I could understand and attempt writing the configuration so that the NAT is done correctly.
I have finally had them apply the config to their PIX and I have configured our side of the tunnel with strongSwan 5.1.1dr4 (I installed this release prior to the official release of 5.1.1 to test out the patch for the CHILD_SA re-negotiation deleting the tunnel altogether [issue 317 if I am not mistaken]).

Here is the config I had them apply on the PIX:

isakmp policy 35 authentication pre-share
isakmp policy 35 encryption 3des
isakmp policy 35 hash md5
isakmp policy 35 group 2
isakmp policy 35 lifetime 86400

isakmp key 0UR-PSKH3R3 address 54.208.x.y netmask 255.255.255.255

access-list vpn_to_wepa_dr permit ip 172.20.2.0 255.255.255.0 192.168.188.0 255.255.252.0
access-list inside_pnat_wepa_dr permit ip 10.2.1.0 255.255.255.0 192.168.188.0 255.255.252.0
access-list inside_nat0_outbound permit ip 172.20.2.0 255.255.255.0 192.168.188.0 255.255.252.0

crypto map outside_map 35 ipsec-isakmp
crypto map outside_map 35 match address vpn_to_wepa_dr
crypto map outside_map 35 set peer 54.208.x.y
crypto map outside_map 35 set transform-set ESP-3DES-MD5

static (inside,outside) 172.20.2.0 access-list inside_pnat_wepa_dr


And the strongSwan side which I control in AWS:
conn school-tunnel04
        type=tunnel
        auto=start
        keyexchange=ikev1
        ikelifetime=12h
        lifetime=11h
        margintime=1h
        rekeyfuzz=100%
        authby=secret
        auth=esp
        ike=3des-md5-modp1024!
        esp=3des-md5!
        left=10.201.50.70
        leftid=wepa
        leftsubnet=192.168.188.0/22
        leftfirewall=yes
        right=W.X.Y.Z
        rightid=W.X.Y.Z
        rightsubnet=172.20.2.0/24

where W.X.Y.Z is their public IP address in the strongSwan ipsec.conf file and 54.208.x.y is our full public IP of the strongSwan box in AWS.

Now, the tunnel is stuck in the following with ipsec statusall:
school-tunnel04[12]: ESTABLISHED 83 seconds ago, 10.201.50.70[wepa]...W.X.Y.Z[W.X.Y.Z]
school-tunnel04[12]: IKEv1 SPIs: 382ed50ff688b46f_i* 51a5b24472d03430_r, pre-shared key reauthentication in 10 hours
school-tunnel04[12]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
school-tunnel04[12]: Tasks active: QUICK_MODE

All other tunnels are installed and routed.  I have a deep feeling it is because I am trying to accomplish the left-side NAT within the strongSwan config.  Can someone please assist?
Please realize we have 4 other tunnels in strongSwan configuration and I need the NAT to only apply for this single connection on our side.

Thanks,
Izz

Izz Abdullah
Senior Systems Engineer
www.wepanow.com
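Added example (not from the original post, and not strongSwan or Cisco code): a small Python checker that cross-checks the two configs quoted above for the things that most often leave an IKEv1 tunnel ESTABLISHED but stuck in QUICK_MODE, namely Phase 2 traffic selectors that are not mirror images of each other, a policy-NAT `static` whose translated address does not line up with the crypto ACL, and command-name typos in the PIX snippet. The embedded input is constructed from the configs as posted (including the `isamkp` spellings); the placeholders W.X.Y.Z and 54.208.x.y are left as they are, and the conn name, crypto-map name and sequence number are taken from the message.

```python
"""Cross-check a PIX crypto map / policy NAT against a strongSwan ipsec.conf conn.

Added example for this thread; not part of the original post or of strongSwan.
The configs below are constructed from what the message quotes.
"""
import ipaddress
import re

# Constructed input: PIX side as posted (note the three "isamkp" lines).
PIX_CONFIG = """\
isakmp policy 35 authentication pre-share
isamkp policy 35 encryption 3des
isamkp policy 35 hash md5
isakmp policy 35 group 2
isamkp policy 35 lifetime 86400
access-list vpn_to_wepa_dr permit ip 172.20.2.0 255.255.255.0 192.168.188.0 255.255.252.0
access-list inside_pnat_wepa_dr permit ip 10.2.1.0 255.255.255.0 192.168.188.0 255.255.252.0
access-list inside_nat0_outbound permit ip 172.20.2.0 255.255.255.0 192.168.188.0 255.255.252.0
crypto map outside_map 35 ipsec-isakmp
crypto map outside_map 35 match address vpn_to_wepa_dr
crypto map outside_map 35 set transform-set ESP-3DES-MD5
static (inside,outside) 172.20.2.0 access-list inside_pnat_wepa_dr
"""

# Constructed input: the strongSwan conn as posted (only the lines the check needs).
SWAN_CONF = """\
conn school-tunnel04
        keyexchange=ikev1
        ike=3des-md5-modp1024!
        esp=3des-md5!
        left=10.201.50.70
        leftsubnet=192.168.188.0/22
        right=W.X.Y.Z
        rightsubnet=172.20.2.0/24
"""

# Only the command words this checker understands; anything else is flagged as a typo.
PIX_KEYWORDS = {"isakmp", "access-list", "crypto", "static"}


def pix_network(addr, mask):
    """Build a network from PIX 'address netmask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pix(text):
    """Return (acls, crypto_map_acls, statics, unknown_commands) from a PIX snippet."""
    acls, map_acls, statics, unknown = {}, {}, [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] not in PIX_KEYWORDS:
            unknown.append(line)
            continue
        m = re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)$", line)
        if m:
            acls.setdefault(m[1], []).append((pix_network(m[2], m[3]), pix_network(m[4], m[5])))
        m = re.match(r"crypto map (\S+) (\d+) match address (\S+)$", line)
        if m:
            map_acls[(m[1], int(m[2]))] = m[3]
        m = re.match(r"static \((\S+),(\S+)\) (\S+) access-list (\S+)$", line)
        if m:
            statics.append((m[3], m[4]))  # (global address, policy-NAT ACL name)
    return acls, map_acls, statics, unknown


def parse_swan_conn(text, name):
    """Return the key=value settings of the named conn section of an ipsec.conf."""
    settings, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("conn "):
            current = stripped.split(None, 1)[1]
        elif current == name and "=" in stripped:
            key, value = stripped.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def check(pix_text, swan_text, conn, crypto_map, seq):
    """Return a list of human-readable problems; an empty list means the two sides line up."""
    acls, map_acls, statics, unknown = parse_pix(pix_text)
    swan = parse_swan_conn(swan_text, conn)
    problems = [f"unrecognised PIX command (typo?): {line}" for line in unknown]
    acl_name = map_acls.get((crypto_map, seq))
    if acl_name is None or acl_name not in acls:
        return problems + [f"crypto map {crypto_map} {seq} has no usable 'match address' ACL"]
    left = ipaddress.ip_network(swan["leftsubnet"])
    right = ipaddress.ip_network(swan["rightsubnet"])
    # Phase 2 selectors must be mirror images: PIX source == our rightsubnet, PIX dest == our leftsubnet.
    for src, dst in acls[acl_name]:
        if (src, dst) != (right, left):
            problems.append(f"selector mismatch: PIX {src}->{dst} vs strongSwan right={right} left={left}")
    # Policy NAT: the translated (global) range must be what the crypto ACL carries and the NAT
    # ACL's destination must be the remote selector, or translated traffic never hits the crypto map.
    for global_addr, nat_acl in statics:
        for nat_src, nat_dst in acls.get(nat_acl, []):
            global_net = ipaddress.ip_network(f"{global_addr}/{nat_src.prefixlen}", strict=False)
            if global_net != right or nat_dst != left:
                problems.append(f"policy NAT {nat_src}->{global_net} (to {nat_dst}) does not match "
                                f"crypto selectors {right}<->{left}")
    return problems


if __name__ == "__main__":
    for problem in check(PIX_CONFIG, SWAN_CONF, "school-tunnel04", "outside_map", 35):
        print(problem)
```

Run against the configs as posted, the selectors and the policy NAT line up (172.20.2.0/24 <-> 192.168.188.0/22 on both sides) and the only findings are the three `isamkp` lines; changing either subnet on one side makes the selector and NAT mismatches show up, which is the first thing to rule out when `ipsec statusall` shows the IKE_SA ESTABLISHED with QUICK_MODE as the only active task and no CHILD_SA installed.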

