[strongSwan] Tunnel stuck in QUICK_MODE active task

Izz Abdullah izz.abdullah at wepanow.com
Thu Nov 14 19:02:27 CET 2013


And here is the log as the tunnel is being brought up.  I set loglevel = 2 from the command line:

Nov 14 11:57:27 vpc2-ipsec-1-121 charon: 03[IKE] IKE_SA school-tunnel04[3] established between 10.201.50.70[wepa]...W.X.Y.Z[W.X.Y.Z]
Nov 14 11:57:27 vpc2-ipsec-1-121 charon: 03[IKE] scheduling reauthentication in 37864s
Nov 14 11:57:27 vpc2-ipsec-1-121 charon: 03[IKE] maximum IKE_SA lifetime 41464s
Nov 14 11:57:27 vpc2-ipsec-1-121 charon: 03[ENC] generating QUICK_MODE request 1871762211 [ HASH SA No ID ID ]
Nov 14 11:57:27 vpc2-ipsec-1-121 charon: 03[NET] sending packet: from 10.201.50.70[4500] to W.X.Y.Z[4500] (172 bytes)
Nov 14 11:57:27 vpc2-ipsec-1-121 charon: 14[NET] received packet: from W.X.Y.Z[4500] to 10.201.50.70[4500] (76 bytes)
Nov 14 11:57:27 vpc2-ipsec-1-121 charon: 14[IKE] queueing TRANSACTION request as tasks still active
Nov 14 11:57:31 vpc2-ipsec-1-121 charon: 15[IKE] sending retransmit 1 of request message ID 1871762211, seq 4
Nov 14 11:57:31 vpc2-ipsec-1-121 charon: 15[NET] sending packet: from 10.201.50.70[4500] to W.X.Y.Z[4500] (172 bytes)
Nov 14 11:57:32 vpc2-ipsec-1-121 charon: 02[NET] received packet: from W.X.Y.Z[4500] to 10.201.50.70[4500] (76 bytes)
Nov 14 11:57:32 vpc2-ipsec-1-121 charon: 02[IKE] ignoring additional TRANSACTION request, queue full


I would truly appreciate any pointers on why it is stuck in phase 2 in QUICK_MODE.  I tried 'ipsec down school-tunnel04', but that was just queued and wouldn't bring the tunnel down; I had to initiate a full ipsec restart.

Izz Abdullah
Senior Systems Engineer
Izz.Abdullah at wepanow.com
205.605.6039 Office
800.675.7639 Toll Free
www.wepanow.com

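The log excerpt above shows the pattern that defines a phase 2 hang in charon: a QUICK_MODE request is generated, the request is retransmitted without a matching response, and the peer's TRANSACTION requests pile up until the queue is full. The following is an added example (not part of the post and not strongSwan code) that reads charon log lines and reports exactly that pattern, so the same check can be run over a longer log instead of by eye. The sample lines are constructed to mirror the ones quoted above; the wording assumed for the phase 2 success line ("CHILD_SA ... established with SPIs") and for a received answer ("parsed QUICK_MODE response") is taken from typical charon output and should be adjusted if your version logs differently.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the charon lines quoted in the post above
# (same host, thread/group layout and message ID; not the original log).
SAMPLE_LOG = """\
Nov 14 11:57:27 vpc2-ipsec-1-121 charon: 03[IKE] IKE_SA school-tunnel04[3] established between 10.201.50.70[wepa]...W.X.Y.Z[W.X.Y.Z]
Nov 14 11:57:27 vpc2-ipsec-1-121 charon: 03[ENC] generating QUICK_MODE request 1871762211 [ HASH SA No ID ID ]
Nov 14 11:57:27 vpc2-ipsec-1-121 charon: 03[NET] sending packet: from 10.201.50.70[4500] to W.X.Y.Z[4500] (172 bytes)
Nov 14 11:57:27 vpc2-ipsec-1-121 charon: 14[NET] received packet: from W.X.Y.Z[4500] to 10.201.50.70[4500] (76 bytes)
Nov 14 11:57:27 vpc2-ipsec-1-121 charon: 14[IKE] queueing TRANSACTION request as tasks still active
Nov 14 11:57:31 vpc2-ipsec-1-121 charon: 15[IKE] sending retransmit 1 of request message ID 1871762211, seq 4
Nov 14 11:57:32 vpc2-ipsec-1-121 charon: 02[IKE] ignoring additional TRANSACTION request, queue full
Nov 14 11:57:38 vpc2-ipsec-1-121 charon: 07[IKE] sending retransmit 2 of request message ID 1871762211, seq 4
"""

# One charon line: syslog timestamp, host, "charon:", worker thread, log group, message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
IKE_SA_UP = re.compile(r"IKE_SA \S+ established between")
# Assumed wording of charon's phase 2 success and response lines; adjust to your version.
CHILD_SA_UP = re.compile(r"CHILD_SA \S+ established with SPIs")
QM_RESPONSE = re.compile(r"parsed QUICK_MODE response (\d+)")
QM_REQUEST = re.compile(r"generating QUICK_MODE request (\d+)")
RETRANSMIT = re.compile(r"sending retransmit (\d+) of request message ID (\d+)")
QUEUED = "queueing TRANSACTION request as tasks still active"
DROPPED = "ignoring additional TRANSACTION request, queue full"


@dataclass
class Report:
    ike_sa_established: bool = False
    child_sa_established: bool = False
    # IKEv1 message ID -> {"retransmits": highest retransmit number seen, "answered": bool}
    quick_mode: dict = field(default_factory=dict)
    queued_transactions: int = 0
    dropped_transactions: int = 0
    unparsed_lines: int = 0

    def stuck_quick_mode(self):
        """QUICK_MODE requests we retransmitted and never saw answered."""
        return sorted(mid for mid, st in self.quick_mode.items()
                      if st["retransmits"] >= 1 and not st["answered"])


def analyze(log_text):
    """Walk charon log lines and collect phase 1 / phase 2 progress."""
    rep = Report()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            rep.unparsed_lines += 1
            continue
        msg = m.group("msg")
        if IKE_SA_UP.search(msg):
            rep.ike_sa_established = True
        elif CHILD_SA_UP.search(msg):
            rep.child_sa_established = True
        elif (q := QM_REQUEST.search(msg)):
            rep.quick_mode.setdefault(q.group(1), {"retransmits": 0, "answered": False})
        elif (q := QM_RESPONSE.search(msg)):
            rep.quick_mode.setdefault(q.group(1), {"retransmits": 0, "answered": False})["answered"] = True
        elif (q := RETRANSMIT.search(msg)):
            # In IKEv1 the message ID names the exchange; only count retransmits
            # of IDs we saw generated as QUICK_MODE requests.
            st = rep.quick_mode.get(q.group(2))
            if st is not None:
                st["retransmits"] = max(st["retransmits"], int(q.group(1)))
        elif QUEUED in msg:
            rep.queued_transactions += 1
        elif DROPPED in msg:
            rep.dropped_transactions += 1
    return rep


def findings(rep):
    """Human-readable summary of what points at a phase 2 hang."""
    out = []
    if rep.ike_sa_established and not rep.child_sa_established:
        out.append("phase 1 up, no CHILD_SA established: phase 2 did not complete")
    for mid in rep.stuck_quick_mode():
        n = rep.quick_mode[mid]["retransmits"]
        out.append(f"QUICK_MODE request {mid} retransmitted {n}x with no response")
    if rep.dropped_transactions:
        out.append(f"{rep.dropped_transactions} peer TRANSACTION request(s) dropped "
                   f"(queue full) while QUICK_MODE was pending")
    return out


if __name__ == "__main__":
    for f in findings(analyze(SAMPLE_LOG)):
        print(f)
```

Run against a real log with `analyze(open("/var/log/syslog").read())`; an empty `findings()` list means phase 2 completed for every QUICK_MODE request seen, while an unanswered, retransmitted request with a rising count of dropped TRANSACTION requests is the state the post describes.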


________________________________

From: Izz Abdullah <izz.abdullah at wepanow.com>
Sent: Thursday, November 14, 2013 09:25
To: users at lists.strongswan.org
Subject: [strongSwan] Tunnel stuck in QUICK_MODE active task

Hello everyone:
I have recently set up a config for both our peer on a PIX as well as the config within strongSwan.  I had to dance around our customer's previous config of the PIX before I could understand and attempt writing the configuration so that the NAT is done correctly.
I have finally had them apply the config to their PIX and I have configured our side of the tunnel with strongSwan 5.1.1dr4 (I installed this release prior to the official release of 5.1.1 to test out the patch for the CHILD_SA re-negotiation deleting the tunnel altogether [issue 317 if I am not mistaken]).

Here is the config I had them apply on the PIX:

isakmp policy 35 authentication pre-share
isakmp policy 35 encryption 3des
isakmp policy 35 hash md5
isakmp policy 35 group 2
isakmp policy 35 lifetime 86400

isakmp key 0UR-PSKH3R3 address 54.208.x.y netmask 255.255.255.255

access-list vpn_to_wepa_dr permit ip 172.20.2.0 255.255.255.0 192.168.188.0 255.255.252.0
access-list inside_pnat_wepa_dr permit ip 10.2.1.0 255.255.255.0 192.168.188.0 255.255.252.0
access-list inside_nat0_outbound permit ip 172.20.2.0 255.255.255.0 192.168.188.0 255.255.252.0

crypto map outside_map 35 ipsec-isakmp
crypto map outside_map 35 match address vpn_to_wepa_dr
crypto map outside_map 35 set peer 54.208.x.y
crypto map outside_map 35 set transform-set ESP-3DES-MD5

static (inside,outside) 172.20.2.0 access-list inside_pnat_wepa_dr


And the strongSwan side which I control in AWS:
conn school-tunnel04
        type=tunnel
        auto=start
        keyexchange=ikev1
        ikelifetime=12h
        lifetime=11h
        margintime=1h
        rekeyfuzz=100%
        authby=secret
        auth=esp
        ike=3des-md5-modp1024!
        esp=3des-md5!
        left=10.201.50.70
        leftid=wepa
        leftsubnet=192.168.188.0/22
        leftfirewall=yes
        right=W.X.Y.Z
        rightid=W.X.Y.Z
        rightsubnet=172.20.2.0/24

where W.X.Y.Z is their public IP address in the strongSwan ipsec.conf file and 54.208.x.y is our full public IP of the strongSwan box in AWS.

Now, the tunnel is stuck in the following with ipsec statusall:
school-tunnel04[12]: ESTABLISHED 83 seconds ago, 10.201.50.70[wepa]...W.X.Y.Z[W.X.Y.Z]
school-tunnel04[12]: IKEv1 SPIs: 382ed50ff688b46f_i* 51a5b24472d03430_r, pre-shared key reauthentication in 10 hours
school-tunnel04[12]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
school-tunnel04[12]: Tasks active: QUICK_MODE

All other tunnels are installed and routed.  I have a deep feeling it is because I am trying to accomplish the left-side NAT within the strongSwan config.  Can someone please assist?
Please realize we have 4 other tunnels in strongSwan configuration and I need the NAT to only apply for this single connection on our side.

Thanks,
Izz

Izz Abdullah
Senior Systems Engineer
www.wepanow.com
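In IKEv1, QUICK_MODE is where the two peers agree on the traffic selectors, so the PIX crypto ACL, the policy-NAT ACL behind it and the strongSwan leftsubnet/rightsubnet must describe the same pair of networks, read from opposite ends. The following is an added cross-check (not part of the post, not strongSwan or Cisco code, and not a diagnosis of this particular tunnel) that parses the two configs quoted above and reports any selector that does not line up. The config text is a constructed copy limited to the lines the check reads; it assumes a single network per leftsubnet/rightsubnet and the `static (in,out) <net> access-list <acl>` policy-NAT form shown in the post.

```python
import ipaddress
import re

# Constructed copies of the configs quoted in the post; only the lines this check reads.
PIX_CONFIG = """\
access-list vpn_to_wepa_dr permit ip 172.20.2.0 255.255.255.0 192.168.188.0 255.255.252.0
access-list inside_pnat_wepa_dr permit ip 10.2.1.0 255.255.255.0 192.168.188.0 255.255.252.0
access-list inside_nat0_outbound permit ip 172.20.2.0 255.255.255.0 192.168.188.0 255.255.252.0
crypto map outside_map 35 ipsec-isakmp
crypto map outside_map 35 match address vpn_to_wepa_dr
crypto map outside_map 35 set peer 54.208.x.y
crypto map outside_map 35 set transform-set ESP-3DES-MD5
static (inside,outside) 172.20.2.0 access-list inside_pnat_wepa_dr
"""

STRONGSWAN_CONF = """\
conn school-tunnel04
        keyexchange=ikev1
        left=10.201.50.70
        leftsubnet=192.168.188.0/22
        right=W.X.Y.Z
        rightsubnet=172.20.2.0/24
"""

ACL_RE = re.compile(r"^access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)\s*$")
MAP_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)\s*$")
# Policy NAT: the translated (global) network is taken from the referenced ACL's source.
STATIC_RE = re.compile(r"^static \(\S+,\S+\) (\S+) access-list (\S+)\s*$")


def parse_pix(text):
    """Return (acls, crypto_acl_names, statics) from a PIX config fragment."""
    acls, crypto_acls, statics = {}, [], []
    for line in text.splitlines():
        if (m := ACL_RE.match(line)):
            name, src, src_mask, dst, dst_mask = m.groups()
            acls.setdefault(name, []).append((
                ipaddress.ip_network(f"{src}/{src_mask}"),
                ipaddress.ip_network(f"{dst}/{dst_mask}"),
            ))
        elif (m := MAP_RE.match(line)):
            crypto_acls.append(m.group(1))
        elif (m := STATIC_RE.match(line)):
            statics.append((ipaddress.ip_address(m.group(1)), m.group(2)))
    return acls, crypto_acls, statics


def parse_conn(text, name):
    """Return the key=value settings of one conn block from ipsec.conf."""
    settings, inside = {}, False
    for line in text.splitlines():
        if line.startswith("conn "):
            inside = line.split(None, 1)[1].strip() == name
            continue
        if inside and "=" in line:
            key, _, value = line.strip().partition("=")
            settings[key.strip()] = value.strip()
    return settings


def check_selectors(pix_text, conf_text, conn_name):
    """List every mismatch between the PIX crypto/NAT ACLs and the strongSwan subnets."""
    acls, crypto_acls, statics = parse_pix(pix_text)
    conn = parse_conn(conf_text, conn_name)
    left = ipaddress.ip_network(conn["leftsubnet"])    # strongSwan's local network
    right = ipaddress.ip_network(conn["rightsubnet"])  # the PIX's (translated) network
    findings = []
    for acl_name in crypto_acls:
        for pix_src, pix_dst in acls.get(acl_name, []):
            # The PIX ACL is written from the PIX's side: its source is strongSwan's
            # rightsubnet and its destination strongSwan's leftsubnet.
            if pix_src != right:
                findings.append(f"{acl_name}: source {pix_src} != rightsubnet {right}")
            if pix_dst != left:
                findings.append(f"{acl_name}: destination {pix_dst} != leftsubnet {left}")
            for global_addr, nat_acl in statics:
                if global_addr not in pix_src:
                    findings.append(f"static global {global_addr} not inside crypto source {pix_src}")
                for _nat_src, nat_dst in acls.get(nat_acl, []):
                    if nat_dst != pix_dst:
                        findings.append(f"{nat_acl}: policy-NAT destination {nat_dst} "
                                        f"!= crypto destination {pix_dst}")
    return findings


if __name__ == "__main__":
    for f in check_selectors(PIX_CONFIG, STRONGSWAN_CONF, "school-tunnel04") or ["selectors consistent"]:
        print(f)
```

An empty result only says the two sides describe the same networks; it does not rule out other phase 2 causes, but it is the first thing worth confirming before reading the peer's debug output, because a selector mismatch produces exactly an unanswered or rejected QUICK_MODE request.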
