[strongSwan] Tunnel stuck in QUICK_MODE queued task

Izz Abdullah izz.abdullah at wepanow.com
Wed Nov 20 15:37:48 CET 2013


Any ideas?  I made the changes as requested to the ipsec.conf for this particular connection by adding:
leftsourceip=%config
modeconfig=push

and that has changed the state a little, as shown below, but now it is just queuing QUICK_MODE and never completely establishes the tunnel.

Thanks again...

Izz Abdullah
Senior Systems Engineer
www.wepanow.com



________________________________

From: Izz Abdullah <izz.abdullah at wepanow.com>
Sent: Friday, November 15, 2013 08:42
To: users at lists.strongswan.org
Subject: Re: [strongSwan] Tunnel stuck in QUICK_MODE active task

That made a difference.  The tunnel is staying up, but after Phase 1, it appears it never reaches Phase 2 now.  Here are the logs now:

Nov 15 08:32:40 vpc2-ipsec-1-121 charon: 09[ENC] parsed ID_PROT response 0 [ ID HASH ]
Nov 15 08:32:40 vpc2-ipsec-1-121 charon: 09[IKE] IKE_SA school-tunnel04[5] established between 10.201.50.70[wepa]...W.X.Y.Z[W.X.Y.Z]
Nov 15 08:32:40 vpc2-ipsec-1-121 charon: 09[IKE] scheduling reauthentication in 37753s
Nov 15 08:32:40 vpc2-ipsec-1-121 charon: 09[IKE] maximum IKE_SA lifetime 41353s
Nov 15 08:32:40 vpc2-ipsec-1-121 charon: 09[NET] received packet: from W.X.Y.Z[4500] to 10.201.50.70[4500] (84 bytes)
Nov 15 08:32:40 vpc2-ipsec-1-121 charon: 09[ENC] parsed INFORMATIONAL_V1 request 2078815867 [ HASH N(INITIAL_CONTACT) ]

I may be wrong in my terminology of reaching Phase 2; it is in the ENC log where strongSwan parses out an INITIAL_CONTACT message from the PIX.  Anyway, this is it.  After this, only keepalives are sent back and forth.  The tunnel never fully establishes and ipsec statusall has QUICK_MODE as queued:

school-tunnel04[5]: ESTABLISHED 4 minutes ago, 10.201.50.70[wepa]...W.X.Y.Z[W.X.Y.Z]
school-tunnel04[5]: IKEv1 SPIs: c3bb079f944f4a7d_i* b92d2bd072d03430_r, pre-shared key reauthentication in 10 hours
school-tunnel04[5]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
school-tunnel04[5]: Tasks queued: QUICK_MODE


I can bring the tunnel down with ipsec down school-tunnel04 now, instead of that queuing like before, but still no tunnel.  I apologize for the n00b questions, but appreciate your assistance.  I can't change the configuration of the PIX.  It is one of our customers, and they have probably 20 VPNs and a lot of routing and NAT'ing within it.  We have another VPN connection to them from our primary datacenter, but it is a PIX on this end.  Since we are setting up our DR in Amazon AWS, I have opted to use strongSwan for all of our tunnels.  For our other tunnels, I've had very little issue and no issue to this effect in setting up the tunnel.

Thanks again,
Izz

Izz Abdullah
Senior Systems Engineer
www.wepanow.com


________________________________

From: Izz Abdullah <izz.abdullah at wepanow.com>
Sent: Friday, November 15, 2013 06:25
To: Martin Willi <martin at strongswan.org>
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Tunnel stuck in QUICK_MODE active task

Thanks for your reply Martin. I'll try this as soon as I reach the office and report back.


--
Izz
Sent using Android™



-------- Original message --------
From: Martin Willi <martin at strongswan.org>
Date: 11/15/2013 3:08 AM (GMT-06:00)
To: Izz Abdullah <izz.abdullah at wepanow.com>
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Tunnel stuck in QUICK_MODE active task


Hi,

> 03[ENC] generating QUICK_MODE request 1871762211 [ HASH SA No ID ID ]
> 03[NET] sending packet: from 10.201.50.70[4500] to W.X.Y.Z[4500] (172 bytes)

> 14[NET] received packet: from W.X.Y.Z[4500] to 10.201.50.70[4500] (76 bytes)
> 14[IKE] queueing TRANSACTION request as tasks still active

The strongSwan initiator creates a Quick Mode, but the PIX does not
expect that. Instead, it seems that it wants to do a Mode Config
exchange in Push Mode first. Mode Config TRANSACTION exchanges always
have to complete before you can create any Quick Modes, hence the
configurations have to match on both sides.

We have support for push mode starting with 5.1.1. If you want to use a
Mode Config exchange (i.e. assign a virtual IP to the initiator), you
may try to set:

  leftsourceip=%config
  modeconfig=push

If you don't need any Mode Config, you may try to disable that on the
PIX.

Regards
Martin
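The triage below is an added example written for this page, not strongSwan code and not something either poster ran. It scans the two artefacts quoted in this thread, the charon log excerpt and the `ipsec statusall` output, for the pattern Martin describes: the initiator generates a QUICK_MODE request, the PIX answers with a Mode Config TRANSACTION that charon queues behind the active task, and the IKE_SA then sits with a task pending. It also flags the legacy algorithms visible in the negotiated IKE proposal (3DES, MD5, MODP_1024), which the PIX dictates here but which a practitioner should at least be aware of. The function names, the algorithm list and the sample strings are this example's own assumptions; the sample strings are constructed from the lines quoted in the thread.

```python
"""Triage helper for an IKEv1 tunnel whose QUICK_MODE never runs.

Added example for this thread, not strongSwan's own code. It checks
charon log lines and `ipsec statusall` output for the Mode Config push
mismatch described in the thread and reports stuck IKE_SAs plus any
legacy algorithms in the IKE proposal. Names and lists are assumptions.
"""
import re

# Constructed sample input: the charon log excerpt quoted in this thread.
SAMPLE_LOG = """\
03[ENC] generating QUICK_MODE request 1871762211 [ HASH SA No ID ID ]
03[NET] sending packet: from 10.201.50.70[4500] to W.X.Y.Z[4500] (172 bytes)
14[NET] received packet: from W.X.Y.Z[4500] to 10.201.50.70[4500] (76 bytes)
14[IKE] queueing TRANSACTION request as tasks still active
"""

# Constructed sample input: the `ipsec statusall` excerpt from the thread.
SAMPLE_STATUS = """\
school-tunnel04[5]: ESTABLISHED 4 minutes ago, 10.201.50.70[wepa]...W.X.Y.Z[W.X.Y.Z]
school-tunnel04[5]: IKEv1 SPIs: c3bb079f944f4a7d_i* b92d2bd072d03430_r, pre-shared key reauthentication in 10 hours
school-tunnel04[5]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
school-tunnel04[5]: Tasks queued: QUICK_MODE
"""

QUICK_MODE_SENT = re.compile(r"\[ENC\] generating QUICK_MODE request \d+")
TRANSACTION_QUEUED = re.compile(r"\[IKE\] queueing TRANSACTION request as tasks still active")
TASKS_LINE = re.compile(r"^(?P<sa>\S+\[\d+\]): Tasks (?P<state>queued|active): (?P<tasks>.+)$")
PROPOSAL_LINE = re.compile(r"^(?P<sa>\S+\[\d+\]): IKE proposal: (?P<prop>\S+)$")

# Assumed list of legacy IKE algorithms worth flagging when a peer insists on them.
LEGACY_ALGS = {"DES_CBC", "3DES_CBC", "HMAC_MD5_96", "PRF_HMAC_MD5", "MODP_768", "MODP_1024"}


def modeconfig_mismatch(log_text):
    """True when charon sent a QUICK_MODE request and afterwards had to queue
    a TRANSACTION request from the peer: the peer wants Mode Config first."""
    sent = False
    for line in log_text.splitlines():
        if QUICK_MODE_SENT.search(line):
            sent = True
        elif sent and TRANSACTION_QUEUED.search(line):
            return True
    return False


def pending_tasks(status_text):
    """Map IKE_SA -> tasks shown as queued or active in `ipsec statusall`.
    A fully established IKEv1 SA with CHILD_SAs shows no such line."""
    pending = {}
    for line in status_text.splitlines():
        m = TASKS_LINE.match(line.strip())
        if m:
            pending.setdefault(m["sa"], []).extend(m["tasks"].split())
    return pending


def legacy_algorithms(status_text):
    """Map IKE_SA -> legacy algorithms found in its negotiated IKE proposal."""
    found = {}
    for line in status_text.splitlines():
        m = PROPOSAL_LINE.match(line.strip())
        if m:
            weak = [alg for alg in m["prop"].split("/") if alg in LEGACY_ALGS]
            if weak:
                found[m["sa"]] = weak
    return found


def diagnose(log_text, status_text):
    """Combine the checks into one report; suggest Martin's conn options when
    the push-mode mismatch or a pending QUICK_MODE is seen."""
    report = {
        "modeconfig_push_mismatch": modeconfig_mismatch(log_text),
        "pending_tasks": pending_tasks(status_text),
        "legacy_algorithms": legacy_algorithms(status_text),
        "suggested_conn_options": [],
    }
    stuck_quick_mode = any("QUICK_MODE" in tasks for tasks in report["pending_tasks"].values())
    if report["modeconfig_push_mismatch"] or stuck_quick_mode:
        # Needs strongSwan >= 5.1.1 for push mode, per the thread.
        report["suggested_conn_options"] = ["leftsourceip=%config", "modeconfig=push"]
    return report


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG, SAMPLE_STATUS).items():
        print(f"{key}: {value}")
```

Feed it `journalctl -u strongswan` (or the syslog file) and the output of `ipsec statusall` instead of the embedded samples; the ordering check in `modeconfig_mismatch` matters, because a TRANSACTION queued for some other reason after Quick Mode has already completed is not this failure.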




_______________________________________________
Users mailing list
Users at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users



