[strongSwan] strongswan <-> juniper tunnel
Axel Zöllich
a.zoellich at kirsch.zoellich.de
Tue Oct 22 23:18:50 CEST 2013
I've got a problem with one of several ipsec tunnels. The others are running
stable and inconspicuously.
strongswan 5.1.0-2
SMP Debian 3.2.46-1+deb7u1 x86_64 GNU/Linux
conn %default
        ikelifetime=120m
        keylife=100m
        rekeymargin=3m
        keyingtries=%forever
        keyexchange=ikev1
        authby=secret
        dpdaction=restart

conn dorn
        ikelifetime=28800
        keylife=3600
        esp=3des-sha1-modp1024
        ikp=3des-sha1-modp1024
        left=aaa.bbb.162.192
        leftsubnet=192.168.222.0/24
        leftid=ccc.ddd.70.155
        leftfirewall=no
        right=ccc.ddd.70.155
        rightsubnet=192.168.170.0/24
        rightid=ccc.ddd.70.155
        compress=no
        auto=start
root@router-pikt-1:~# ipsec statusall | grep dorn
dorn: aaa.bbb.162.192...ccc.ddd.70.155 IKEv1, dpddelay=30s
dorn: local: [ccc.ddd.70.155] uses pre-shared key authentication
dorn: remote: [ccc.ddd.70.155] uses pre-shared key authentication
dorn: child: 192.168.222.0/24 === 192.168.170.0/24 TUNNEL, dpdaction=restart
dorn[49]: CONNECTING, aaa.bbb.162.192[%any]...ccc.ddd.70.155[%any]
dorn[49]: IKEv1 SPIs: 56567bbc062d373f_i* 0000000000000000_r
dorn[49]: Tasks queued: QUICK_MODE
dorn[49]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
dorn[47]: CONNECTING, aaa.bbb.162.192[%any]...ccc.ddd.70.155[%any]
dorn[47]: IKEv1 SPIs: aeae021b489ddcf2_i* 0000000000000000_r
dorn[47]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
dorn[45]: CONNECTING, aaa.bbb.162.192[%any]...ccc.ddd.70.155[%any]
dorn[45]: IKEv1 SPIs: 0c2a8a1a87fbf6d2_i* 0000000000000000_r
dorn[45]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
dorn[43]: CONNECTING, aaa.bbb.162.192[%any]...ccc.ddd.70.155[%any]
dorn[43]: IKEv1 SPIs: d598da1824b7d113_i* 0000000000000000_r
dorn[43]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
dorn[41]: CONNECTING, aaa.bbb.162.192[%any]...ccc.ddd.70.155[%any]
dorn[41]: IKEv1 SPIs: 3e13afc809b37d05_i* 0000000000000000_r
dorn[41]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
dorn[39]: CONNECTING, aaa.bbb.162.192[%any]...ccc.ddd.70.155[%any]
dorn[39]: IKEv1 SPIs: 5d23a9f2079be215_i* 0000000000000000_r
dorn[39]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
dorn[37]: CONNECTING, aaa.bbb.162.192[%any]...ccc.ddd.70.155[%any]
dorn[37]: IKEv1 SPIs: a9b68224e4174283_i* 0000000000000000_r
dorn[37]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
dorn[35]: CONNECTING, aaa.bbb.162.192[%any]...ccc.ddd.70.155[%any]
dorn[35]: IKEv1 SPIs: f49ea3fc64414b94_i* 0000000000000000_r
dorn[35]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
dorn[18]: ESTABLISHED 6 hours ago, aaa.bbb.162.192[ccc.ddd.70.155]...ccc.ddd.70.155[ccc.ddd.70.155]
dorn[18]: IKEv1 SPIs: 9e109d13e60e3317_i 73d0a9b23f2dc627_r*, pre-shared key reauthentication in 109 minutes
dorn[18]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
The tunnel isn't reaching the INSTALLED state but ipsec opens up more and more
CONNECTING instances.
Where should I look for this?
In charon log (ike=2) this looks like this:
Oct 22 23:11:54 06[IKE] initiating Main Mode IKE_SA dorn[35] to ccc.ddd.70.155
Oct 22 23:11:54 08[IKE] initiating Main Mode IKE_SA dorn[45] to ccc.ddd.70.155
Oct 22 23:11:54 06[IKE] IKE_SA dorn[35] state change: CREATED => CONNECTING
Oct 22 23:11:54 13[IKE] initiating Main Mode IKE_SA dorn[37] to ccc.ddd.70.155
Oct 22 23:11:54 13[IKE] IKE_SA dorn[37] state change: CREATED => CONNECTING
Oct 22 23:11:54 08[IKE] IKE_SA dorn[45] state change: CREATED => CONNECTING
Oct 22 23:11:54 07[IKE] initiating Main Mode IKE_SA dorn[43] to ccc.ddd.70.155
Oct 22 23:11:54 07[IKE] IKE_SA dorn[43] state change: CREATED => CONNECTING
Oct 22 23:14:39 05[IKE] IKE_SA dorn[47] state change: CONNECTING => CREATED
Oct 22 23:14:39 09[IKE] IKE_SA dorn[41] state change: CONNECTING => CREATED
Oct 22 23:14:39 12[IKE] IKE_SA dorn[39] state change: CONNECTING => CREATED
Oct 22 23:14:39 15[IKE] IKE_SA dorn[49] state change: CONNECTING => CREATED
Oct 22 23:14:39 12[IKE] initiating Main Mode IKE_SA dorn[39] to ccc.ddd.70.155
Oct 22 23:14:39 12[IKE] IKE_SA dorn[39] state change: CREATED => CONNECTING
Oct 22 23:14:39 09[IKE] initiating Main Mode IKE_SA dorn[41] to ccc.ddd.70.155
Oct 22 23:14:39 09[IKE] IKE_SA dorn[41] state change: CREATED => CONNECTING
Oct 22 23:14:39 05[IKE] initiating Main Mode IKE_SA dorn[47] to ccc.ddd.70.155
Oct 22 23:14:39 05[IKE] IKE_SA dorn[47] state change: CREATED => CONNECTING
Oct 22 23:14:39 15[IKE] initiating Main Mode IKE_SA dorn[49] to ccc.ddd.70.155
Oct 22 23:14:39 15[IKE] IKE_SA dorn[49] state change: CREATED => CONNECTING
Oct 22 23:14:39 04[IKE] IKE_SA dorn[35] state change: CONNECTING => CREATED
Oct 22 23:14:39 08[IKE] IKE_SA dorn[45] state change: CONNECTING => CREATED
Oct 22 23:14:39 11[IKE] IKE_SA dorn[37] state change: CONNECTING => CREATED
Oct 22 23:14:39 10[IKE] IKE_SA dorn[43] state change: CONNECTING => CREATED
Oct 22 23:14:39 11[IKE] initiating Main Mode IKE_SA dorn[37] to ccc.ddd.70.155
Oct 22 23:14:39 11[IKE] IKE_SA dorn[37] state change: CREATED => CONNECTING
Oct 22 23:14:39 10[IKE] initiating Main Mode IKE_SA dorn[43] to ccc.ddd.70.155
Oct 22 23:14:39 10[IKE] IKE_SA dorn[43] state change: CREATED => CONNECTING
Oct 22 23:14:39 04[IKE] initiating Main Mode IKE_SA dorn[35] to ccc.ddd.70.155
Oct 22 23:14:39 04[IKE] IKE_SA dorn[35] state change: CREATED => CONNECTING
Oct 22 23:14:39 08[IKE] initiating Main Mode IKE_SA dorn[45] to ccc.ddd.70.155
Oct 22 23:14:39 08[IKE] IKE_SA dorn[45] state change: CREATED => CONNECTING
Axel
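
One way to read the charon excerpt above, as an added example that is not part of the original post: it measures how long each IKE_SA sits in CONNECTING before falling back to CREATED and compares that with the time charon waits before abandoning an unanswered request. The function names are hypothetical, and the retransmission values (4 s timeout, base 1.8, 5 tries) are strongSwan's documented defaults, assumed unchanged on this host.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the charon state-change lines quoted in the post.
SAMPLE_LOG = """\
Oct 22 23:11:54 06[IKE] IKE_SA dorn[35] state change: CREATED => CONNECTING
Oct 22 23:11:54 13[IKE] IKE_SA dorn[37] state change: CREATED => CONNECTING
Oct 22 23:14:39 04[IKE] IKE_SA dorn[35] state change: CONNECTING => CREATED
Oct 22 23:14:39 11[IKE] IKE_SA dorn[37] state change: CONNECTING => CREATED
Oct 22 23:14:39 11[IKE] IKE_SA dorn[37] state change: CREATED => CONNECTING
Oct 22 23:14:39 04[IKE] IKE_SA dorn[35] state change: CREATED => CONNECTING
"""

# timestamp, thread[IKE], connection name, IKE_SA id, old state, new state
STATE_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \d+\[IKE\] IKE_SA (\S+)\[(\d+)\] "
    r"state change: (\w+) => (\w+)$")

def give_up_after(timeout=4.0, base=1.8, tries=5):
    """Seconds until an unanswered request is abandoned (assumed default settings)."""
    return sum(timeout * base ** n for n in range(tries + 1))

def failed_attempts(log_text, year=2013):
    """Map (conn, sa_id) to the duration of each CONNECTING attempt that fell back."""
    started, result = {}, defaultdict(list)
    for line in log_text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        key, old, new = (m.group(2), int(m.group(3))), m.group(4), m.group(5)
        if new == "CONNECTING":
            started[key] = ts
        elif old == "CONNECTING" and new == "CREATED" and key in started:
            result[key].append((ts - started.pop(key)).total_seconds())
        elif new == "ESTABLISHED":
            started.pop(key, None)  # attempt succeeded, nothing to report
    return dict(result)

def stuck_sas(log_text, tolerance=2.0):
    """SAs whose every failed attempt lasted one full retransmission cycle."""
    limit = give_up_after()
    return sorted(k for k, d in failed_attempts(log_text).items()
                  if all(abs(s - limit) <= tolerance for s in d))

if __name__ == "__main__":
    for conn, sa in stuck_sas(SAMPLE_LOG):
        print(f"{conn}[{sa}]: no reply before retransmit give-up")
```

On the sample lines each attempt lasts 165 s, which matches the default give-up time, so the initiator is exhausting its retransmissions without an answer and `keyingtries=%forever` starts the next attempt; the all-zero responder SPIs in the `statusall` output are consistent with that.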