[strongSwan] Site-Site VPN issues with Cisco Devices

Tormod Macleod TMacleod at paywizard.com
Thu Aug 7 18:11:09 CEST 2014


Thanks Martin,
 
I downloaded 5.2.0 and patched it. I've moved on from that error but it's still not working. It looks like the linux box thinks the connection is up and I can see packets from it to the router but for some reason the router isn't responding. I'm stumped.
 
A0089-Mint1 sbin # ./ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.0, Linux 3.13.0-24-generic, x86_64):
  uptime: 12 minutes, since Aug 07 16:52:32 2014
  malloc: sbrk 1351680, mmap 0, used 253760, free 1097920
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic unity
Listening IP addresses:
  192.168.0.1
  10.1.0.1
Connections:
strongswan-router:  192.168.0.1...192.168.1.1  IKEv1
strongswan-router:   local:  [192.168.0.1] uses pre-shared key authentication
strongswan-router:   remote: [192.168.1.1] uses pre-shared key authentication
strongswan-router:   child:  10.1.0.0/24 === 10.2.0.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
strongswan-router[1]: ESTABLISHED 12 minutes ago, 192.168.0.1[192.168.0.1]...192.168.1.1[192.168.1.1]
strongswan-router[1]: IKEv1 SPIs: b554a84868aed5bd_i* 831939ece7b34833_r, pre-shared key reauthentication in 42 minutes
strongswan-router[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
strongswan-router{1}:  INSTALLED, TUNNEL, ESP SPIs: c77b0968_i 1deaf0e1_o
strongswan-router{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 10488 bytes_o (114 pkts, 412s ago), rekeying in 117 seconds
strongswan-router{1}:   10.1.0.0/24 === 10.2.0.0/24 
 
 
 
R2#debug crypto ipsec
Crypto IPSEC debugging is on
R2#
*Mar  1 02:03:29.535: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar  1 02:03:29.539: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
*Mar  1 02:03:29.543: IPSEC(key_engine_delete_sas): delete SA with spi 0xC1A5C3C1 proto 50 for 192.168.0.1
*Mar  1 02:03:29.543: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 192.168.1.1, sa_proto= 50,
    sa_spi= 0xDDC145(14532933),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2003
    sa_lifetime(k/sec)= (4591396/1200),
  (identity) local= 192.168.1.1, remote= 192.168.0.1,
    local_proxy= 10.2.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.1.0.0/255.255.255.0/0/0 (type=4)
*Mar  1 02:03:29.547: IPSEC(add_sa): have new SAs -- expire existing in 30 sec.,
  (sa) sa_dest= 192.168.0.1, sa_proto= 50,
    sa_spi= 0xC1A5C3C1(3248866241),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2004
    sa_lifetime(k/sec)= (4591396/1200),
  (identity) local= 192.168.1.1, remote= 192.168.0.1,
    local_proxy= 10.2.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.1.0.0/255.255.255.0/0/0 (type=4)
*Mar  1 02:03:29.547: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 192.168.0.1, sa_proto= 50,
    sa_spi= 0xC1A5C3C1(3248866241),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2004
    sa_lifetime(k/sec)= (4591396/1200),
  (identity) local= 192.168.1.1, remote= 192.168.0.1,
    local_proxy= 10.2.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.1.0.0/255.255.255.0/0/0 (type=4)
*Mar  1 02:03:29.547: IPSec: Flow_switching Deallocated flow for sibling 80000010
*Mar  1 02:03:29.567: IPSEC(key_engine): got a queue event with 1 kei messages
R2#
R2#
*Mar  1 02:03:32.811: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.0.1,
    local_proxy= 10.2.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.1.0.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x2
*Mar  1 02:03:32.823: Crypto mapdb : proxy_match
	    src addr     : 10.2.0.0
	    dst addr     : 10.1.0.0
	    protocol     : 0
	    src port     : 0
	    dst port     : 0
*Mar  1 02:03:32.831: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar  1 02:03:32.831: IPSEC(spi_response): getting spi 3215584645 for SA
	    from 192.168.1.1 to 192.168.0.1 for prot 3
*Mar  1 02:03:32.843: IPSEC(key_engine): got a queue event with 2 kei messages
*Mar  1 02:03:32.847: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 192.168.1.1, remote= 192.168.0.1,
    local_proxy= 10.2.0.0/255.255.255.0
R2#/0/0 (type=4),
    remote_proxy= 10.1.0.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
    lifedur= 1200s and 0kb,
    spi= 0xBFA9ED85(3215584645), conn_id= 0, keysize= 128, flags= 0x2
*Mar  1 02:03:32.851: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 192.168.1.1, remote= 192.168.0.1,
    local_proxy= 10.2.0.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.1.0.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
    lifedur= 1200s and 0kb,
    spi= 0xC20F459B(3255780763), conn_id= 0, keysize= 128, flags= 0xA
*Mar  1 02:03:32.851: Crypto mapdb : proxy_match
	    src addr     : 10.2.0.0
	    dst addr     : 10.1.0.0
	    protocol     : 0
	    src port     : 0
	    dst port     : 0
*Mar  1 02:03:32.851: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 192.168.0.1
*Mar  1 02:03:32.855: IPSec: Flow_switching Allocated flow for sibling 80000011
*Mar  1 02:03:32.855: IPSEC(policy_db_add_ident): src 10.2.0.0, dest 10.1.0.0, dest_port 0
 
*Mar  1 02:03:32.855: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.1.1, sa_proto= 50,
    sa_spi= 0xBFA9ED85(3215584645),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2004
    sa_lifetime(k/sec)= (4432709/1200)
*Mar  1 02:03:32.855: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.0.1, sa_proto= 50,
    sa_spi= 0xC20F459B(3255780763),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2003
    sa_lifetime(k/sec)= (4432709/1200)
*Mar  1 02:03:32.887: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar  1 02:03:32.891: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Mar  1 02:03:32.895: IPSEC(key_engine_enable_outbound): enable SA with spi 3255780763/50
R2#
Cheers,
 
 
Tormod

>>> Martin Willi <martin at strongswan.org> 07/08/2014 12:33 >>>
Hi,

> Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG] proposing traffic selectors for other:
> Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG]  10.2.0.0/24
> Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG] changing proposed traffic selectors for other:
> Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG]  0.0.0.0/0

The unity plugin widens the traffic selector as initiator, to later
dynamically reduce it to what has been negotiated with the Split-Include
Unity extension.

If the plugin is enabled, this is done on all connections where the
Unity Vendor ID has been received, which is likely with Cisco boxes.

I've recently pushed a patch [1] which disables that behavior if no
Split-Include attribute has been received on the connection. Please try
that patch, I think it should fix this issue.

Regards
Martin

[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=1a62fb0a
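The two dumps in this thread contain the facts a reader needs to localise a one-way tunnel: the strongSwan CHILD_SA shows `0 bytes_i` against `10488 bytes_o` (traffic leaves, nothing returns), and the Cisco `IPSEC(create_sa)` records name the SPIs the router installed in each direction. The script below is an added example, not code from the thread or from the strongSwan project; it parses copies of those lines (embedded as constructed samples taken from the output above) and reports the direction of traffic plus whether the SPIs both peers hold agree. It assumes the usual meaning of the fields: strongSwan's `_i` SPI is the one the router must use for packets to 192.168.0.1, which Cisco prints as the SA with `sa_dest= 192.168.0.1`, and the `_o` SPI is the router's SA with `sa_dest= 192.168.1.1`. The function names and the `local_addr` parameter are the example's own.

```python
import re
from typing import Dict, List

# Constructed sample: the CHILD_SA lines from the `ipsec statusall` output above.
STATUSALL_SAMPLE = """\
strongswan-router{1}:  INSTALLED, TUNNEL, ESP SPIs: c77b0968_i 1deaf0e1_o
strongswan-router{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 10488 bytes_o (114 pkts, 412s ago), rekeying in 117 seconds
strongswan-router{1}:   10.1.0.0/24 === 10.2.0.0/24
"""

# Constructed sample: the two IPSEC(create_sa) records from the Cisco debug above.
CISCO_SAMPLE = """\
*Mar  1 02:03:32.855: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.1.1, sa_proto= 50,
    sa_spi= 0xBFA9ED85(3215584645),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2004
    sa_lifetime(k/sec)= (4432709/1200)
*Mar  1 02:03:32.855: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.0.1, sa_proto= 50,
    sa_spi= 0xC20F459B(3255780763),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2003
    sa_lifetime(k/sec)= (4432709/1200)
"""

# Every CHILD_SA line starts with "<conn>{<id>}:"; the three line shapes follow.
CHILD_PREFIX = r"^(?P<name>[^{\s]+)\{(?P<id>\d+)\}:\s+"
SPI_LINE = re.compile(CHILD_PREFIX + r"INSTALLED, (?P<mode>\w+), ESP SPIs: "
                     r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o")
BYTES_LINE = re.compile(CHILD_PREFIX + r"(?P<algs>\S+), (?P<bytes_in>\d+) bytes_i"
                       r"(?: \([^)]*\))?, (?P<bytes_out>\d+) bytes_o")
TS_LINE = re.compile(CHILD_PREFIX + r"(?P<local_ts>\S+) === (?P<remote_ts>\S+)")


def parse_child_sas(text: str) -> Dict[str, dict]:
    """Collect each CHILD_SA from statusall output, keyed by 'conn{id}'."""
    sas: Dict[str, dict] = {}
    for line in text.splitlines():
        for rx in (SPI_LINE, BYTES_LINE, TS_LINE):
            m = rx.match(line)
            if not m:
                continue
            fields = m.groupdict()
            key = f"{fields.pop('name')}{{{fields.pop('id')}}}"
            for k in ("spi_in", "spi_out"):
                if k in fields:
                    fields[k] = int(fields[k], 16)   # SPIs are printed as bare hex
            for k in ("bytes_in", "bytes_out"):
                if k in fields:
                    fields[k] = int(fields[k])
            sas.setdefault(key, {}).update(fields)
            break
    return sas


def diagnose(sa: dict) -> str:
    """Classify a CHILD_SA by its byte counters: 'ok', 'one-way' or 'idle'."""
    if sa["bytes_out"] > 0 and sa["bytes_in"] == 0:
        return "one-way"   # we send, nothing ever comes back: the symptom in this thread
    if sa["bytes_in"] == 0 and sa["bytes_out"] == 0:
        return "idle"
    return "ok"


# Cisco "debug crypto ipsec" prints one event header, then indented detail lines.
EVENT_RE = re.compile(r"IPSEC\((?P<event>\w+)\):")
DEST_RE = re.compile(r"sa_dest= (?P<dest>[\d.]+), sa_proto= (?P<proto>\d+)")
SPI_RE = re.compile(r"sa_spi= 0x(?P<spi>[0-9A-Fa-f]+)")


def parse_cisco_sas(text: str) -> List[dict]:
    """Return the SAs the router reported via IPSEC(create_sa), as {dest, proto, spi}."""
    created: List[dict] = []
    current = None
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:                                   # new event: only create_sa records matter here
            current = {} if m["event"] == "create_sa" else None
            if current is not None:
                created.append(current)
            continue
        if current is None:
            continue
        m = DEST_RE.search(line)
        if m:
            current["dest"], current["proto"] = m["dest"], int(m["proto"])
        m = SPI_RE.search(line)
        if m:
            current["spi"] = int(m["spi"], 16)
    return created


def match_spis(sa: dict, cisco_sas: List[dict], local_addr: str) -> dict:
    """Cross-check SPIs (assumption: Cisco's sa_dest is the receiving endpoint).

    strongSwan's inbound SPI must be the router's SA whose sa_dest is us,
    and strongSwan's outbound SPI the router's SA whose sa_dest is the router."""
    to_us = {c["spi"] for c in cisco_sas if c.get("dest") == local_addr}
    to_peer = {c["spi"] for c in cisco_sas if c.get("dest") != local_addr}
    return {"inbound_matches": sa["spi_in"] in to_us,
            "outbound_matches": sa["spi_out"] in to_peer}


if __name__ == "__main__":
    child_sas = parse_child_sas(STATUSALL_SAMPLE)
    router_sas = parse_cisco_sas(CISCO_SAMPLE)
    for key, sa in child_sas.items():
        print(key, sa["local_ts"], "===", sa["remote_ts"], diagnose(sa),
              match_spis(sa, router_sas, "192.168.0.1"))
```

On the thread's own captures the SPI check reports no match in either direction, which by itself only says the two snapshots were taken at different moments (the CHILD_SA here rekeys every 20 minutes), so the cross-check is meaningful only on `statusall` and `debug crypto ipsec` output captured at the same time; the byte-counter check, by contrast, flags this SA as one-way from the strongSwan side alone.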


