<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>Rescued from the spam bucket. Please remember to subscribe to
the mailing list before posting to it.</p>
<div class="moz-forward-container"><br>
<br>
-------- Forwarded Message --------
<table class="moz-email-headers-table" border="0" cellpadding="0"
cellspacing="0">
<tbody>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">Subject:
</th>
<td>Re: [Openswan Users] Connection to Huawei VRP</td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">Date: </th>
<td>Thu, 03 Nov 2016 12:00:27 +0000</td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">From: </th>
<td>Daniel Cave <a class="moz-txt-link-rfc2396E" href="mailto:dan.cave@icloud.com"><dan.cave@icloud.com></a></td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">To: </th>
<td>Ian Barnes <a class="moz-txt-link-rfc2396E" href="mailto:ian.lidtech@gmail.com"><ian.lidtech@gmail.com></a></td>
</tr>
<tr>
<th align="RIGHT" nowrap="nowrap" valign="BASELINE">CC: </th>
<td>Samir Hussain <a class="moz-txt-link-rfc2396E" href="mailto:shussain@xelerance.com"><shussain@xelerance.com></a>, Openswan
List <a class="moz-txt-link-rfc2396E" href="mailto:users@lists.openswan.org"><users@lists.openswan.org></a></td>
</tr>
</tbody>
</table>
<br>
<br>
Hi Ian,
<div class=""><br class="">
</div>
<div class="">I spent quite a lot of time last year with getting
OpenSwan working with a Cisco VPN concentrator working based on
what initially appeared to be a straight forward Ipsec lan to
lan connection..</div>
<div class=""><br class="">
</div>
<div class="">Some of the things i’ve learned about IPSec and
network vendors is that inter-op is an issue as all vendors
treat some of the setups differently.</div>
<div class=""><br class="">
</div>
<div class="">Looking at the PasteBin logs I’ve seen a number of
Phase 1/IKE issues which i previously ran into.</div>
<div class=""><br class="">
</div>
<div class="">1. do your peer IP’s match ? - the logs mention
something in the IKE about the External IP existing or missing.</div>
<div class=""><br class="">
</div>
<div class="">
<ol class="text" style="color: rgb(172, 172, 172);
background-color: rgb(247, 247, 247); margin: 0px; padding:
0px 0px 0px 55px; font-family: Consolas, Menlo, Monaco,
'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono',
'Bitstream Vera Sans Mono', monospace, serif;
font-variant-ligatures: normal; orphans: 2; widows: 2;
background-position: initial initial; background-repeat:
initial initial;">
<li class="li1" style="user-select: none; background: rgb(255,
255, 255); margin: 0px 0px 0px -6px;">
<div class="de1" style="padding: 0px 8px; vertical-align:
top; color: rgb(51, 51, 51); border-left-width: 1px;
border-left-style: solid; border-left-color: rgb(221, 221,
221); margin: 0px 0px 0px -7px; position: relative;
background-position: initial initial; background-repeat:
initial initial;">Nov 2 2016 16:21:12.70.6 Huawei-Host
IKE/7/DEBUG:Slot=1/3,Vcpu=0; checking externalIP
&& 1...</div>
</li>
<li class="li1" style="user-select: none; background: rgb(255,
255, 255); margin: 0px 0px 0px -6px;">
<div class="de1" style="padding: 0px 8px; vertical-align:
top; color: rgb(51, 51, 51); border-left-width: 1px;
border-left-style: solid; border-left-color: rgb(221, 221,
221); margin: 0px 0px 0px -7px; position: relative;
background-position: initial initial; background-repeat:
initial initial;"><Huawei-Host>undo ter</div>
</li>
<li class="li1" style="user-select: none; background: rgb(255,
255, 255); margin: 0px 0px 0px -6px;">
<div class="de1" style="padding: 0px 8px; vertical-align:
top; color: rgb(51, 51, 51); border-left-width: 1px;
border-left-style: solid; border-left-color: rgb(221, 221,
221); margin: 0px 0px 0px -7px; position: relative;
background-position: initial initial; background-repeat:
initial initial;">Nov 2 2016 16:21:12.70.7 Huawei-Host
IKE/7/DEBUG:Slot=1/3,Vcpu=0;exchange establish phase1:
exchange for peer "externalIP" already exist</div>
</li>
<li class="li1" style="user-select: none; background: rgb(255,
255, 255); margin: 0px 0px 0px -6px;">
<div class="de1" style="padding: 0px 8px; vertical-align:
top; color: rgb(51, 51, 51); border-left-width: 1px;
border-left-style: solid; border-left-color: rgb(221, 221,
221); margin: 0px 0px 0px -7px; position: relative;
background-position: initial initial; background-repeat:
initial initial;"><Huawei-Host>undo ter</div>
</li>
<li class="li2" style="user-select: none; background: rgb(255,
255, 255); margin: 0px 0px 0px -6px;">
<div class="de2" style="padding: 0px 8px; vertical-align:
top; color: rgb(51, 51, 51); border-left-width: 1px;
border-left-style: solid; border-left-color: rgb(221, 221,
221); margin: 0px 0px 0px -7px; position: relative;
background-position: initial initial; background-repeat:
initial initial;">Nov 2 2016 16:21:12.70.8 Huawei-Host
IKE/7/DEBUG:Slot=1/3,Vcpu=0;release transport: transport
74b17430 had 1 references</div>
</li>
<li class="li1" style="user-select: none; background: rgb(255,
255, 255); margin: 0px 0px 0px -6px;">
<div class="de1" style="padding: 0px 8px; vertical-align:
top; color: rgb(51, 51, 51); border-left-width: 1px;
border-left-style: solid; border-left-color: rgb(221, 221,
221); margin: 0px 0px 0px -7px; position: relative;
background-position: initial initial; background-repeat:
initial initial;"><Huawei-Host>undo ter</div>
</li>
<li class="li1" style="user-select: none; background: rgb(255,
255, 255); margin: 0px 0px 0px -6px;">
<div class="de1" style="padding: 0px 8px; vertical-align:
top; color: rgb(51, 51, 51); border-left-width: 1px;
border-left-style: solid; border-left-color: rgb(221, 221,
221); margin: 0px 0px 0px -7px; position: relative;
background-position: initial initial; background-repeat:
initial initial;">Nov 2 2016 16:21:12.70.9 Huawei-Host
IKE/7/DEBUG:Slot=1/3,Vcpu=0;release transport:: freeing
74b17430</div>
</li>
<li class="li1" style="user-select: none; background: rgb(255,
255, 255); margin: 0px 0px 0px -6px;">
<div class="de1" style="padding: 0px 8px; vertical-align:
top; color: rgb(51, 51, 51); border-left-width: 1px;
border-left-style: solid; border-left-color: rgb(221, 221,
221); margin: 0px 0px 0px -7px; position: relative;
background-position: initial initial; background-repeat:
initial initial;"><Huawei-Host>undo termin</div>
</li>
<li class="li1" style="user-select: none; background: rgb(255,
255, 255); margin: 0px 0px 0px -6px;">
<div class="de1" style="padding: 0px 8px; vertical-align:
top; color: rgb(51, 51, 51); border-left-width: 1px;
border-left-style: solid; border-left-color: rgb(221, 221,
221); margin: 0px 0px 0px -7px; position: relative;
background-position: initial initial; background-repeat:
initial initial;"><Huawei-Host>undo terminal moni</div>
</li>
<li class="li2" style="user-select: none; background: rgb(255,
255, 255); margin: 0px 0px 0px -6px;">
<div class="de2" style="padding: 0px 8px; vertical-align:
top; color: rgb(51, 51, 51); border-left-width: 1px;
border-left-style: solid; border-left-color: rgb(221, 221,
221); margin: 0px 0px 0px -7px; position: relative;
background-position: initial initial; background-repeat:
initial initial;"><Huawei-Host>undo terminal monitor</div>
</li>
<li class="li1" style="user-select: none; background: rgb(255,
255, 255); margin: 0px 0px 0px -6px;">
<div class="de1" style="padding: 0px 8px; vertical-align:
top; color: rgb(51, 51, 51); border-left-width: 1px;
border-left-style: solid; border-left-color: rgb(221, 221,
221); margin: 0px 0px 0px -7px; position: relative;
background-position: initial initial; background-repeat:
initial initial;"><Huawei-Host>undo terminal monitor</div>
</li>
<li class="li1" style="user-select: none; background: rgb(255,
255, 255); margin: 0px 0px 0px -6px;">
<div class="de1" style="padding: 0px 8px; vertical-align:
top; color: rgb(51, 51, 51); border-left-width: 1px;
border-left-style: solid; border-left-color: rgb(221, 221,
221); margin: 0px 0px 0px -7px; position: relative;
background-position: initial initial; background-repeat:
initial initial;">Nov 2 2016 16:21:22.120.1 Huawei-Host
IKE/7/DEBUG:Slot=1/3,Vcpu=0;pf_key_v2_acquire: tos src
0xff dst 0xff</div>
</li>
<li class="li1" style="user-select: none; background: rgb(255,
255, 255); margin: 0px 0px 0px -6px;">
<div class="de1" style="padding: 0px 8px; vertical-align:
top; color: rgb(51, 51, 51); border-left-width: 1px;
border-left-style: solid; border-left-color: rgb(221, 221,
221); margin: 0px 0px 0px -7px; position: relative;
background-position: initial initial; background-repeat:
initial initial;"><Huawei-Host>undo terminal monitor</div>
</li>
<li class="li1" style="user-select: none; background: rgb(255,
255, 255); margin: 0px 0px 0px -6px;">
<div class="de1" style="padding: 0px 8px; vertical-align:
top; color: rgb(51, 51, 51); border-left-width: 1px;
border-left-style: solid; border-left-color: rgb(221, 221,
221); margin: 0px 0px 0px -7px; position: relative;
background-position: initial initial; background-repeat:
initial initial;">Nov 2 2016 16:21:22.120.2 Huawei-Host
IKE/7/DEBUG:Slot=1/3,Vcpu=0;Check connection: SA for
externalIP,localid-1-25 missing</div>
</li>
</ol>
<div style="orphans: 2; widows: 2;" class=""><font class=""
color="#acacac" face="Consolas, Menlo, Monaco, Lucida
Console, Liberation Mono, DejaVu Sans Mono, Bitstream Vera
Sans Mono, monospace, serif"><br class="">
</font></div>
</div>
<div style="orphans: 2; widows: 2;" class=""><br class="">
</div>
<div style="orphans: 2; widows: 2;" class="">2, are they using the
correct PSK with the correct IP Address which you’re presenting
via Openswan ? </div>
<div style="orphans: 2; widows: 2;" class="">3. I see from the
email you sent earlier that they’re looking to negotiate using
3des-sha1. </div>
<div style="orphans: 2; widows: 2;" class=""><br class="">
</div>
<div style="orphans: 2; widows: 2;" class="">if you do an ipsec
status on the box locally you’ll see all the cyphers and
transform sets/algo’s it supports, send them a copy of this in a
rationalised format in xls/ email. Just to be sure.. I noticed
that when i couldn’t get the cisco to talk to our Openswan box,
someone (on this forum) actually pointed out to me that the
racoon daemon should actually negotiate all the cyphers with my
peer from the most secure through to the least. however most
third party boxes won’t accept that and you have to specify it..
</div>
<div style="orphans: 2; widows: 2;" class=""><br class="">
</div>
<div style="orphans: 2; widows: 2;" class="">Have you tried just a
straight forward LeftID/ right ID / subnets -? </div>
<div style="orphans: 2; widows: 2;" class=""><br class="">
</div>
<div style="orphans: 2; widows: 2;" class="">I also noticed you
had rekeying turned off - i would comment that out. I’ve never
set that, unless your third party has explicitly told you to
turn it off.</div>
<div style="orphans: 2; widows: 2;" class=""><br class="">
</div>
<div style="orphans: 2; widows: 2;" class=""><br class="">
</div>
<div class="">It looks to me like there might be a
misconfiguration somewhere</div>
</div>
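<p>As an added illustration, not part of Daniel's reply and not Openswan or Huawei code: the two symptoms he points at in the VRP debug output ("exchange for peer ... already exist" during Phase 1, and "SA for ... missing" when traffic triggers an acquire) can be picked out mechanically and mapped onto his checklist (peer IPs, PSK, proposal). The script below parses VRP-style IKE debug records, skips the CLI echo lines, and returns one finding per matched symptom. The record regex, the symptom labels and the symptom-to-check mapping are my own assumptions; the sample log is constructed from the lines quoted in the message.</p>

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample, assembled from the Huawei VRP IKE debug lines quoted in
# the message above. The "<Huawei-Host>undo ..." lines are CLI echo, not records.
SAMPLE_LOG = """\
Nov 2 2016 16:21:12.70.6 Huawei-Host IKE/7/DEBUG:Slot=1/3,Vcpu=0; checking externalIP && 1...
<Huawei-Host>undo ter
Nov 2 2016 16:21:12.70.7 Huawei-Host IKE/7/DEBUG:Slot=1/3,Vcpu=0;exchange establish phase1: exchange for peer "externalIP" already exist
Nov 2 2016 16:21:12.70.8 Huawei-Host IKE/7/DEBUG:Slot=1/3,Vcpu=0;release transport: transport 74b17430 had 1 references
Nov 2 2016 16:21:12.70.9 Huawei-Host IKE/7/DEBUG:Slot=1/3,Vcpu=0;release transport:: freeing 74b17430
<Huawei-Host>undo terminal monitor
Nov 2 2016 16:21:22.120.1 Huawei-Host IKE/7/DEBUG:Slot=1/3,Vcpu=0;pf_key_v2_acquire: tos src 0xff dst 0xff
Nov 2 2016 16:21:22.120.2 Huawei-Host IKE/7/DEBUG:Slot=1/3,Vcpu=0;Check connection: SA for externalIP,localid-1-25 missing
"""

# Assumed record layout: "<timestamp> <host> <module>/<severity>/<mnemonic>:<context>;<message>"
RECORD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d\d:\d\d:\d\d(?:\.\d+)*) "
    r"(?P<host>\S+) (?P<module>[A-Z0-9]+)/(?P<severity>\d)/(?P<mnemonic>\w+):"
    r"(?P<context>[^;]*);\s*(?P<msg>.*)$"
)


@dataclass
class Record:
    ts: str
    host: str
    module: str
    severity: int
    context: str
    msg: str


@dataclass
class Finding:
    ts: str
    symptom: str
    peer: str
    check: str


# Symptom patterns (my labels) tied to the items in the reply's checklist.
RULES = [
    (re.compile(r'exchange for peer "(?P<peer>[^"]+)" already exist'),
     "phase1_duplicate_exchange",
     "A Phase 1 exchange to this peer is already in progress and never completes: "
     "confirm the peer IP / leftid / rightid on both ends match (item 1)."),
    (re.compile(r"SA for (?P<peer>[^,]+),\S+ missing"),
     "no_sa_for_peer",
     "Traffic matched the policy but no SA exists, so Phase 1/2 never succeeded: "
     "verify the PSK for this peer IP and the proposal, e.g. 3des-sha1 (items 2 and 3)."),
]


def parse_records(log_text: str) -> list[Record]:
    """Parse VRP debug lines; CLI echo such as '<Huawei-Host>undo ter' does not match and is dropped."""
    records = []
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            records.append(Record(m["ts"], m["host"], m["module"], int(m["severity"]),
                                  m["context"], m["msg"]))
    return records


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per IKE record whose message matches a known Phase 1/2 symptom."""
    findings = []
    for rec in parse_records(log_text):
        if rec.module != "IKE":
            continue
        for pattern, symptom, check in RULES:
            m = pattern.search(rec.msg)
            if m:
                findings.append(Finding(rec.ts, symptom, m["peer"], check))
    return findings


def peers_with_symptoms(findings: list[Finding]) -> dict[str, set[str]]:
    """Group symptoms by peer so a single misconfigured peer is reported once with all its symptoms."""
    by_peer: dict[str, set[str]] = {}
    for f in findings:
        by_peer.setdefault(f.peer, set()).add(f.symptom)
    return by_peer


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts} peer={f.peer} {f.symptom}: {f.check}")
```

<p>Run against the sample, it reports both symptoms for the single peer "externalIP", which is exactly the case where the reply's first three checks (peer addresses, PSK, proposal) are the place to start; the duplicate-exchange line by itself points at the peer-address check, while the missing-SA line after the acquire shows that no tunnel was ever built.</p>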
</body>
</html>