[Openswan Users] IPSec tunnel not working (EVENT_CRYPTO_FAILED, INVALID_COOKIE)

MichaelLeung gbcbooksmj at gmail.com
Fri Apr 17 00:47:28 EDT 2015


Hi Suraj

you are using road-warrior mode,
so here are my suggestions and questions.
1. Uncomment your leftsubnet.
2. Specify the packet type which will be encrypted by ipsec, for example:
leftprotoport=ip or leftprotoport=17/1701, and don't forget your right side.
3. Why do you need that NAT function?

Michael

On 04/17/2015 11:55 AM, Suraj Mundada wrote:
> Hi,
>
> I am trying to set up an IPSec tunnel between my VPS and partner network.
>
> My VPS is a CentOS 6 server with a static public IP 69.39.93.93. For 
> partner network, I have a peer IP address and NAT address for actual 
> server.
>
> I have configured my IPSec connection as follows:
>
> shell>yum install openswan lsof
>
> shell>vi /etc/sysctl.conf
> shell>set net.ipv4.ip_forward = 1
>
> shell>iptables -A INPUT -p udp --dport 500 -j ACCEPT
> shell>iptables -A INPUT -p tcp --dport 4500 -j ACCEPT
> shell>iptables -A INPUT -p udp --dport 4500 -j ACCEPT
>
> shell>iptables -t nat -A POSTROUTING -s 69.39.93.93/24 -j MASQUERADE
>
> shell>route add -host 103.225.112.7 gw 69.39.93.93
> shell>/sbin/service iptables save
> shell>service iptables restart
>
> shell>/etc/init.d/ipsec restart
>
> shell>ip route
> 103.225.112.27 via 69.39.93.93 dev eth0  scope link
> 69.39.92.0/23 dev eth0  proto kernel  scope link  src 69.39.93.93
> 69.39.0.0/16 dev eth0  scope link  metric 1002
> 69.39.0.0/16 dev eth1  scope link  metric 1003
> default via 69.39.92.1 dev eth0
>
> shell>service ipsec status
> IPsec running  - pluto pid: 8925
> pluto pid 8925
> No tunnels up
>
>
> shell>ipsec auto --status
> ## output truncated ##
> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,1,64} trans={0,1,3072} attrs={0,1,2048}
> 000
> 000 "prod_cibil_ipsec": 69.39.93.93/32===69.39.93.93<69.39.93.93>[+S=C]---104.245.38.1...103.225.112.4<103.225.112.4>[+S=C]===103.225.112.27/32; prospective erouted; eroute owner: #0
> 000 "prod_cibil_ipsec":     myip=unset; hisip=unset;
> 000 "prod_cibil_ipsec":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes
> 000 "prod_cibil_ipsec":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
> 000 "prod_cibil_ipsec":   dpd: action:clear; delay:0; timeout:0;
> 000 "prod_cibil_ipsec":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "prod_cibil_ipsec":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1024(2)
> 000 "prod_cibil_ipsec":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
> 000 "prod_cibil_ipsec":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000; pfsgroup=MODP1024(2)
> 000 "prod_cibil_ipsec":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
> 000
> 000 #827: "prod_cibil_ipsec":500 STATE_MAIN_I2 (sent MI2, expecting MR2); EVENT_RETRANSMIT in 11s; nodpd; idle; import:admin initiate
> 000 #827: pending Phase 2 for "prod_cibil_ipsec" replacing #0
>
> When I checked ipsec log file, I see two things that I think are the 
> issues:
> 1. inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #17
> 2. Notify Message Type: INVALID_COOKIE.
>
> Detailed logs and ipsec.conf are attached to the email.
>
> I went through the logs line by line but could not understand the root cause 
> of the issue.
>
> Need help to identify and fix the issue.
>
> Suraj
>
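The `ipsec auto --status` output Suraj quotes can be triaged automatically. This is an added Python example, not code from the thread or from Openswan; it parses that output format and flags the conditions discussed above (no Phase 1 SA, an initiator stuck in Main Mode, a host-only leftsubnet) plus the 1024-bit DH group in the proposal:

```python
import re
# Constructed sample: the `ipsec auto --status` lines quoted above, mail wraps joined.
STATUS = """\
000 "prod_cibil_ipsec": 69.39.93.93/32===69.39.93.93<69.39.93.93>[+S=C]---104.245.38.1...103.225.112.4<103.225.112.4>[+S=C]===103.225.112.27/32; prospective erouted; eroute owner: #0
000 "prod_cibil_ipsec":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "prod_cibil_ipsec":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "prod_cibil_ipsec":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1024(2)
000 #827: "prod_cibil_ipsec":500 STATE_MAIN_I2 (sent MI2, expecting MR2); EVENT_RETRANSMIT in 11s; nodpd; idle; import:admin initiate
"""
CONN_RE = re.compile(r'^000 "([^"]+)":\s+(.*)$')                  # per-connection detail line
STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)":\d+ (STATE_\w+)')  # live IKE state line

def parse_status(text):
    # Collect, per connection name, the fields needed to triage a tunnel.
    conns = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            serial, name, state = m.groups()
            conns.setdefault(name, {"states": []})["states"].append((int(serial), state))
            continue
        m = CONN_RE.match(line)
        if not m:
            continue
        name, body = m.groups()
        c = conns.setdefault(name, {"states": []})
        if "===" in body:  # topology line: leftsubnet===left...right===rightsubnet; ...
            parts = body.split("===")
            c["leftsubnet"], c["rightsubnet"] = parts[0], parts[-1].split(";")[0]
        sa = re.search(r"newest ISAKMP SA: #(\d+); newest IPsec SA: #(\d+)", body)
        if sa: c["isakmp_sa"], c["ipsec_sa"] = int(sa.group(1)), int(sa.group(2))
        ike = re.search(r"IKE algorithms wanted: (\S+)", body)
        if ike: c["ike"] = ike.group(1)
        pol = re.search(r"policy: (\S+);", body)
        if pol: c["policy"] = pol.group(1).split("+")
    return conns

def diagnose(conn):
    # Return (code, explanation) findings; codes are stable so they can drive alerting.
    findings = []
    no_phase1 = conn.get("isakmp_sa", 0) == 0
    if no_phase1:
        findings.append(("no_phase1", "no ISAKMP SA: IKE Phase 1 never completed"))
    main_mode = [s for _, s in conn["states"] if s.startswith("STATE_MAIN_I")]
    if no_phase1 and main_mode:
        findings.append(("main_mode_stuck", f"initiator retransmitting at {main_mode[-1]}: peer has not answered; check reachability, pre-shared key and IKE proposal on both sides"))
    if conn.get("leftsubnet", "").endswith("/32"):
        findings.append(("host_only_leftsubnet", "leftsubnet is one host: set it if hosts behind the gateway use the tunnel"))
    if "MODP1024" in conn.get("ike", ""):
        findings.append(("weak_dh", "IKE uses 1024-bit MODP; prefer modp2048 or larger if the peer supports it"))
    return findings
```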
