[Openswan Users] IPSec tunnel not working (EVENT_CRYPTO_FAILED, INVALID_COOKIE)

Suraj Mundada surajmundada at gmail.com
Fri Apr 17 01:47:48 EDT 2015


Hi Afzal,

My VPS supports ipsec. I am already using ipsec tunnel successfully on
other VPS.

Regards,
Suraj

On Fri, Apr 17, 2015 at 9:57 AM, Afzal Khan <khan.afzal at gmail.com> wrote:

> Hi Suraj
>
> Please check if your VPS supports IPsec; most VPSs will not support it.
>
> Regards
> AK
>
> --
> Sent from my iPhone
>
> --
>
> On 17-Apr-2015, at 9:25 am, Suraj Mundada <surajmundada at gmail.com> wrote:
>
> Hi,
>
> I am trying to set up a IPSec tunnel between my VPS and partner network.
>
> My VPS is a CentOS 6 server with a static public IP 69.39.93.93. For
> partner network, I have a peer IP address and NAT address for actual
> server.
>
> I have configured my IPSec connection as follows:
>
> shell>yum install openswan lsof
>
> shell>vi /etc/sysctl.conf
>   (in the file) net.ipv4.ip_forward = 1
>
> shell>iptables -A INPUT -p udp --dport 500 -j ACCEPT
> shell>iptables -A INPUT -p tcp --dport 4500 -j ACCEPT
> shell>iptables -A INPUT -p udp --dport 4500 -j ACCEPT
>
> shell>iptables -t nat -A POSTROUTING -s 69.39.93.93/24 -j MASQUERADE
>
> shell>route add -host 103.225.112.7 gw 69.39.93.93
> shell>/sbin/service iptables save
> shell>service iptables restart
>
> shell>/etc/init.d/ipsec restart
>
> shell>ip route
> 103.225.112.27 via 69.39.93.93 dev eth0  scope link
> 69.39.92.0/23 dev eth0  proto kernel  scope link  src 69.39.93.93
> 69.39.0.0/16 dev eth0  scope link  metric 1002
> 69.39.0.0/16 dev eth1  scope link  metric 1003
> default via 69.39.92.1 dev eth0
>
> shell>service ipsec status
> IPsec running  - pluto pid: 8925
> pluto pid 8925
> No tunnels up
>
>
> shell>ipsec auto --status
> ## output truncated ##
> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,1,64}
> trans={0,1,3072} attrs={0,1,2048}
> 000
> 000 "prod_cibil_ipsec": 69.39.93.93/32===69.39.93.93
> <69.39.93.93>[+S=C]---104.245.38.1...103.225.112.4<103.225.112.4>[+S=C]===
> 103.225.112.27/32; prospective erouted; eroute owner: #0
> 000 "prod_cibil_ipsec":     myip=unset; hisip=unset;
> 000 "prod_cibil_ipsec":   ike_life: 3600s; ipsec_life: 28800s;
> rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes
> 000 "prod_cibil_ipsec":   policy:
> PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32;
> interface: eth0;
> 000 "prod_cibil_ipsec":   dpd: action:clear; delay:0; timeout:0;
> 000 "prod_cibil_ipsec":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "prod_cibil_ipsec":   IKE algorithms wanted:
> AES_CBC(7)_128-SHA1(2)_000-MODP1024(2)
> 000 "prod_cibil_ipsec":   IKE algorithms found:
>  AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
> 000 "prod_cibil_ipsec":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000;
> pfsgroup=MODP1024(2)
> 000 "prod_cibil_ipsec":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
> 000
> 000 #827: "prod_cibil_ipsec":500 STATE_MAIN_I2 (sent MI2, expecting MR2);
> EVENT_RETRANSMIT in 11s; nodpd; idle; import:admin initiate
> 000 #827: pending Phase 2 for "prod_cibil_ipsec" replacing #0
>
> When I checked ipsec log file, I see two things that I think are the
> issues:
> 1. inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #17
> 2. Notify Message Type: INVALID_COOKIE.
>
> Detailed logs and ipsec.conf are attached to the email.
>
> I went through the logs line by line but could not understand the root cause
> of the issue.
>
> Need help to identify and fix the issue.
>
> Suraj
>
> <dev-ipsec-log.txt>
>
> <ipsec.conf>
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
>
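The second symptom Suraj quotes, "Notify Message Type: INVALID_COOKIE", is IKEv1 notify type 4 from RFC 2408: the peer received an ISAKMP message whose initiator/responder cookie pair matches no ISAKMP SA it knows about. The decoder below is an added example, not code from the thread or from Openswan; it walks the ISAKMP header and any Notify payloads of a UDP/500 datagram so the complaint can be tied to the exact cookie pair, and it refuses truncated or inconsistently-sized input instead of guessing. The sample datagram is constructed inside the block (cookie values and the choice of DOI 1 / protocol ID 1 for the notify are assumptions for the sample; the field layout and type codes are from RFC 2408). Caveat: an unencrypted Informational message is unauthenticated, so an INVALID_COOKIE seen on the wire is a hint about the peer's state table, not proof of anything.

```python
"""Decode the ISAKMP (IKEv1) header and Notify payloads of a UDP/500 datagram.
Field layout and constants follow RFC 2408 (added example, not Openswan code)."""
import struct

# RFC 2408 section 3.14.1 error notify types (subset that matters in practice)
NOTIFY_TYPES = {
    1: "INVALID_PAYLOAD_TYPE", 2: "DOI_NOT_SUPPORTED", 3: "SITUATION_NOT_SUPPORTED",
    4: "INVALID_COOKIE", 5: "INVALID_MAJOR_VERSION", 6: "INVALID_MINOR_VERSION",
    7: "INVALID_EXCHANGE_TYPE", 8: "INVALID_FLAGS", 9: "INVALID_MESSAGE_ID",
    10: "INVALID_PROTOCOL_ID", 11: "INVALID_SPI", 12: "INVALID_TRANSFORM_ID",
    13: "ATTRIBUTES_NOT_SUPPORTED", 14: "NO_PROPOSAL_CHOSEN", 15: "BAD_PROPOSAL_SYNTAX",
    16: "PAYLOAD_MALFORMED", 17: "INVALID_KEY_INFORMATION", 18: "INVALID_ID_INFORMATION",
    24: "AUTHENTICATION_FAILED",
}
EXCHANGE_TYPES = {2: "Main Mode", 4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
PAYLOAD_NONE, PAYLOAD_NOTIFY = 0, 11
HDR = struct.Struct("!8s8sBBBBII")     # icookie, rcookie, next, version, exchange, flags, msgid, length
GENERIC = struct.Struct("!BBH")        # generic payload header: next payload, reserved, length
NOTIFY_FIXED = struct.Struct("!IBBH")  # DOI, protocol ID, SPI size, notify message type
FLAG_ENCRYPTION = 0x01


def parse_isakmp(datagram):
    """Return a dict with the header fields and a list of decoded Notify payloads.

    Raises ValueError on truncated or inconsistent lengths rather than
    reading past the data, which is what a lenient responder would do."""
    if len(datagram) < HDR.size:
        raise ValueError("datagram shorter than ISAKMP header")
    icookie, rcookie, nxt, version, xchg, flags, msgid, length = HDR.unpack_from(datagram)
    if length != len(datagram):
        raise ValueError("header length %d != datagram length %d" % (length, len(datagram)))
    msg = {
        "icookie": icookie.hex(), "rcookie": rcookie.hex(),
        "version": "%d.%d" % (version >> 4, version & 0x0F),
        "exchange": EXCHANGE_TYPES.get(xchg, "unknown(%d)" % xchg),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": msgid, "notifies": [],
    }
    if msg["encrypted"]:
        return msg  # payloads are ciphertext; only the header is readable
    off = HDR.size
    while nxt != PAYLOAD_NONE:
        if off + GENERIC.size > len(datagram):
            raise ValueError("payload header truncated at offset %d" % off)
        pnext, _reserved, plen = GENERIC.unpack_from(datagram, off)
        if plen < GENERIC.size or off + plen > len(datagram):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        body = datagram[off + GENERIC.size:off + plen]
        if nxt == PAYLOAD_NOTIFY:
            if len(body) < NOTIFY_FIXED.size:
                raise ValueError("notify payload truncated")
            doi, proto, spi_size, ntype = NOTIFY_FIXED.unpack_from(body)
            spi = body[NOTIFY_FIXED.size:NOTIFY_FIXED.size + spi_size]
            if len(spi) != spi_size:
                raise ValueError("notify SPI truncated")
            msg["notifies"].append({
                "type": NOTIFY_TYPES.get(ntype, "unknown(%d)" % ntype),
                "doi": doi, "protocol_id": proto, "spi": spi.hex(),
                "data": body[NOTIFY_FIXED.size + spi_size:].hex(),
            })
        nxt, off = pnext, off + plen
    return msg


def build_invalid_cookie(rejected_icookie, rejected_rcookie):
    """Constructed sample (assumption, not a capture): an unencrypted
    Informational exchange carrying one Notify INVALID_COOKIE whose SPI is
    the rejected cookie pair, i.e. what a peer with no matching ISAKMP SA sends."""
    spi = rejected_icookie + rejected_rcookie
    notify_body = NOTIFY_FIXED.pack(1, 1, len(spi), 4) + spi  # DOI=IPsec, proto=ISAKMP, type 4
    payload = GENERIC.pack(PAYLOAD_NONE, 0, GENERIC.size + len(notify_body)) + notify_body
    hdr = HDR.pack(rejected_icookie, rejected_rcookie, PAYLOAD_NOTIFY,
                   0x10, 5, 0, 0, HDR.size + len(payload))  # version 1.0, Informational
    return hdr + payload


if __name__ == "__main__":
    sample = build_invalid_cookie(bytes.fromhex("0011223344556677"),
                                  bytes.fromhex("8899aabbccddeeff"))
    decoded = parse_isakmp(sample)
    for n in decoded["notifies"]:
        print(decoded["exchange"], n["type"], "for cookies", n["spi"])
```

To use it on real traffic, feed `parse_isakmp` the UDP payload of each port-500 packet from a capture taken on the VPS during `ipsec auto --up`; a Notify whose SPI carries the cookies of the Main Mode exchange you are trying to complete tells you which side has dropped its half of the ISAKMP SA.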