[Openswan Users] IPSec tunnel not working (EVENT_CRYPTO_FAILED, INVALID_COOKIE)

Suraj Mundada surajmundada at gmail.com
Fri Apr 17 01:57:33 EDT 2015


Hi Michael,

1. leftsubnet is already uncommented in ipsec.conf. Do you mean I should
comment it out?

2. I am not sure how I should specify the packet type. Can you please give
specific instructions?

3. My partner's network has many servers. These servers are behind a gateway
or router. The partner has given me an IP address, 103.225.112.4, for the
gateway (they call it the peer address) and also the IP address of the server,
103.225.112.27, which I want to connect to. For this, I believe I need to
use NAT. Please correct me if I am wrong.

Regards,
Suraj

On Fri, Apr 17, 2015 at 10:17 AM, MichaelLeung <gbcbooksmj at gmail.com> wrote:

> Hi Suraj,
>
> You are using road-warrior mode,
> so here are my suggestions and questions.
> 1. Uncomment your leftsubnet.
> 2. Specify the packet type which will be encrypted by ipsec, for example:
> leftprotoport=ip or leftprotoport=17/1701, and don't forget your right side.
> 3. Why do you need that NAT function?
>
> Michael
>
>
> On 04/17/2015 11:55 AM, Suraj Mundada wrote:
>
> Hi,
>
> I am trying to set up an IPSec tunnel between my VPS and a partner network.
>
> My VPS is a CentOS 6 server with a static public IP, 69.39.93.93. For the
> partner network, I have a peer IP address and a NAT address for the actual
> server.
>
> I have configured my IPSec connection as follows:
>
>  shell>yum install openswan lsof
>
>  shell>vi /etc/sysctl.conf
> shell>set net.ipv4.ip_forward = 1
>
>  shell>iptables -A INPUT -p udp --dport 500 -j ACCEPT
> shell>iptables -A INPUT -p tcp --dport 4500 -j ACCEPT
> shell>iptables -A INPUT -p udp --dport 4500 -j ACCEPT
>
>  shell>iptables -t nat -A POSTROUTING -s 69.39.93.93/24 -j MASQUERADE
>
>  shell>route add -host 103.225.112.7 gw 69.39.93.93
> shell>/sbin/service iptables save
> shell>service iptables restart
>
>  shell>/etc/init.d/ipsec restart
>
>  shell>ip route
> 103.225.112.27 via 69.39.93.93 dev eth0  scope link
> 69.39.92.0/23 dev eth0  proto kernel  scope link  src 69.39.93.93
> 69.39.0.0/16 dev eth0  scope link  metric 1002
> 69.39.0.0/16 dev eth1  scope link  metric 1003
> default via 69.39.92.1 dev eth0
>
>  shell>service ipsec status
> IPsec running  - pluto pid: 8925
> pluto pid 8925
> No tunnels up
>
>
> shell>ipsec auto --status
> ## output truncated ##
> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,1,64} trans={0,1,3072} attrs={0,1,2048}
> 000
> 000 "prod_cibil_ipsec": 69.39.93.93/32===69.39.93.93<69.39.93.93>[+S=C]---104.245.38.1...103.225.112.4<103.225.112.4>[+S=C]===103.225.112.27/32; prospective erouted; eroute owner: #0
> 000 "prod_cibil_ipsec":     myip=unset; hisip=unset;
> 000 "prod_cibil_ipsec":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes
> 000 "prod_cibil_ipsec":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
> 000 "prod_cibil_ipsec":   dpd: action:clear; delay:0; timeout:0;
> 000 "prod_cibil_ipsec":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "prod_cibil_ipsec":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1024(2)
> 000 "prod_cibil_ipsec":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
> 000 "prod_cibil_ipsec":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000; pfsgroup=MODP1024(2)
> 000 "prod_cibil_ipsec":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
> 000
> 000 #827: "prod_cibil_ipsec":500 STATE_MAIN_I2 (sent MI2, expecting MR2); EVENT_RETRANSMIT in 11s; nodpd; idle; import:admin initiate
> 000 #827: pending Phase 2 for "prod_cibil_ipsec" replacing #0
>
> When I checked the ipsec log file, I saw two things that I think are the
> issues:
> 1. inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #17
> 2. Notify Message Type: INVALID_COOKIE.
>
> Detailed logs and ipsec.conf are attached to the email.
>
> I went through the logs line by line but could not understand the root cause
> of the issue.
>
> I need help to identify and fix the issue.
>
>  Suraj
>
>
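One way to read the `ipsec auto --status` block quoted above without going line by line is to parse it into the few fields that say how far negotiation got: the topology line, the policy, the "newest ISAKMP SA / newest IPsec SA" counters, and the per-state lines. The script below is an added example written for this thread; it is not code from Openswan or from either poster. Its sample input is the quoted status output with the mail wrapping undone, and its regular expressions are assumptions about pluto's status format derived from those lines only.

```python
"""Summarise 'ipsec auto --status' output to see which IKE phase never finished.

Added example for this thread, not Openswan code.  The regexes below are
assumptions about pluto's status format based only on the quoted output.
"""
import re
from dataclasses import dataclass, field

# Constructed from the thread's quoted output (wrapped lines re-joined).
SAMPLE_STATUS = """\
000 "prod_cibil_ipsec": 69.39.93.93/32===69.39.93.93<69.39.93.93>[+S=C]---104.245.38.1...103.225.112.4<103.225.112.4>[+S=C]===103.225.112.27/32; prospective erouted; eroute owner: #0
000 "prod_cibil_ipsec":     myip=unset; hisip=unset;
000 "prod_cibil_ipsec":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "prod_cibil_ipsec":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 #827: "prod_cibil_ipsec":500 STATE_MAIN_I2 (sent MI2, expecting MR2); EVENT_RETRANSMIT in 11s; nodpd; idle; import:admin initiate
000 #827: pending Phase 2 for "prod_cibil_ipsec" replacing #0
"""

# Topology line: leftsubnet===left<left>---nexthop...right<right>===rightsubnet;
CONN_RE = re.compile(
    r'^000 "(?P<name>[^"]+)": (?P<lsub>[^=\s]+)===(?P<left>[^<]+)<[^>]*>\S*'
    r'---(?P<nexthop>\S+?)\.\.\.(?P<right>[^<]+)<[^>]*>\S*===(?P<rsub>[^;]+);')
POLICY_RE = re.compile(r'^000 "(?P<name>[^"]+)":\s+policy: (?P<policy>\S+);')
NEWEST_RE = re.compile(r'^000 "(?P<name>[^"]+)":\s+newest ISAKMP SA: #(?P<isakmp>\d+); '
                       r'newest IPsec SA: #(?P<ipsec>\d+);')
STATE_RE = re.compile(r'^000 #(?P<sa>\d+): "(?P<name>[^"]+)":\d+ (?P<state>STATE_\w+) '
                      r'\((?P<detail>[^)]*)\);(?P<rest>.*)$')
PENDING_RE = re.compile(r'^000 #(?P<sa>\d+): pending Phase 2 for "(?P<name>[^"]+)"')


@dataclass
class ConnStatus:
    name: str
    left: str = ""
    left_subnet: str = ""
    nexthop: str = ""
    right: str = ""
    right_subnet: str = ""
    policy: list = field(default_factory=list)
    newest_isakmp: int = 0      # #0 means no Phase 1 (ISAKMP) SA exists
    newest_ipsec: int = 0       # #0 means no Phase 2 (IPsec) SA exists
    states: list = field(default_factory=list)   # (sa, state, detail, rest)
    pending_phase2: list = field(default_factory=list)


def parse_status(text):
    """Return {conn name: ConnStatus} for every connection in the output."""
    conns = {}

    def conn(name):
        return conns.setdefault(name, ConnStatus(name))

    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            c = conn(m['name'])
            c.left_subnet, c.left, c.nexthop = m['lsub'], m['left'], m['nexthop']
            c.right, c.right_subnet = m['right'], m['rsub']
            continue
        m = POLICY_RE.match(line)
        if m:
            conn(m['name']).policy = m['policy'].split('+')
            continue
        m = NEWEST_RE.match(line)
        if m:
            c = conn(m['name'])
            c.newest_isakmp, c.newest_ipsec = int(m['isakmp']), int(m['ipsec'])
            continue
        m = STATE_RE.match(line)
        if m:
            conn(m['name']).states.append(
                (int(m['sa']), m['state'], m['detail'], m['rest'].strip()))
            continue
        m = PENDING_RE.match(line)
        if m:
            conn(m['name']).pending_phase2.append(int(m['sa']))
    return conns


def diagnose(c):
    """Explain, from the parsed status alone, which IKE phase has not finished."""
    findings = []
    if c.newest_isakmp == 0:
        findings.append("Phase 1 (ISAKMP SA) has never completed")
        for sa, state, detail, rest in c.states:
            # Initiator states: we sent a message and are waiting on the peer.
            if state.startswith(("STATE_MAIN_I", "STATE_AGGR_I")):
                findings.append(f"#{sa} is stuck in {state} ({detail}); "
                                f"no usable reply from peer {c.right}")
                if "EVENT_RETRANSMIT" in rest:
                    findings.append(f"#{sa} keeps retransmitting, so the peer's "
                                    "reply is missing or dropped in transit")
    if c.newest_ipsec == 0:
        msg = "Phase 2 (IPsec SA) has never completed"
        if c.pending_phase2:
            msg += ", queued behind Phase 1 on #" + ", #".join(map(str, c.pending_phase2))
        findings.append(msg)
    return findings or ["both phases established"]


if __name__ == "__main__":
    for c in parse_status(SAMPLE_STATUS).values():
        print(f"{c.name}: {c.left_subnet} <-> {c.right_subnet} via peer {c.right}")
        for finding in diagnose(c):
            print("  -", finding)
```

Run against the quoted output, the summary shows that the proposal stage already succeeded (the "IKE algorithms found" line and the `STATE_MAIN_I2` state both mean MR1 arrived), that #827 is waiting for the peer's key-exchange reply (MR2) and retransmitting, and that Phase 2 is queued behind it. That narrows the search to why the gateway at 103.225.112.4 is not answering the second Main Mode exchange, rather than to the ESP or subnet settings.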