[Openswan Users] Hung at - #1: pending Phase 2 for "Connection1/1x1" replacing #0
Prakash Palanisamy
ppalanisamy at sdl.com
Mon Aug 24 04:02:09 EDT 2015
VPN connection between Linux Openswan U2.6.38 (Ubuntu EC2 instance in VPC with EIP) & Cisco ASA 5510 got stuck at "#1: pending Phase 2 for "Connection1/1x1" replacing #0".
Please find below the complete details about the setup & logs. Any guidance would be helpful.
Configuration details at ASA:
No-NAT and access-list:
access-list inside_nat0_outbound extended permit ip 10.100.0.0 255.255.0.0 172.21.8.0 255.255.255.0
access-list Outside_cryptomap_120 extended permit ip 10.100.0.0 255.255.0.0 172.21.8.0 255.255.255.0
Phase 1 (any one of the policies will be picked up; here, for the AWS tunnel, the Phase 1 policy is 60):
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto isakmp policy 60
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
Crypto map and Phase 2:
crypto map Outside_map 120 match address Outside_cryptomap_120
crypto map Outside_map 120 set pfs
crypto map Outside_map 120 set peer 52.17.237.123
crypto map Outside_map 120 set transform-set ESP-AES-256-SHA
crypto map Outside_map 120 set security-association lifetime seconds 3600
tunnel-group 52.17.237.123 type ipsec-l2l
tunnel-group 52.17.237.123 ipsec-attributes
 pre-shared-key ********
Transform set:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
Configuration at Openswan:
config setup
    protostack=netkey
    nat_traversal=no
conn Connection1 # Connection Name
    type=tunnel
    authby=secret
    auto=start
    pfs=yes
    ike=aes256-sha1;modp1536!
    phase2alg=aes256-sha1;modp1536
    ikelifetime=28800s
    salifetime=3600s
    left=%defaultroute
    leftid=52.17.237.123
    leftsubnets={172.21.8.0/24}
    right=87.213.46.220
    rightsubnets={10.100.0.0/16}
Snippet of whack status:
000 "Connection1/1x1": 172.21.8.0/24===172.21.8.43[52.17.237.123]...87.213.46.220<87.213.46.220>===10.100.0.0/16; unrouted; eroute owner: #0
000 "Connection1/1x1": myip=unset; hisip=unset;
000 "Connection1/1x1": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "Connection1/1x1": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,16; interface: eth0;
000 "Connection1/1x1": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "Connection1/1x1": aliases: Connection1
000 "Connection1/1x1": IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP1536(5); flags=strict
000 "Connection1/1x1": IKE algorithms found: AES_CBC(7)_256-SHA1(2)_160-MODP1536(5)
000 "Connection1/1x1": ESP algorithms wanted: AES(12)_256-SHA1(2)_000; pfsgroup=MODP1536(5); flags=-strict
000 "Connection1/1x1": ESP algorithms loaded: AES(12)_256-SHA1(2)_160
000
000 #8: "Connection1/1x1":500 STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 8s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #7: "Connection1/1x1":500 STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 21s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #1: "Connection1/1x1":500 STATE_MAIN_I3 (sent MI3, expecting MR3); none in -1s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #1: pending Phase 2 for "Connection1/1x1" replacing #0
Auth logs:
Aug 24 07:46:27 gateway3 ipsec__plutorun: Starting Pluto subsystem...
Aug 24 07:46:27 gateway3 pluto[21900]: Starting Pluto (Openswan Version 2.6.38; Vendor ID OEvy\134kgzWq\134s) pid:21900
Aug 24 07:46:27 gateway3 pluto[21900]: LEAK_DETECTIVE support [disabled]
Aug 24 07:46:27 gateway3 pluto[21900]: OCF support for IKE [disabled]
Aug 24 07:46:27 gateway3 pluto[21900]: SAref support [disabled]: Protocol not available
Aug 24 07:46:27 gateway3 pluto[21900]: SAbind support [disabled]: Protocol not available
Aug 24 07:46:27 gateway3 pluto[21900]: NSS support [disabled]
Aug 24 07:46:27 gateway3 pluto[21900]: HAVE_STATSD notification support not compiled in
Aug 24 07:46:27 gateway3 pluto[21900]: Setting NAT-Traversal port-4500 floating to off
Aug 24 07:46:27 gateway3 pluto[21900]: port floating activation criteria nat_t=0/port_float=1
Aug 24 07:46:27 gateway3 pluto[21900]: NAT-Traversal support [disabled]
Aug 24 07:46:27 gateway3 pluto[21900]: using /dev/urandom as source of random entropy
Aug 24 07:46:27 gateway3 pluto[21900]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug 24 07:46:27 gateway3 pluto[21900]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Aug 24 07:46:27 gateway3 pluto[21900]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Aug 24 07:46:27 gateway3 pluto[21900]: starting up 1 cryptographic helpers
Aug 24 07:46:27 gateway3 pluto[21900]: started helper pid=21903 (fd:6)
Aug 24 07:46:27 gateway3 pluto[21900]: Using Linux 2.6 IPsec interface code on 3.13.0-53-generic (experimental code)
Aug 24 07:46:27 gateway3 pluto[21903]: using /dev/urandom as source of random entropy
Aug 24 07:46:27 gateway3 pluto[21900]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Aug 24 07:46:27 gateway3 pluto[21900]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Aug 24 07:46:27 gateway3 pluto[21900]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Aug 24 07:46:27 gateway3 pluto[21900]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Aug 24 07:46:27 gateway3 pluto[21900]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Aug 24 07:46:27 gateway3 pluto[21900]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Aug 24 07:46:27 gateway3 pluto[21900]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Aug 24 07:46:27 gateway3 pluto[21900]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Aug 24 07:46:27 gateway3 pluto[21900]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Aug 24 07:46:27 gateway3 pluto[21900]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Aug 24 07:46:27 gateway3 pluto[21900]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Aug 24 07:46:27 gateway3 pluto[21900]: added connection description "Connection1/1x1"
Aug 24 07:46:27 gateway3 pluto[21900]: listening for IKE messages
Aug 24 07:46:27 gateway3 pluto[21900]: adding interface eth0/eth0 172.21.8.43:500
Aug 24 07:46:27 gateway3 pluto[21900]: adding interface lo/lo 127.0.0.1:500
Aug 24 07:46:27 gateway3 pluto[21900]: adding interface lo/lo ::1:500
Aug 24 07:46:27 gateway3 pluto[21900]: loading secrets from "/etc/ipsec.secrets"
Aug 24 07:46:27 gateway3 pluto[21900]: initiating all conns with alias='Connection1'
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: initiating Main Mode
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: ignoring Vendor ID payload [Cisco IKE Fragmentation]
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: received Vendor ID payload [Cisco-Unity]
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: received Vendor ID payload [XAUTH]
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: ignoring unknown Vendor ID payload [fcf4799afa86cc27fe698e78bd2eba5f]
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: received Vendor ID payload [Dead Peer Detection]
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: Main mode peer ID is ID_FQDN: '@Connection1-ASA.global.sdl.corp'
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: we require peer to have ID '87.213.46.220', but peer declares '@Connection1-ASA.global.sdl.corp'
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: sending encrypted notification INVALID_ID_INFORMATION to 87.213.46.220:500
Aug 24 07:46:28 gateway3 pluto[21900]: packet from 87.213.46.220:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0xab33e4a2
Aug 24 07:46:29 gateway3 pluto[21900]: "Connection1/1x1" #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
Aug 24 07:46:29 gateway3 pluto[21900]: | payload malformed after IV
Aug 24 07:46:29 gateway3 pluto[21900]: | 48 70 2e a3 52 84 62 3a 36 27 ad e2 4e b8 a0 4f
Aug 24 07:46:29 gateway3 pluto[21900]: "Connection1/1x1" #1: sending notification PAYLOAD_MALFORMED to 87.213.46.220:500
Aug 24 07:46:34 gateway3 pluto[21900]: packet from 87.213.46.220:500: phase 1 message is part of an unknown exchange
Aug 24 07:46:37 gateway3 pluto[21900]: "Connection1/1x1" #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
Aug 24 07:46:37 gateway3 pluto[21900]: | payload malformed after IV
Aug 24 07:46:37 gateway3 pluto[21900]: | 48 70 2e a3 52 84 62 3a 36 27 ad e2 4e b8 a0 4f
Aug 24 07:46:37 gateway3 pluto[21900]: "Connection1/1x1" #1: sending notification PAYLOAD_MALFORMED to 87.213.46.220:500
Aug 24 07:46:42 gateway3 pluto[21900]: packet from 87.213.46.220:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x690eb3ad
Aug 24 07:46:45 gateway3 pluto[21900]: "Connection1/1x1" #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
Aug 24 07:46:45 gateway3 pluto[21900]: | payload malformed after IV
Aug 24 07:46:45 gateway3 pluto[21900]: | 48 70 2e a3 52 84 62 3a 36 27 ad e2 4e b8 a0 4f
Aug 24 07:46:45 gateway3 pluto[21900]: "Connection1/1x1" #1: sending notification PAYLOAD_MALFORMED to 87.213.46.220:500
Aug 24 07:46:53 gateway3 pluto[21900]: "Connection1/1x1" #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
Aug 24 07:46:53 gateway3 pluto[21900]: | payload malformed after IV
Aug 24 07:46:53 gateway3 pluto[21900]: | 48 70 2e a3 52 84 62 3a 36 27 ad e2 4e b8 a0 4f
Aug 24 07:46:53 gateway3 pluto[21900]: "Connection1/1x1" #1: sending notification PAYLOAD_MALFORMED to 87.213.46.220:500
Aug 24 07:47:01 gateway3 pluto[21900]: "Connection1/1x1" #1: next payload type of ISAKMP Hash Payload has an unknown value: 192
Aug 24 07:47:01 gateway3 pluto[21900]: "Connection1/1x1" #1: malformed payload in packet
Aug 24 07:47:01 gateway3 pluto[21900]: | payload malformed after IV
Aug 24 07:47:01 gateway3 pluto[21900]: | 48 70 2e a3 52 84 62 3a 36 27 ad e2 4e b8 a0 4f
Aug 24 07:47:01 gateway3 pluto[21900]: "Connection1/1x1" #1: sending notification PAYLOAD_MALFORMED to 87.213.46.220:500
Aug 24 07:47:01 gateway3 pluto[21900]: "Connection1/1x1" #1: next payload type of ISAKMP Hash Payload has an unknown value: 146
Aug 24 07:47:01 gateway3 pluto[21900]: "Connection1/1x1" #1: malformed payload in packet
Aug 24 07:47:02 gateway3 pluto[21900]: packet from 87.213.46.220:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Aug 24 07:47:02 gateway3 pluto[21900]: packet from 87.213.46.220:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
Aug 24 07:47:02 gateway3 pluto[21900]: packet from 87.213.46.220:500: received Vendor ID payload [RFC 3947] meth=115, but port floating is off
Aug 24 07:47:02 gateway3 pluto[21900]: packet from 87.213.46.220:500: ignoring Vendor ID payload [Cisco IKE Fragmentation]
Iptables rules:
# iptables -t nat -n -L --line-numbers
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 172.21.8.0/24 10.100.0.0/16
2 MASQUERADE all -- 172.21.8.0/24 0.0.0.0/0
Thanks,
Prakash
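An added triage script (not part of the original post, and not Openswan's own code) that reads the pluto lines quoted above together with the conn block, reports the Phase 1 identity mismatch logged just before the INVALID_ID_INFORMATION notification, and prints the rightid= line that would match the ID the ASA actually sent. The sample log and conn block are constructed from the post; the function and regex names are this example's own.

```python
import re

# Constructed sample: the decisive pluto lines from the post above, copied verbatim.
SAMPLE_LOG = """\
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: we require peer to have ID '87.213.46.220', but peer declares '@Connection1-ASA.global.sdl.corp'
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: sending encrypted notification INVALID_ID_INFORMATION to 87.213.46.220:500
"""
# Constructed sample: the conn block from the post, trimmed to the ID-relevant keys (no rightid= line).
SAMPLE_CONF = """\
conn Connection1
    authby=secret
    leftid=52.17.237.123
    right=87.213.46.220
"""
MISMATCH_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): we require peer to have ID '
                         r"'(?P<expected>[^']+)', but peer declares '(?P<declared>[^']+)'")
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)")


def find_id_mismatches(log_text):
    """One dict (conn, sa, expected, declared) per 'we require peer to have ID' line."""
    return [m.groupdict() for m in map(MISMATCH_RE.search, log_text.splitlines()) if m]


def parse_conn(conf_text, name):
    """Minimal ipsec.conf reader: key=value pairs inside the named conn section only."""
    keys, inside = {}, False
    for line in conf_text.splitlines():
        if line.startswith("conn "):
            inside = line.split()[1] == name
        m = KV_RE.match(line)
        if inside and m:
            keys[m.group(1)] = m.group(2)
    return keys


def suggest_fix(mismatch, conn_keys):
    """Say why pluto rejected the peer ID and give the rightid= line matching what the peer sent."""
    if "rightid" not in conn_keys:  # with rightid= unset, pluto expects the peer ID to equal right=
        reason = "rightid= unset, so the peer ID must equal right=%s" % conn_keys.get("right", "?")
    else:
        reason = "rightid=%s differs from the ID the peer declared" % conn_keys["rightid"]
    # pluto logs an FQDN-type ID with a leading '@'; ipsec.conf spells it the same way.
    return {"reason": reason, "rightid": "rightid=" + mismatch["declared"]}


def triage(log_text, conf_text):
    """Return [] when the Phase 1 IDs agree, else one finding per mismatch line in the log."""
    findings = []
    for mm in find_id_mismatches(log_text):
        keys = parse_conn(conf_text, mm["conn"].split("/")[0])  # "Connection1/1x1" -> "Connection1"
        findings.append(dict(mm, **suggest_fix(mm, keys)))
    return findings
```

Running triage(SAMPLE_LOG, SAMPLE_CONF) yields one finding whose rightid value is the FQDN the ASA declared; an empty list means Phase 1 identities agreed and the stall has a different cause.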