[Openswan Users] Hung at - #1: pending Phase 2 for "Connection1/1x1" replacing #0

Patrick Naubert patrickn at xelerance.com
Tue Aug 25 08:17:17 EDT 2015


Rescued from the Spam bucket.  Please remember to subscribe to the mailing list before posting to it.

From: "CAQUINEAU, Pierre-Alexandre" <pacaquineau at free.fr>
Subject: RE: [Openswan Users] Hung at - #1: pending Phase 2 for "Connection1/1x1" replacing #0
Date: August 24, 2015 at 4:13:29 AM EDT
To: "'Prakash Palanisamy'" <ppalanisamy at sdl.com>
Cc: <users at lists.openswan.org>


Hi,
 
Please add this entry to your Openswan configuration: rightid=@Connection1-ASA.global.sdl.corp
 
conn Connection1 # Connection Name
        type=tunnel
        authby=secret
        auto=start
        pfs=yes
        ike=aes256-sha1;modp1536!
        phase2alg=aes256-sha1;modp1536
        ikelifetime=28800s
        salifetime=3600s
        left=%defaultroute
        leftid=52.17.237.123
        leftsubnets={172.21.8.0/24}
        right=87.213.46.220
        rightid=@Connection1-ASA.global.sdl.corp
        rightsubnets={10.100.0.0/16}
 
Logs:
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: we require peer to have ID '87.213.46.220', but peer declares '@Connection1-ASA.global.sdl.corp'
 
Or, as another method, you can add this directive on your ASA firewall, and on Openswan change rightid to rightid=87.213.46.220:

Openswan:
rightid=87.213.46.220

ASA:
crypto isakmp identity address
 
 
++
From: Users [mailto:users-bounces at lists.openswan.org] On behalf of Prakash Palanisamy
Sent: Monday, 24 August 2015 10:02
To: users at lists.openswan.org
Subject: [Openswan Users] Hung at - #1: pending Phase 2 for "Connection1/1x1" replacing #0
 
The VPN connection between Linux Openswan U2.6.38 (an Ubuntu EC2 instance in a VPC with an EIP) and a Cisco ASA 5510 got stuck at “#1: pending Phase 2 for "Connection1/1x1" replacing #0”.
 
Please find below the complete details about the setup & logs. Any guidance would be helpful.
 
Configuration details at ASA:
 
No NAT and access-list:
access-list inside_nat0_outbound extended permit ip 10.100.0.0 255.255.0.0 172.21.8.0 255.255.255.0
access-list Outside_cryptomap_120 extended permit ip 10.100.0.0 255.255.0.0 172.21.8.0 255.255.255.0
 
Phase 1 (any one of these policies will be picked up; here, for the AWS tunnel, the Phase 1 policy is 60):
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
crypto isakmp policy 50
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto isakmp policy 60
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800
 
 
Crypto map and Phase 2:
crypto map Outside_map 120 match address Outside_cryptomap_120
crypto map Outside_map 120 set pfs
crypto map Outside_map 120 set peer 52.17.237.123
crypto map Outside_map 120 set transform-set ESP-AES-256-SHA
crypto map Outside_map 120 set security-association lifetime seconds 3600
 
tunnel-group 52.17.237.123 type ipsec-l2l
tunnel-group 52.17.237.123 ipsec-attributes
pre-shared-key ********
 
Transform set:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
 
Configuration at OpenSwan:
config setup
        protostack=netkey
        nat_traversal=no

conn Connection1 # Connection Name
        type=tunnel
        authby=secret
        auto=start
        pfs=yes
        ike=aes256-sha1;modp1536!
        phase2alg=aes256-sha1;modp1536
        ikelifetime=28800s
        salifetime=3600s
        left=%defaultroute
        leftid=52.17.237.123
        leftsubnets={172.21.8.0/24}
        right=87.213.46.220
        rightsubnets={10.100.0.0/16}
 
Snippet of whack status:
000 "Connection1/1x1": 172.21.8.0/24===172.21.8.43[52.17.237.123]...87.213.46.220<87.213.46.220>===10.100.0.0/16; unrouted; eroute owner: #0
000 "Connection1/1x1":     myip=unset; hisip=unset;
000 "Connection1/1x1":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "Connection1/1x1":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,16; interface: eth0;
000 "Connection1/1x1":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "Connection1/1x1":   aliases: Connection1
000 "Connection1/1x1":   IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP1536(5); flags=strict
000 "Connection1/1x1":   IKE algorithms found:  AES_CBC(7)_256-SHA1(2)_160-MODP1536(5)
000 "Connection1/1x1":   ESP algorithms wanted: AES(12)_256-SHA1(2)_000; pfsgroup=MODP1536(5); flags=-strict
000 "Connection1/1x1":   ESP algorithms loaded: AES(12)_256-SHA1(2)_160
000
000 #8: "Connection1/1x1":500 STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 8s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #7: "Connection1/1x1":500 STATE_MAIN_R2 (sent MR2, expecting MI3); EVENT_RETRANSMIT in 21s; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #1: "Connection1/1x1":500 STATE_MAIN_I3 (sent MI3, expecting MR3); none in -1s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #1: pending Phase 2 for "Connection1/1x1" replacing #0
 
Auth logs:
Aug 24 07:46:27 gateway3 ipsec__plutorun: Starting Pluto subsystem...
Aug 24 07:46:27 gateway3 pluto[21900]: Starting Pluto (Openswan Version 2.6.38; Vendor ID OEvy\134kgzWq\134s) pid:21900
Aug 24 07:46:27 gateway3 pluto[21900]: LEAK_DETECTIVE support [disabled]
Aug 24 07:46:27 gateway3 pluto[21900]: OCF support for IKE [disabled]
Aug 24 07:46:27 gateway3 pluto[21900]: SAref support [disabled]: Protocol not available
Aug 24 07:46:27 gateway3 pluto[21900]: SAbind support [disabled]: Protocol not available
Aug 24 07:46:27 gateway3 pluto[21900]: NSS support [disabled]
Aug 24 07:46:27 gateway3 pluto[21900]: HAVE_STATSD notification support not compiled in
Aug 24 07:46:27 gateway3 pluto[21900]: Setting NAT-Traversal port-4500 floating to off
Aug 24 07:46:27 gateway3 pluto[21900]:    port floating activation criteria nat_t=0/port_float=1
Aug 24 07:46:27 gateway3 pluto[21900]:    NAT-Traversal support  [disabled]
Aug 24 07:46:27 gateway3 pluto[21900]: using /dev/urandom as source of random entropy
Aug 24 07:46:27 gateway3 pluto[21900]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug 24 07:46:27 gateway3 pluto[21900]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Aug 24 07:46:27 gateway3 pluto[21900]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Aug 24 07:46:27 gateway3 pluto[21900]: starting up 1 cryptographic helpers
Aug 24 07:46:27 gateway3 pluto[21900]: started helper pid=21903 (fd:6)
Aug 24 07:46:27 gateway3 pluto[21900]: Using Linux 2.6 IPsec interface code on 3.13.0-53-generic (experimental code)
Aug 24 07:46:27 gateway3 pluto[21903]: using /dev/urandom as source of random entropy
Aug 24 07:46:27 gateway3 pluto[21900]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Aug 24 07:46:27 gateway3 pluto[21900]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Aug 24 07:46:27 gateway3 pluto[21900]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Aug 24 07:46:27 gateway3 pluto[21900]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Aug 24 07:46:27 gateway3 pluto[21900]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Aug 24 07:46:27 gateway3 pluto[21900]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Aug 24 07:46:27 gateway3 pluto[21900]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Aug 24 07:46:27 gateway3 pluto[21900]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Aug 24 07:46:27 gateway3 pluto[21900]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Aug 24 07:46:27 gateway3 pluto[21900]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Aug 24 07:46:27 gateway3 pluto[21900]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Aug 24 07:46:27 gateway3 pluto[21900]: added connection description "Connection1/1x1"
Aug 24 07:46:27 gateway3 pluto[21900]: listening for IKE messages
Aug 24 07:46:27 gateway3 pluto[21900]: adding interface eth0/eth0 172.21.8.43:500
Aug 24 07:46:27 gateway3 pluto[21900]: adding interface lo/lo 127.0.0.1:500
Aug 24 07:46:27 gateway3 pluto[21900]: adding interface lo/lo ::1:500
Aug 24 07:46:27 gateway3 pluto[21900]: loading secrets from "/etc/ipsec.secrets"
Aug 24 07:46:27 gateway3 pluto[21900]: initiating all conns with alias='Connection1'
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: initiating Main Mode
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: ignoring Vendor ID payload [Cisco IKE Fragmentation]
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: received Vendor ID payload [Cisco-Unity]
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: received Vendor ID payload [XAUTH]
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: ignoring unknown Vendor ID payload [fcf4799afa86cc27fe698e78bd2eba5f]
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: received Vendor ID payload [Dead Peer Detection]
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: Main mode peer ID is ID_FQDN: '@Connection1-ASA.global.sdl.corp'
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: we require peer to have ID '87.213.46.220', but peer declares '@Connection1-ASA.global.sdl.corp'
Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: sending encrypted notification INVALID_ID_INFORMATION to 87.213.46.220:500
Aug 24 07:46:28 gateway3 pluto[21900]: packet from 87.213.46.220:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0xab33e4a2
Aug 24 07:46:29 gateway3 pluto[21900]: "Connection1/1x1" #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
Aug 24 07:46:29 gateway3 pluto[21900]: | payload malformed after IV
Aug 24 07:46:29 gateway3 pluto[21900]: |   48 70 2e a3  52 84 62 3a  36 27 ad e2  4e b8 a0 4f
Aug 24 07:46:29 gateway3 pluto[21900]: "Connection1/1x1" #1: sending notification PAYLOAD_MALFORMED to 87.213.46.220:500
Aug 24 07:46:34 gateway3 pluto[21900]: packet from 87.213.46.220:500: phase 1 message is part of an unknown exchange
Aug 24 07:46:37 gateway3 pluto[21900]: "Connection1/1x1" #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
Aug 24 07:46:37 gateway3 pluto[21900]: | payload malformed after IV
Aug 24 07:46:37 gateway3 pluto[21900]: |   48 70 2e a3  52 84 62 3a  36 27 ad e2  4e b8 a0 4f
Aug 24 07:46:37 gateway3 pluto[21900]: "Connection1/1x1" #1: sending notification PAYLOAD_MALFORMED to 87.213.46.220:500
Aug 24 07:46:42 gateway3 pluto[21900]: packet from 87.213.46.220:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x690eb3ad
Aug 24 07:46:45 gateway3 pluto[21900]: "Connection1/1x1" #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
Aug 24 07:46:45 gateway3 pluto[21900]: | payload malformed after IV
Aug 24 07:46:45 gateway3 pluto[21900]: |   48 70 2e a3  52 84 62 3a  36 27 ad e2  4e b8 a0 4f
Aug 24 07:46:45 gateway3 pluto[21900]: "Connection1/1x1" #1: sending notification PAYLOAD_MALFORMED to 87.213.46.220:500
Aug 24 07:46:53 gateway3 pluto[21900]: "Connection1/1x1" #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
Aug 24 07:46:53 gateway3 pluto[21900]: | payload malformed after IV
Aug 24 07:46:53 gateway3 pluto[21900]: |   48 70 2e a3  52 84 62 3a  36 27 ad e2  4e b8 a0 4f
Aug 24 07:46:53 gateway3 pluto[21900]: "Connection1/1x1" #1: sending notification PAYLOAD_MALFORMED to 87.213.46.220:500
Aug 24 07:47:01 gateway3 pluto[21900]: "Connection1/1x1" #1: next payload type of ISAKMP Hash Payload has an unknown value: 192
Aug 24 07:47:01 gateway3 pluto[21900]: "Connection1/1x1" #1: malformed payload in packet
Aug 24 07:47:01 gateway3 pluto[21900]: | payload malformed after IV
Aug 24 07:47:01 gateway3 pluto[21900]: |   48 70 2e a3  52 84 62 3a  36 27 ad e2  4e b8 a0 4f
Aug 24 07:47:01 gateway3 pluto[21900]: "Connection1/1x1" #1: sending notification PAYLOAD_MALFORMED to 87.213.46.220:500
Aug 24 07:47:01 gateway3 pluto[21900]: "Connection1/1x1" #1: next payload type of ISAKMP Hash Payload has an unknown value: 146
Aug 24 07:47:01 gateway3 pluto[21900]: "Connection1/1x1" #1: malformed payload in packet
Aug 24 07:47:02 gateway3 pluto[21900]: packet from 87.213.46.220:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Aug 24 07:47:02 gateway3 pluto[21900]: packet from 87.213.46.220:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
Aug 24 07:47:02 gateway3 pluto[21900]: packet from 87.213.46.220:500: received Vendor ID payload [RFC 3947] meth=115, but port floating is off
Aug 24 07:47:02 gateway3 pluto[21900]: packet from 87.213.46.220:500: ignoring Vendor ID payload [Cisco IKE Fragmentation]
 
Iptables rules:
# iptables -t nat -n -L --line-numbers
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
 
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
 
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
 
Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  172.21.8.0/24        10.100.0.0/16
2    MASQUERADE  all  --  172.21.8.0/24        0.0.0.0/0
 
Thanks,
Prakash



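The check that fails in the log above is pluto comparing the ID payload the ASA sends in the encrypted part of Main Mode with rightid=, which defaults to right= when it is not set; because Phase 1 never completes, Phase 2 stays "pending" and the later Quick Mode messages are rejected as belonging to an incomplete ISAKMP SA. The script below is an added example for this thread, not code from either poster or from the Openswan project: it scans pluto log lines for that mismatch message, derives the rightid= value that accepts what the peer already sends (keeping the leading "@" that marks a literal FQDN, since a bare name in rightid= would be resolved and compared as an address ID), and, when the ID Openswan expects is an IP address, also reports the ASA-side alternative from the reply (crypto isakmp identity address). The first sample line is the one from the thread; the second and third lines and the name gw.example.net are constructed. Once Phase 1 completes, the next thing to compare in the two configurations above is the PFS group: phase2alg asks for modp1536 while the crypto map's "set pfs" names no group.

```python
#!/usr/bin/env python3
"""Find IKEv1 Main Mode peer-ID mismatches in pluto logs and derive the fix.

Added example for this thread, not code from the posters or from Openswan.
The mismatch message format is the one pluto printed in the thread; the
second and third SAMPLE_LOG lines and the name gw.example.net are constructed.
"""
import ipaddress
import re

# Pluto logs this when the ID the peer sends in the encrypted Main Mode ID
# payload does not match what rightid= (or, absent rightid=, right=) requires.
MISMATCH_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): we require peer to have ID '
    r"'(?P<expected>[^']*)', but peer declares '(?P<declared>[^']*)'"
)

SAMPLE_LOG = [
    # the line from the thread
    'Aug 24 07:46:27 gateway3 pluto[21900]: "Connection1/1x1" #1: we require '
    "peer to have ID '87.213.46.220', but peer declares "
    "'@Connection1-ASA.global.sdl.corp'",
    # constructed: the reverse case, we expect an FQDN and the peer sends its address
    'Aug 24 07:50:01 gateway3 pluto[21900]: "Connection2/1x1" #3: we require '
    "peer to have ID '@gw.example.net', but peer declares '192.0.2.10'",
    # constructed: an unrelated line that the parser must skip
    'Aug 24 07:50:01 gateway3 pluto[21900]: "Connection2/1x1" #3: sending '
    "encrypted notification INVALID_ID_INFORMATION to 192.0.2.10:500",
]


def classify_id(value):
    """Classify an IKE identity the way ipsec.conf's leftid=/rightid= reads it."""
    if value.startswith("@"):
        return "fqdn"        # literal ID_FQDN, used as-is, never resolved
    if "@" in value:
        return "user_fqdn"   # ID_USER_FQDN, user@host
    try:
        ipaddress.ip_address(value)
        return "ipaddr"      # ID_IPV4_ADDR / ID_IPV6_ADDR
    except ValueError:
        return "hostname"    # bare name: pluto resolves it to an address ID


def find_id_mismatches(lines):
    """Return a dict (conn, sa, expected, declared) per mismatch line found."""
    return [m.groupdict() for m in map(MISMATCH_RE.search, lines) if m]


def suggest_fix(mismatch):
    """Return {"openswan": ..., "asa": ...} for one mismatch.

    "openswan" is the rightid= line that accepts what the peer already sends.
    "asa" is the alternative from the thread (make the ASA send its address as
    its ID); it only helps when the value Openswan expects is an IP address,
    in which case rightid= keeps that address.
    """
    declared = mismatch["declared"]
    if classify_id(declared) == "hostname":
        # pluto prints FQDN IDs with a leading '@'; without it the value in
        # rightid= would be DNS-resolved and compared as an address ID.
        declared = "@" + declared
    asa = None
    if classify_id(mismatch["expected"]) == "ipaddr":
        asa = "crypto isakmp identity address"
    return {"openswan": "rightid=%s" % declared, "asa": asa}


if __name__ == "__main__":
    for mm in find_id_mismatches(SAMPLE_LOG):
        fix = suggest_fix(mm)
        print("%s #%s: expected %r, peer sent %r"
              % (mm["conn"], mm["sa"], mm["expected"], mm["declared"]))
        print("  Openswan side: %s" % fix["openswan"])
        if fix["asa"]:
            print("  or ASA side:   %s  (and keep rightid=%s)"
                  % (fix["asa"], mm["expected"]))
```

Run it against a real /var/log/auth.log by passing the file's lines to find_id_mismatches(); only the "we require peer to have ID" lines are acted on, so the rest of pluto's output is ignored.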