[Openswan Users] [SUMMARY] Re: Connection is getting reset every few seconds

Daniel Cave dan.cave at me.com
Wed Sep 2 09:26:24 EDT 2015


Prakash,

I'm glad you've got this working.... It appears to be a common issue with Ciscos, i.e. it doesn't work from Cisco to non-Cisco device..  I've found that the best way to get Cisco/ASA <--> OpenSwan stuff working is to just specify the standard left/right hand side networks and leave OpenSwan to auto-negotiate and connect to the Cisco kit based on what the Cisco allows.  I had a very similar problem with the Amazon VPN devices and inter-op with pfSense (BSD + StrongSwan) and Amazon stuff which isn't specifically Cisco, but they don't tell you exactly what it is... anyhow after a lot of headaches I was speaking to the Cisco/network guy at our third party and he suggested we went with 3des-md5 and 'it worked' - despite us trying sha1-aes128/aes256.

ttfn

On Sep 02, 2015, at 01:22 PM, Prakash Palanisamy <ppalanisamy at sdl.com> wrote:

Thanks a lot Daniel, that did the trick.
 
Interestingly it works only when we comment out or remove ike & phase2alg from the config file, it doesn’t work even if we specify “3des-md5;modp1536”
 
Regards,
Prakash
 


 
http://www.sdl.com 



SDL PLC confidential, all rights reserved. If you are not the intended recipient of this mail SDL requests and requires that you delete it without acting upon or copying any of its contents, and we further request that you advise us.

SDL PLC is a public limited company registered in England and Wales. Registered number: 02675207. 
Registered address: Globe House, Clivemont Road, Maidenhead, Berkshire SL6 7DY, UK.

From: Daniel Cave [mailto:dan.cave at me.com] 
Sent: Tuesday, September 1, 2015 6:45 PM
To: Prakash Palanisamy <ppalanisamy at sdl.com>
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] Connection is getting reset every few seconds
 
Prakash,
 
What happens when you set both sides of the IPsec (ASA and OpenSwan) to use 3des-md5?  I noticed you had the same compatibility problems with AES-SHA256 that I did..  Your start up logs are telling you that on the OpenSwan server..
 
It seems the ASA does not like the OpenSwan proposal for AES(256)-SHA.. if you comment out the phase 1&2 specific negotiation on the OpenSwan side, restart that, then re-configure the ASA to use 3des-md5 - I believe it should work - as this is what we're using.
 
Hope that helps.
 
 
d.
On Aug 27, 2015, at 03:44 PM, Prakash Palanisamy <ppalanisamy at sdl.com> wrote:

Hi Daniel,
 
Please find below the complete details. Will it be something to do with different DPD timeout configuration at both the ends?
 
Configuration details at ASA:
 
No Nat and Access-list :
access-list inside_nat0_outbound extended permit ip 10.100.0.0 255.255.0.0 172.21.8.0 255.255.255.0
access-list Outside_cryptomap_120 extended permit ip 10.100.0.0 255.255.0.0 172.21.8.0 255.255.255.0
 
Phase 1 ( any one of the policy will be picked up, here for aws tunnel the phase 1 policy is 60 ) :
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
crypto isakmp policy 50
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto isakmp policy 60
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 28800
 
 
Crypto and PHase 2 :
crypto map Outside_map 120 match address Outside_cryptomap_120
crypto map Outside_map 120 set pfs
crypto map Outside_map 120 set peer 52.17.237.123
crypto map Outside_map 120 set transform-set ESP-AES-256-SHA
crypto map Outside_map 120 set security-association lifetime seconds 3600
 
tunnel-group 52.17.237.123 type ipsec-l2l
tunnel-group 52.17.237.123 ipsec-attributes
pre-shared-key ********
 
Transform set :
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
 
Configuration at OpenSwan:
config setup
        protostack=netkey
        nat_traversal=no
 
conn Connection1 # Connection Name
       type=tunnel
        authby=secret
        auto=start
        pfs=yes
        ike=aes256-sha1;modp1536!
        phase2alg=aes256-sha1;modp1536
        ikelifetime=28800s
        salifetime=3600s
        left=%defaultroute
        leftid=52.17.237.123
        leftsubnets={172.21.8.0/24}
        right=87.213.46.220
        rightsubnets={10.100.0.0/16}
 
ipsec status:
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 172.21.8.61
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= is not specified, or there is a syntax
000          error in that line. 'left/rightsubnet=vhost:%priv' will not work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,3,64} trans={0,3,3072} attrs={0,3,2048}
000
000 "Connection1/1x1": 172.21.8.0/24===172.21.8.61[52.17.237.123]...87.213.46.220<87.213.46.220>===10.100.0.0/16; erouted; eroute owner: #4
000 "Connection1/1x1":     myip=unset; hisip=unset;
000 "Connection1/1x1":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "Connection1/1x1":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,16; interface: eth0;
000 "Connection1/1x1":   newest ISAKMP SA: #3; newest IPsec SA: #4;
000 "Connection1/1x1":   aliases: Connection1
000 "Connection1/1x1":   IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP1536(5); flags=strict
000 "Connection1/1x1":   IKE algorithms found:  AES_CBC(7)_256-SHA1(2)_160-MODP1536(5)
000 "Connection1/1x1":   IKE algorithm newest: AES_CBC_256-SHA1-MODP1536
000 "Connection1/1x1":   ESP algorithms wanted: AES(12)_256-SHA1(2)_000; pfsgroup=MODP1536(5); flags=-strict
000 "Connection1/1x1":   ESP algorithms loaded: AES(12)_256-SHA1(2)_160
000 "Connection1/1x1":   ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=MODP1536
000
000 #5: "Connection1/1x1":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 18s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #4: "Connection1/1x1":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3252s; newest IPSEC; eroute owner; isakmp#3; idle; import:not set
000 #4: "Connection1/1x1" esp.70598aa at 87.213.46.220 esp.6fd8d5cc at 172.21.8.61 tun.0 at 87.213.46.220 tun.0 at 172.21.8.61 ref=0 refhim=4294901761
000 #3: "Connection1/1x1":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 28452s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
 
Thanks,
Prakash
 
 

 
From: Daniel Cave [mailto:dan.cave at me.com] 
Sent: Thursday, August 27, 2015 3:50 PM
To: Prakash Palanisamy <ppalanisamy at sdl.com>
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] Connection is getting reset every few seconds
 
Hi Prakash, I think you misunderstood me (as I didn't make myself very clear)
 
I think the issues you're getting are configuration related  at either side and not related to the EC2 instance specifically.
 
Can you post your config file from both sides? It looks like - from your logs - that Phase 1/2 are not negotiating correctly and there's some kind of mismatch in timings.
 
Where I'm working, we have set up an EC2 instance, t2.small, to a client in the USA, on a Cisco ASA 5510.. 3des-md5.. the tunnel has been up for months.. we're using the same version of OpenSwan/racoon that you are.
 
What I did originally was to remove any options to set phase 1/2 algorithms and commented them out in my config until I got a working config on the OpenSwan side.
 
If you run 'ipsec auto status' what do you see?
 
It should look *something* like this:
 
# ipsec auto status
ipsec auto: warning: obsolete command syntax used
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 172.11.44.240
000 interface eth0/eth0 172.11.44.240
000 interface tun0/tun0 10.8.0.1
000 interface tun0/tun0 10.8.0.1
000 %myid = (none)
000 debug none
000  
000 virtual_private (%priv):
000 - allowed 0 subnets: 
000 - disallowed 0 subnets: 
000 WARNING: Either virtual_private= is not specified, or there is a syntax 
000          error in that line. 'left/rightsubnet=vhost:%priv' will not work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have 
000          private address space in internal use, it should be excluded!
000  
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000  
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000  
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,11,64} trans={0,11,3072} attrs={0,11,2048} 
000  
000 "idc-dr/1x1": 172.11.44.0/16===172.11.44.240[52.x.x.x]...172.11.44.1---72.11.62.33<72.11.62.33>===192.168.30.0/24; erouted; eroute owner: #171
000 "idc-dr/1x1":     myip=172.11.44.240; hisip=unset;
000 "idc-dr/1x1":   ike_life: 86400s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 
000 "idc-dr/1x1":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 16,24; interface: eth0; 
000 "idc-dr/1x1":   newest ISAKMP SA: #169; newest IPsec SA: #171; 
000 "idc-dr/1x1":   aliases: idc-dr 
000 "idc-dr/1x1":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-MODP1536(5), 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2); flags=-strict
000 "idc-dr/1x1":   IKE algorithms found:  3DES_CBC(5)_192-MD5(1)_128-MODP1536(5)3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "idc-dr/1x1":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "idc-dr/1x1":   ESP algorithms wanted: 3DES(3)_000-MD5(1)_000; flags=-strict
000 "idc-dr/1x1":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
000 "idc-dr/1x1":   ESP algorithm newest: 3DES_000-HMAC_MD5; pfsgroup=<N/A>
000  
000 #171: "idc-dr/1x1":4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 24593s; newest IPSEC; eroute owner; isakmp#169; idle; import:not set
000 #171: "idc-dr/1x1" esp.ace0ffe6 at 72.11.62.33 esp.7cc12623 at 172.11.44.240 tun.0 at 72.11.62.33 tun.0 at 172.11.44.240 ref=0 refhim=4294901761
000 #169: "idc-dr/1x1":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 45423s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000  
 
Start off by posting the configs from both sides (ipsec.conf / Cisco ASA) and check your phase 1/2 key times.
 
On Aug 27, 2015, at 10:14 AM, Prakash Palanisamy <ppalanisamy at sdl.com> wrote:

Hi Daniel,
 
Thanks for your input. I tried different instance types, even with m4.2xlarge which got High Network performance & Enhanced Networking I could see the connection is getting reset after 90 seconds.
 
Thanks,
Prakash
 
 

 
From: Daniel Cave [mailto:dan.cave at me.com] 
Sent: Wednesday, August 26, 2015 10:36 PM
To: Prakash Palanisamy <ppalanisamy at sdl.com>
Cc: users at lists.openswan.org
Subject: Re: [Openswan Users] Connection is getting reset every few seconds
 
If you search the archives I had a similar problem about four months ago with an ASA, except my instance in AWS was too small for the volume of traffic I was using it for and my OpenSwan tunnel kept collapsing randomly.

Sent from my iPhone

On 26 Aug 2015, at 18:22, Prakash Palanisamy <ppalanisamy at sdl.com> wrote:

I have modified the config to set “rekey=no” based on feedback from lots of other threads, but this doesn’t help. I have requested for details at ASA to check the renegotiation policy at the other end.
 
What would be the other possible reasons for continuous reset?
 
Thanks,
Prakash
 

 
From: Prakash Palanisamy 
Sent: Monday, August 24, 2015 4:54 PM
To: 'users at lists.openswan.org' <users at lists.openswan.org>
Subject: Connection is getting reset every few seconds
 
VPN connection between Linux Openswan U2.6.38 (Ubuntu EC2 instance in VPC with EIP) & Cisco ASA 5510 is getting reset every few seconds. Earlier today with the help of the community I solved another problem with the “pending phase 2” issue, and after that we see that the connection is very flaky.
 
Other details about the setup can be found in my previous thread - https://lists.openswan.org/pipermail/users/2015-August/023391.html
 
Auth logs:
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: initiating Main Mode
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: ignoring Vendor ID payload [Cisco IKE Fragmentation]
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: received Vendor ID payload [Cisco-Unity]
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: received Vendor ID payload [XAUTH]
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: ignoring unknown Vendor ID payload [ec43b53de4bd9e2ec73fcf4ea211143f]
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: received Vendor ID payload [Dead Peer Detection]
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: Main mode peer ID is ID_FQDN: '@Connection1-ASA.global.sdl.corp'
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:b9dab225 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1536}
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: received and ignored informational message
Aug 24 13:35:52 gateway3 pluto[31154]: "Connection1/1x1" #1: received Delete SA payload: deleting ISAKMP State #1
Aug 24 13:35:52 gateway3 pluto[31154]: packet from 87.213.46.220:500: received and ignored informational message
Aug 24 13:35:58 gateway3 pluto[31154]: packet from 87.213.46.220:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Aug 24 13:35:58 gateway3 pluto[31154]: packet from 87.213.46.220:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but port floating is off
Aug 24 13:35:58 gateway3 pluto[31154]: packet from 87.213.46.220:500: received Vendor ID payload [RFC 3947] meth=115, but port floating is off
Aug 24 13:35:58 gateway3 pluto[31154]: packet from 87.213.46.220:500: ignoring Vendor ID payload [Cisco IKE Fragmentation]
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: responding to Main Mode
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: Oakley Transform [OAKLEY_3DES_CBC (192), OAKLEY_MD5, OAKLEY_GROUP_MODP1024] refused due to strict flag
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: Oakley Transform [OAKLEY_AES_CBC (128), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: Oakley Transform [OAKLEY_AES_CBC (256), OAKLEY_SHA1, OAKLEY_GROUP_MODP1024] refused due to strict flag
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: received Vendor ID payload [Cisco-Unity]
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: received Vendor ID payload [XAUTH]
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: ignoring unknown Vendor ID payload [f7d4c0744bc4c632afa9ec7e85bf857b]
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: received Vendor ID payload [Dead Peer Detection]
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: Main mode peer ID is ID_FQDN: '@Connection1-ASA.global.sdl.corp'
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #3: the peer proposed: 172.21.8.0/24:0/0 -> 10.100.0.0/16:0/0
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #4: responding to Quick Mode proposal {msgid:b23b46bc}
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #4:     us: 172.21.8.0/24===172.21.8.43[52.17.237.123]
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #4:   them: 87.213.46.220<87.213.46.220>[@Connection1-ASA.global.sdl.corp]===10.100.0.0/16
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 24 13:35:58 gateway3 pluto[31154]: "Connection1/1x1" #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x22ef875d <0x409dd686 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
 
Thanks,
Prakash
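As an added example (not code from the thread, Openswan or Cisco), the script below parses the ASA `crypto isakmp policy` and crypto map lines and the Openswan `ike=` / `phase2alg=` strings quoted in this thread and reports where the two sides' proposals overlap, including the effect of the trailing `!` strict flag. It assumes Cisco's `encryption aes` means AES-128, `hash sha` means SHA-1, `set pfs` without a group means group 2, and that an Openswan proposal without a DH group expands to modp1536 and modp1024 as the "IKE algorithms wanted" status line above shows.

```python
"""IKEv1 proposal check: Cisco ASA config vs. Openswan ike= / phase2alg= lines.
Added example for this thread, not Openswan or Cisco code.  Assumptions (see
comments): 'encryption aes' = AES-128, 'hash sha' = SHA-1, 'set pfs' without a
group = group 2, and a proposal without a DH group expands to modp1536+modp1024.
"""
import re

CISCO_ENC = {"3des": ("3des", 192), "aes": ("aes", 128), "aes-256": ("aes", 256),
             "esp-3des": ("3des", 192), "esp-aes": ("aes", 128), "esp-aes-256": ("aes", 256)}
CISCO_HASH = {"md5": "md5", "sha": "sha1", "esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}
DH_GROUP = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}
DEFAULT_KEYLEN = {"3des": 192, "aes": 128}
DEFAULT_GROUPS = ("modp1536", "modp1024")  # assumed, from the thread's status output

# Constructed sample, abbreviated from the ASA snippet quoted in the thread.
ASA_SAMPLE = """\
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp policy 60
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
crypto map Outside_map 120 set pfs
crypto map Outside_map 120 set transform-set ESP-AES-256-SHA
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
"""


def parse_openswan_alg(spec):
    """'aes256-sha1;modp1536!' -> ({(enc, keylen, hash, group)}, strict).  For
    phase2alg= the group slot is the PFS group; a trailing '!' is the strict flag."""
    strict = spec.endswith("!")
    proposals = set()
    for item in spec.rstrip("!").split(","):
        parts = re.split(r"[;-]", item.strip())  # Openswan puts the group after ';'
        name, bits = re.match(r"(\d?[a-z]+)(\d*)$", parts[0]).groups()
        keylen = int(bits) if bits else DEFAULT_KEYLEN[name]
        for group in parts[2:3] or DEFAULT_GROUPS:
            proposals.add((name, keylen, parts[1], group))
    return proposals, strict


def parse_asa(text):
    """-> ({policy_no: (enc, keylen, hash, group)}, (esp_enc, keylen, esp_auth), pfs_group)."""
    policies, cur, ts_sets, ts_name, pfs = {}, None, {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m_pol = re.match(r"crypto isakmp policy (\d+)$", line)
        m_ts = re.match(r"crypto ipsec transform-set (\S+) (\S+) (\S+)$", line)
        m_map = re.search(r"set transform-set (\S+)$", line)
        m_pfs = re.search(r"set pfs(?: group(\d+))?$", line)
        if m_pol:
            cur = int(m_pol.group(1))
            policies[cur] = {}
        elif m_ts:
            ts_sets[m_ts.group(1)] = (m_ts.group(2), m_ts.group(3))
        elif m_map:
            ts_name = m_map.group(1)
        elif m_pfs:
            pfs = DH_GROUP[m_pfs.group(1) or "2"]  # assumed Cisco default: group 2
        elif cur is not None and line.split()[0] in ("encryption", "hash", "group"):
            policies[cur][line.split()[0]] = line.split()[1]
    phase1 = {n: CISCO_ENC[p["encryption"]] + (CISCO_HASH[p["hash"]], DH_GROUP[p["group"]])
              for n, p in policies.items()}
    esp_enc, esp_auth = ts_sets[ts_name]
    return phase1, CISCO_ENC[esp_enc] + (CISCO_HASH[esp_auth],), pfs


def diagnose(asa_text, ike_spec, phase2_spec):
    """Which ASA policies can satisfy ike=, and do phase 2 algorithms and PFS group agree?"""
    phase1, asa_esp, asa_pfs = parse_asa(asa_text)
    ike_wanted, strict = parse_openswan_alg(ike_spec)
    esp_wanted, _ = parse_openswan_alg(phase2_spec)
    return {
        "phase1_matching_policies": sorted(n for n, t in phase1.items() if t in ike_wanted),
        "phase1_strict": strict,  # with '!' nothing outside ike_wanted is accepted
        "phase2_alg_match": any(t[:3] == asa_esp for t in esp_wanted),
        "pfs_match": any(t[3] == asa_pfs for t in esp_wanted),
        "asa_pfs_group": asa_pfs,
    }
```

Run `diagnose(ASA_SAMPLE, "aes256-sha1;modp1536!", "aes256-sha1;modp1536")` for the thread's original settings: policy 60 satisfies phase 1 and the ESP algorithms agree, but the PFS group does not (modp1536 versus the ASA's modp1024), which is the kind of mismatch that shows up as NO_PROPOSAL_CHOSEN in Quick Mode.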
 
