[Openswan Users] Connection to Huawei VRP

Ian Barnes ian.lidtech at gmail.com
Wed Nov 2 16:35:39 EDT 2016


Hi Samir / All,

I've got a breakdown of the configs from the remote end:
ACL name LOCALID
rule permit ip source 172.25.48.43 0 destination 10.0.64.66 0
rule permit ip source 172.25.48.36 0 destination 10.0.64.66
rule permit ip source 172.25.48.43 0 destination 10.0.64.1
rule permit ip source 172.25.48.36 0 destination 10.0.64.1
rule permit ip source 172.25.48.43 0 destination 10.0.64.10
rule permit ip source 172.25.48.36 0 destination 10.0.64.10
rule permit ip source 172.25.48.43 0 destination 10.0.64.201
rule permit ip source 172.25.48.36 0 destination 10.0.64.201

Ike Proposal 10
encryption-algorithm 3des
authentication-algorithm md5
dh-group2
sa duration 28800

ike peer LOCALID
pre-shared key "SOMEPSKHERE"
ike-proposal 10
remote-address externalIP

remote-id LOCALID
Local-id-type ip

ipsec proposal LOCALID
encapsulation-mode tunnel
esp authentication-algorithm sha1
esp encryption-algorithm 3des

ipsec policy LOCALID 1 isakmp
security acl name LOCALID
ike-peer LOCALID
proposal LOCALID
sa duration time-based 3600

interface Tunnel 0/0/41
ip address remoteIDIP 255.255.255.255
tunnel-protocol ipsec
ipsec policy LOCALID

ip route-static 10.0.64.136 255.255.255.255 Tunnel0/0/41 externalIP
ip route-static 10.0.64.1 255.255.255.255 Tunnel0/0/41 externalIP
ip route-static 10.0.64.10 255.255.255.255 Tunnel0/0/41 externalIP
ip route-static 10.0.64.201 255.255.255.255 Tunnel0/0/41 externalIP
ip route-static 10.0.64.137 255.255.255.255 Tunnel0/0/41 externalIP
ip route-static 10.0.64.66 255.255.255.255 Tunnel0/0/41 externalIP

And here are the remote Huawei logs: http://pastebin.com/G90q7Aed

Any ideas as to what could be wrong would be great; quite stuck at the
moment! (I've made the adjustment on my end to use md5 for IKE instead of
sha1, as originally configured.)

Regards
Ian

On Wed, Nov 2, 2016 at 9:42 AM Ian Barnes <ian.lidtech at gmail.com> wrote:

> Hey Samir,
>
> Thanks for the help. I've gone back to them asking for more logs on their
> end to try to figure out what is happening.
>
> Regards
> Ian
>
> On Tue, Nov 1, 2016 at 10:25 PM Samir Hussain <shussain at xelerance.com>
> wrote:
>
> Hello Ian,
>   It certainly looks like there is a misconfiguration on the remote
> side.
>
>   In addition to confirming the parameters at the remote end, I would
> check if they are allowing IKEv1 connections.
>
>
> Samir
>
>
> On 2016-10-30 02:43 PM, Ian Barnes wrote:
> > Hi All,
> >
> > First, many thanks to Samir for the assistance so far, but I've hit
> > another wall and need some more assistance. Upon instruction from the
> > company I'm connecting to, I set the leftid and rightid to what they
> > configured but am now getting the following
> > logs: http://pastebin.com/ddfLM29C
> >
> > My config now looks as follows:
> > conn host-prd
> >         ##### Local
> >         left=externalIP
> >         leftid=@LEFTID
> >         leftsubnet=externalIP/32
> >         leftnexthop=%defaultroute
> >
> >         ##### Remote
> >         right=RIGHTIP/ID
> >         rightid=RIGHTIP/ID
> >         rightsubnets={172.25.48.43/32 172.25.48.36/32}
> >         rightnexthop=%defaultroute
> >
> >         ##### Auth Options
> >         authby=secret
> >         rekey=no
> >
> >         ##### Phase 1
> >         ike=3des-sha1-modp1024
> >         ikelifetime="14400"
> >
> >         ##### Phase 2
> >         esp=3des-sha1
> >         keylife="3600"
> >         pfs=no
> >
> >         ##### Connection Options
> >         type=tunnel
> >         auto=start
> >         compress=no
> >
> >         disablearrivalcheck=no
> >         dpddelay=10
> >         dpdtimeout=30
> >         dpdaction=restart
> >
> > My secrets as follows
> >
> > # cat /etc/ipsec.d/ipsec.secrets
> > @LEFTIDRIGHTIP/ID: PSK "PSKHERE"
> >
> > I see this line in the logs:
> > | inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
> >
> > I assume this to mean the PSK failed? From what I can see, that's not
> > because it didn't match on my end; they are rejecting the PSK, correct?
> >
> > The remote party provided the following logs:
> > Oct 27 2016 14:39:24.660.20 HOST IKE/7/DEBUG:Slot=1/2,Vcpu=0;Enter m_responder_recv_ID_AUTH
> > [HOST-diagnose]
> > Oct 27 2016 14:39:24.670.1 HOST IKE/7/DEBUG:Slot=1/2,Vcpu=0;recv ID: find ike peer by ID failed !
> > [HOST-diagnose]
> > Oct 27 2016 14:39:24.670.2 HOST IKE/7/DEBUG:Slot=1/2,Vcpu=0;Leave m_responder_recv_ID_AUTH: recv_ID run err!
> > Oct 27 2016 14:39:54.680.20 HOST IKE/7/DEBUG:Slot=1/2,Vcpu=0;check message duplicate: dropping dup
> >
> > Looking at the second line, it appears to be a configuration error on
> > their end, correct?
> >
> > Regards
> > Ian
> >
> >
> > On Tue, Oct 25, 2016 at 8:31 AM, Ian Barnes <ian.lidtech at gmail.com> wrote:
> >
> >     Hey Samir,
> >
> >     Many many thanks for the quick response, helping me out hugely here!
> >
> >     I have contacted the provider to ask what the ID is that they are
> >     expecting, hopefully I get some joy :)
> >
> >     Will keep you posted on resolution thanks!
> >
> >     Regards
> >     Ian
> >
> >     On Mon, Oct 24, 2016 at 11:10 PM, Samir Hussain
> >     <shussain at xelerance.com> wrote:
> >
> >         Hello Ian,
> >           Thank you for providing a paste bin link. It was very helpful.
> >
> >           Your issue seems to be with your id. In your original
> >         ipsec.conf, I did not see a leftid or a rightid. If you have added
> >         them, please be sure to:
> >
> >         1) Have the same leftid and rightid in your secrets file (normally
> >         /etc/ipsec.secrets)
> >         2) Have the same id as what the remote peer expects.
> >
> >         Samir
> >
> >         On 2016-10-24 04:07 PM, Ian Barnes wrote:
> >         > Hi Samir,
> >         >
> >         > Thanks so much for the response - very much appreciated. I've made the
> >         > changes you suggested and have had zero joy. Here are the
> >         > logs: http://pastebin.com/tycfF6JN. The only thing I can see is this:
> >         >
> >         > got payload 0x800(ISAKMP_NEXT_N) needed: 0x0 opt: 0x0
> >         > | ***parse ISAKMP Notification Payload:
> >         > |    next payload type: ISAKMP_NEXT_NONE
> >         > |    length: 12
> >         > |    DOI: ISAKMP_DOI_IPSEC
> >         > |    protocol ID: 1
> >         > |    SPI size: 0
> >         > |    Notify Message Type: INVALID_ID_INFORMATION
> >         > | removing 4 bytes of padding
> >         > "host-prd/0x2" #1: ignoring informational payload, type
> >         > INVALID_ID_INFORMATION msgid=00000000
> >         > | info:
> >         > | processing informational INVALID_ID_INFORMATION (18)
> >         > "host-prd/0x2" #1: received and ignored informational message
> >         > | complete state transition with STF_IGNORE
> >         > | * processed 0 messages from cryptographic helpers
> >         > | next event EVENT_RETRANSMIT in 10 seconds for #3
> >         > | next event EVENT_RETRANSMIT in 10 seconds for #3
> >         >
> >         > But I can't find much about that error.
> >         >
> >         > Any ideas?
> >         >
> >         > Cheers
> >         > Ian
> >         >
> >         >
> >         > On Mon, Oct 24, 2016 at 9:53 PM, Samir Hussain
> >         > <shussain at xelerance.com> wrote:
> >         >
> >         >     One quick question: You have explicitly set pfs to no.
> >         Does the other
> >         >     side not expect PFS? what happens if you enable PFS?
> >         >
> >         >     Samir
> >         >
> >         >     On 2016-10-24 12:17 PM, Samir Hussain wrote:
> >         >     > Hello,
> >         >     >   A couple of comments:
> >         >     > * ikelifetime and phasetime do not need to be quoted
> >         >     > * is your leftsourceip the same as the IP assigned to
> >         left? If it is,
> >         >     > then you can remove leftsourceip
> >         >     > * keyexchange and auth=esp should be removed
> >         >     >
> >         >     > If you are still experiencing problems, what do the logs
> >         show? You can
> >         >     > enable it by adding the following in "config setup"
> section:
> >         >     >
> >         >     > plutodebug="control parsing"
> >         >     > plutostderrlog=/var/log/ipsec.log
> >         >     >
> >         >     > Samir
> >         >     >
> >         >     > On 2016-10-23 03:33 PM, Ian Barnes wrote:
> >         >     >> Hi,
> >         >     >>
> >         >     >> I am having trouble setting up a connection to a provider (and am also
> >         >     >> running into delays getting logs from them) so I was wondering if anyone
> >         >     >> can spot a glaring error or point me in the possible right direction as
> >         >     >> to why my tunnel isn't coming up.
> >         >     >>
> >         >     >> First off - the connection details (as provided by the remote party):
> >         >     >> *Remote:*
> >         >     >> Remote Device: Huawei VRP
> >         >     >> Auth Method: Pre-Shared Key
> >         >     >> Encryption: IKE
> >         >     >> IKE PFS: 3DES
> >         >     >> IKE Encryption Algorithm: SHA1
> >         >     >> IKE Hashing Algorithm: Group 2 (1024)
> >         >     >> IKE SA Lifetime: 14400
> >         >     >> Transform (IPSec Protocol): IKE
> >         >     >> IPSEC Perfect Forward Secrecy: ESP
> >         >     >> IPSEC Encryption Algorithm: 3DES
> >         >     >> IPSEC Hashing Algorithm: SHA1
> >         >     >> IPSEC SA Lifetime: 3600
> >         >     >> Hosts: 172.25.48.43, 172.25.48.36
> >         >     >>
> >         >     >> Here is my config:
> >         >     >> [root@server ~]# cat /etc/ipsec.conf
> >         >     >> # /etc/ipsec.conf - Openswan IPsec configuration file
> >         >     >> version 2.0     # conforms to second version of ipsec.conf specification
> >         >     >>
> >         >     >> # basic configuration
> >         >     >> config setup
> >         >     >> nat_traversal=yes
> >         >     >> virtual_private=%v:10.0.0.0/16
> >         >     >> protostack=netkey
> >         >     >> interfaces=%defaultroute
> >         >     >> klipsdebug=none
> >         >     >> plutodebug=none
> >         >     >> plutowait=no
> >         >     >> uniqueids=yes
> >         >     >> include /etc/ipsec.d/*.conf
> >         >     >>
> >         >     >> [root@server ~]# cat /etc/ipsec.d/host-prd.conf
> >         >     >>
> >         >     >> #######################################################################
> >         >     >> # VPN to HOST
> >         >     >> #
> >         >     >> #remoteEndPoint/32        (Production)        externalIP/32
> >         >     >> #
> >         >     >> conn host-prd
> >         >     >>         ##### Local
> >         >     >>         left=externalIP
> >         >     >>         leftsourceip=externalIP
> >         >     >>         leftsubnet=externalIP/32
> >         >     >>         leftnexthop=%defaultroute
> >         >     >>
> >         >     >>         ##### Remote
> >         >     >>         right=remoteEndPoint
> >         >     >>         rightsubnets={172.25.48.43/32 172.25.48.36/32}
> >         >     >>         rightnexthop=%defaultroute
> >         >     >>
> >         >     >>         ##### Auth Options
> >         >     >>         authby=secret
> >         >     >>         rekey=no
> >         >     >>
> >         >     >>         ##### Phase 1
> >         >     >>         keyexchange=ike
> >         >     >>         ike=3des-sha1-modp1024
> >         >     >>         ikelifetime="14400"
> >         >     >>
> >         >     >>         ##### Phase 2
> >         >     >>         auth=esp
> >         >     >>         esp=3des-sha1
> >         >     >>         keylife="3600"
> >         >     >>         pfs=no
> >         >     >>
> >         >     >>         ##### Connection Options
> >         >     >>         type=tunnel
> >         >     >>         auto=start
> >         >     >>         compress=no
> >         >     >>
> >         >     >>         disablearrivalcheck=no
> >         >     >>         dpddelay=10
> >         >     >>         dpdtimeout=30
> >         >     >>         dpdaction=restart
> >         >     >>
> >         >     >>
> >         >     >> Here are the logs from when I try to connect:
> >         >     >> [root@server ~]# ipsec status
> >         >     >> 000 using kernel interface: netkey
> >         >     >> 000 interface lo/lo ::1
> >         >     >> 000 interface lo/lo 127.0.0.1
> >         >     >> 000 interface lo/lo 127.0.0.1
> >         >     >> 000 interface eth0/eth0 externalIP
> >         >     >> 000 interface eth0/eth0 externalIP
> >         >     >> 000 interface eth1/eth1 10.0.64.10
> >         >     >> 000 interface eth1/eth1 10.0.64.10
> >         >     >> 000 %myid = (none)
> >         >     >> 000 debug none
> >         >     >> 000
> >         >     >> 000 virtual_private (%priv):
> >         >     >> 000 - allowed 0 subnets:
> >         >     >> 000 - disallowed 0 subnets:
> >         >     >> 000 WARNING: Either virtual_private= is not specified, or there is a syntax
> >         >     >> 000          error in that line. 'left/rightsubnet=vhost:%priv' will not work!
> >         >     >> 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
> >         >     >> 000          private address space in internal use, it should be excluded!
> >         >     >> 000
> >         >     >> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
> >         >     >> 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128
> >         >     >> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
> >         >     >> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
> >         >     >> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
> >         >     >> 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
> >         >     >> 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
> >         >     >> 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=12, keysizemin=128, keysizemax=256
> >         >     >> 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=16, keysizemin=128, keysizemax=256
> >         >     >> 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
> >         >     >> 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=128, keysizemax=256
> >         >     >> 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=128, keysizemax=256
> >         >     >> 000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256
> >         >     >> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
> >         >     >> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
> >         >     >> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> >         >     >> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> >         >     >> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
> >         >     >> 000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
> >         >     >> 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
> >         >     >> 000 algorithm ESP auth attr: id=8, name=(null), keysizemin=160, keysizemax=160
> >         >     >> 000 algorithm ESP auth attr: id=9, name=(null), keysizemin=128, keysizemax=128
> >         >     >> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
> >         >     >> 000
> >         >     >> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
> >         >     >> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
> >         >     >> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
> >         >     >> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
> >         >     >> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
> >         >     >> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
> >         >     >> 000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
> >         >     >> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
> >         >     >> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
> >         >     >> 000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
> >         >     >> 000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
> >         >     >> 000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
> >         >     >> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> >         >     >> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> >         >     >> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
> >         >     >> 000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48
> >         >     >> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
> >         >     >> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> >         >     >> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> >         >     >> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> >         >     >> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> >         >     >> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> >         >     >> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> >         >     >> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> >         >     >> 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
> >         >     >> 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
> >         >     >> 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
> >         >     >> 000
> >         >     >> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,8064,64} trans={0,8064,3072} attrs={0,8064,2048}
> >         >     >> 000
> >         >     >> 000 "host-prd/0x1": externalIP/32===externalIP<externalIP>[+S=C]---defGateway...defGateway---remoteEndPoint<remoteEndPoint>[+S=C]===172.25.48.43/32; unrouted; eroute owner: #0
> >         >     >> 000 "host-prd/0x1":     myip=externalIP; hisip=unset;
> >         >     >> 000 "host-prd/0x1":   ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes
> >         >     >> 000 "host-prd/0x1":   policy: PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
> >         >     >> 000 "host-prd/0x1":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> >         >     >> 000 "host-prd/0x1":   aliases: host-prd
> >         >     >> 000 "host-prd/0x1":   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2)
> >         >     >> 000 "host-prd/0x1":   IKE algorithms found:  3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
> >         >     >> 000 "host-prd/0x1":   ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000
> >         >     >> 000 "host-prd/0x1":   ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
> >         >     >> 000 "host-prd/0x2": externalIP/32===externalIP<externalIP>[+S=C]---defGateway...defGateway---remoteEndPoint<remoteEndPoint>[+S=C]===172.25.48.36/32; unrouted; eroute owner: #0
> >         >     >> 000 "host-prd/0x2":     myip=externalIP; hisip=unset;
> >         >     >> 000 "host-prd/0x2":   ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes
> >         >     >> 000 "host-prd/0x2":   policy: PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
> >         >     >> 000 "host-prd/0x2":   newest ISAKMP SA: #7757; newest IPsec SA: #0;
> >         >     >> 000 "host-prd/0x2":   aliases: host-prd
> >         >     >> 000 "host-prd/0x2":   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2)
> >         >     >> 000 "host-prd/0x2":   IKE algorithms found:  3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
> >         >     >> 000 "host-prd/0x2":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
> >         >     >> 000 "host-prd/0x2":   ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000
> >         >     >> 000 "host-prd/0x2":   ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
> >         >     >> 000
> >         >     >> 000 #8083: "host-prd/0x1":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 4s; nodpd; idle; import:admin initiate
> >         >     >> 000 #8082: "host-prd/0x2":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 4s; nodpd; idle; import:admin initiate
> >         >     >> 000 #7757: "host-prd/0x2":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE_IF_USED in 2380s; newest ISAKMP; nodpd; idle; import:admin initiate
> >         >     >> 000
> >         >     >>
> >         >     >> Here is an ipsec verify:
> >         >     >> [root@server ~]# ipsec verify
> >         >     >> Checking your system to see if IPsec got installed and started correctly:
> >         >     >> Version check and ipsec on-path                                [OK]
> >         >     >> Linux Openswan U2.6.32/K2.6.32-504.16.2.el6.x86_64 (netkey)
> >         >     >> Checking for IPsec support in kernel                           [OK]
> >         >     >>  SAref kernel support                                          [N/A]
> >         >     >>  NETKEY:  Testing for disabled ICMP send_redirects             [OK]
> >         >     >> NETKEY detected, testing for disabled ICMP accept_redirects    [OK]
> >         >     >> Checking that pluto is running                                 [OK]
> >         >     >>  Pluto listening for IKE on udp 500                            [OK]
> >         >     >>  Pluto listening for NAT-T on udp 4500                         [OK]
> >         >     >> Two or more interfaces found, checking IP forwarding           [OK]
> >         >     >> Checking NAT and MASQUERADEing                                 [OK]
> >         >     >> Checking for 'ip' command                                      [OK]
> >         >     >> Checking /bin/sh is not /bin/dash                              [OK]
> >         >     >> Checking for 'iptables' command                                [OK]
> >         >     >> Opportunistic Encryption Support                               [DISABLED]
> >         >     >>
> >         >     >> Any ideas would be very welcome! Apologies if I'm missing something
> >         >     >> silly - I think I can't see the wood for the trees at the moment!
> >         >     >>
> >         >     >> Regards
> >         >     >> Ian
> >         >     >>
> >         >     >>
> >         >     >>
>
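Added cross-check for the thread above (example code written for this page; it is not from the thread, from Openswan or from Huawei): the script transcribes the Openswan conn and the Huawei VRP policy that were posted into one vocabulary and reports every negotiable parameter that differs, which is the comparison both sides end up doing by hand in an exchange like this. Transcription notes: the Huawei ACL rules are written with the explicit trailing 0 wildcard and the DH line as "dh group2", and the thread's placeholders (LEFTID, LOCALID, externalIP) are kept, so the ID and selector findings reflect the placeholders as posted, not necessarily the real values. The function names, the Huawei group-number to MODP mapping, the error/warn split (IKEv1 peers usually tolerate lifetime differences, the rest are real mismatches) and the reading of the ACL as source = hosts behind the Huawei, destination = hosts behind Openswan are this example's own assumptions. On the posted values it flags the IKE hash (sha1 against the Huawei md5, which Ian says he later changed), the IKE lifetime, the peer ID, and leftsubnet=externalIP/32 against the 10.0.64.x ACL destinations.

```python
"""Cross-check the posted Openswan conn against the posted Huawei VRP policy. Added
example for this page (not from the thread, Openswan or Huawei); placeholders kept."""
import re

OPENSWAN_CONN = """\
conn host-prd
        leftid=@LEFTID
        leftsubnet=externalIP/32
        rightsubnets={172.25.48.43/32 172.25.48.36/32}
        ike=3des-sha1-modp1024
        ikelifetime=14400
        esp=3des-sha1
        keylife=3600
        pfs=no
"""

HUAWEI_POLICY = """\
acl name LOCALID
 rule permit ip source 172.25.48.43 0 destination 10.0.64.66 0
 rule permit ip source 172.25.48.36 0 destination 10.0.64.66 0
ike proposal 10
 encryption-algorithm 3des
 authentication-algorithm md5
 dh group2
 sa duration 28800
 remote-id LOCALID
ipsec proposal LOCALID
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
ipsec policy LOCALID 1 isakmp
 sa duration time-based 3600
"""

# Huawei names DH groups by number, Openswan by MODP size (mapping assumed here).
HUAWEI_DH = {"group1": "modp768", "group2": "modp1024", "group5": "modp1536", "group14": "modp2048"}

def parse_openswan(text):
    kv = dict(l.strip().split("=", 1) for l in text.splitlines() if "=" in l)
    leftid = kv["leftid"]
    return {
        "ike": tuple(kv["ike"].split("-")),   # (enc, hash, dh)
        "esp": tuple(kv["esp"].split("-")),   # (enc, auth)
        "ike_life": int(kv["ikelifetime"]), "ipsec_life": int(kv["keylife"]),
        "pfs": kv["pfs"] == "yes",
        # '@name' is sent as an FQDN-type ID, a bare address as an IP-type ID
        "local_id": ("fqdn", leftid[1:]) if leftid.startswith("@") else ("ip", leftid),
        "local_sel": {kv["leftsubnet"]},
        "remote_sel": set(re.findall(r"[\d.]+/\d+", kv["rightsubnets"])),
    }

def parse_huawei(text):
    h = {"src": set(), "dst": set(), "pfs": False}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"rule permit ip source (\S+) \S+ destination (\S+)", line):
            h["src"].add(m[1] + "/32"); h["dst"].add(m[2] + "/32")  # wildcard 0 = one host
        elif m := re.match(r"esp (encryption|authentication)-algorithm (\S+)", line):
            h["esp_" + m[1]] = m[2]
        elif m := re.match(r"(encryption|authentication)-algorithm (\S+)", line):
            h["ike_" + m[1]] = m[2]
        elif m := re.match(r"dh (\S+)", line):
            h["ike_dh"] = HUAWEI_DH[m[1]]
        elif m := re.match(r"sa duration time-based (\d+)", line):
            h["ipsec_life"] = int(m[1])   # under 'ipsec policy'
        elif m := re.match(r"sa duration (\d+)", line):
            h["ike_life"] = int(m[1])     # under 'ike proposal'
        elif m := re.match(r"remote-id (\S+)", line):
            h["remote_id"] = m[1]
        elif line.startswith("pfs "):
            h["pfs"] = True
    return h

def cross_check(ow, hw):
    """(severity, message) pairs: 'error' will not negotiate, 'warn' is usually tolerated."""
    out = []
    hw_ike = (hw["ike_encryption"], hw["ike_authentication"], hw["ike_dh"])
    if ow["ike"] != hw_ike:
        out.append(("error", f"IKE proposal {ow['ike']} vs {hw_ike}"))
    hw_esp = (hw["esp_encryption"], hw["esp_authentication"])
    if ow["esp"] != hw_esp:
        out.append(("error", f"ESP proposal {ow['esp']} vs {hw_esp}"))
    if ow["pfs"] != hw["pfs"]:
        out.append(("error", "PFS enabled on one side only"))
    for key, label in (("ike_life", "IKE"), ("ipsec_life", "IPsec")):
        if ow[key] != hw[key]:
            out.append(("warn", f"{label} lifetime {ow[key]}s vs {hw[key]}s"))
    # The responder looks its ike peer up by the ID we send; a miss is what
    # INVALID_ID_INFORMATION and "find ike peer by ID failed" report.
    id_type, id_val = ow["local_id"]
    if id_val != hw["remote_id"]:
        out.append(("error", f"our {id_type} ID {id_val!r} vs remote-id {hw['remote_id']!r}"))
    # Phase 2 selectors: ACL source = hosts behind the Huawei, destination = ours.
    if ow["remote_sel"] != hw["src"]:
        out.append(("error", f"rightsubnets {sorted(ow['remote_sel'])} vs ACL sources {sorted(hw['src'])}"))
    if ow["local_sel"] != hw["dst"]:
        out.append(("error", f"leftsubnet {sorted(ow['local_sel'])} vs ACL destinations {sorted(hw['dst'])}"))
    return out

if __name__ == "__main__":
    for sev, msg in cross_check(parse_openswan(OPENSWAN_CONN), parse_huawei(HUAWEI_POLICY)):
        print(f"[{sev}] {msg}")
```

Run it as a script to print the findings; cross_check() returns the list, so it can also be asserted on before a config change is pushed, and swapping the two string constants for the real files is all that is needed to reuse it.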