[Openswan Users] Fwd: Re: Connection to Huawei VRP

Samir Hussain shussain at xelerance.com
Thu Nov 3 08:38:52 EDT 2016


Rescued from the spam bucket.  Please remember to subscribe to the
mailing list before posting to it.



-------- Forwarded Message --------
Subject: 	Re: [Openswan Users] Connection to Huawei VRP
Date: 	Thu, 03 Nov 2016 12:00:27 +0000
From: 	Daniel Cave <dan.cave at icloud.com>
To: 	Ian Barnes <ian.lidtech at gmail.com>
CC: 	Samir Hussain <shussain at xelerance.com>, Openswan List
<users at lists.openswan.org>



Hi Ian..

I spent quite a lot of time last year getting OpenSwan working with a
Cisco VPN concentrator, based on what initially appeared to be a
straightforward IPsec LAN-to-LAN connection.

Some of the things I've learned about IPsec and network vendors are that
inter-op is an issue, as all vendors treat some of the setups differently.

Looking at the PasteBin logs I've seen a number of Phase 1/IKE issues
which I previously ran into.

1. Do your peer IPs match? The logs mention something in the IKE output
about the external IP existing or missing:

    Nov  2 2016 16:21:12.70.6 Huawei-Host IKE/7/DEBUG:Slot=1/3,Vcpu=0; checking externalIP && 1...
    <Huawei-Host>undo ter
    Nov  2 2016 16:21:12.70.7 Huawei-Host IKE/7/DEBUG:Slot=1/3,Vcpu=0;exchange establish phase1: exchange for peer "externalIP" already exist
    <Huawei-Host>undo ter
    Nov  2 2016 16:21:12.70.8 Huawei-Host IKE/7/DEBUG:Slot=1/3,Vcpu=0;release transport: transport 74b17430 had 1 references
    <Huawei-Host>undo ter
    Nov  2 2016 16:21:12.70.9 Huawei-Host IKE/7/DEBUG:Slot=1/3,Vcpu=0;release transport:: freeing 74b17430
    <Huawei-Host>undo termin
    <Huawei-Host>undo terminal moni
    <Huawei-Host>undo terminal monitor
    <Huawei-Host>undo terminal monitor
    Nov  2 2016 16:21:22.120.1 Huawei-Host IKE/7/DEBUG:Slot=1/3,Vcpu=0;pf_key_v2_acquire: tos src 0xff dst 0xff
    <Huawei-Host>undo terminal monitor
    Nov  2 2016 16:21:22.120.2 Huawei-Host IKE/7/DEBUG:Slot=1/3,Vcpu=0;Check connection: SA for externalIP,localid-1-25 missing



2. Are they using the correct PSK with the correct IP address which
you're presenting via Openswan?
3. I see from the email you sent earlier that they're looking to
negotiate using 3des-sha1.

If you do an ipsec status on the box locally you'll see all the ciphers
and transform sets/algorithms it supports; send them a copy of this in a
rationalised format in xls/email, just to be sure. I noticed that
when I couldn't get the Cisco to talk to our Openswan box, someone (on
this forum) actually pointed out to me that the racoon daemon should
actually negotiate all the ciphers with my peer from the most secure
through to the least. However, most third-party boxes won't accept that
and you have to specify it.

Have you tried just a straightforward LeftID / RightID / subnets setup?

I also noticed you had rekeying turned off. I would comment that out;
I've never set that, unless your third party has explicitly told you to
turn it off.


It looks to me like there might be a misconfiguration somewhere.
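An added example, not part of Daniel's reply nor code from Openswan or Huawei: a small Python parser for the Huawei VRP IKE debug lines quoted above. It splits each line into timestamp, host, module/severity and message, skips the CLI echo lines (the "undo terminal monitor" fragments), and maps the two messages Daniel points at (the phase 1 exchange that "already exist"s and the "SA ... missing" line) to the checks he lists, so the same log can be triaged without reading it by hand. The sample lines are constructed from the quoted output ("externalIP" stands in for the real peer address as it does in the post); the hint wording is an assumption, not Huawei's documentation of those messages.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the Huawei VRP IKE debug lines quoted in the thread,
# including the terminal echo lines that get mixed into a pasted capture.
SAMPLE_LOG = """\
Nov  2 2016 16:21:12.70.6 Huawei-Host IKE/7/DEBUG:Slot=1/3,Vcpu=0; checking externalIP && 1...
<Huawei-Host>undo ter
Nov  2 2016 16:21:12.70.7 Huawei-Host IKE/7/DEBUG:Slot=1/3,Vcpu=0;exchange establish phase1: exchange for peer "externalIP" already exist
Nov  2 2016 16:21:12.70.8 Huawei-Host IKE/7/DEBUG:Slot=1/3,Vcpu=0;release transport: transport 74b17430 had 1 references
Nov  2 2016 16:21:12.70.9 Huawei-Host IKE/7/DEBUG:Slot=1/3,Vcpu=0;release transport:: freeing 74b17430
<Huawei-Host>undo terminal monitor
Nov  2 2016 16:21:22.120.1 Huawei-Host IKE/7/DEBUG:Slot=1/3,Vcpu=0;pf_key_v2_acquire: tos src 0xff dst 0xff
Nov  2 2016 16:21:22.120.2 Huawei-Host IKE/7/DEBUG:Slot=1/3,Vcpu=0;Check connection: SA for externalIP,localid-1-25 missing
"""

# "<Mon> <d> <yyyy> <hh:mm:ss>.<ms>.<seq> <host> <MODULE>/<sev>/<MNEMONIC>:<location>;<message>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d+\.\d+) "
    r"(?P<host>\S+) "
    r"(?P<module>[A-Z]+)/(?P<sev>\d)/(?P<mnemonic>[A-Z]+):"
    r"(?P<loc>[^;]*);\s*(?P<msg>.*)$"
)


@dataclass
class IkeEvent:
    ts: str
    host: str
    severity: int
    msg: str
    hint: Optional[str]  # None when the message is not one we know how to triage


# Message patterns seen in the quoted log, mapped to the checks suggested in
# the reply (peer IPs, PSK, IDs and proposals). Hint texts are assumptions.
HINTS = [
    (re.compile(r'exchange for peer "(?P<peer>[^"]+)" already exist'),
     "phase 1 exchange for {peer} already exists: an earlier IKE exchange "
     "for this peer was never torn down; check that the peer IPs match"),
    (re.compile(r"SA for (?P<peer>[^,]+),(?P<localid>\S+) missing"),
     "no SA for {peer}/{localid}: the tunnel never came up; compare PSK, "
     "left/right IDs and the proposal (e.g. 3des-sha1) on both ends"),
    (re.compile(r"release transport: transport (?P<tid>[0-9a-f]+) had"),
     "IKE transport {tid} released before any SA was installed"),
]


def parse_line(line: str) -> Optional[IkeEvent]:
    """Parse one debug line; return None for CLI echo or blank lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    hint = None
    for pattern, text in HINTS:
        h = pattern.search(msg)
        if h:
            hint = text.format(**h.groupdict())
            break
    return IkeEvent(m.group("ts"), m.group("host"), int(m.group("sev")), msg, hint)


def parse_log(text: str):
    """Parse a whole capture, dropping lines that are not IKE debug records."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def summarize(events):
    """Return (number of debug records, distinct hints in first-seen order)."""
    hints = []
    for ev in events:
        if ev.hint and ev.hint not in hints:
            hints.append(ev.hint)
    return len(events), hints


if __name__ == "__main__":
    count, hints = summarize(parse_log(SAMPLE_LOG))
    print(f"{count} IKE debug records")
    for h in hints:
        print(" -", h)
```

Run it against a capture from `terminal monitor` / `debugging ike` output saved to a file (replace SAMPLE_LOG with the file contents) to get the list of things to compare with the peer before going back and forth by email.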