[Openswan Users] Connection to Huawei VRP
Ian Barnes
ian.lidtech at gmail.com
Sun Oct 23 15:33:03 EDT 2016
Hi,
I am having trouble setting up a connection to a provider (and am also
running into delays getting logs from them) so I was wondering if anyone
can spot a glaring error or point me in the possible right direction as to
why my tunnel isnt coming up.
First off - the connection details (as provided by the remote party):
*Remote:*
Remote Device: Huawei VRP
Auth Method: Pre-Shared Key
Encryption: IKE
IKE PFS: 3DES
IKE Encryption Algorithm: SHA1
IKE Hashing Algorithm: Group 2 (1024)
IKE SA Lifetime: 14400
Transform (IPSec Protocol): IKE
IPSEC Perfect Forward Secrecy: ESP
IPSEC Encryption Algorithm: 3DES
IPSEC Hashing Algorithm: SHA1
IPSEC SA Lifetime: 3600
Hosts: 172.25.48.43, 172.25.48.36
Here is my config:
*[root at server ~]# cat /etc/ipsec.conf*
# /etc/ipsec.conf - Openswan IPsec configuration file
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
nat_traversal=yes
virtual_private=%v:10.0.0.0/16
protostack=netkey
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
plutowait=no
uniqueids=yes
include /etc/ipsec.d/*.conf
*[root at server ~]# cat /etc/ipsec.d/host-prd.conf*
#######################################################################
# VPN to HOST
#
#remoteEndPoint/32 (Production) externalIP/32
#
conn host-prd
##### Local
left=externalIP
leftsourceip=externalIP
leftsubnet=externalIP/32
leftnexthop=%defaultroute
##### Remote
right=remoteEndPoint
rightsubnets={172.25.48.43/32 172.25.48.36/32}
rightnexthop=%defaultroute
##### Auth Options
authby=secret
rekey=no
##### Phase 1
keyexchange=ike
ike=3des-sha1-modp1024
ikelifetime="14400"
##### Phase 2
auth=esp
esp=3des-sha1
keylife="3600"
pfs=no
##### Connection Options
type=tunnel
auto=start
compress=no
disablearrivalcheck=no
dpddelay=10
dpdtimeout=30
dpdaction=restart
Here are the logs of when I try connect:
[root at server ~]# ipsec status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 externalIP
000 interface eth0/eth0 externalIP
000 interface eth1/eth1 10.0.64.10
000 interface eth1/eth1 10.0.64.10
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= is not specified, or there is a syntax
000 error in that line. 'left/rightsubnet=vhost:%priv' will not
work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000 private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128,
keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=12,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=16,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384,
keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512,
keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=(null), keysizemin=160,
keysizemax=160
000 algorithm ESP auth attr: id=9, name=(null), keysizemin=128,
keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH,
blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,8064,64}
trans={0,8064,3072} attrs={0,8064,2048}
000
000 "host-prd/0x1":
externalIP/32===externalIP<externalIP>[+S=C]---defGateway...defGateway---remoteEndPoint<remoteEndPoint>[+S=C]===
172.25.48.43/32; unrouted; eroute owner: #0
000 "host-prd/0x1": myip=externalIP; hisip=unset;
000 "host-prd/0x1": ike_life: 14400s; ipsec_life: 3600s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes
000 "host-prd/0x1": policy:
PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio:
32,32; interface: eth0;
000 "host-prd/0x1": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "host-prd/0x1": aliases: host-prd
000 "host-prd/0x1": IKE algorithms wanted:
3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2)
000 "host-prd/0x1": IKE algorithms found:
3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "host-prd/0x1": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000
000 "host-prd/0x1": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
000 "host-prd/0x2":
externalIP/32===externalIP<externalIP>[+S=C]---defGateway...defGateway---remoteEndPoint<remoteEndPoint>[+S=C]===
172.25.48.36/32; unrouted; eroute owner: #0
000 "host-prd/0x2": myip=externalIP; hisip=unset;
000 "host-prd/0x2": ike_life: 14400s; ipsec_life: 3600s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes
000 "host-prd/0x2": policy:
PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio:
32,32; interface: eth0;
000 "host-prd/0x2": newest ISAKMP SA: #7757; newest IPsec SA: #0;
000 "host-prd/0x2": aliases: host-prd
000 "host-prd/0x2": IKE algorithms wanted:
3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2)
000 "host-prd/0x2": IKE algorithms found:
3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "host-prd/0x2": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "host-prd/0x2": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000
000 "host-prd/0x2": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
000
000 #8083: "host-prd/0x1":500 STATE_QUICK_I1 (sent QI1, expecting QR1);
EVENT_RETRANSMIT in 4s; nodpd; idle; import:admin initiate
000 #8082: "host-prd/0x2":500 STATE_QUICK_I1 (sent QI1, expecting QR1);
EVENT_RETRANSMIT in 4s; nodpd; idle; import:admin initiate
000 #7757: "host-prd/0x2":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE_IF_USED in 2380s; newest ISAKMP; nodpd; idle; import:admin
initiate
000
*Here is an ipsec verify:*
[root at server ~]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.32-504.16.2.el6.x86_64 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
Any ideas would be very welcome! Apologies if i'm missing something silly -
i think i cant see the wood for the trees at the moment!
Regards
Ian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20161023/3bd04d23/attachment-0001.html>
More information about the Users
mailing list