[Openswan Users] Connection to Huawei VRP
Ian Barnes
ian.lidtech at gmail.com
Sun Oct 30 14:43:29 EDT 2016
Hi All,
First, many thanks to Samir for the assistance so far - but I've hit
another wall and need some more assistance. Upon instruction from the
company I'm connecting to, I set the leftid and rightid to what they
configured but am now getting the following logs:
http://pastebin.com/ddfLM29C
My config now looks as follows:
conn host-prd
    ##### Local
    left=externalIP
    leftid=@LEFTID
    leftsubnet=externalIP/32
    leftnexthop=%defaultroute
    ##### Remote
    right=RIGHTIP/ID
    rightid=RIGHTIP/ID
    rightsubnets={172.25.48.43/32 172.25.48.36/32}
    rightnexthop=%defaultroute
    ##### Auth Options
    authby=secret
    rekey=no
    ##### Phase 1
    ike=3des-sha1-modp1024
    ikelifetime="14400"
    ##### Phase 2
    esp=3des-sha1
    keylife="3600"
    pfs=no
    ##### Connection Options
    type=tunnel
    auto=start
    compress=no
    disablearrivalcheck=no
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart
My secrets file is as follows:
# cat /etc/ipsec.d/ipsec.secrets
@LEFTID RIGHTIP/ID: PSK "PSKHERE"
I see this line in the logs:
| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
I assume this to mean the PSK failed? From what I can see that's not because
it didn't match on my end; they are rejecting the PSK, correct?
The remote party provided the following logs:
Oct 27 2016 14:39:24.660.20 HOST IKE/7/DEBUG:Slot=1/2,Vcpu=0;Enter m_responder_recv_ID_AUTH
[HOST-diagnose]
Oct 27 2016 14:39:24.670.1 HOST IKE/7/DEBUG:Slot=1/2,Vcpu=0;recv ID: find ike peer by ID failed !
[HOST-diagnose]
Oct 27 2016 14:39:24.670.2 HOST IKE/7/DEBUG:Slot=1/2,Vcpu=0;Leave m_responder_recv_ID_AUTH: recv_ID run err!
Oct 27 2016 14:39:54.680.20 HOST IKE/7/DEBUG:Slot=1/2,Vcpu=0;check message duplicate: dropping dup
Looking at the second line it appears to be a configuration error on their
end correct?
Regards
Ian
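Samir's first point earlier in this thread, that the IDs a conn uses must also select a PSK line in ipsec.secrets, can be checked mechanically. The script below is an added example and is not code from the thread or from Openswan: it parses one conn section and an ipsec.secrets file, reports when no PSK line covers the conn's leftid/rightid pair, and flags a name-style leftid such as @LEFTID, since in IKEv1 main mode the ID payload travels encrypted and the responder has to pick the PSK by source address first and then match the received ID against a configured peer. The conn text and secrets lines are constructed from the placeholders in the post; 203.0.113.10 stands in for externalIP and 198.51.100.20 for RIGHTIP.

```python
"""Check that an Openswan conn and ipsec.secrets agree on the IKE identities.

Added example, not from the thread or from Openswan itself. The conn text
and secrets lines below are constructed from the placeholders in Ian's post;
203.0.113.10 stands in for externalIP and 198.51.100.20 for RIGHTIP.
"""
import re

IPSEC_CONF = """\
conn host-prd
    left=203.0.113.10
    leftid=@LEFTID
    leftsubnet=203.0.113.10/32
    right=198.51.100.20
    rightid=198.51.100.20
    rightsubnets={172.25.48.43/32 172.25.48.36/32}
    authby=secret
    ike=3des-sha1-modp1024
    esp=3des-sha1
"""

# Constructed secrets: the first selects the conn's IDs, the second is keyed on
# the bare address and therefore does not cover leftid=@LEFTID.
SECRETS_OK = '@LEFTID 198.51.100.20: PSK "PSKHERE"\n'
SECRETS_BAD = '203.0.113.10 198.51.100.20: PSK "PSKHERE"\n'

# PSK line: '<selector> <selector> ... : PSK "<secret>"'. An empty selector
# list (': PSK "..."') applies to any peer. IPv6 selectors contain ':' and are
# not handled by this simple pattern.
SECRET_LINE = re.compile(r'^\s*(?P<ids>[^:]*?)\s*:\s*PSK\s+"(?P<psk>[^"]*)"\s*$')


def parse_conn(text, name):
    """Return the key=value settings of the named conn section (values unquoted)."""
    settings = {}
    in_conn = False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("conn "):
            in_conn = stripped.split(None, 1)[1] == name
            continue
        if stripped.startswith("config "):
            in_conn = False
            continue
        if in_conn and "=" in stripped:
            key, value = stripped.split("=", 1)
            settings[key.strip()] = value.strip().strip('"')
    return settings


def conn_ids(settings):
    """IDs the conn will present and expect: leftid/rightid, else left/right."""
    return (settings.get("leftid", settings.get("left")),
            settings.get("rightid", settings.get("right")))


def parse_secrets(text):
    """Return [(selector_list, psk)] for every PSK line; comments are ignored."""
    out = []
    for line in text.splitlines():
        m = SECRET_LINE.match(line.split("#", 1)[0])
        if m:
            out.append((m.group("ids").split(), m.group("psk")))
    return out


def selects(ids, left_id, right_id):
    """True if a secrets line's selector list covers both IDs of the conn."""
    if not ids or "%any" in ids:
        return True
    return {left_id, right_id} <= set(ids)


def check(conf_text, secrets_text, conn_name):
    """Return findings; 'ERROR:' entries block the tunnel, 'NOTE:' entries are caveats."""
    conn = parse_conn(conf_text, conn_name)
    left_id, right_id = conn_ids(conn)
    findings = []
    if conn.get("authby") == "secret":
        if not any(selects(ids, left_id, right_id)
                   for ids, _psk in parse_secrets(secrets_text)):
            findings.append("ERROR: no PSK line in ipsec.secrets selects both "
                            f"{left_id} and {right_id}")
    # In IKEv1 main mode the ID payload is sent encrypted, so the responder must
    # choose the PSK by our source address and only then match the ID against
    # its configured peer; a name ID such as @LEFTID therefore works only if
    # the remote side has been configured to expect exactly that name.
    if left_id and left_id.startswith("@"):
        findings.append(f"NOTE: leftid {left_id} is a name, not an address; "
                        "confirm the remote peer expects exactly this ID")
    return findings


if __name__ == "__main__":
    for label, secrets in (("secrets-ok", SECRETS_OK), ("secrets-bad", SECRETS_BAD)):
        print(label)
        for finding in check(IPSEC_CONF, secrets, "host-prd") or ["consistent"]:
            print("  " + finding)
```

Run it against a real /etc/ipsec.conf and /etc/ipsec.d/ipsec.secrets by reading both files into `check()`; the NOTE on a name-style leftid is the thing to compare against whatever the remote side says it expects.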
On Tue, Oct 25, 2016 at 8:31 AM, Ian Barnes <ian.lidtech at gmail.com> wrote:
> Hey Samir,
>
> Many many thanks for the quick response, helping me out hugely here!
>
> I have contacted the provider to ask what the ID is that they are
> expecting, hopefully I get some joy :)
>
> Will keep you posted on resolution thanks!
>
> Regards
> Ian
>
> On Mon, Oct 24, 2016 at 11:10 PM, Samir Hussain <shussain at xelerance.com>
> wrote:
>
>> Hello Ian,
>> Thank you for providing a paste bin link. It was very helpful.
>>
>> Your issue seems to be with your id. In your original ipsec.conf, I
>> did not see a leftid or a rightid. If you have added them, please be
>> sure to:
>>
>> 1) Have the same leftid and rightid in your secrets file (normally
>> /etc/ipsec.secrets)
>> 2) Have the same id as what the remote peer expects.
>>
>> Samir
>>
>> On 2016-10-24 04:07 PM, Ian Barnes wrote:
>> > Hi Samir,
>> >
>> > Thanks so much for the response - very much appreciated. I've made the
>> > changes you suggested and have had zero joy. Here are the
>> > logs: http://pastebin.com/tycfF6JN. The only thing I can see is this:
>> >
>> > got payload 0x800(ISAKMP_NEXT_N) needed: 0x0 opt: 0x0
>> > | ***parse ISAKMP Notification Payload:
>> > | next payload type: ISAKMP_NEXT_NONE
>> > | length: 12
>> > | DOI: ISAKMP_DOI_IPSEC
>> > | protocol ID: 1
>> > | SPI size: 0
>> > | Notify Message Type: INVALID_ID_INFORMATION
>> > | removing 4 bytes of padding
>> > "host-prd/0x2" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
>> > | info:
>> > | processing informational INVALID_ID_INFORMATION (18)
>> > "host-prd/0x2" #1: received and ignored informational message
>> > | complete state transition with STF_IGNORE
>> > | * processed 0 messages from cryptographic helpers
>> > | next event EVENT_RETRANSMIT in 10 seconds for #3
>> > | next event EVENT_RETRANSMIT in 10 seconds for #3
>> >
>> > But I cant find much about that error.
>> >
>> > Any ideas?
>> >
>> > Cheers
>> > Ian
>> >
>> >
>> > On Mon, Oct 24, 2016 at 9:53 PM, Samir Hussain <shussain at xelerance.com> wrote:
>> >
>> > One quick question: You have explicitly set pfs to no. Does the other
>> > side not expect PFS? What happens if you enable PFS?
>> >
>> > Samir
>> >
>> > On 2016-10-24 12:17 PM, Samir Hussain wrote:
>> > > Hello,
>> > > A couple of comments:
>> > > * ikelifetime and phasetime do not need to be quoted
>> > > * is your leftsourceip the same as the IP assigned to left? If it is,
>> > > then you can remove leftsourceip
>> > > * keyexchange and aut=esp should be removed
>> > >
>> > > If you are still experiencing problems, what do the logs show? You can
>> > > enable them by adding the following in the "config setup" section:
>> > >
>> > > plutodebug="control parsing"
>> > > plutostderrlog=/var/log/ipsec.log
>> > >
>> > > Samir
>> > >
>> > > On 2016-10-23 03:33 PM, Ian Barnes wrote:
>> > >> Hi,
>> > >>
>> > >> I am having trouble setting up a connection to a provider (and am also
>> > >> running into delays getting logs from them) so I was wondering if anyone
>> > >> can spot a glaring error or point me in the possible right direction as
>> > >> to why my tunnel isn't coming up.
>> > >>
>> > >> First off - the connection details (as provided by the remote party):
>> > >> *Remote:*
>> > >> Remote Device: Huawei VRP
>> > >> Auth Method: Pre-Shared Key
>> > >> Encryption: IKE
>> > >> IKE PFS: 3DES
>> > >> IKE Encryption Algorithm: SHA1
>> > >> IKE Hashing Algorithm: Group 2 (1024)
>> > >> IKE SA Lifetime: 14400
>> > >> Transform (IPSec Protocol): IKE
>> > >> IPSEC Perfect Forward Secrecy: ESP
>> > >> IPSEC Encryption Algorithm: 3DES
>> > >> IPSEC Hashing Algorithm: SHA1
>> > >> IPSEC SA Lifetime: 3600
>> > >> Hosts: 172.25.48.43, 172.25.48.36
>> > >>
>> > >> Here is my config:
>> > >> *[root at server ~]# cat /etc/ipsec.conf*
>> > >> # /etc/ipsec.conf - Openswan IPsec configuration file
>> > >> version 2.0 # conforms to second version of ipsec.conf specification
>> > >>
>> > >> # basic configuration
>> > >> config setup
>> > >>     nat_traversal=yes
>> > >>     virtual_private=%v:10.0.0.0/16
>> > >>     protostack=netkey
>> > >>     interfaces=%defaultroute
>> > >>     klipsdebug=none
>> > >>     plutodebug=none
>> > >>     plutowait=no
>> > >>     uniqueids=yes
>> > >> include /etc/ipsec.d/*.conf
>> > >>
>> > >> *[root at server ~]# cat /etc/ipsec.d/host-prd.conf*
>> > >>
>> > >> #######################################################################
>> > >> # VPN to HOST
>> > >> #
>> > >> #remoteEndPoint/32 (Production) externalIP/32
>> > >> #
>> > >> conn host-prd
>> > >>     ##### Local
>> > >>     left=externalIP
>> > >>     leftsourceip=externalIP
>> > >>     leftsubnet=externalIP/32
>> > >>     leftnexthop=%defaultroute
>> > >>
>> > >>     ##### Remote
>> > >>     right=remoteEndPoint
>> > >>     rightsubnets={172.25.48.43/32 172.25.48.36/32}
>> > >>     rightnexthop=%defaultroute
>> > >>
>> > >>     ##### Auth Options
>> > >>     authby=secret
>> > >>     rekey=no
>> > >>
>> > >>     ##### Phase 1
>> > >>     keyexchange=ike
>> > >>     ike=3des-sha1-modp1024
>> > >>     ikelifetime="14400"
>> > >>
>> > >>     ##### Phase 2
>> > >>     auth=esp
>> > >>     esp=3des-sha1
>> > >>     keylife="3600"
>> > >>     pfs=no
>> > >>
>> > >>     ##### Connection Options
>> > >>     type=tunnel
>> > >>     auto=start
>> > >>     compress=no
>> > >>
>> > >>     disablearrivalcheck=no
>> > >>     dpddelay=10
>> > >>     dpdtimeout=30
>> > >>     dpdaction=restart
>> > >>
>> > >>
>> > >> Here are the logs of when I try connect:
>> > >> [root at server ~]# ipsec status
>> > >> 000 using kernel interface: netkey
>> > >> 000 interface lo/lo ::1
>> > >> 000 interface lo/lo 127.0.0.1
>> > >> 000 interface lo/lo 127.0.0.1
>> > >> 000 interface eth0/eth0 externalIP
>> > >> 000 interface eth0/eth0 externalIP
>> > >> 000 interface eth1/eth1 10.0.64.10
>> > >> 000 interface eth1/eth1 10.0.64.10
>> > >> 000 %myid = (none)
>> > >> 000 debug none
>> > >> 000
>> > >> 000 virtual_private (%priv):
>> > >> 000 - allowed 0 subnets:
>> > >> 000 - disallowed 0 subnets:
>> > >> 000 WARNING: Either virtual_private= is not specified, or there is a syntax
>> > >> 000 error in that line. 'left/rightsubnet=vhost:%priv' will not
>> > >> 000 work!
>> > >> 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
>> > >> 000 private address space in internal use, it should be excluded!
>> > >> 000
>> > >> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
>> > >> 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128
>> > >> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
>> > >> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
>> > >> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
>> > >> 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
>> > >> 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
>> > >> 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=12, keysizemin=128, keysizemax=256
>> > >> 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=16, keysizemin=128, keysizemax=256
>> > >> 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
>> > >> 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=128, keysizemax=256
>> > >> 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=128, keysizemax=256
>> > >> 000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256
>> > >> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
>> > >> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
>> > >> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
>> > >> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
>> > >> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
>> > >> 000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
>> > >> 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
>> > >> 000 algorithm ESP auth attr: id=8, name=(null), keysizemin=160, keysizemax=160
>> > >> 000 algorithm ESP auth attr: id=9, name=(null), keysizemin=128, keysizemax=128
>> > >> 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
>> > >> 000
>> > >> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
>> > >> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
>> > >> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
>> > >> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
>> > >> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
>> > >> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
>> > >> 000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
>> > >> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
>> > >> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
>> > >> 000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
>> > >> 000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
>> > >> 000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
>> > >> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
>> > >> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
>> > >> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
>> > >> 000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48
>> > >> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
>> > >> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
>> > >> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
>> > >> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
>> > >> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
>> > >> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
>> > >> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
>> > >> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
>> > >> 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
>> > >> 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
>> > >> 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
>> > >> 000
>> > >> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,8064,64} trans={0,8064,3072} attrs={0,8064,2048}
>> > >> 000
>> > >> 000 "host-prd/0x1": externalIP/32===externalIP<externalIP>[+S=C]---defGateway...defGateway---remoteEndPoint<remoteEndPoint>[+S=C]===172.25.48.43/32; unrouted; eroute owner: #0
>> > >> 000 "host-prd/0x1": myip=externalIP; hisip=unset;
>> > >> 000 "host-prd/0x1": ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes
>> > >> 000 "host-prd/0x1": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
>> > >> 000 "host-prd/0x1": newest ISAKMP SA: #0; newest IPsec SA: #0;
>> > >> 000 "host-prd/0x1": aliases: host-prd
>> > >> 000 "host-prd/0x1": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2)
>> > >> 000 "host-prd/0x1": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
>> > >> 000 "host-prd/0x1": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000
>> > >> 000 "host-prd/0x1": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
>> > >> 000 "host-prd/0x2": externalIP/32===externalIP<externalIP>[+S=C]---defGateway...defGateway---remoteEndPoint<remoteEndPoint>[+S=C]===172.25.48.36/32; unrouted; eroute owner: #0
>> > >> 000 "host-prd/0x2": myip=externalIP; hisip=unset;
>> > >> 000 "host-prd/0x2": ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes
>> > >> 000 "host-prd/0x2": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
>> > >> 000 "host-prd/0x2": newest ISAKMP SA: #7757; newest IPsec SA: #0;
>> > >> 000 "host-prd/0x2": aliases: host-prd
>> > >> 000 "host-prd/0x2": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2)
>> > >> 000 "host-prd/0x2": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
>> > >> 000 "host-prd/0x2": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
>> > >> 000 "host-prd/0x2": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000
>> > >> 000 "host-prd/0x2": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
>> > >> 000
>> > >> 000 #8083: "host-prd/0x1":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 4s; nodpd; idle; import:admin initiate
>> > >> 000 #8082: "host-prd/0x2":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 4s; nodpd; idle; import:admin initiate
>> > >> 000 #7757: "host-prd/0x2":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE_IF_USED in 2380s; newest ISAKMP; nodpd; idle; import:admin initiate
>> > >> 000
>> > >>
>> > >> *Here is an ipsec verify:*
>> > >> [root at server ~]# ipsec verify
>> > >> Checking your system to see if IPsec got installed and started correctly:
>> > >> Version check and ipsec on-path [OK]
>> > >> Linux Openswan U2.6.32/K2.6.32-504.16.2.el6.x86_64 (netkey)
>> > >> Checking for IPsec support in kernel [OK]
>> > >> SAref kernel support [N/A]
>> > >> NETKEY: Testing for disabled ICMP send_redirects [OK]
>> > >> NETKEY detected, testing for disabled ICMP accept_redirects [OK]
>> > >> Checking that pluto is running [OK]
>> > >> Pluto listening for IKE on udp 500 [OK]
>> > >> Pluto listening for NAT-T on udp 4500 [OK]
>> > >> Two or more interfaces found, checking IP forwarding [OK]
>> > >> Checking NAT and MASQUERADEing [OK]
>> > >> Checking for 'ip' command [OK]
>> > >> Checking /bin/sh is not /bin/dash [OK]
>> > >> Checking for 'iptables' command [OK]
>> > >> Opportunistic Encryption Support [DISABLED]
>> > >>
>> > >> Any ideas would be very welcome! Apologies if I'm missing something
>> > >> silly - I think I can't see the wood for the trees at the moment!
>> > >>
>> > >> Regards
>> > >> Ian
>> > >>
>> > >>
>> > >>
>> >
>> >
>>
>
>
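The two log fragments in this thread come from opposite ends of the same failed exchange: pluto records the INVALID_ID_INFORMATION notification it received, and the Huawei side records that it could not find an ike peer for the ID it was sent. The script below is an added example, not part of the original messages or of either vendor's tooling: it recognises those lines (plus the EVENT_CRYPTO_FAILED watchdog and retransmit lines, which pluto logs in normal operation), parses the Huawei VRP debug format, and combines both sides' evidence into one verdict. The sample logs are constructed from the lines quoted in the thread.

```python
"""Triage the IKEv1 debug lines quoted in this thread.

Added example, not part of the original messages or of Openswan/Huawei
tooling. The sample logs are constructed from the lines quoted in the thread.
"""
import re

PLUTO_LOG = """\
| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
| Notify Message Type: INVALID_ID_INFORMATION
"host-prd/0x2" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
"host-prd/0x2" #1: received and ignored informational message
| next event EVENT_RETRANSMIT in 10 seconds for #3
"""

HUAWEI_LOG = """\
Oct 27 2016 14:39:24.660.20 HOST IKE/7/DEBUG:Slot=1/2,Vcpu=0;Enter m_responder_recv_ID_AUTH
Oct 27 2016 14:39:24.670.1 HOST IKE/7/DEBUG:Slot=1/2,Vcpu=0;recv ID: find ike peer by ID failed !
Oct 27 2016 14:39:24.670.2 HOST IKE/7/DEBUG:Slot=1/2,Vcpu=0;Leave m_responder_recv_ID_AUTH: recv_ID run err!
Oct 27 2016 14:39:54.680.20 HOST IKE/7/DEBUG:Slot=1/2,Vcpu=0;check message duplicate: dropping dup
"""

# (pattern, tag, meaning); group 1 of each pattern is the detail that is kept.
PLUTO_RULES = [
    (re.compile(r"Notify Message Type: (\w+)"), "notify",
     "peer sent an ISAKMP notification; INVALID_ID_INFORMATION means it rejected our ID payload"),
    (re.compile(r"ignoring informational payload, type (\w+)"), "ignored_notify",
     "pluto logged the notification but took no action on it"),
    (re.compile(r"EVENT_CRYPTO_FAILED, timeout in (\d+) seconds"), "crypto_watchdog",
     "watchdog armed when a DH job is handed to a crypto helper; not an authentication failure by itself"),
    (re.compile(r"next event EVENT_RETRANSMIT in (\d+) seconds"), "retransmit",
     "no usable reply yet, so pluto will retransmit"),
]

# Huawei VRP debug line: "<date> <time> <host> IKE/<severity>/<kind>:<context>;<message>"
HUAWEI_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} [\d:.]+) (?P<host>\S+) IKE/(?P<sev>\d)/(?P<kind>\w+):"
    r"(?P<ctx>[^;]*);(?P<msg>.*)$")


def triage_pluto(text):
    """Return [(tag, detail, meaning)] for every pluto line a rule recognises."""
    hits = []
    for line in text.splitlines():
        for rx, tag, meaning in PLUTO_RULES:
            m = rx.search(line)
            if m:
                hits.append((tag, m.group(1), meaning))
                break
    return hits


def parse_huawei(text):
    """Parse Huawei IKE debug lines into dicts; lines of another shape are skipped."""
    return [m.groupdict() for m in map(HUAWEI_LINE.match, text.splitlines()) if m]


def diagnose(pluto_text, huawei_text):
    """Combine both sides' evidence into one verdict string."""
    pluto = triage_pluto(pluto_text)
    huawei = parse_huawei(huawei_text)
    our_id_rejected = any(tag in ("notify", "ignored_notify") and detail == "INVALID_ID_INFORMATION"
                          for tag, detail, _ in pluto)
    peer_lookup_failed = any("find ike peer by ID failed" in e["msg"] for e in huawei)
    if our_id_rejected and peer_lookup_failed:
        return ("ID mismatch: the responder cannot map our ID payload to a configured "
                "peer; compare leftid with the ID the remote side says it expects")
    if our_id_rejected:
        return "responder rejected our ID payload (INVALID_ID_INFORMATION)"
    if peer_lookup_failed:
        return "responder log shows a peer lookup failure for the received ID"
    return "no ID-related failure found in the supplied logs"


if __name__ == "__main__":
    for tag, detail, meaning in triage_pluto(PLUTO_LOG):
        print(f"pluto  {tag:16} {detail:24} {meaning}")
    for event in parse_huawei(HUAWEI_LOG):
        print(f"huawei {event['ts']} {event['msg']}")
    print("verdict:", diagnose(PLUTO_LOG, HUAWEI_LOG))
```

Feed real files in by reading the pluto log (the plutostderrlog path from the config setup section) and the text the remote side sends back into `diagnose()`; the watchdog and retransmit tags are kept so that they are visibly separated from the lines that actually carry the failure.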