Issue #2486
Site to Site VPN issue
Description
Dears, I have a problem with traffic going through my VPN tunnel. As per the ISP, the traffic is reaching them and it's going back to my site, but I can't access through their open port.
The tunnel is up.
Here is the configuration:
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.1, Linux 4.4.0-042stab120.16, x86_64):
  uptime: 19 hours, since Dec 04 12:10:04 2017
  malloc: sbrk 2555904, mmap 0, used 392144, free 2163760
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
  104.238.102.71
  132.148.15.163
  132.148.11.102
Connections:
  mtnvpn: 104.238.102.71...196.29.171.33 IKEv1 Aggressive
  mtnvpn: local: [104.238.102.71] uses pre-shared key authentication
  mtnvpn: remote: [196.29.171.33] uses pre-shared key authentication
  mtnvpn: child: 104.238.102.71/32 === 196.29.171.7/32 TUNNEL
Routed Connections:
  mtnvpn{1}: ROUTED, TUNNEL, reqid 1
  mtnvpn{1}: 104.238.102.71/32 === 196.29.171.7/32
Security Associations (1 up, 0 connecting):
  mtnvpn[1]: ESTABLISHED 19 hours ago, 104.238.102.71[104.238.102.71]...196.29.171.33[196.29.171.33]
  mtnvpn[1]: IKEv1 SPIs: 7243fb059461ff0f_i* 0475d4607eb6474f_r, pre-shared key reauthentication in 4 hours
  mtnvpn[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
##### Added due MTN VPN ###
config setup
    strictcrlpolicy=no
    #charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2" #useful debugs
    #plutodebug=all
    #plutostderrlog=/var/log/openswan.log
    charondebug="ike 2, knl 3, cfg 0"
conn %default
    ikelifetime=1440m
    #keylife=60m
    #rekeymargin=3m
    keyingtries=2
    keyexchange=ikev1
    authby=psk
    type=tunnel
conn mtnvpn
    #reauth=no
    #rekey=no
    aggressive=yes
    ike=3des-sha1-modp1024! #Phase1 parameters
    esp=3des-sha1 #Phase2 parameters
    left=104.238.102.71 #local IP used to connect to MTN
    leftsubnet=104.238.102.71/32
    leftid=104.238.102.71
    #leftfirewall=NO
    #leftsourceip=%config #apply received IP
    right=196.29.171.33 #gateway (MTN) IP
    rightsubnet=196.29.171.7/32
    rightid=196.29.171.33
    #auto=start
    auto=route
######End MTN VPN#####
# ip route show table 220
196.29.171.7 via 104.238.102.254 dev eth0 proto static src 104.238.102.71
Your support is requested about this issue
History
#1 Updated by Tobias Brunner almost 8 years ago
- Description updated (diff)
- Status changed from New to Feedback
- Priority changed from Urgent to Normal
the tunnel is up
Actually, it's not. Only the IKE_SA is up, there is no CHILD_SA, i.e. no IPsec SA that would transport any data:
Security Associations (1 up, 0 connecting):
  mtnvpn[1]: ESTABLISHED 19 hours ago, 104.238.102.71[104.238.102.71]...196.29.171.33[196.29.171.33]
  mtnvpn[1]: IKEv1 SPIs: 7243fb059461ff0f_i* 0475d4607eb6474f_r, pre-shared key reauthentication in 4 hours
  mtnvpn[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Check the log for errors during Quick Mode.
#2 Updated by Ibrahim Yosif almost 8 years ago
Dear Tobias
Attached is the log.
#3 Updated by Ibrahim Yosif almost 8 years ago
Dear Tobias
I found this in the log:
Dec 5 02:38:36 s104-238-102-71 charon: 14[IKE] CHILD_SA not found, ignored
How can I solve this issue?
Dec 5 02:38:36 s104-238-102-71 charon: 13[KNL] received (2) 210: => 60 bytes @ 0x7ff724000a00
Dec 5 02:38:36 s104-238-102-71 charon: 13[IKE] activating new tasks
Dec 5 02:38:36 s104-238-102-71 charon: 13[IKE] activating INFORMATIONAL task
Dec 5 02:38:36 s104-238-102-71 charon: 13[ENC] generating INFORMATIONAL_V1 request 3859069726 [ HASH N(NO_PROP) ]
Dec 5 02:38:36 s104-238-102-71 charon: 13[NET] sending packet: from 104.238.102.71[500] to 196.29.171.33[500] (76 bytes)
Dec 5 02:38:36 s104-238-102-71 charon: 13[IKE] activating new tasks
Dec 5 02:38:36 s104-238-102-71 charon: 13[IKE] nothing to initiate
Dec 5 02:38:36 s104-238-102-71 charon: 14[NET] received packet: from 196.29.171.33[500] to 104.238.102.71[500] (76 bytes)
Dec 5 02:38:36 s104-238-102-71 charon: 14[ENC] parsed INFORMATIONAL_V1 request 1389989894 [ HASH D ]
Dec 5 02:38:36 s104-238-102-71 charon: 14[IKE] received DELETE for ESP CHILD_SA with SPI ca773d3a
Dec 5 02:38:36 s104-238-102-71 charon: 14[IKE] CHILD_SA not found, ignored
Dec 5 02:39:01 s104-238-102-71 CRON[32059]: (root) CMD ( [ -x /usr/lib/php/sessionclean ] && /usr/lib/php/sessionclean)
Dec 5 02:39:06 s104-238-102-71 charon: 06[NET] received packet: from 196.29.171.33[500] to 104.238.102.71[500] (164 bytes)
Dec 5 02:39:06 s104-238-102-71 charon: 06[ENC] parsed QUICK_MODE request 2189777095 [ HASH SA No ID ID ]
Dec 5 02:39:06 s104-238-102-71 charon: 06[IKE] received 3600s lifetime, configured 0s
Dec 5 02:39:06 s104-238-102-71 charon: 06[IKE] received 4608000000 lifebytes, configured 0
Dec 5 02:39:06 s104-238-102-71 charon: 06[KNL] sending XFRM_MSG_ALLOCSPI 211: => 248 bytes @ 0x7ff758d09820
Dec 5 02:39:06 s104-238-102-71 charon: 06[KNL] received XFRM_MSG_NEWSA 211: => 240 bytes @ 0x7ff720002520
Dec 5 02:39:06 s104-238-102-71 charon: 06[KNL] got SPI c0ce21d6
Dec 5 02:39:06 s104-238-102-71 charon: 06[ENC] generating QUICK_MODE response 2189777095 [ HASH SA No ID ID ]
Dec 5 02:39:06 s104-238-102-71 charon: 06[NET] sending packet: from 104.238.102.71[500] to 196.29.171.33[500] (180 bytes)
Dec 5 02:39:06 s104-238-102-71 charon: 05[NET] received packet: from 196.29.171.33[500] to 104.238.102.71[500] (76 bytes)
Dec 5 02:39:06 s104-238-102-71 charon: 05[ENC] parsed INFORMATIONAL_V1 request 955811718 [ HASH D ]
Dec 5 02:39:06 s104-238-102-71 charon: 05[IKE] received DELETE for ESP CHILD_SA with SPI 38379f4d
Dec 5 02:39:06 s104-238-102-71 charon: 05[IKE] CHILD_SA not found, ignored
Dec 5 02:39:07 s104-238-102-71 charon: 08[NET] received packet: from 196.29.171.33[500] to 104.238.102.71[500] (60 bytes)
Dec 5 02:39:07 s104-238-102-71 charon: 08[ENC] parsed QUICK_MODE request 2189777095 [ HASH ]
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] adding SAD entry with SPI c0ce21d6 and reqid {1}
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] using encryption algorithm 3DES_CBC with key size 192
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] using replay window of 32 packets
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] sending XFRM_MSG_UPDSA 212: => 428 bytes @ 0x7ff7579075f0
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] received (2) 212: => 448 bytes @ 0x7ff7140011b0
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] received netlink error: Protocol not supported (93)
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] unable to add SAD entry with SPI c0ce21d6 (FAILED)
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] adding SAD entry with SPI 23d5b17a and reqid {1}
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] using encryption algorithm 3DES_CBC with key size 192
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] using replay window of 0 packets
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] sending XFRM_MSG_NEWSA 213: => 428 bytes @ 0x7ff7579075f0
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] received (2) 213: => 448 bytes @ 0x7ff7140012c0
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] received netlink error: Protocol not supported (93)
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] unable to add SAD entry with SPI 23d5b17a (FAILED)
Dec 5 02:39:07 s104-238-102-71 charon: 08[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] deleting policy 196.29.171.7/32 === 104.238.102.71/32 in
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] policy still used by another CHILD_SA, not removed
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] not updating policy 196.29.171.7/32 === 104.238.102.71/32 in [priority 367232, refcount 1]
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] deleting policy 196.29.171.7/32 === 104.238.102.71/32 fwd
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] policy still used by another CHILD_SA, not removed
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] not updating policy 196.29.171.7/32 === 104.238.102.71/32 fwd [priority 367232, refcount 1]
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] deleting SAD entry with SPI c0ce21d6
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] sending XFRM_MSG_DELSA 214: => 40 bytes @ 0x7ff7579076f0
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] received (2) 214: => 36 bytes @ 0x7ff714000a30
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] deleted SAD entry with SPI c0ce21d6
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] deleting SAD entry with SPI 23d5b17a
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] sending XFRM_MSG_DELSA 215: => 40 bytes @ 0x7ff7579076f0
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] received (2) 215: => 60 bytes @ 0x7ff714000a30
Dec 5 02:39:07 s104-238-102-71 charon: 08[IKE] queueing QUICK_DELETE task
Dec 5 02:39:07 s104-238-102-71 charon: 08[IKE] activating new tasks
Dec 5 02:39:07 s104-238-102-71 charon: 08[IKE] activating QUICK_DELETE task
Dec 5 02:39:07 s104-238-102-71 charon: 08[IKE] sending DELETE for ESP CHILD_SA with SPI 23d5b17a
Dec 5 02:39:07 s104-238-102-71 charon: 08[ENC] generating INFORMATIONAL_V1 request 407166023 [ HASH D ]
Dec 5 02:39:07 s104-238-102-71 charon: 08[NET] sending packet: from 104.238.102.71[500] to 196.29.171.33[500] (76 bytes)
Dec 5 02:39:07 s104-238-102-71 charon: 08[IKE] activating new tasks
Dec 5 02:39:07 s104-238-102-71 charon: 08[IKE] nothing to initiate
#4 Updated by Tobias Brunner almost 8 years ago
I found this in the log:
Dec 5 02:38:36 s104-238-102-71 charon: 14[IKE] CHILD_SA not found, ignored
How can I solve this issue?
That's not the issue. This is:
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] received netlink error: Protocol not supported (93)
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] unable to add SAD entry with SPI 23d5b17a (FAILED)
Dec 5 02:39:07 s104-238-102-71 charon: 08[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Looks like a problem with your kernel (e.g. missing modules).
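The triage described in replies #1 and #4, as an added example that is not part of the original thread and not strongSwan code: it scans a charon log for SAD installs the kernel refused and counts the harmless "CHILD_SA not found, ignored" notices separately. The function names and the output record format are assumptions made for this example; the sample lines are excerpted from the log posted above, and the script assumes the [KNL] lines are present, as they are with the charondebug setting shown in this thread.

```sh
#!/bin/sh
# Added example: separate real CHILD_SA install failures from benign
# DELETE notices in a charon log. Names and output format are hypothetical.

# Sample input: lines excerpted from the log posted in this thread.
sample_log() {
cat <<'EOF'
Dec 5 02:38:36 s104-238-102-71 charon: 14[IKE] received DELETE for ESP CHILD_SA with SPI ca773d3a
Dec 5 02:38:36 s104-238-102-71 charon: 14[IKE] CHILD_SA not found, ignored
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] adding SAD entry with SPI c0ce21d6 and reqid {1}
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] using encryption algorithm 3DES_CBC with key size 192
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] received netlink error: Protocol not supported (93)
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] unable to add SAD entry with SPI c0ce21d6 (FAILED)
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] adding SAD entry with SPI 23d5b17a and reqid {1}
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] using encryption algorithm 3DES_CBC with key size 192
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] received netlink error: Protocol not supported (93)
Dec 5 02:39:07 s104-238-102-71 charon: 08[KNL] unable to add SAD entry with SPI 23d5b17a (FAILED)
Dec 5 02:39:07 s104-238-102-71 charon: 08[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
EOF
}

# Reads a charon log on stdin. Prints one SAD_INSTALL_FAILED record per
# refused SA plus a SUMMARY line; exit status is 1 if any install failed.
triage_charon_log() {
  awk '
    # Word that follows the first occurrence of "word" on the current line.
    function after(word,   i) {
      for (i = 1; i < NF; i++) if ($i == word) return $(i + 1)
      return ""
    }
    # Worker thread number from a token such as "08[KNL]"; state is kept
    # per thread because lines from different workers can interleave.
    function thread(   i, t) {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^[0-9]+\[[A-Z]+\]$/) { t = $i; sub(/\[.*/, "", t); return t }
      return "?"
    }
    /\[KNL\] adding SAD entry with SPI/ {
      t = thread(); enc[t] = integ[t] = err[t] = ""; next
    }
    /\[KNL\] using encryption algorithm/ { enc[thread()] = after("algorithm"); next }
    /\[KNL\] using integrity algorithm/  { integ[thread()] = after("algorithm"); next }
    /\[KNL\] received netlink error: / {
      m = "netlink error: "
      err[thread()] = substr($0, index($0, m) + length(m)); next
    }
    /\[KNL\] unable to add SAD entry with SPI/ {
      t = thread(); failed++
      printf "SAD_INSTALL_FAILED spi=%s enc=%s integ=%s kernel_error=\"%s\"\n", \
             after("SPI"), enc[t], integ[t], err[t]
      next
    }
    # The peer deleting an SA we never installed is a consequence, not a cause.
    /\[IKE\] CHILD_SA not found, ignored/ { benign++; next }
    END {
      printf "SUMMARY failed_installs=%d benign_delete_notices=%d\n", failed, benign
      exit (failed > 0)
    }
  '
}

sample_log | triage_charon_log || echo "kernel refused to install the ESP SAs"
```

On a live system the same function can be fed the syslog file that charon writes to, for example `triage_charon_log < /var/log/syslog`, where the path depends on the distribution's logging setup.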
#5 Updated by Ibrahim Yosif almost 8 years ago
Dear Tobias
I checked with lsmod and I can't see any modules running,
- lsmod
Module Size Used by #
Should I rebuild my kernel?
#6 Updated by Tobias Brunner almost 8 years ago
I checked with lsmod and I can't see any modules running,
- lsmod
Module Size Used by #
Do you have the modules compiled into the kernel? Then that would be normal I guess. Otherwise try loading modules e.g. with insmod or modprobe.
Should I rebuild my kernel?
Did you build it yourself? Then check how you built it (with/without optional module support, are all required modules enabled).
#7 Updated by Ibrahim Yosif almost 8 years ago
Dear Tobias
I tried with insmod and modprobe but no success.
No, I didn't do it by myself.
#8 Updated by Tobias Brunner almost 8 years ago
I tried with insmod and modprobe but no success.
No, I didn't do it by myself.
What kind of platform/distribution/kernel are you using?
#9 Updated by Ibrahim Yosif almost 8 years ago
Dear Tobias
It's Linux Ubuntu
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial
kernel version : 4.4.0-042stab120.16
#10 Updated by Tobias Brunner almost 8 years ago
Seems you might be on an OpenVZ virtualized host. Kernel-based IPsec only works there if set up properly. As an alternative you could try switching to userland IPsec that relies on TUN devices, but make sure you read that page thoroughly and take note of the limitations.
#11 Updated by Tobias Brunner over 7 years ago
- Category set to kernel
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to No feedback