Issue #3505

keep getting Error when connecting google cloud server to my Cisco ASA

Added by Ibrahim Gullam about 1 month ago. Updated about 1 month ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
configuration
Affected version:
5.7.2
Resolution:

Description

[root@imart-linux ibragullam]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-1127.13.1.el7.x86_64, x86_64):
  uptime: 3 hours, since Jul 05 13:02:21 2020
  malloc: sbrk 1724416, mmap 0, used 625376, free 1099040
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 19
  loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Listening IP addresses:
  10.128.0.8
Connections:
imart-to-ASA5500:  %any...41.204.128.170  IKEv1, dpddelay=300s
imart-to-ASA5500:   local:  [34.71.172.92] uses pre-shared key authentication
imart-to-ASA5500:   remote: [41.204.128.170] uses pre-shared key authentication
imart-to-ASA5500:   child:  10.128.0.8/32 === dynamic TUNNEL, dpdaction=clear
add_ASA5500_sub0:  %any...41.204.152.238  IKEv1, dpddelay=300s
add_ASA5500_sub0:   local:  [34.71.172.92] uses pre-shared key authentication
add_ASA5500_sub0:   remote: [41.204.152.238] uses pre-shared key authentication
add_ASA5500_sub0:   child:  10.128.0.8/32 === 41.204.152.238/32[0/10501] TUNNEL, dpdaction=clear
add_ASA5500_sub1:  %any...41.204.152.232  IKEv1, dpddelay=300s
add_ASA5500_sub1:   local:  [34.71.172.92] uses pre-shared key authentication
add_ASA5500_sub1:   remote: [41.204.152.232] uses pre-shared key authentication
add_ASA5500_sub1:   child:  10.128.0.8/32 === 41.204.152.232/32[0/vcom-tunnel] TUNNEL, dpdaction=clear
Security Associations (1 up, 2 connecting):
imart-to-ASA5500[667]: ESTABLISHED 14 seconds ago, 10.128.0.8[34.71.172.92]...41.204.128.170[41.204.128.170]
imart-to-ASA5500[667]: IKEv1 SPIs: 1ac345a770ba5de9_i* 0711bd6acb769aea_r, rekeying disabled
imart-to-ASA5500[667]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
imart-to-ASA5500[667]: Tasks queued: QUICK_MODE ISAKMP_DPD 
imart-to-ASA5500[667]: Tasks active: MODE_CONFIG 
add_ASA5500_sub1[3]: CONNECTING, 10.128.0.8[%any]...41.204.152.232[%any]
add_ASA5500_sub1[3]: IKEv1 SPIs: e8ee158c44b97ca0_i* 0000000000000000_r
add_ASA5500_sub1[3]: Tasks queued: QUICK_MODE 
add_ASA5500_sub1[3]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD 
add_ASA5500_sub0[2]: CONNECTING, 10.128.0.8[%any]...41.204.152.238[%any]
add_ASA5500_sub0[2]: IKEv1 SPIs: a95e5608ea7ba613_i* 0000000000000000_r
add_ASA5500_sub0[2]: Tasks queued: QUICK_MODE 
add_ASA5500_sub0[2]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD 
Attachments:
github.PNG (200 KB), Ibrahim Gullam, 06.07.2020 11:16
picturemessage_ri4uy5hm.3ta.png (56.9 KB), Ibrahim Gullam, 06.07.2020 11:19

History

#1 Updated by Tobias Brunner about 1 month ago

  • Description updated (diff)
  • Category set to configuration
  • Status changed from New to Feedback
  • Priority changed from Immediate to Normal

What error? From the status it's difficult to tell what the issue is (in particular, because there are multiple SAs in different states). And you should definitely try to check the remote logs.

Most likely you configured something incorrectly (e.g. mode config where none is expected, or in the incorrect mode, or invalid quick mode config like traffic selectors).

#3 Updated by Ibrahim Gullam about 1 month ago

Tobias Brunner wrote:

What error? From the status it's difficult to tell what the issue is (in particular, because there are multiple SAs in different states). And you should definitely try to check the remote logs.

Most likely you configured something incorrectly (e.g. mode config where none is expected, or in the incorrect mode, or invalid quick mode config like traffic selectors).

I keep getting this error on my ASA.

#4 Updated by Tobias Brunner about 1 month ago

What does strongSwan log at the time? Does it receive any DPDs? Are you sure you are expected to use mode config?

#5 Updated by Ibrahim Gullam about 1 month ago

Tobias Brunner wrote:

What does strongSwan log at the time? Does it receive any DPDs? Are you sure you are expected to use mode config?

ASA rules are
Authentication Method: Pre-Shared Key
Encryption Scheme: IKE
Diffie-Hellman Group: Group 2
Encryption Algorithm: AES-256
Hashing Algorithm: SHA-1
Main or Aggressive Mode: Main Mode
Lifetime (for renegotiation): 86400 seconds
Encapsulation: ESP
Encryption Algorithm: AES-256

#6 Updated by Ibrahim Gullam about 1 month ago

Tobias Brunner wrote:

What does strongSwan log at the time? Does it receive any DPDs? Are you sure you are expected to use mode config?

# basic configuration
config setup
    charondebug="all"
    uniqueids=yes

# connection to asa5500
conn imart-to-asa5500
    authby=secret
    left=10.128.0.8
    leftid=34.71.172.92
    leftsourceip=%config
    leftsubnet=10.128.0.8/32
    right=41.204.128.170
    ike=aes256-sha1-modp1024! #Phase 1 integrity check algos
    esp=aes256-sha1 #Phase 2 Encryption algos
    aggressive=yes
    keyingtries=%forever
    compress=no
    keyexchange=ikev1
    ikelifetime=1h
    lifetime=4608000s
    dpdtimeout=120
    dpdaction=clear
    dpddelay=300s
    rekey=yes
    left=%any
    type=tunnel
    auto=start

conn add_asa5500_sub0
    also=imart-to-asa5500
    right=41.204.152.238
    rightsubnet=41.204.152.238/32[0/10501]
    leftid=34.71.172.92
    leftsubnet=10.128.0.8/32
    auto=start

conn add_asa5500_sub1
    also=imart-to-asa5500
    right=41.204.152.232
    rightsubnet=41.204.152.232/32[0/8001]
    auto=start
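The settings Tobias is pointing at (mode config requested from a site-to-site peer, Aggressive Mode against a Main Mode peer, a keyword set twice in one conn) can be caught before the tunnel is even started. The following lint is an added example, not part of the issue and not strongSwan's own tooling; the ipsec.conf it checks is a constructed sample modelled on the configuration above, with the thread's addresses, and the also= inheritance it resolves is the one-level form used here.

```shell
#!/bin/sh
# Added example, not from the issue or from strongSwan: a small ipsec.conf lint
# for the settings discussed in this thread. Everything below is constructed.
set -eu

# Constructed sample modelled on the config posted in #6 (addresses copied from
# the thread; this is not the author's actual file).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
config setup
    charondebug="all"
    uniqueids=yes

conn imart-to-asa5500
    keyexchange=ikev1
    authby=secret
    left=10.128.0.8
    leftid=34.71.172.92
    leftsourceip=%config
    leftsubnet=10.128.0.8/32
    right=41.204.128.170
    ike=aes256-sha1-modp1024!   # Phase 1
    esp=aes256-sha1             # Phase 2
    aggressive=yes
    left=%any
    auto=start

conn add_asa5500_sub0
    also=imart-to-asa5500
    right=41.204.152.238
    rightsubnet=41.204.152.238/32[0/10501]
    auto=start
EOF

# lint_ipsec_conf FILE
# Resolves also= inheritance, then prints one finding per line:
#  - leftsourceip=%config next to a fixed leftsubnet: the client asks the peer
#    for a virtual IP (the CPRQ transaction seen in the logs) although the
#    tunnel already has a local subnet; the ASA in this thread never answers it
#  - aggressive=yes while the peer is documented as Main Mode
#  - the same keyword set twice in one conn (only one value can apply)
lint_ipsec_conf() {
    awk '
    function get(c, k) {                     # lookup with also= inheritance
        if ((c, k) in opt) return opt[c, k]
        if (c in parent) return get(parent[c], k)
        return ""
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^conn[ \t]+/   { sec = $2; conns[sec] = 1; next }
    /^config[ \t]+/ { sec = ""; next }
    sec != "" {
        sub(/[ \t]*#.*$/, "")                # drop trailing comment
        gsub(/^[ \t]+|[ \t]+$/, "")
        eq = index($0, "=")
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        if (key == "also") { parent[sec] = val; next }
        if ((sec, key) in opt)
            printf "%s: %s set twice (%s, then %s)\n", sec, key, opt[sec, key], val
        opt[sec, key] = val
    }
    END {
        for (c in conns) {
            if (get(c, "leftsourceip") == "%config" && get(c, "leftsubnet") != "")
                printf "%s: leftsourceip=%%config requests mode config (CPRQ) from a site-to-site peer; remove it\n", c
            if (get(c, "aggressive") == "yes")
                printf "%s: aggressive=yes but the peer expects Main Mode; set aggressive=no\n", c
        }
    }' "$1"
}

lint_ipsec_conf "$SAMPLE_CONF"
```

Run against the sample it reports the duplicate left= in the parent conn and, for both the parent and the conn that inherits it through also=, the leftsourceip and aggressive findings; point it at a real /etc/ipsec.conf instead of the sample to check a live configuration.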

#7 Updated by Ibrahim Gullam about 1 month ago

Tobias Brunner wrote:

What does strongSwan log at the time? Does it receive any DPDs? Are you sure you are expected to use mode config?

I am a newbie trying to use strongSwan. I am using CentOS 7; what command should I use to show my strongSwan log at the time?

#8 Updated by Tobias Brunner about 1 month ago

Try without leftsourceip=%config.

#9 Updated by Ibrahim Gullam about 1 month ago

Tobias Brunner wrote:

Try without leftsourceip=%config.

-- Logs begin at Sun 2020-07-05 15:20:03 UTC, end at Mon 2020-07-06 10:17:58 UTC. --
Jul 05 15:20:03 imart-linux charon[14448]: 06[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
Jul 05 15:20:03 imart-linux charon[14448]: 06[IKE] received Cisco Unity vendor ID
Jul 05 15:20:03 imart-linux charon[14448]: 06[IKE] received XAuth vendor ID
Jul 05 15:20:03 imart-linux charon[14448]: 06[ENC] received unknown vendor ID: 7c:8a:7f:67:8b:72:b4:e6:16:21:74:a4:a8:6f:5a:1b
Jul 05 15:20:03 imart-linux charon[14448]: 06[ENC] received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
Jul 05 15:20:03 imart-linux charon[14448]: 06[IKE] local host is behind NAT, sending keep alives
Jul 05 15:20:03 imart-linux charon[14448]: 06[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Jul 05 15:20:03 imart-linux charon[14448]: 06[NET] sending packet: from 10.128.0.8[4500] to 41.204.128.170[4500] (108 bytes)
Jul 05 15:20:03 imart-linux rsyslogd[850]: imjournal: journal reloaded... [v8.24.0-52.el7_8.2 try http://www.rsyslog.com/e/0 ]
Jul 05 15:20:03 imart-linux charon[14448]: 08[NET] received packet: from 41.204.128.170[4500] to 10.128.0.8[4500] (92 bytes)
Jul 05 15:20:03 imart-linux charon[14448]: 08[ENC] parsed ID_PROT response 0 [ ID HASH V ]
Jul 05 15:20:03 imart-linux charon[14448]: 08[IKE] received DPD vendor ID
Jul 05 15:20:03 imart-linux charon[14448]: 08[IKE] IKE_SA imart-to-zantel[416] established between 10.128.0.8[34.71.172.92]...41.204.128.170[41.204.128.170]
Jul 05 15:20:03 imart-linux charon[14448]: 08[IKE] IKE_SA imart-to-zantel[416] established between 10.128.0.8[34.71.172.92]...41.204.128.170[41.204.128.170]
Jul 05 15:20:03 imart-linux charon[14448]: 08[ENC] generating TRANSACTION request 1619398289 [ HASH CPRQ(ADDR DNS U_SPLITINC U_LOCALLAN) ]
Jul 05 15:20:03 imart-linux charon[14448]: 08[NET] sending packet: from 10.128.0.8[4500] to 41.204.128.170[4500] (92 bytes)
Jul 05 15:20:03 imart-linux charon[14448]: 09[NET] received packet: from 41.204.128.170[4500] to 10.128.0.8[4500] (92 bytes)
Jul 05 15:20:03 imart-linux charon[14448]: 09[ENC] parsed INFORMATIONAL_V1 request 2876450729 [ HASH N((24576)) ]
Jul 05 15:20:03 imart-linux charon[14448]: 09[IKE] received (24576) notify
Jul 05 15:20:05 imart-linux charon[14448]: 10[IKE] sending retransmit 2 of request message ID 0, seq 1
Jul 05 15:20:05 imart-linux charon[14448]: 10[NET] sending packet: from 10.128.0.8[500] to 41.204.152.238[500] (180 bytes)
Jul 05 15:20:05 imart-linux charon[14448]: 11[IKE] sending retransmit 2 of request message ID 0, seq 1
Jul 05 15:20:05 imart-linux charon[14448]: 11[NET] sending packet: from 10.128.0.8[500] to 41.204.152.232[500] (180 bytes)
Jul 05 15:20:07 imart-linux charon[14448]: 15[IKE] sending retransmit 1 of request message ID 1619398289, seq 4
Jul 05 15:20:07 imart-linux charon[14448]: 15[NET] sending packet: from 10.128.0.8[4500] to 41.204.128.170[4500] (92 bytes)
Jul 05 15:20:14 imart-linux charon[14448]: 05[IKE] sending retransmit 2 of request message ID 1619398289, seq 4
Jul 05 15:20:14 imart-linux charon[14448]: 05[NET] sending packet: from 10.128.0.8[4500] to 41.204.128.170[4500] (92 bytes)
Jul 05 15:20:16 imart-linux charon[14448]: 06[NET] received packet: from 41.204.128.170[4500] to 10.128.0.8[4500] (92 bytes)
Jul 05 15:20:16 imart-linux charon[14448]: 06[ENC] parsed INFORMATIONAL_V1 request 1964633623 [ HASH N(DPD) ]
Jul 05 15:20:18 imart-linux charon[14448]: 07[IKE] sending retransmit 3 of request message ID 0, seq 1
Jul 05 15:20:18 imart-linux charon[14448]: 07[NET] sending packet: from 10.128.0.8[500] to 41.204.152.238[500] (180 bytes)
Jul 05 15:20:18 imart-linux charon[14448]: 08[IKE] sending retransmit 3 of request message ID 0, seq 1
Jul 05 15:20:18 imart-linux charon[14448]: 08[NET] sending packet: from 10.128.0.8[500] to 41.204.152.232[500] (180 bytes)
Jul 05 15:20:18 imart-linux charon[14448]: 09[NET] received packet: from 41.204.128.170[4500] to 10.128.0.8[4500] (92 bytes)
Jul 05 15:20:18 imart-linux charon[14448]: 09[ENC] parsed INFORMATIONAL_V1 request 3684268510 [ HASH N(DPD) ]
Jul 05 15:20:20 imart-linux charon[14448]: 10[NET] received packet: from 41.204.128.170[4500] to 10.128.0.8[4500] (92 bytes)
Jul 05 15:20:20 imart-linux charon[14448]: 10[ENC] parsed INFORMATIONAL_V1 request 3482487134 [ HASH N(DPD) ]
Jul 05 15:20:22 imart-linux charon[14448]: 11[NET] received packet: from 41.204.128.170[4500] to 10.128.0.8[4500] (92 bytes)
Jul 05 15:20:22 imart-linux charon[14448]: 11[ENC] parsed INFORMATIONAL_V1 request 1833416847 [ HASH D ]
Jul 05 15:20:22 imart-linux charon[14448]: 11[IKE] received DELETE for IKE_SA imart-to-zantel[416]
Jul 05 15:20:22 imart-linux charon[14448]: 11[IKE] deleting IKE_SA imart-to-zantel[416] between 10.128.0.8[34.71.172.92]...41.204.128.170[41.204.128.170]
Jul 05 15:20:22 imart-linux charon[14448]: 11[IKE] deleting IKE_SA imart-to-zantel[416] between 10.128.0.8[34.71.172.92]...41.204.128.170[41.204.128.170]
Jul 05 15:20:22 imart-linux charon[14448]: 11[IKE] initiating Main Mode IKE_SA imart-to-zantel[417] to 41.204.128.170

#10 Updated by Tobias Brunner about 1 month ago

That's clearly not without that option as you can still see the main mode request:

Jul 05 15:20:03 imart-linux charon[14448]: 08[ENC] generating TRANSACTION request 1619398289 [ HASH CPRQ(ADDR DNS U_SPLITINC U_LOCALLAN) ]

#11 Updated by Ibrahim Gullam about 1 month ago

Tobias Brunner wrote:

Try without leftsourceip=%config.

After trying without leftsourceip=%config it shows:
Security Associations (0 up, 2 connecting):

#12 Updated by Ibrahim Gullam about 1 month ago

Tobias Brunner wrote:

That's clearly not without that option as you can still see the main mode request:

[...]

How can I fix this main mode?

#13 Updated by Tobias Brunner about 1 month ago

That's clearly not without that option as you can still see the main mode request:

[...]

How can I fix this main mode?

That should have been "mode config", not "main mode". Read the log for why it is stuck now.

#14 Updated by Ibrahim Gullam about 1 month ago

Tobias Brunner wrote:

That's clearly not without that option as you can still see the main mode request:

[...]

How can I fix this main mode?

That should have been "mode config", not "main mode". Read the log for why it is stuck now.

Jul 06 10:49:54 imart-linux charon[28177]: 15[NET] sending packet: from 10.128.0.8[500] to 41.204.128.170[500] (360 bytes)
Jul 06 10:49:54 imart-linux charon[28177]: 16[NET] received packet: from 41.204.128.170[500] to 10.128.0.8[500] (440 bytes)
Jul 06 10:49:54 imart-linux charon[28177]: 16[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V NAT-D NAT-D V V ]
Jul 06 10:49:54 imart-linux charon[28177]: 16[IKE] received Cisco Unity vendor ID
Jul 06 10:49:54 imart-linux charon[28177]: 16[IKE] received XAuth vendor ID
Jul 06 10:49:54 imart-linux charon[28177]: 16[IKE] received DPD vendor ID
Jul 06 10:49:54 imart-linux charon[28177]: 16[IKE] received NAT-T (RFC 3947) vendor ID
Jul 06 10:49:54 imart-linux charon[28177]: 16[IKE] received FRAGMENTATION vendor ID
Jul 06 10:49:54 imart-linux charon[28177]: 16[ENC] received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
Jul 06 10:49:54 imart-linux charon[28177]: 16[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 06 10:49:54 imart-linux charon[28177]: 16[IKE] local host is behind NAT, sending keep alives
Jul 06 10:49:54 imart-linux charon[28177]: 16[IKE] IKE_SA imart-to-zantel[18] established between 10.128.0.8[34.71.172.92]...41.204.128.170[41.204.128.170]
Jul 06 10:49:54 imart-linux charon[28177]: 16[IKE] IKE_SA imart-to-zantel[18] established between 10.128.0.8[34.71.172.92]...41.204.128.170[41.204.128.170]
Jul 06 10:49:54 imart-linux charon[28177]: 16[IKE] scheduling reauthentication in 2789s
Jul 06 10:49:54 imart-linux charon[28177]: 16[IKE] maximum IKE_SA lifetime 3329s
Jul 06 10:49:54 imart-linux charon[28177]: 16[ENC] generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
Jul 06 10:49:54 imart-linux charon[28177]: 16[NET] sending packet: from 10.128.0.8[4500] to 41.204.128.170[4500] (108 bytes)
Jul 06 10:49:54 imart-linux charon[28177]: 16[ENC] generating TRANSACTION request 671741123 [ HASH CPRQ(ADDR DNS U_SPLITINC U_LOCALLAN) ]
Jul 06 10:49:54 imart-linux charon[28177]: 16[NET] sending packet: from 10.128.0.8[4500] to 41.204.128.170[4500] (92 bytes)
Jul 06 10:49:58 imart-linux charon[28177]: 07[IKE] sending retransmit 1 of request message ID 671741123, seq 3
Jul 06 10:49:58 imart-linux charon[28177]: 07[NET] sending packet: from 10.128.0.8[4500] to 41.204.128.170[4500] (92 bytes)

#15 Updated by Tobias Brunner about 1 month ago

Why are you suddenly using Aggressive Mode? And again with Mode Config?

#16 Updated by Ibrahim Gullam about 1 month ago

Tobias Brunner wrote:

Why are you suddenly using Aggressive Mode? And again with Mode Config?

Now the config has aggressive=no.

Here is the log:

Jul 06 11:49:29 imart-linux charon[28907]: 15[IKE] sending retransmit 4 of request message ID 0, seq 1
Jul 06 11:49:29 imart-linux charon[28907]: 15[NET] sending packet: from 10.128.0.8[500] to 41.204.152.232[500] (180 bytes)
Jul 06 11:49:30 imart-linux charon[28907]: 16[NET] received packet: from 41.204.128.170[4500] to 10.128.0.8[4500] (92 bytes)
Jul 06 11:49:30 imart-linux charon[28907]: 16[ENC] parsed INFORMATIONAL_V1 request 1758743600 [ HASH N(DPD) ]
Jul 06 11:49:32 imart-linux charon[28907]: 05[NET] received packet: from 41.204.128.170[4500] to 10.128.0.8[4500] (92 bytes)
Jul 06 11:49:32 imart-linux charon[28907]: 05[ENC] parsed INFORMATIONAL_V1 request 70952710 [ HASH N(DPD) ]
Jul 06 11:49:34 imart-linux charon[28907]: 07[NET] received packet: from 41.204.128.170[4500] to 10.128.0.8[4500] (92 bytes)
Jul 06 11:49:34 imart-linux charon[28907]: 07[ENC] parsed INFORMATIONAL_V1 request 3892596394 [ HASH D ]
Jul 06 11:49:34 imart-linux charon[28907]: 07[IKE] received DELETE for IKE_SA imart-to-zantel[21]
Jul 06 11:49:34 imart-linux charon[28907]: 07[IKE] deleting IKE_SA imart-to-zantel[21] between 10.128.0.8[34.71.172.92]...41.204.128.170[41.204.128.170]
Jul 06 11:49:34 imart-linux charon[28907]: 07[IKE] deleting IKE_SA imart-to-zantel[21] between 10.128.0.8[34.71.172.92]...41.204.128.170[41.204.128.170]
Jul 06 11:49:34 imart-linux charon[28907]: 07[IKE] initiating Main Mode IKE_SA imart-to-zantel[22] to 41.204.128.170
Jul 06 11:49:34 imart-linux charon[28907]: 07[IKE] initiating Main Mode IKE_SA imart-to-zantel[22] to 41.204.128.170
Jul 06 11:49:34 imart-linux charon[28907]: 07[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Jul 06 11:49:34 imart-linux charon[28907]: 07[NET] sending packet: from 10.128.0.8[500] to 41.204.128.170[500] (180 bytes)
Jul 06 11:49:34 imart-linux charon[28907]: 08[NET] received packet: from 41.204.128.170[500] to 10.128.0.8[500] (128 bytes)
Jul 06 11:49:34 imart-linux charon[28907]: 08[ENC] parsed ID_PROT response 0 [ SA V V ]
Jul 06 11:49:34 imart-linux charon[28907]: 08[IKE] received NAT-T (RFC 3947) vendor ID
Jul 06 11:49:34 imart-linux charon[28907]: 08[IKE] received FRAGMENTATION vendor ID
Jul 06 11:49:34 imart-linux charon[28907]: 08[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 06 11:49:34 imart-linux charon[28907]: 08[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 06 11:49:34 imart-linux charon[28907]: 08[NET] sending packet: from 10.128.0.8[500] to 41.204.128.170[500] (244 bytes)
Jul 06 11:49:34 imart-linux charon[28907]: 09[NET] received packet: from 41.204.128.170[500] to 10.128.0.8[500] (304 bytes)
Jul 06 11:49:34 imart-linux charon[28907]: 09[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
Jul 06 11:49:34 imart-linux charon[28907]: 09[IKE] received Cisco Unity vendor ID
Jul 06 11:49:34 imart-linux charon[28907]: 09[IKE] received XAuth vendor ID
Jul 06 11:49:34 imart-linux charon[28907]: 09[ENC] received unknown vendor ID: 73:22:93:7a:93:69:2f:f8:ab:71:b0:e8:62:9c:66:02
Jul 06 11:49:34 imart-linux charon[28907]: 09[ENC] received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
Jul 06 11:49:34 imart-linux charon[28907]: 09[IKE] local host is behind NAT, sending keep alives
Jul 06 11:49:34 imart-linux charon[28907]: 09[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Jul 06 11:49:34 imart-linux charon[28907]: 09[NET] sending packet: from 10.128.0.8[4500] to 41.204.128.170[4500] (108 bytes)
Jul 06 11:49:35 imart-linux charon[28907]: 11[NET] received packet: from 41.204.128.170[4500] to 10.128.0.8[4500] (92 bytes)
Jul 06 11:49:35 imart-linux charon[28907]: 11[ENC] parsed ID_PROT response 0 [ ID HASH V ]
Jul 06 11:49:35 imart-linux charon[28907]: 11[IKE] received DPD vendor ID
Jul 06 11:49:35 imart-linux charon[28907]: 11[IKE] IKE_SA imart-to-zantel[22] established between 10.128.0.8[34.71.172.92]...41.204.128.170[41.204.128.170]
Jul 06 11:49:35 imart-linux charon[28907]: 11[IKE] IKE_SA imart-to-zantel[22] established between 10.128.0.8[34.71.172.92]...41.204.128.170[41.204.128.170]
Jul 06 11:49:35 imart-linux charon[28907]: 11[IKE] scheduling reauthentication in 2602s
Jul 06 11:49:35 imart-linux charon[28907]: 11[IKE] maximum IKE_SA lifetime 3142s
Jul 06 11:49:35 imart-linux charon[28907]: 11[ENC] generating TRANSACTION request 4158043130 [ HASH CPRQ(ADDR DNS U_SPLITINC U_LOCALLAN) ]
Jul 06 11:49:35 imart-linux charon[28907]: 11[NET] sending packet: from 10.128.0.8[4500] to 41.204.128.170[4500] (92 bytes)
Jul 06 11:49:39 imart-linux charon[28907]: 15[IKE] sending retransmit 1 of request message ID 4158043130, seq 4
Jul 06 11:49:39 imart-linux charon[28907]: 15[NET] sending packet: from 10.128.0.8[4500] to 41.204.128.170[4500] (92 bytes)

#17 Updated by Tobias Brunner about 1 month ago

This is still with leftsourceip=%config:

Jul 06 11:49:35 imart-linux charon[28907]: 11[ENC] generating TRANSACTION request 4158043130 [ HASH CPRQ(ADDR DNS U_SPLITINC U_LOCALLAN) ]

As you can see from the retransmits, that's not what the peer expects, so remove that option.
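The tell-tale pattern Tobias reads here (an ISAKMP TRANSACTION request carrying CPRQ right after the IKE_SA is established, followed only by retransmits and never by a TRANSACTION response) can be checked mechanically over a journal extract. The script below is an added example, not part of the issue and not strongSwan tooling; the sample log lines are constructed (the first ones follow the pattern of the log in #16, the answered request with message ID 1234567890 is invented), and the `journalctl -u strongswan` unit name in the comment is an assumption about the CentOS 7 host.

```shell
#!/bin/sh
# Added example, not from the issue or from strongSwan: reads charon log lines
# (journalctl output, as posted in this thread) and reports whether each IKEv1
# mode config request (TRANSACTION exchange carrying CPRQ) was answered by the
# peer or only retransmitted. The sample input is constructed.
set -eu

# Constructed sample: the first lines follow the log posted in #16; message ID
# 1234567890 is an invented request that the peer does answer, for contrast.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jul 06 11:49:35 imart-linux charon[28907]: 11[IKE] IKE_SA imart-to-zantel[22] established between 10.128.0.8[34.71.172.92]...41.204.128.170[41.204.128.170]
Jul 06 11:49:35 imart-linux charon[28907]: 11[ENC] generating TRANSACTION request 4158043130 [ HASH CPRQ(ADDR DNS U_SPLITINC U_LOCALLAN) ]
Jul 06 11:49:35 imart-linux charon[28907]: 11[NET] sending packet: from 10.128.0.8[4500] to 41.204.128.170[4500] (92 bytes)
Jul 06 11:49:39 imart-linux charon[28907]: 15[IKE] sending retransmit 1 of request message ID 4158043130, seq 4
Jul 06 11:49:46 imart-linux charon[28907]: 05[IKE] sending retransmit 2 of request message ID 4158043130, seq 4
Jul 06 11:49:50 imart-linux charon[28907]: 06[ENC] parsed INFORMATIONAL_V1 request 1758743600 [ HASH N(DPD) ]
Jul 06 12:00:00 imart-linux charon[28907]: 09[ENC] generating TRANSACTION request 1234567890 [ HASH CPRQ(ADDR DNS) ]
Jul 06 12:00:01 imart-linux charon[28907]: 10[ENC] parsed TRANSACTION response 1234567890 [ HASH CPRP(ADDR DNS) ]
EOF

# diagnose_modecfg [FILE]   (reads stdin when no file is given)
# For every "generating TRANSACTION request <id> [ HASH CPRQ" line, counts the
# "sending retransmit N of request message ID <id>" lines and looks for a
# "parsed TRANSACTION response <id>" line from the peer.
diagnose_modecfg() {
    awk '
    function after(word,   i) {            # value of the field following "word"
        for (i = 1; i < NF; i++) if ($i == word) return $(i + 1)
        return ""
    }
    /generating TRANSACTION request [0-9]+ \[ HASH CPRQ/ {
        id = after("request"); order[++n] = id; retrans[id] = 0
    }
    /sending retransmit [0-9]+ of request message ID/ {
        id = after("ID"); sub(/,$/, "", id); retrans[id]++
    }
    /parsed TRANSACTION response [0-9]+/ { answered[after("response")] = 1 }
    END {
        if (n == 0) print "no mode config (CPRQ) request in this log"
        for (j = 1; j <= n; j++) {
            id = order[j]
            if (id in answered)
                printf "msg %s: mode config request answered by peer\n", id
            else
                printf "msg %s: mode config request unanswered after %d retransmit(s); the peer is not doing mode config, remove leftsourceip=%%config for a site-to-site tunnel\n", id, retrans[id]
        }
    }' "$@"
}

# Run over the constructed sample. On the CentOS 7 host in this thread the live
# lines would come from the journal (unit name assumed), e.g.:
#   journalctl -u strongswan --since "10 min ago" | diagnose_modecfg
diagnose_modecfg "$SAMPLE_LOG"
```

The message ID is the key: strongSwan logs it on the request, on every retransmit and on the peer's response, so pairing those three line types per ID separates "the peer never answers mode config" from an ordinary lost packet that is answered after one retransmit.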

#18 Updated by Ibrahim Gullam about 1 month ago

Ibrahim Gullam wrote:

Tobias Brunner wrote:

Why are you suddenly using Aggressive Mode? And again with Mode Config?

Now the config has aggressive=no.

Here is the log:

[...]

Tobias Brunner wrote:

Why are you suddenly using Aggressive Mode? And again with Mode Config?

Tobias Brunner wrote:

That's clearly not without that option as you can still see the main mode request:

[...]

How can I fix this main mode?

That should have been "mode config", not "main mode". Read the log for why it is stuck now.

After removing leftsourceip=%config:

strongswan statusall

Status of IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-1127.13.1.el7.x86_64, x86_64):
  uptime: 9 seconds, since Jul 06 11:54:21 2020
  malloc: sbrk 1724416, mmap 0, used 609184, free 1115232
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Listening IP addresses:
  10.128.0.8
Connections:
imart-to-zantel:  %any...41.204.128.170  IKEv1, dpddelay=300s
imart-to-zantel:   local:  [34.71.172.92] uses pre-shared key authentication
imart-to-zantel:   remote: [41.204.128.170] uses pre-shared key authentication
imart-to-zantel:   child:  10.128.0.8/32 === dynamic TUNNEL, dpdaction=clear
add_zantel_sub0:  %any...41.204.152.238  IKEv1, dpddelay=300s
add_zantel_sub0:   local:  [34.71.172.92] uses pre-shared key authentication
add_zantel_sub0:   remote: [41.204.152.238] uses pre-shared key authentication
add_zantel_sub0:   child:  10.128.0.8/32 === 41.204.152.238/32[0/10501] TUNNEL, dpdaction=clear
add_zantel_sub1:  %any...41.204.152.232  IKEv1, dpddelay=300s
add_zantel_sub1:   local:  [34.71.172.92] uses pre-shared key authentication
add_zantel_sub1:   remote: [41.204.152.232] uses pre-shared key authentication
add_zantel_sub1:   child:  10.128.0.8/32 === 41.204.152.232/32[0/vcom-tunnel] TUNNEL, dpdaction=clear
Security Associations (0 up, 2 connecting):
add_zantel_sub1[3]: CONNECTING, 10.128.0.8[%any]...41.204.152.232[%any]
add_zantel_sub1[3]: IKEv1 SPIs: e33c2253f6739d97_i* 0000000000000000_r
add_zantel_sub1[3]: Tasks queued: QUICK_MODE
add_zantel_sub1[3]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
add_zantel_sub0[2]: CONNECTING, 10.128.0.8[%any]...41.204.152.238[%any]
add_zantel_sub0[2]: IKEv1 SPIs: 8c48f3f25d1afb11_i* 0000000000000000_r
add_zantel_sub0[2]: Tasks queued: QUICK_MODE
add_zantel_sub0[2]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
[root@imart-linux ibragullam]#
