Issue #2758
Updated by Tobias Brunner almost 7 years ago
Hello,
we have this scenario:
Side A - FW Juniper srx240h2
Side B - Instance server on AWS Amazon ( Centos 7 - StrongSwan 5.6.3)
We setup strongswan and, it seams, up tunnel but cannot "installed".
Here our configuration:
<pre>
* /etc/strongswan/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
# strictcrlpolicy=yes
# uniqueids = no
# Add connections here.
# Sample VPN connections
conn %default
ikelifetime=28800
keylife=3600
rekeymargin=3m
keyingtries=1
authby=secret
keyexchange=ikev1
mobike=no
conn predaufood
left=192.168.2.9
leftid=34.241.220.61
leftsubnet=192.168.2.9/32
leftfirewall=yes
right=213.192.193.25
rightsubnet=10.166.0.0/20
auto=start
esp=aes256-sha1!
ike=aes256-sha1-modp1024!
</pre>
we attach charcon.log where we can find this error:
IKE_SA checkout not successful
*strongswan statusall:
First moment:
<pre>
Status of IKE charon daemon (strongSwan 5.6.3, Linux 3.10.0-862.11.6.el7.x86_64, x86_64):
uptime: 55 seconds, since Sep 12 18:17:45 2018
malloc: sbrk 2809856, mmap 0, used 620384, free 2189472
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 10
loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Listening IP addresses:
192.168.2.9
Connections:
predaufood: 192.168.2.9...213.192.193.25 IKEv1
predaufood: local: [34.241.220.61] uses pre-shared key authentication
predaufood: remote: [213.192.193.25] uses pre-shared key authentication
predaufood: child: 192.168.2.9/32 === 10.166.0.0/20 TUNNEL
Security Associations (1 up, 1 connecting):
predaufood[4]: ESTABLISHED 11 seconds ago, 192.168.2.9[34.241.220.61]...213.192.193.25[213.192.193.25]
predaufood[4]: IKEv1 SPIs: 251dc8ac7dc4ea88_i ea26d43cc4f7a479_r*, pre-shared key reauthentication in 7 hours
predaufood[4]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
predaufood[1]: CONNECTING, 192.168.2.9[34.241.220.61]...213.192.193.25[%any]
predaufood[1]: IKEv1 SPIs: 65f4f6bd2b4b9b87_i* cc4e75f36155ecfe_r
predaufood[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
predaufood[1]: Tasks queued: QUICK_MODE
predaufood[1]: Tasks active: ISAKMP_VENDOR MAIN_MODE
</pre>
After few minutes:
<pre>
Status of IKE charon daemon (strongSwan 5.6.3, Linux 3.10.0-862.11.6.el7.x86_64, x86_64):
uptime: 12 minutes, since Sep 12 18:17:46 2018
malloc: sbrk 2809856, mmap 0, used 617552, free 2192304
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 48
loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Listening IP addresses:
192.168.2.9
Connections:
predaufood: 192.168.2.9...213.192.193.25 IKEv1
predaufood: local: [34.241.220.61] uses pre-shared key authentication
predaufood: remote: [213.192.193.25] uses pre-shared key authentication
predaufood: child: 192.168.2.9/32 === 10.166.0.0/20 TUNNEL
Security Associations (1 up, 0 connecting):
predaufood[24]: ESTABLISHED 23 seconds ago, 192.168.2.9[34.241.220.61]...213.192.193.25[213.192.193.25]
predaufood[24]: IKEv1 SPIs: 13343ccf4d1c77a4_i 7ea438993b29df4d_r*, pre-shared key reauthentication in 7 hours
predaufood[24]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
</pre>
What could be the problem?
Thanks for avance.
Regards,
José Antonio Chao
we have this scenario:
Side A - FW Juniper srx240h2
Side B - Instance server on AWS Amazon ( Centos 7 - StrongSwan 5.6.3)
We setup strongswan and, it seams, up tunnel but cannot "installed".
Here our configuration:
<pre>
* /etc/strongswan/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
# strictcrlpolicy=yes
# uniqueids = no
# Add connections here.
# Sample VPN connections
conn %default
ikelifetime=28800
keylife=3600
rekeymargin=3m
keyingtries=1
authby=secret
keyexchange=ikev1
mobike=no
conn predaufood
left=192.168.2.9
leftid=34.241.220.61
leftsubnet=192.168.2.9/32
leftfirewall=yes
right=213.192.193.25
rightsubnet=10.166.0.0/20
auto=start
esp=aes256-sha1!
ike=aes256-sha1-modp1024!
</pre>
we attach charcon.log where we can find this error:
IKE_SA checkout not successful
*strongswan statusall:
First moment:
<pre>
Status of IKE charon daemon (strongSwan 5.6.3, Linux 3.10.0-862.11.6.el7.x86_64, x86_64):
uptime: 55 seconds, since Sep 12 18:17:45 2018
malloc: sbrk 2809856, mmap 0, used 620384, free 2189472
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 10
loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Listening IP addresses:
192.168.2.9
Connections:
predaufood: 192.168.2.9...213.192.193.25 IKEv1
predaufood: local: [34.241.220.61] uses pre-shared key authentication
predaufood: remote: [213.192.193.25] uses pre-shared key authentication
predaufood: child: 192.168.2.9/32 === 10.166.0.0/20 TUNNEL
Security Associations (1 up, 1 connecting):
predaufood[4]: ESTABLISHED 11 seconds ago, 192.168.2.9[34.241.220.61]...213.192.193.25[213.192.193.25]
predaufood[4]: IKEv1 SPIs: 251dc8ac7dc4ea88_i ea26d43cc4f7a479_r*, pre-shared key reauthentication in 7 hours
predaufood[4]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
predaufood[1]: CONNECTING, 192.168.2.9[34.241.220.61]...213.192.193.25[%any]
predaufood[1]: IKEv1 SPIs: 65f4f6bd2b4b9b87_i* cc4e75f36155ecfe_r
predaufood[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
predaufood[1]: Tasks queued: QUICK_MODE
predaufood[1]: Tasks active: ISAKMP_VENDOR MAIN_MODE
</pre>
After few minutes:
<pre>
Status of IKE charon daemon (strongSwan 5.6.3, Linux 3.10.0-862.11.6.el7.x86_64, x86_64):
uptime: 12 minutes, since Sep 12 18:17:46 2018
malloc: sbrk 2809856, mmap 0, used 617552, free 2192304
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 48
loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Listening IP addresses:
192.168.2.9
Connections:
predaufood: 192.168.2.9...213.192.193.25 IKEv1
predaufood: local: [34.241.220.61] uses pre-shared key authentication
predaufood: remote: [213.192.193.25] uses pre-shared key authentication
predaufood: child: 192.168.2.9/32 === 10.166.0.0/20 TUNNEL
Security Associations (1 up, 0 connecting):
predaufood[24]: ESTABLISHED 23 seconds ago, 192.168.2.9[34.241.220.61]...213.192.193.25[213.192.193.25]
predaufood[24]: IKEv1 SPIs: 13343ccf4d1c77a4_i 7ea438993b29df4d_r*, pre-shared key reauthentication in 7 hours
predaufood[24]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
</pre>
What could be the problem?
Thanks for avance.
Regards,
José Antonio Chao