Open abobakrahmed opened 3 years ago
Hi, what version of OSW are you using? Can you post the content of ipsec barf?
Linux Openswan U2.6.43/K4.14.171-105.231.amzn1.x86_64 (netkey)
On Wed, 15 Jul 2020, Abobakr_Ahmed wrote:
Linux Openswan U2.6.43/K4.14.171-105.231.amzn1.x86_64 (netkey)
Not sure why a version was asked, other than to punt the problem to "please upgrade".
If you have auto=start and the service starts on startup, check the logs for a message on why it fails. grep the logs for "pluto".
Paul
packet from 6.6.6.6:500: ignoring unknown Vendor ID payload [a9b9b1034f7e50a2513b47b100bb85a9]
| find_host_connection2 called from main_inI1_outR1, me=4.4.4.4:500 him=6.6.6.6:500 policy=none
| find_host_pair: comparing to 4.4.4.4:500 6.6.6.6:500
| find_host_pair_conn (find_host_connection2): 4.4.4.4:500 6.6.6.6:500 -> hp:my_vpn2/0x1
| started looking for secret for 4.4.4.4->6.6.6.6 of kind PPK_PSK
| actually looking for secret for 4.4.4.4->6.6.6.6 of kind PPK_PSK
Can telnet to the destination, but when initiating traffic by telnet 1.1.1.1 443.
On Wed, 15 Jul 2020, Abobakr_Ahmed wrote:
packet from 196.43.201.208:500: ignoring unknown Vendor ID payload [a9b9b1034f7e50a2513b47b100bb85a9] | find_host_connection2 called from main_inI1_outR1, me=4.4.4.4:500 him=6.6.6.6:500 policy=none
This is a responding exchange, so it has nothing to do with whether your connection starts on boot or not?
Maybe show more logs and clarify the problem. More likely the connection never works?
Paul
How can I get more logs? It works when I start the connection by using the telnet command, but when this connection is finished, another destination 6.6.6.6 cannot telnet.
The logs will already be there. Check your system on how it handles logs, e.g. via /var/log/secure or journalctl etc.
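The two pieces of advice above ("grep the logs for pluto" and "the logs will already be there, in /var/log/secure or journalctl") are what this added script automates. It is not from the thread and not an Openswan tool: it keeps only the lines pluto wrote and summarises them per connection, which is what you actually want from a log that is "huge". The sample log is constructed (message bodies modelled on the pluto output posted in the thread; timestamps, hostname, PIDs, the sshd line and the Delete message are made up), and the triage rules are mine.

```shell
#!/bin/sh
# Added example; not from the thread and not an Openswan tool. Keeps only
# pluto's syslog lines and summarises them per connection.

# Constructed sample log. Message bodies are modelled on the pluto output
# posted in the thread; timestamps, hostname, PIDs, the sshd line and the
# Delete message are made up for this example.
PLUTO_SAMPLE='Jul 15 16:20:01 gw pluto[1234]: packet from 6.6.6.6:500: ignoring unknown Vendor ID payload [a9b9b1034f7e50a2513b47b100bb85a9]
Jul 15 16:20:01 gw pluto[1234]: "my_vpn2/0x3" #42: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}
Jul 15 16:20:02 gw pluto[1234]: "my_vpn2/0x3" #45: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xafcd430e <0x40b2edb7 xfrm=AES_256-HMAC_SHA1}
Jul 15 16:20:02 gw pluto[1234]: "my_vpn2/0x1" #43: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xf74eead5 <0x9fbf8a5d xfrm=AES_256-HMAC_SHA1}
Jul 15 16:20:02 gw sshd[999]: Accepted publickey for admin from 10.0.0.5 port 50122
Jul 15 16:20:03 gw pluto[1234]: "my_vpn2/0x2" #44: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xdaa8b71b <0x4b555d19 xfrm=AES_256-HMAC_SHA1}
Jul 15 16:25:00 gw pluto[1234]: "my_vpn2/0x3" #45: received Delete SA(0xafcd430e) payload: deleting IPSEC State #45'

# Write the sample to a temp file and print its path (the functions take a file).
sample_log_file() {
    _tmp=$(mktemp)
    printf '%s\n' "$PLUTO_SAMPLE" > "$_tmp"
    echo "$_tmp"
}

# Only the lines pluto wrote (syslog tag "pluto[<pid>]:"); no match is not an error.
pluto_lines() {
    grep 'pluto\[[0-9][0-9]*\]:' "$1" || true
}

# Peers that sent us IKE packets (pluto logs "packet from A.B.C.D:500:" when
# it is the responder), deduplicated.
ike_peers() {
    pluto_lines "$1" | sed -n 's/.*packet from \([0-9.]*\):[0-9]*:.*/\1/p' | sort -u
}

# Vendor ID payloads pluto ignored. Harmless on its own (it only tells you
# which peer implementations talk to you) and easy to mistake for the real problem.
unknown_vendor_ids() {
    pluto_lines "$1" | sed -n 's/.*ignoring unknown Vendor ID payload \[\([0-9a-f]*\)].*/\1/p' | sort -u
}

# Per instance ("name/0xN") of one conn: how many IPsec SAs came up and how
# many were deleted. Output lines: "<instance> <established> <deleted>".
sa_summary() {
    pluto_lines "$1" | awk -v name="$2" '
        match($0, /"[^"]*\/0x[0-9a-f]*"/) {
            inst = substr($0, RSTART + 1, RLENGTH - 2)
            split(inst, part, "/")
            if (part[1] != name) next
            seen[inst] = 1
            if ($0 ~ /IPsec SA established/) up[inst]++
            if ($0 ~ /deleting IPSEC State/) down[inst]++
        }
        END { for (i in seen) printf "%s %d %d\n", i, up[i] + 0, down[i] + 0 }
    ' | sort
}

# Usage: sh pluto_triage.sh [/var/log/secure [conn-name]]
# With no arguments it runs against the constructed sample above.
if [ $# -gt 0 ]; then
    log=$1
    conn=${2:-my_vpn2}
    cleanup=
else
    log=$(sample_log_file)
    conn=my_vpn2
    cleanup=$log
fi
echo "IKE peers seen:";     ike_peers "$log"
echo "Unknown Vendor IDs:"; unknown_vendor_ids "$log"
echo "SAs for $conn (instance established deleted):"
sa_summary "$log" "$conn"
if [ -n "$cleanup" ]; then rm -f "$cleanup"; fi
```

On a journald system feed it `journalctl -u ipsec --no-pager > /tmp/ipsec.log` first; the functions only assume the standard syslog tag `pluto[PID]:`. An instance that shows up with established=1 and deleted=1 (as my_vpn2/0x3 does in the sample) is the pattern to look for when "it works once and then stops".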
ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; force_encaps: yes
000 "my_vpn3/0x1": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,8; interface: eth0;
000 "my_vpn3/0x1": dpd: action:clear; delay:0; timeout:0;
000 "my_vpn3/0x1": newest ISAKMP SA: #0; newest IPsec SA: #9;
000 "my_vpn3/0x1": aliases: my_vpn3
000 "my_vpn3/0x1": IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP1024(2); flags=-strict
000 "my_vpn3/0x1": IKE algorithms found: AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
000 "my_vpn3/0x1": ESP algorithms wanted: AES(12)_256-SHA1(2)_000; pfsgroup=MODP1024(2); flags=-strict
000 "my_vpn3/0x1": ESP algorithms loaded: AES(12)_256-SHA1(2)_160
000 "my_vpn3/0x1": ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=<N/A>
002 "my_vpn2/0x3" #42: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "my_vpn2/0x3" #42: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}
002 "my_vpn2/0x3" #42: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
002 "my_vpn2/0x1" #43: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#42 msgid:c6c1e035 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
002 "my_vpn2/0x2" #44: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#42 msgid:24dbed3f proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
002 "my_vpn2/0x3" #45: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#42 msgid:6d48017b proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
117 "my_vpn2/0x1" #43: STATE_QUICK_I1: initiate
117 "my_vpn2/0x2" #44: STATE_QUICK_I1: initiate
117 "my_vpn2/0x3" #45: STATE_QUICK_I1: initiate
002 "my_vpn2/0x3" #45: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
002 "my_vpn2/0x3" #45: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "my_vpn2/0x3" #45: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xafcd430e <0x40b2edb7 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
002 "my_vpn2/0x1" #43: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
002 "my_vpn2/0x1" #43: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "my_vpn2/0x1" #43: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xf74eead5 <0x9fbf8a5d xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
002 "my_vpn2/0x2" #44: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
002 "my_vpn2/0x2" #44: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "my_vpn2/0x2" #44: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xdaa8b71b <0x4b555d19 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
I know these logs are huge, but if you can help me with any commands, it will be appreciated.
So that looks like it came up fine? Was this from system startup or a manual ipsec auto --up command?
There were some fixes in the subnets= vs subnet= code in libreswan, so on openswan perhaps first try with one subnet?
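An added illustration of the "first try with one subnet" suggestion; this is not the poster's ipsec.conf and not taken from Openswan's documentation. The my_vpn2/0x1, /0x2 and /0x3 instances in the status output above are what Openswan generates from a leftsubnets=/rightsubnets= list (all three use isakmp#42, the one ISAKMP SA). The addresses and subnets below are assumed; the algorithm strings mirror what the posted status reports for my_vpn2 (aes256-sha1, modp1536) so the example matches the thread, not as a recommendation.

```conf
# Added example; addresses, subnets and the _common/_netN names are assumed.

# As posted: one conn with a list of remote subnets. Openswan instantiates one
# child per subnet pair, which is what "my_vpn2/0x1", "/0x2" and "/0x3" are in
# "ipsec auto --status". All of them share one ISAKMP SA.
conn my_vpn2
    type=tunnel
    authby=secret
    auto=start
    pfs=no
    auth=esp
    left=4.4.4.4
    leftsubnet=10.10.0.0/24
    right=6.6.6.6
    rightsubnets={192.168.1.0/24 192.168.2.0/24 192.168.3.0/24}
    ike=aes256-sha1;modp1536
    esp=aes256-sha1

# "First try with one subnet": the same tunnel as explicit single-subnet conns.
# Each one can be brought up and checked on its own with
#   ipsec auto --up my_vpn2_net1
#   ipsec auto --status
# The shared settings live in a template that is never loaded by itself.
conn my_vpn2_common
    auto=ignore
    type=tunnel
    authby=secret
    pfs=no
    auth=esp
    left=4.4.4.4
    leftsubnet=10.10.0.0/24
    right=6.6.6.6
    ike=aes256-sha1;modp1536
    esp=aes256-sha1

conn my_vpn2_net1
    also=my_vpn2_common
    rightsubnet=192.168.1.0/24
    auto=start

conn my_vpn2_net2
    also=my_vpn2_common
    rightsubnet=192.168.2.0/24
    auto=start

conn my_vpn2_net3
    also=my_vpn2_common
    rightsubnet=192.168.3.0/24
    auto=start
```

Values set directly in a conn take precedence over those pulled in through also=, which is why auto=start in each net conn overrides the template's auto=ignore. Split this way, a failure is reported against a named conn rather than against an /0xN instance, and "ipsec auto --up" on a single conn gives a clear answer to the "no response" question below.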
ipsec whack --initiate --name my_vpn2
ipsec whack --status
ipsec auto --status
Please help me, there was no response when I entered ipsec auto --up.
Hello, I have an issue with openswan not working as responder except when I initiate traffic. That's my configuration:
conn my_vpn2
    type=tunnel
    authby=secret
    auto=start
    pfs=no
    auth=esp
Phase1