Occasional Contributor
Posts: 11
Registered: ‎10-24-2016

Tunnel is dropping frequently, and sometimes the tunnel is up but the tunnel remote is not pinging

Hi,

We enabled IPsec on VyOS between an OpenStack-spawned VyOS and a virsh-created VyOS.

All the tunnels came up and it was working fine for some time.

After the host server restarted, the tunnel is frequently not coming up.

Sometimes the tunnel comes up but the remote end of the tunnel is not pinging.

Please see the error snapshot:

VPN-IPSEC: "peer-192.168.200.143-tunnel-2" #2: malformed payload in packet
VPN-IPSEC: "peer-192.168.200.143-tunnel-2" #2: next payload type of ISAKMP Hash Payload has an unknown value: 64
VPN-IPSEC: "peer-192.168.200.143-tunnel-2" #2: malformed payload in packet
VPN-IPSEC: "peer-192.168.200.143-tunnel-2" #2: ignoring informational payload, type INVALID_MESSAGE_ID
VPN-IPSEC: "peer-192.168.200.143-tunnel-2" #2: ignoring informational payload, type INVALID_MESSAGE_ID
VPN-IPSEC: "peer-192.168.200.143-tunnel-1" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x74c60eb5 (perhaps this is a duplicated packet)
VPN-IPSEC: "peer-192.168.200.143-tunnel-1" #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.200.143:500
VPN-IPSEC: "peer-192.168.200.143-tunnel-1" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x224fcd5f (perhaps this is a duplicated packet)
VPN-IPSEC: "peer-192.168.200.143-tunnel-1" #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.200.143:500

 

Thanks

Jay

Regds
Jayachandran
Occasional Contributor

Re: Tunnel is dropping frequently, and sometimes the tunnel is up but the tunnel remote is not pinging

When the tunnel is down, I used to get this error, and no NAT is enabled:

VPN-IPSEC: packet from 192.168.200.3:500: received Vendor ID payload [strongSwan]
VPN-IPSEC: packet from 192.168.200.3:500: ignoring Vendor ID payload [Cisco-Unity]
VPN-IPSEC: packet from 192.168.200.3:500: received Vendor ID payload [XAUTH]
VPN-IPSEC: packet from 192.168.200.3:500: received Vendor ID payload [Dead Peer Detection]
VPN-IPSEC: packet from 192.168.200.3:500: initial Main Mode message received on 192.168.200.143:500 but no connection has been authorized with policy=PSK
VPN-IPSEC: packet from 192.168.200.3:500: received Vendor ID payload [strongSwan]
VPN-IPSEC: packet from 192.168.200.3:500: ignoring Vendor ID payload [Cisco-Unity]
VPN-IPSEC: packet from 192.168.200.3:500: received Vendor ID payload [XAUTH]
VPN-IPSEC: packet from 192.168.200.3:500: received Vendor ID payload [Dead Peer Detection]
VPN-IPSEC: packet from 192.168.200.3:500: initial Main Mode message received on 192.168.200.143:500 but no connection has been authorized with policy=PSK

 

Kindly let me know the solution for this.

Regds
Jayachandran
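A small classifier for the log lines quoted in these two posts, as an added example that is not part of the thread or of VyOS/strongSwan code. It splits pluto's output into lines that belong to an existing state (`"conn" #N: ...`) and lines about packets that have no state yet (`packet from A.B.C.D:500: ...`), buckets the messages seen above (malformed payload, INVALID_MESSAGE_ID received or sent, a Quick Mode message reusing a Message ID, and an initial Main Mode message that matched no authorized connection), and reports which source address was refused and which Message IDs were seen twice. The patterns are written only against the message texts visible in the posts; the sample log is the two snippets above.

```python
"""Classify IKEv1 (pluto) log lines of the kind posted in this thread.

Added example for this thread, not VyOS, Vyatta or strongSwan code. The
patterns match the message texts visible in the posts above; anything
else is reported as "other". SAMPLE_LOG is copied from the two posts.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Lines about an existing state:  ... "conn-name" #N: message
CONN_RE = re.compile(r'"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
# Lines about a packet with no state yet:  ... packet from A.B.C.D:port: message
PKT_RE = re.compile(r'packet from (?P<src>[\d.]+):\d+: (?P<msg>.*)$')
UNAUTH_RE = re.compile(r'initial Main Mode message received on (?P<dst>[\d.]+):\d+ '
                       r'but no connection has been authorized with policy=(?P<policy>\S+)')
DUP_MID_RE = re.compile(r'previously used Message ID (?P<mid>0x[0-9a-f]+)')

@dataclass
class Event:
    kind: str             # category used for counting
    who: Optional[str]    # conn name, or the source address for stateless packets
    state: Optional[int]  # pluto state number (#N), if the line has one
    detail: str

def classify(line: str) -> Event:
    """Map one log line to an Event."""
    m = CONN_RE.search(line)
    if m:
        conn, state, msg = m.group("conn"), int(m.group("state")), m.group("msg")
        if "malformed payload" in msg or "has an unknown value" in msg:
            return Event("malformed_payload", conn, state, msg)
        if "ignoring informational payload, type INVALID_MESSAGE_ID" in msg:
            return Event("invalid_message_id_received", conn, state, msg)
        if "sending encrypted notification INVALID_MESSAGE_ID" in msg:
            return Event("invalid_message_id_sent", conn, state, msg)
        d = DUP_MID_RE.search(msg)
        if d:
            return Event("duplicate_message_id", conn, state, d.group("mid"))
        if "SA established" in msg:
            return Event("sa_established", conn, state, msg)
        return Event("other", conn, state, msg)
    m = PKT_RE.search(line)
    if m:
        src, msg = m.group("src"), m.group("msg")
        u = UNAUTH_RE.search(msg)
        if u:
            return Event("no_authorized_connection", src, None,
                         f"to {u.group('dst')} policy={u.group('policy')}")
        if "Vendor ID payload" in msg:
            return Event("vendor_id", src, None, msg)
        return Event("other", src, None, msg)
    return Event("other", None, None, line.strip())

def summarize(lines):
    """Counts per kind, the source addresses the daemon refused because no
    connection matched, and the Quick Mode message IDs it saw twice."""
    counts, refused, dup_ids = Counter(), set(), set()
    for line in lines:
        if not line.strip():
            continue
        ev = classify(line)
        counts[ev.kind] += 1
        if ev.kind == "no_authorized_connection":
            refused.add(ev.who)
        elif ev.kind == "duplicate_message_id":
            dup_ids.add(ev.detail)
    return counts, refused, dup_ids

SAMPLE_LOG = """\
VPN-IPSEC: "peer-192.168.200.143-tunnel-2" #2: malformed payload in packet
VPN-IPSEC: "peer-192.168.200.143-tunnel-2" #2: next payload type of ISAKMP Hash Payload has an unknown value: 64
VPN-IPSEC: "peer-192.168.200.143-tunnel-2" #2: malformed payload in packet
VPN-IPSEC: "peer-192.168.200.143-tunnel-2" #2: ignoring informational payload, type INVALID_MESSAGE_ID
VPN-IPSEC: "peer-192.168.200.143-tunnel-2" #2: ignoring informational payload, type INVALID_MESSAGE_ID
VPN-IPSEC: "peer-192.168.200.143-tunnel-1" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x74c60eb5 (perhaps this is a duplicated packet)
VPN-IPSEC: "peer-192.168.200.143-tunnel-1" #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.200.143:500
VPN-IPSEC: "peer-192.168.200.143-tunnel-1" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x224fcd5f (perhaps this is a duplicated packet)
VPN-IPSEC: "peer-192.168.200.143-tunnel-1" #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.200.143:500
VPN-IPSEC: packet from 192.168.200.3:500: received Vendor ID payload [strongSwan]
VPN-IPSEC: packet from 192.168.200.3:500: ignoring Vendor ID payload [Cisco-Unity]
VPN-IPSEC: packet from 192.168.200.3:500: received Vendor ID payload [XAUTH]
VPN-IPSEC: packet from 192.168.200.3:500: received Vendor ID payload [Dead Peer Detection]
VPN-IPSEC: packet from 192.168.200.3:500: initial Main Mode message received on 192.168.200.143:500 but no connection has been authorized with policy=PSK
VPN-IPSEC: packet from 192.168.200.3:500: received Vendor ID payload [strongSwan]
VPN-IPSEC: packet from 192.168.200.3:500: ignoring Vendor ID payload [Cisco-Unity]
VPN-IPSEC: packet from 192.168.200.3:500: received Vendor ID payload [XAUTH]
VPN-IPSEC: packet from 192.168.200.3:500: received Vendor ID payload [Dead Peer Detection]
VPN-IPSEC: packet from 192.168.200.3:500: initial Main Mode message received on 192.168.200.143:500 but no connection has been authorized with policy=PSK
"""

if __name__ == "__main__":
    counts, refused, dup_ids = summarize(SAMPLE_LOG.splitlines())
    print(dict(counts))
    print("refused sources:", sorted(refused), "duplicate message IDs:", sorted(dup_ids))
```

On the two snippets above the refused source is 192.168.200.3, which is the address to compare with the peers configured on the responding router; the syslog-prefixed form of the same lines (`Mar 14 ... pluto[3923]: "peer-..." #4: ...`) is classified the same way because both patterns search from the conn name or `packet from` onward.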
Brocadian

Re: Tunnel is dropping frequently, and sometimes the tunnel is up but the tunnel remote is not pinging

Can you please provide your configs on both sides so we can help you further?

Occasional Contributor

Re: Tunnel is dropping frequently, and sometimes the tunnel is up but the tunnel remote is not pinging

Hi,

Please find the config

Router 1

-------------

set vpn ipsec esp-group ESP-Default compression 'disable'
set vpn ipsec esp-group ESP-Default lifetime '3600'
set vpn ipsec esp-group ESP-Default mode 'tunnel'
set vpn ipsec esp-group ESP-Default pfs 'dh-group16'
set vpn ipsec esp-group ESP-Default proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-Default proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE-Default dead-peer-detection action 'clear'
set vpn ipsec ike-group IKE-Default dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-Default dead-peer-detection timeout '90'
set vpn ipsec ike-group IKE-Default ikev2-reauth 'no'
set vpn ipsec ike-group IKE-Default key-exchange 'ikev1'
set vpn ipsec ike-group IKE-Default lifetime '1800'
set vpn ipsec ike-group IKE-Default proposal 1 dh-group '16'
set vpn ipsec ike-group IKE-Default proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-Default proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec logging log-modes 'all'
set vpn ipsec site-to-site peer 192.168.200.143 authentication id '10.0.0.109'
set vpn ipsec site-to-site peer 192.168.200.143 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.200.143 authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer 192.168.200.143 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.168.200.143 default-esp-group 'ESP-Default'
set vpn ipsec site-to-site peer 192.168.200.143 ike-group 'IKE-Default'
set vpn ipsec site-to-site peer 192.168.200.143 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.168.200.143 local-address '10.0.0.109'
set vpn ipsec site-to-site peer 192.168.200.143 tunnel 1 local prefix 50.0.0.0/24
set vpn ipsec site-to-site peer 192.168.200.143 tunnel 1 remote prefix 60.0.0.0/24
set vpn ipsec site-to-site peer 192.168.200.143 tunnel 2 local prefix 50.0.0.0/24
set vpn ipsec site-to-site peer 192.168.200.143 tunnel 2 remote prefix 70.0.0.0/24

 

Router 2

-------------

set vpn ipsec esp-group ESP-Default compression 'disable'
set vpn ipsec esp-group ESP-Default lifetime '3600'
set vpn ipsec esp-group ESP-Default mode 'tunnel'
set vpn ipsec esp-group ESP-Default pfs 'dh-group16'
set vpn ipsec esp-group ESP-Default proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-Default proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE-Default dead-peer-detection action 'clear'
set vpn ipsec ike-group IKE-Default dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-Default dead-peer-detection timeout '90'
set vpn ipsec ike-group IKE-Default ikev2-reauth 'no'
set vpn ipsec ike-group IKE-Default key-exchange 'ikev1'
set vpn ipsec ike-group IKE-Default lifetime '1800'
set vpn ipsec ike-group IKE-Default proposal 1 dh-group '16'
set vpn ipsec ike-group IKE-Default proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-Default proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec logging log-modes 'all'
set vpn ipsec site-to-site peer 192.168.200.143 authentication id '10.0.0.109'
set vpn ipsec site-to-site peer 192.168.200.143 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.200.143 authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer 192.168.200.143 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.168.200.143 default-esp-group 'ESP-Default'
set vpn ipsec site-to-site peer 192.168.200.143 ike-group 'IKE-Default'
set vpn ipsec site-to-site peer 192.168.200.143 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.168.200.143 local-address '10.0.0.109'
set vpn ipsec site-to-site peer 192.168.200.143 tunnel 1 local prefix 50.0.0.0/24
set vpn ipsec site-to-site peer 192.168.200.143 tunnel 1 remote prefix 60.0.0.0/24
set vpn ipsec site-to-site peer 192.168.200.143 tunnel 2 local prefix 50.0.0.0/24
set vpn ipsec site-to-site peer 192.168.200.143 tunnel 2 remote prefix 70.0.0.0/24

 

And we suspect the issue is due to /etc/ipsec.secrets showing 3 IPs (10.0.0.109 192.168.200.243 10.0.0.109 : PSK "secret").

Kindly do the needful for the solution.

 

Thanks

Jay

 

Regds
Jayachandran
Occasional Contributor

Re: Tunnel is dropping frequently, and sometimes the tunnel is up but the tunnel remote is not pinging

Hi,

Please find the config

Router1

----------

set vpn ipsec esp-group ESP-Default compression 'disable'
set vpn ipsec esp-group ESP-Default lifetime '3600'
set vpn ipsec esp-group ESP-Default mode 'tunnel'
set vpn ipsec esp-group ESP-Default pfs 'dh-group16'
set vpn ipsec esp-group ESP-Default proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-Default proposal 1 hash 'sha256'
set vpn ipsec ike-group IKE-Default dead-peer-detection action 'clear'
set vpn ipsec ike-group IKE-Default dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-Default dead-peer-detection timeout '90'
set vpn ipsec ike-group IKE-Default ikev2-reauth 'no'
set vpn ipsec ike-group IKE-Default key-exchange 'ikev1'
set vpn ipsec ike-group IKE-Default lifetime '1800'
set vpn ipsec ike-group IKE-Default proposal 1 dh-group '16'
set vpn ipsec ike-group IKE-Default proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-Default proposal 1 hash 'sha256'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec logging log-modes 'all'
set vpn ipsec site-to-site peer 192.168.200.143 authentication id '10.0.0.109'
set vpn ipsec site-to-site peer 192.168.200.143 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.168.200.143 authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer 192.168.200.143 connection-type 'initiate'
set vpn ipsec site-to-site peer 192.168.200.143 default-esp-group 'ESP-Default'
set vpn ipsec site-to-site peer 192.168.200.143 ike-group 'IKE-Default'
set vpn ipsec site-to-site peer 192.168.200.143 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 192.168.200.143 local-address '10.0.0.109'
set vpn ipsec site-to-site peer 192.168.200.143 tunnel 1 local prefix 50.0.0.0/24
set vpn ipsec site-to-site peer 192.168.200.143 tunnel 1 remote prefix 60.0.0.0/24
set vpn ipsec site-to-site peer 192.168.200.143 tunnel 2 local prefix 50.0.0.0/24
set vpn ipsec site-to-site peer 192.168.200.143 tunnel 2 remote prefix 70.0.0.0/24

Router2

----------

set vpn ipsec esp-group ESP-Default compression 'disable'
set vpn ipsec esp-group ESP-Default lifetime '3600'
set vpn ipsec esp-group ESP-Default mode 'tunnel'
set vpn ipsec esp-group ESP-Default pfs 'dh-group16'
set vpn ipsec esp-group ESP-Default proposal 1 encryption 'aes256'
set vpn ipsec esp-group ESP-Default proposal 1 hash 'sha256'

 
set vpn ipsec ike-group IKE-Default dead-peer-detection action 'clear'
set vpn ipsec ike-group IKE-Default dead-peer-detection interval '30'
set vpn ipsec ike-group IKE-Default dead-peer-detection timeout '90'
set vpn ipsec ike-group IKE-Default ikev2-reauth 'no'
set vpn ipsec ike-group IKE-Default key-exchange 'ikev1'
set vpn ipsec ike-group IKE-Default lifetime '1800'
set vpn ipsec ike-group IKE-Default proposal 1 dh-group '16'
set vpn ipsec ike-group IKE-Default proposal 1 encryption 'aes256'
set vpn ipsec ike-group IKE-Default proposal 1 hash 'sha256'

set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec logging log-modes 'all'

set vpn ipsec site-to-site peer 10.0.0.109 authentication id '192.168.200.143'
set vpn ipsec site-to-site peer 10.0.0.109 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 10.0.0.109 authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer 10.0.0.109 connection-type 'initiate'
set vpn ipsec site-to-site peer 10.0.0.109 default-esp-group 'ESP-Default'
set vpn ipsec site-to-site peer 10.0.0.109 ike-group 'IKE-Default'
set vpn ipsec site-to-site peer 10.0.0.109 ikev2-reauth 'inherit'
set vpn ipsec site-to-site peer 10.0.0.109 local-address '192.168.200.143'
set vpn ipsec site-to-site peer 10.0.0.109 tunnel 1 local prefix 60.0.0.0/24
set vpn ipsec site-to-site peer 10.0.0.109 tunnel 1 remote prefix 50.0.0.0/24
set vpn ipsec site-to-site peer 10.0.0.109 tunnel 2 local prefix 70.0.0.0/24
set vpn ipsec site-to-site peer 10.0.0.109 tunnel 2 remote prefix 50.0.0.0/24

 

Also, /etc/ipsec.secrets is showing 3 IP addresses instead of 2.

Kindly do the needful.

 

Thanks

Jay

 

 

Regds
Jayachandran
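A mirror check for the two configs, as an added example that is not part of the post or of VyOS code. It parses the `set vpn ipsec site-to-site` lines of both routers and verifies that each router's peer address is the other's local-address, that the ID each side sends is the address the other side has it configured under (the default when no `authentication remote-id` is set), that the pre-shared secrets agree, and that tunnel N's local prefix on one side is its remote prefix on the other. On the Router1/Router2 listing above it reports nothing; on the earlier post's listing, where the Router 2 block was a copy of Router 1, it reports a missing peer entry from each side. The last function compares the source addresses of `packet from ...` log lines with the configured peers, which is the lookup pluto performs before logging `no connection has been authorized`: the lines in the second post came from 192.168.200.3, an address that appears in neither config. The data strings are the posted configs trimmed to the lines the check reads.

```python
"""Mirror check for two VyOS/Vyatta IPsec site-to-site configs.

Added example for this thread, not VyOS or Vyatta code. It parses the
`set vpn ipsec ...` commands as posted and verifies that both routers
describe each tunnel from opposite ends. ROUTER1/ROUTER2 below are the
configs from the post above, trimmed to the lines the check reads.
"""
import re
import shlex

def parse_set(text):
    """Turn "set a b c 'v'" lines into {"a b c": "v"} (quotes removed)."""
    cfg = {}
    for line in text.strip().splitlines():
        parts = shlex.split(line)
        if parts[:1] == ["set"] and len(parts) > 2:
            cfg[" ".join(parts[1:-1])] = parts[-1]
    return cfg

def peers(cfg):
    """{peer address: {sub-key: value}} for every site-to-site peer."""
    out = {}
    for key, val in cfg.items():
        m = re.match(r"vpn ipsec site-to-site peer (\S+) (.+)", key)
        if m:
            out.setdefault(m.group(1), {})[m.group(2)] = val
    return out

def mirror_check(a, b):
    """Findings for A's peers as seen from B; an empty list means agreement."""
    findings = []
    pb = peers(b)
    for remote, pa_cfg in peers(a).items():
        local = pa_cfg.get("local-address")
        tag = f"{local} -> {remote}"
        pb_cfg = pb.get(local)
        if pb_cfg is None:
            findings.append(f"{tag}: remote has no 'peer {local}' entry")
            continue
        if pb_cfg.get("local-address") != remote:
            findings.append(f"{tag}: remote local-address is "
                            f"{pb_cfg.get('local-address')}, not {remote}")
        # With no remote-id configured, the responder accepts only an ID
        # equal to the address it has the peer configured under.
        expected = pb_cfg.get("authentication remote-id", local)
        if pa_cfg.get("authentication id", local) != expected:
            findings.append(f"{tag}: sends id {pa_cfg.get('authentication id')}, "
                            f"remote expects {expected}")
        if (pa_cfg.get("authentication pre-shared-secret")
                != pb_cfg.get("authentication pre-shared-secret")):
            findings.append(f"{tag}: pre-shared secrets differ")
        for key, val in pa_cfg.items():
            m = re.match(r"tunnel (\d+) (local|remote) prefix", key)
            if not m:
                continue
            other = "remote" if m.group(2) == "local" else "local"
            mirrored = pb_cfg.get(f"tunnel {m.group(1)} {other} prefix")
            if mirrored != val:
                findings.append(f"{tag}: tunnel {m.group(1)} {m.group(2)} prefix "
                                f"{val} is {mirrored} on the remote side")
    return findings

def check_pair(a_text, b_text):
    """Run the mirror check in both directions."""
    a, b = parse_set(a_text), parse_set(b_text)
    return mirror_check(a, b) + mirror_check(b, a)

def unconfigured_sources(text, sources):
    """IKE source addresses (from 'packet from A.B.C.D:500' log lines) that
    match no configured peer; pluto answers such a peer with 'no connection
    has been authorized'."""
    return sorted(set(sources) - set(peers(parse_set(text))))

ROUTER1 = """
set vpn ipsec site-to-site peer 192.168.200.143 authentication id '10.0.0.109'
set vpn ipsec site-to-site peer 192.168.200.143 authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer 192.168.200.143 local-address '10.0.0.109'
set vpn ipsec site-to-site peer 192.168.200.143 tunnel 1 local prefix 50.0.0.0/24
set vpn ipsec site-to-site peer 192.168.200.143 tunnel 1 remote prefix 60.0.0.0/24
set vpn ipsec site-to-site peer 192.168.200.143 tunnel 2 local prefix 50.0.0.0/24
set vpn ipsec site-to-site peer 192.168.200.143 tunnel 2 remote prefix 70.0.0.0/24
"""
ROUTER2 = """
set vpn ipsec site-to-site peer 10.0.0.109 authentication id '192.168.200.143'
set vpn ipsec site-to-site peer 10.0.0.109 authentication pre-shared-secret 'secret'
set vpn ipsec site-to-site peer 10.0.0.109 local-address '192.168.200.143'
set vpn ipsec site-to-site peer 10.0.0.109 tunnel 1 local prefix 60.0.0.0/24
set vpn ipsec site-to-site peer 10.0.0.109 tunnel 1 remote prefix 50.0.0.0/24
set vpn ipsec site-to-site peer 10.0.0.109 tunnel 2 local prefix 70.0.0.0/24
set vpn ipsec site-to-site peer 10.0.0.109 tunnel 2 remote prefix 50.0.0.0/24
"""

if __name__ == "__main__":
    print("Router1 <-> Router2:", check_pair(ROUTER1, ROUTER2) or "consistent")
    # The earlier post listed Router 1's config twice; compare it with itself.
    print("Router1 <-> Router1:", check_pair(ROUTER1, ROUTER1))
    # Main Mode arrived from 192.168.200.3 in the second post's logs.
    print("Unconfigured sources:", unconfigured_sources(ROUTER2, ["192.168.200.3"]))
```

Lifetimes and DPD settings are deliberately not compared: IKE tolerates differing lifetimes, while a mismatch in any of the checked fields prevents the tunnel from being negotiated or routed at all.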
Occasional Contributor

Re: Tunnel is dropping frequently, and sometimes the tunnel is up but the tunnel remote is not pinging

Hi,

Please find the Router1/Router2 ipsec.conf details.

Router1
-------
# generated by /opt/vyatta/sbin/vpn-config.pl

version 2.0

config setup
        charonstart=yes
        interfaces="%none"

conn clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn private-or-clear
        auto=ignore

conn private
        auto=ignore

conn block
        auto=ignore

conn packetdefault
        auto=ignore

conn %default
        keyexchange=ikev1


conn peer-10.0.0.109-tunnel-1
        left=192.168.200.143
        leftid="192.168.200.143"
        right=10.0.0.109
        leftsubnet=60.0.0.0/24
        rightsubnet=50.0.0.0/24
        leftsourceip=60.0.0.2
        ike=aes256-sha256-modp4096!
        keyexchange=ikev1
        ikelifetime=1800s
        esp=aes256-sha256!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        pfs=yes
        pfsgroup=modp4096
        compress=no
        authby=secret
        auto=start
        keyingtries=%forever
#conn peer-10.0.0.109-tunnel-1

conn peer-10.0.0.109-tunnel-2
        left=192.168.200.143
        leftid="192.168.200.143"
        right=10.0.0.109
        leftsubnet=70.0.0.0/24
        rightsubnet=50.0.0.0/24
        leftsourceip=192.168.200.143
        ike=aes256-sha256-modp4096!
        keyexchange=ikev1
        ikelifetime=1800s
        esp=aes256-sha256!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        pfs=yes
        pfsgroup=modp4096
        compress=no
        authby=secret
        auto=start
        keyingtries=%forever
#conn peer-10.0.0.109-tunnel-2

include /etc/dmvpn.conf

***************************************************
Router2
-------
# generated by /opt/vyatta/sbin/vpn-config.pl

version 2.0

config setup
        charonstart=yes
        interfaces="%none"

conn clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn private-or-clear
        auto=ignore

conn private
        auto=ignore

conn block
        auto=ignore

conn packetdefault
        auto=ignore

conn %default
        keyexchange=ikev1


conn peer-192.168.200.143-tunnel-1
        left=10.0.0.109
        leftid="10.0.0.109"
        right=192.168.200.143
        leftsubnet=50.0.0.0/24
        rightsubnet=60.0.0.0/24
        leftsourceip=50.0.0.3
        ike=aes256-sha256-modp4096!
        keyexchange=ikev1
        ikelifetime=1800s
        esp=aes256-sha256!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        pfs=yes
        pfsgroup=modp4096
        compress=no
        authby=secret
        auto=start
        keyingtries=%forever
#conn peer-192.168.200.143-tunnel-1

conn peer-192.168.200.143-tunnel-2
        left=10.0.0.109
        leftid="10.0.0.109"
        right=192.168.200.143
        leftsubnet=50.0.0.0/24
        rightsubnet=70.0.0.0/24
        leftsourceip=50.0.0.3
        ike=aes256-sha256-modp4096!
        keyexchange=ikev1
        ikelifetime=1800s
        esp=aes256-sha256!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        pfs=yes
        pfsgroup=modp4096
        compress=no
        authby=secret
        auto=start
        keyingtries=%forever
#conn peer-192.168.200.143-tunnel-2

include /etc/dmvpn.conf

 

Kindly do the needful to resolve the issue.

Regds
Jayachandran
Brocadian

Re: Tunnel is dropping frequently, and sometimes the tunnel is up but the tunnel remote is not pinging


I tried your configs with only one change because my routers are connected back-to-back, and all worked fine as shown below.

 

Even though these configs work, what looks odd to me are the leftsourceip values: I believe they should be 192.168.200.143 on Router1 and 10.0.0.109 on Router2.

 

Router1 Config

vyatta@Router1:~$ cat /etc/ipsec.conf
# generated by /opt/vyatta/sbin/vpn-config.pl

version 2.0

config setup
        charonstart=no
        interfaces="%none"

conn clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn private-or-clear
        auto=ignore

conn private
        auto=ignore

conn block
        auto=ignore

conn packetdefault
        auto=ignore

conn %default
        keyexchange=ikev1


conn peer-10.0.0.109-tunnel-1
        left=10.0.0.110
        right=10.0.0.109
        leftsubnet=60.0.0.0/24
        rightsubnet=50.0.0.0/24
        leftsourceip=60.0.0.2
        ike=aes256-sha256-modp4096!
        keyexchange=ikev1
        ikelifetime=1800s
        esp=aes256-sha256!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        pfs=yes
        pfsgroup=modp4096
        compress=no
        authby=secret
        auto=start
        keyingtries=%forever
#conn peer-10.0.0.109-tunnel-1

conn peer-10.0.0.109-tunnel-2
        left=10.0.0.110
        right=10.0.0.109
        leftsubnet=70.0.0.0/24
        rightsubnet=50.0.0.0/24
        leftsourceip=70.0.0.2
        ike=aes256-sha256-modp4096!
        keyexchange=ikev1
        ikelifetime=1800s
        esp=aes256-sha256!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        pfs=yes
        pfsgroup=modp4096
        compress=no
        authby=secret
        auto=start
        keyingtries=%forever
#conn peer-10.0.0.109-tunnel-2

include /etc/dmvpn.conf
vyatta@Router1:~$

Router1 Status

vyatta@Router1:~$ sudo ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth4/eth4 10.0.0.110:500
000 interface eth4/eth4 70.0.0.2:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
000 "peer-10.0.0.109-tunnel-1": 60.0.0.0/24===10.0.0.110[10.0.0.110]...10.0.0.109[10.0.0.109]===50.0.0.0/24; erouted; eroute owner: #3
000 "peer-10.0.0.109-tunnel-1":   ike_life: 1800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "peer-10.0.0.109-tunnel-1":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth4;
000 "peer-10.0.0.109-tunnel-1":   newest ISAKMP SA: #1; newest IPsec SA: #3;
000 "peer-10.0.0.109-tunnel-1":   IKE proposal: AES_CBC_256/HMAC_SHA2_256/MODP_4096
000 "peer-10.0.0.109-tunnel-1":   ESP proposal: AES_CBC_256/HMAC_SHA2_256/MODP_4096
000 "peer-10.0.0.109-tunnel-2": 70.0.0.0/24===10.0.0.110[10.0.0.110]...10.0.0.109[10.0.0.109]===50.0.0.0/24; erouted; eroute owner: #2
000 "peer-10.0.0.109-tunnel-2":   ike_life: 1800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "peer-10.0.0.109-tunnel-2":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth4;
000 "peer-10.0.0.109-tunnel-2":   newest ISAKMP SA: #0; newest IPsec SA: #2;
000 "peer-10.0.0.109-tunnel-2":   ESP proposal: AES_CBC_256/HMAC_SHA2_256/MODP_4096
000
000 #3: "peer-10.0.0.109-tunnel-1" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2547s; newest IPSEC; eroute owner
000 #3: "peer-10.0.0.109-tunnel-1" esp.c2669043@10.0.0.109 (0 bytes) esp.cf111ada@10.0.0.110 (0 bytes); tunnel
000 #1: "peer-10.0.0.109-tunnel-1" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 716s; newest ISAKMP
000 #2: "peer-10.0.0.109-tunnel-2" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2757s; newest IPSEC; eroute owner
000 #2: "peer-10.0.0.109-tunnel-2" esp.cc03f0e8@10.0.0.109 (0 bytes) esp.c37ba718@10.0.0.110 (0 bytes); tunnel
000
vyatta@Router1:~$

Router1 Logs

Mar 14 17:05:28 Router1 pluto[3923]: packet from 10.0.0.109:500: received Vendor ID payload [strongSwan]
Mar 14 17:05:28 Router1 pluto[3923]: packet from 10.0.0.109:500: ignoring Vendor ID payload [Cisco-Unity]
Mar 14 17:05:28 Router1 pluto[3923]: packet from 10.0.0.109:500: received Vendor ID payload [XAUTH]
Mar 14 17:05:28 Router1 pluto[3923]: packet from 10.0.0.109:500: received Vendor ID payload [Dead Peer Detection]
Mar 14 17:05:28 Router1 pluto[3923]: "peer-10.0.0.109-tunnel-2" #4: responding to Main Mode
Mar 14 17:05:28 Router1 pluto[3923]: "peer-10.0.0.109-tunnel-2" #4: Peer ID is ID_IPV4_ADDR: '10.0.0.109'
Mar 14 17:05:28 Router1 pluto[3923]: "peer-10.0.0.109-tunnel-2" #4: sent MR3, ISAKMP SA established
Mar 14 17:05:28 Router1 pluto[3923]: "peer-10.0.0.109-tunnel-2" #5: responding to Quick Mode
Mar 14 17:05:29 Router1 pluto[3923]: "peer-10.0.0.109-tunnel-1" #6: responding to Quick Mode
Mar 14 17:05:29 Router1 pluto[3923]: "peer-10.0.0.109-tunnel-2" #5: IPsec SA established {ESP=>0xcba0a983 <0xc6b8860b}
Mar 14 17:05:29 Router1 pluto[3923]: "peer-10.0.0.109-tunnel-1" #6: IPsec SA established {ESP=>0xc05ea99b <0xc3794fe6}

Router2 Config

vyatta@Router2:~$ cat /etc/ipsec.conf
# generated by /opt/vyatta/sbin/vpn-config.pl

version 2.0

config setup
        charonstart=no
        interfaces="%none"

conn clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn private-or-clear
        auto=ignore

conn private
        auto=ignore

conn block
        auto=ignore

conn packetdefault
        auto=ignore

conn %default
        keyexchange=ikev1


conn peer-10.0.0.110-tunnel-1
        left=10.0.0.109
        right=10.0.0.110
        leftsubnet=50.0.0.0/24
        rightsubnet=60.0.0.0/24
        leftsourceip=50.0.0.3
        ike=aes256-sha256-modp4096!
        keyexchange=ikev1
        ikelifetime=1800s
        esp=aes256-sha256!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        pfs=yes
        pfsgroup=modp4096
        compress=no
        authby=secret
        auto=start
        keyingtries=%forever
#conn peer-10.0.0.110-tunnel-1

conn peer-10.0.0.110-tunnel-2
        left=10.0.0.109
        right=10.0.0.110
        leftsubnet=50.0.0.0/24
        rightsubnet=70.0.0.0/24
        leftsourceip=50.0.0.3
        ike=aes256-sha256-modp4096!
        keyexchange=ikev1
        ikelifetime=1800s
        esp=aes256-sha256!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        pfs=yes
        pfsgroup=modp4096
        compress=no
        authby=secret
        auto=start
        keyingtries=%forever
#conn peer-10.0.0.110-tunnel-2

include /etc/dmvpn.conf
vyatta@Router2:~$

Router2 Status

vyatta@Router2:~$ sudo ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.0.0.109:500
000 interface eth0/eth0 50.0.0.3:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
000 "peer-10.0.0.110-tunnel-1": 50.0.0.0/24===10.0.0.109[10.0.0.109]...10.0.0.110[10.0.0.110]===60.0.0.0/24; erouted; eroute owner: #3
000 "peer-10.0.0.110-tunnel-1":   ike_life: 1800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "peer-10.0.0.110-tunnel-1":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0;
000 "peer-10.0.0.110-tunnel-1":   newest ISAKMP SA: #1; newest IPsec SA: #3;
000 "peer-10.0.0.110-tunnel-1":   IKE proposal: AES_CBC_256/HMAC_SHA2_256/MODP_4096
000 "peer-10.0.0.110-tunnel-1":   ESP proposal: AES_CBC_256/HMAC_SHA2_256/MODP_4096
000 "peer-10.0.0.110-tunnel-2": 50.0.0.0/24===10.0.0.109[10.0.0.109]...10.0.0.110[10.0.0.110]===70.0.0.0/24; erouted; eroute owner: #2
000 "peer-10.0.0.110-tunnel-2":   ike_life: 1800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "peer-10.0.0.110-tunnel-2":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0;
000 "peer-10.0.0.110-tunnel-2":   newest ISAKMP SA: #0; newest IPsec SA: #2;
000 "peer-10.0.0.110-tunnel-2":   ESP proposal: AES_CBC_256/HMAC_SHA2_256/MODP_4096
000
000 #3: "peer-10.0.0.110-tunnel-1" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2346s; newest IPSEC; eroute owner
000 #3: "peer-10.0.0.110-tunnel-1" esp.c3794fe6@10.0.0.110 (0 bytes) esp.c05ea99b@10.0.0.109 (0 bytes); tunnel
000 #1: "peer-10.0.0.110-tunnel-1" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 514s; newest ISAKMP
000 #2: "peer-10.0.0.110-tunnel-2" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2556s; newest IPSEC; eroute owner
000 #2: "peer-10.0.0.110-tunnel-2" esp.c6b8860b@10.0.0.110 (0 bytes) esp.cba0a983@10.0.0.109 (0 bytes); tunnel
000
vyatta@Router2:~$

Router2 Logs

Mar 14 17:03:41 Router2 pluto[3756]: packet from 10.0.0.110:500: received Vendor ID payload [strongSwan]
Mar 14 17:03:41 Router2 pluto[3756]: packet from 10.0.0.110:500: ignoring Vendor ID payload [Cisco-Unity]
Mar 14 17:03:41 Router2 pluto[3756]: packet from 10.0.0.110:500: received Vendor ID payload [XAUTH]
Mar 14 17:03:41 Router2 pluto[3756]: packet from 10.0.0.110:500: received Vendor ID payload [Dead Peer Detection]
Mar 14 17:03:41 Router2 pluto[3756]: "peer-10.0.0.110-tunnel-2" #7: responding to Main Mode
Mar 14 17:03:42 Router2 pluto[3756]: "peer-10.0.0.110-tunnel-2" #7: Peer ID is ID_IPV4_ADDR: '10.0.0.110'
Mar 14 17:03:42 Router2 pluto[3756]: "peer-10.0.0.110-tunnel-2" #7: sent MR3, ISAKMP SA established
Mar 14 17:03:42 Router2 pluto[3756]: "peer-10.0.0.110-tunnel-2" #8: responding to Quick Mode
Mar 14 17:03:42 Router2 pluto[3756]: "peer-10.0.0.110-tunnel-1" #9: responding to Quick Mode
Mar 14 17:03:42 Router2 pluto[3756]: "peer-10.0.0.110-tunnel-2" #8: IPsec SA established {ESP=>0xc37ba718 <0xcc03f0e8}
Mar 14 17:03:42 Router2 pluto[3756]: "peer-10.0.0.110-tunnel-1" #9: IPsec SA established {ESP=>0xcf111ada <0xc2669043}
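A way to confirm that both ends hold the same ESP SAs, as an added example that is not part of the post or of strongSwan/Vyatta code. It reads the SA lines of `ipsec statusall` (first SA is outbound, `esp.SPI@peer`; second is inbound, `esp.SPI@this-router`) and the `IPsec SA established {ESP=>out <in}` log lines quoted above, and checks that each router's outbound SPI is the other router's inbound SPI for the same tunnel. On the data above, Router1's statusall matches Router2's log lines and Router2's statusall matches Router1's, while the two statusall snapshots hold different SA pairs and therefore report a mismatch against each other. The byte counters are kept because an established SA showing `0 bytes` in both directions tells you no traffic has used it yet, which separates a negotiation problem from a forwarding one. Sample strings are copied from the post above.

```python
"""Cross-check ESP SPIs between the two ends of an IKEv1 (pluto) tunnel.

Added example for this thread, not strongSwan or Vyatta code. It reads the
SA lines of `ipsec statusall` and the "IPsec SA established" log lines as
quoted above and confirms that what one router sends on is what the other
receives on. The sample data is copied from the post above.
"""
import re
from typing import Dict

# 000 #3: "peer-10.0.0.109-tunnel-1" esp.c2669043@10.0.0.109 (0 bytes) esp.cf111ada@10.0.0.110 (0 bytes); tunnel
# first SA: outbound (SPI@peer), second SA: inbound (SPI@this router)
STATUS_RE = re.compile(
    r'#\d+: "(?P<conn>[^"]+)" esp\.(?P<out>[0-9a-f]+)@[\d.]+ \((?P<out_bytes>\d+) bytes\) '
    r'esp\.(?P<inb>[0-9a-f]+)@[\d.]+ \((?P<in_bytes>\d+) bytes\)')
# ... "peer-10.0.0.110-tunnel-1" #9: IPsec SA established {ESP=>0xcf111ada <0xc2669043}
# => outbound SPI, < inbound SPI
LOG_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: IPsec SA established '
                    r'\{ESP=>0x(?P<out>[0-9a-f]+) <0x(?P<inb>[0-9a-f]+)\}')

def tunnel_of(conn: str) -> str:
    """'peer-10.0.0.109-tunnel-1' -> 'tunnel-1', the part both ends share."""
    m = re.search(r"tunnel-\d+$", conn)
    return m.group(0) if m else conn

def parse_status(text: str) -> Dict[str, dict]:
    """{tunnel: {out, in, out_bytes, in_bytes}} from `ipsec statusall` output."""
    sas = {}
    for m in STATUS_RE.finditer(text):
        sas[tunnel_of(m.group("conn"))] = {
            "out": m.group("out"), "in": m.group("inb"),
            "out_bytes": int(m.group("out_bytes")), "in_bytes": int(m.group("in_bytes"))}
    return sas

def parse_log(text: str) -> Dict[str, dict]:
    """{tunnel: {out, in}} from 'IPsec SA established' log lines; the last
    line per tunnel wins, since a rekey replaces the SA pair."""
    sas = {}
    for m in LOG_RE.finditer(text):
        sas[tunnel_of(m.group("conn"))] = {"out": m.group("out"), "in": m.group("inb")}
    return sas

def cross_check(a: Dict[str, dict], b: Dict[str, dict]) -> Dict[str, str]:
    """Per tunnel: 'matched' when A's outbound SPI is B's inbound and vice
    versa, otherwise a description of the disagreement."""
    result = {}
    for tunnel in sorted(set(a) | set(b)):
        sa, sb = a.get(tunnel), b.get(tunnel)
        if sa is None or sb is None:
            result[tunnel] = "SA present on one end only"
        elif sa["out"] == sb["in"] and sa["in"] == sb["out"]:
            result[tunnel] = "matched"
        else:
            result[tunnel] = f"A out/in {sa['out']}/{sa['in']} vs B in/out {sb['in']}/{sb['out']}"
    return result

ROUTER1_STATUS = """\
000 #3: "peer-10.0.0.109-tunnel-1" esp.c2669043@10.0.0.109 (0 bytes) esp.cf111ada@10.0.0.110 (0 bytes); tunnel
000 #2: "peer-10.0.0.109-tunnel-2" esp.cc03f0e8@10.0.0.109 (0 bytes) esp.c37ba718@10.0.0.110 (0 bytes); tunnel
"""
ROUTER2_STATUS = """\
000 #3: "peer-10.0.0.110-tunnel-1" esp.c3794fe6@10.0.0.110 (0 bytes) esp.c05ea99b@10.0.0.109 (0 bytes); tunnel
000 #2: "peer-10.0.0.110-tunnel-2" esp.c6b8860b@10.0.0.110 (0 bytes) esp.cba0a983@10.0.0.109 (0 bytes); tunnel
"""
ROUTER1_LOG = """\
Mar 14 17:05:29 Router1 pluto[3923]: "peer-10.0.0.109-tunnel-2" #5: IPsec SA established {ESP=>0xcba0a983 <0xc6b8860b}
Mar 14 17:05:29 Router1 pluto[3923]: "peer-10.0.0.109-tunnel-1" #6: IPsec SA established {ESP=>0xc05ea99b <0xc3794fe6}
"""
ROUTER2_LOG = """\
Mar 14 17:03:42 Router2 pluto[3756]: "peer-10.0.0.110-tunnel-2" #8: IPsec SA established {ESP=>0xc37ba718 <0xcc03f0e8}
Mar 14 17:03:42 Router2 pluto[3756]: "peer-10.0.0.110-tunnel-1" #9: IPsec SA established {ESP=>0xcf111ada <0xc2669043}
"""

if __name__ == "__main__":
    # Each router's statusall against the other router's log lines: matched.
    print(cross_check(parse_status(ROUTER1_STATUS), parse_log(ROUTER2_LOG)))
    print(cross_check(parse_status(ROUTER2_STATUS), parse_log(ROUTER1_LOG)))
    # The two statusall snapshots hold different SA pairs: mismatch.
    print(cross_check(parse_status(ROUTER1_STATUS), parse_status(ROUTER2_STATUS)))
```

When comparing two live routers, take both `ipsec statusall` outputs within the same rekey interval; otherwise the check reports the generation skew seen between the two snapshots above rather than a real disagreement.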

 
