[j-nsp] VPN tunnel between OpenSwan and SRX220
Laurent CARON
lcaron at unix-scripts.info
Tue Aug 6 11:55:09 EDT 2013
Hi,
I'm trying to establish a VPN tunnel between a SRX220 and an OpenSwan box.
SRX is:
Model: srx220h
JUNOS Software Release [12.1X44-D20.3]
OpenSwan: 2.6.37
Both are currently hooked on a test LAN.
192.168.0.18 = openswan box on lan
192.168.0.120 = juniper box on lan
172.31.254.41 = ipsec on juniper box
172.31.254.27 = ipsec on openswan box
172.31.255.27 = loopback on juniper box
Not relevant for now:
10.254.2.33 = gre tunnel on openswan side
10.254.2.34 = gre tunnel on juniper side
Here is the config on the Juniper side:
set interfaces ge-0/0/0 mtu 1514
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.120/24
set interfaces gr-0/0/0 unit 0 tunnel source 172.31.254.41
set interfaces gr-0/0/0 unit 0 tunnel destination 172.31.254.27
set interfaces gr-0/0/0 unit 0 family inet address 10.254.2.34/32
set interfaces lo0 unit 0 family inet address 172.31.255.41/32
set interfaces st0 unit 0 family inet address 172.31.254.41/32
set interfaces vlan unit 0 family inet address 192.168.123.1/24
set routing-options static route 172.31.254.27/32 next-hop st0.0
set security ike traceoptions file vpn-debug-ike
set security ike traceoptions flag all
set security ike proposal ike_aes_128 authentication-method pre-shared-keys
set security ike proposal ike_aes_128 dh-group group2
set security ike proposal ike_aes_128 authentication-algorithm sha1
set security ike proposal ike_aes_128 encryption-algorithm 3des-cbc
set security ike proposal ike_aes_128 lifetime-seconds 3600
set security ike policy phase1_aes_128 mode main
set security ike policy phase1_aes_128 proposals ike_aes_128
set security ike policy phase1_aes_128 pre-shared-key ascii-text "pwd"
set security ike gateway RTR-SIEGE-001 ike-policy phase1_aes_128
set security ike gateway RTR-SIEGE-001 address 192.168.0.18
set security ike gateway RTR-SIEGE-001 no-nat-traversal
set security ike gateway RTR-SIEGE-001 external-interface ge-0/0/0.0
set security ipsec proposal ipsec_aes_128 protocol esp
set security ipsec proposal ipsec_aes_128 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec_aes_128 encryption-algorithm 3des-cbc
set security ipsec proposal ipsec_aes_128 lifetime-seconds 3600
set security ipsec policy phase2_aes_128 proposals ipsec_aes_128
set security ipsec vpn VPN_TO_SIEGE-001 bind-interface st0.0
set security ipsec vpn VPN_TO_SIEGE-001 ike gateway RTR-SIEGE-001
set security ipsec vpn VPN_TO_SIEGE-001 ike proxy-identity local 172.31.254.41/32
set security ipsec vpn VPN_TO_SIEGE-001 ike proxy-identity remote 172.31.254.27/32
set security ipsec vpn VPN_TO_SIEGE-001 ike proxy-identity service any
set security ipsec vpn VPN_TO_SIEGE-001 ike ipsec-policy phase2_aes_128
set security ipsec vpn VPN_TO_SIEGE-001 establish-tunnels immediately
set security flow traceoptions file vpn-debug
set security flow traceoptions flag basic-datapath
set security flow traceoptions flag packet-drops
set security flow tcp-mss ipsec-vpn mss 1412
Here is the config on the OpenSwan side:
conn rtr-siege-001_TO_jun-noi-001
    left=192.168.0.18
    leftsubnet=172.31.254.27/32
    leftsourceip=172.31.254.27
    right=192.168.0.120
    rightsubnet=172.31.254.41/32
    rightsourceip=172.31.254.41
    ike=3des-sha1
    auth=esp
    keyingtries=0
    keyexchange=ike
    authby=secret
    compress=no
    auto=start
    pfs=no
    mtu=1412
The connection establishes fine but drops 10 seconds later and is renegotiated, then drops again, endlessly.
I do have these logs on the OpenSwan side:
Aug 6 17:42:42 rtr-siege-001 pluto[28569]: added connection description "rtr-siege-001_TO_jun-noi-001"
Aug 6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: initiating Main Mode
Aug 6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: received Vendor ID payload [Dead Peer Detection]
Aug 6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: ignoring unknown Vendor ID payload [699369228741c6d4ca094c93e242c9de19e7b7c60000000500000500]
Aug 6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug 6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: STATE_MAIN_I2: sent MI2, expecting MR2
Aug 6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug 6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: STATE_MAIN_I3: sent MI3, expecting MR3
Aug 6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.120'
Aug 6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug 6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Aug 6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #11: initiating Quick Mode PSK+ENCRYPT+TUNNEL+IKEv2ALLOW+SAREFTRACK {using isakmp#6 msgid:5db2c253 proposal=defaults pfsgroup=no-pfs}
Aug 6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #11: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=5db2c253
Aug 6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #11: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug 6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #11: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x37d4048d <0xfd3420ac xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Aug 6 17:44:12 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: responding to Main Mode
Aug 6 17:44:12 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug 6 17:44:12 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: STATE_MAIN_R1: sent MR1, expecting MI2
Aug 6 17:44:12 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug 6 17:44:12 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: STATE_MAIN_R2: sent MR2, expecting MI3
Aug 6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Aug 6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.120'
Aug 6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug 6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Aug 6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: the peer proposed: 172.31.254.27/32:0/0 -> 172.31.254.41/32:0/0
Aug 6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #32: responding to Quick Mode proposal {msgid:b498ed1f}
Aug 6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #32: us: 172.31.254.27/32===192.168.0.18<192.168.0.18>[+S=C]
Aug 6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #32: them: 192.168.0.120<192.168.0.120>[+S=C]===172.31.254.41/32
Aug 6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #32: keeping refhim=4294901761 during rekey
Aug 6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #32: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #32: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #32: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #32: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x9f4be933 <0xa1521a06 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Aug 6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: the peer proposed: 172.31.254.27/32:0/0 -> 172.31.254.41/32:0/0
Aug 6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #34: responding to Quick Mode proposal {msgid:a1fb5739}
Aug 6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #34: us: 172.31.254.27/32===192.168.0.18<192.168.0.18>[+S=C]
Aug 6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #34: them: 192.168.0.120<192.168.0.120>[+S=C]===172.31.254.41/32
Aug 6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #34: keeping refhim=4294901761 during rekey
Aug 6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #34: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #34: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug 6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #34: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #34: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xe4c9ebcc <0xf06b5a23 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
IKE logs on the Juniper side:
[Aug 6 17:44:57]Added (spi=0x7f237f41, protocol=0) entry to the spi table
[Aug 6 17:44:57]ssh_ike_connect_ipsec: Start, remote_name = :500, flags = 00000000
[Aug 6 17:44:57]ike_sa_find_ip_port: Remote = all:500, Found SA = { 8154c89b 6db92b86 - be707f00 28175f1b}
[Aug 6 17:44:57]ike_alloc_negotiation: Start, SA = { 8154c89b 6db92b86 - be707f00 28175f1b}
[Aug 6 17:44:57]ssh_ike_connect_ipsec: SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 1
[Aug 6 17:44:57]ike_init_qm_negotiation: Start, initiator = 1, message_id = 3957fba1
[Aug 6 17:44:57]ike_st_o_qm_hash_1: Start
[Aug 6 17:44:57]ike_st_o_qm_sa_proposals: Start
[Aug 6 17:44:57]ike_st_o_qm_nonce: Start
[Aug 6 17:44:57]ike_policy_reply_qm_nonce_data_len: Start
[Aug 6 17:44:57]ike_st_o_qm_optional_ke: Start
[Aug 6 17:44:57]ike_st_o_qm_optional_ids: Start
[Aug 6 17:44:57]ike_st_qm_optional_id: Start
[Aug 6 17:44:57]ike_st_qm_optional_id: Start
[Aug 6 17:44:57]ike_st_o_private: Start
[Aug 6 17:44:57]Construction NHTB payload for local:192.168.0.120, remote:192.168.0.18 IKEv1 P1 SA index 2746472 sa-cfg VPN_TO_SIEGE-001
[Aug 6 17:44:57]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg VPN_TO_SIEGE-001
[Aug 6 17:44:57]ike_policy_reply_private_payload_out: Start
[Aug 6 17:44:57]ike_st_o_encrypt: Marking encryption for packet
[Aug 6 17:44:57]ike_encode_packet: Start, SA = { 0x8154c89b 6db92b86 - be707f00 28175f1b } / 3957fba1, nego = 1
[Aug 6 17:44:57]ike_finalize_qm_hash_1: Hash[0..20] = 38960ccc b0eea282 ...
[Aug 6 17:44:57]ike_send_packet: Start, send SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 1, dst = 192.168.0.18:500, routing table id = 0
[Aug 6 17:45:07]ike_retransmit_callback: Start, retransmit SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 1
[Aug 6 17:45:07]ike_send_packet: Start, retransmit previous packet SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 1, dst = 192.168.0.18:500 routing table id = 0
[Aug 6 17:45:07]ikev2_packet_allocate: Allocated packet da9800 from freelist
[Aug 6 17:45:07]ike_sa_find: Found SA = { 8154c89b 6db92b86 - be707f00 28175f1b }
[Aug 6 17:45:07]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Aug 6 17:45:07]ike_get_sa: Start, SA = { 8154c89b 6db92b86 - be707f00 28175f1b } / 3957fba1, remote = 192.168.0.18:500
[Aug 6 17:45:07]ike_sa_find: Found SA = { 8154c89b 6db92b86 - be707f00 28175f1b }
[Aug 6 17:45:07]ike_decode_packet: Start
[Aug 6 17:45:07]ike_decode_packet: Start, SA = { 8154c89b 6db92b86 - be707f00 28175f1b} / 3957fba1, nego = 1
[Aug 6 17:45:07]ike_decode_payload_sa: Start
[Aug 6 17:45:07]ike_decode_payload_t: Start, # trans = 1
[Aug 6 17:45:07]ike_st_i_encrypt: Check that packet was encrypted succeeded
[Aug 6 17:45:07]ike_st_i_qm_hash_2: Start, hash[0..20] = a70d6990 13e5c42d ...
[Aug 6 17:45:07]ike_st_i_qm_sa_values: Start
[Aug 6 17:45:07]ike_st_i_qm_nonce: Nonce[0..16] = 77d4a445 32f055ee ...
[Aug 6 17:45:07]ike_st_i_private: Start
[Aug 6 17:45:07]ike_st_o_qm_hash_3: Start
[Aug 6 17:45:07]ike_st_o_private: Start
[Aug 6 17:45:07]ike_policy_reply_private_payload_out: Start
[Aug 6 17:45:07]ike_st_o_encrypt: Marking encryption for packet
[Aug 6 17:45:07]<none>:500 (Initiator) <-> 192.168.0.18:500 { 8154c89b 6db92b86 - be707f00 28175f1b [1] / 0x3957fba1 } QM; MESSAGE: Phase 2 connection succeeded, No PFS, group = 0
[Aug 6 17:45:07]ike_qm_call_callback: MESSAGE: Phase 2 connection succeeded, No PFS, group = 0
[Aug 6 17:45:07]<none>:500 (Initiator) <-> 192.168.0.18:500 { 8154c89b 6db92b86 - be707f00 28175f1b [1] / 0x3957fba1 } QM; MESSAGE: SA[0][0] = ESP 3des, life = 0 kB/3600 sec, group = 0, tunnel, hmac-sha1-96, Extended seq not used, key len
[Aug 6 17:45:07]ike_qm_call_callback: MESSAGE: SA[0][0] = ESP 3des, life = 0 kB/3600 sec, group = 0, tunnel, hmac-sha1-96, Extended seq not used, key len = 0, key rounds = 0
[Aug 6 17:45:07]iked_pm_ipsec_sa_install: local:192.168.0.120, remote:192.168.0.18 IKEv1 for SA-CFG VPN_TO_SIEGE-001
[Aug 6 17:45:07]Added (spi=0xe4c9ebcc, protocol=ESP dst=192.168.0.120) entry to the peer hash table
[Aug 6 17:45:07]Added (spi=0xf06b5a23, protocol=ESP dst=192.168.0.18) entry to the peer hash table
[Aug 6 17:45:07]Hardlife timer started for inbound VPN_TO_SIEGE-001 with 3600 seconds/0 kilobytes
[Aug 6 17:45:07]Softlife timer started for inbound VPN_TO_SIEGE-001 with 2965 seconds/0 kilobytes
[Aug 6 17:45:07]In iked_ipsec_sa_pair_add Adding GENCFG msg with key; Tunnel = 131073;SPI-In = 0xe4c9ebcc
[Aug 6 17:45:07]Added dependency on SA config blob with tunnelid = 131073
[Aug 6 17:45:07]Successfully added ipsec SA PAIR
[Aug 6 17:45:07]ike_st_o_qm_wait_done: Marking for waiting for done
[Aug 6 17:45:07]ike_encode_packet: Start, SA = { 0x8154c89b 6db92b86 - be707f00 28175f1b } / 3957fba1, nego = 1
[Aug 6 17:45:07]ike_send_packet: Start, send SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 1, dst = 192.168.0.18:500, routing table id = 0
[Aug 6 17:45:07]ike_send_notify: Connected, SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 1
[Aug 6 17:45:07]IPSec negotiation done successfully for SA-CFG VPN_TO_SIEGE-001 for local:192.168.0.120, remote:192.168.0.18 IKEv1
[Aug 6 17:45:07]IPSec SA done callback with sa-cfg NULL in p2_ed. status: Error ok
[Aug 6 17:47:13]ike_state_restart_packet: Start, restart packet SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 0
[Aug 6 17:47:13]ike_st_o_qm_done: Quick Mode negotiation done
[Aug 6 17:47:13]ike_send_notify: Connected, SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 0
[Aug 6 17:47:13]ike_delete_negotiation: Start, SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 0
[Aug 6 17:47:13]ike_free_negotiation_qm: Start, nego = 0
[Aug 6 17:47:13]ike_free_negotiation: Start, nego = 0
[Aug 6 17:47:13]ike_free_id_payload: Start, id type = 1
[Aug 6 17:47:13]ike_free_id_payload: Start, id type = 1
[Aug 6 17:47:13]ike_free_id_payload: Start, id type = 1
[Aug 6 17:47:13]ike_free_id_payload: Start, id type = 1
[Aug 6 17:48:07]ike_state_restart_packet: Start, restart packet SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 1
[Aug 6 17:48:07]ike_st_o_qm_done: Quick Mode negotiation done
[Aug 6 17:48:07]ike_send_notify: Connected, SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 1
[Aug 6 17:48:07]ike_delete_negotiation: Start, SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 1
[Aug 6 17:48:07]ike_free_negotiation_qm: Start, nego = 1
[Aug 6 17:48:07]ike_free_negotiation: Start, nego = 1
[Aug 6 17:48:07]ike_free_id_payload: Start, id type = 1
[Aug 6 17:48:07]ike_free_id_payload: Start, id type = 1
[Aug 6 17:48:07]ike_free_id_payload: Start, id type = 1
[Aug 6 17:48:07]ike_free_id_payload: Start, id type = 1
Do any of you have a clue about what's going on?
I tried to fiddle with MTU to no avail.
Thanks
Laurent
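Before chasing packet drops it pays to confirm mechanically that the two configurations in the post describe the same tunnel: mirrored proxy IDs, the same phase 1 and phase 2 algorithms, the same DH group and lifetimes. The checker below is an added example (editor's code, not part of the original post and not Junos or Openswan tooling). It reads the post's own configuration fragments, translates between the two vendors' algorithm spellings for a small set of values the editor knows both sides accept, and applies the editor's own thresholds for what counts as a weak algorithm or a short pre-shared key.

```python
import ipaddress
import re

# Constructed input: the post's configuration fragments with the archive's line wraps rejoined.
SRX_SET = """\
set security ike proposal ike_aes_128 dh-group group2
set security ike proposal ike_aes_128 authentication-algorithm sha1
set security ike proposal ike_aes_128 encryption-algorithm 3des-cbc
set security ike proposal ike_aes_128 lifetime-seconds 3600
set security ike policy phase1_aes_128 proposals ike_aes_128
set security ike policy phase1_aes_128 pre-shared-key ascii-text "pwd"
set security ike gateway RTR-SIEGE-001 ike-policy phase1_aes_128
set security ike gateway RTR-SIEGE-001 address 192.168.0.18
set security ipsec proposal ipsec_aes_128 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec_aes_128 encryption-algorithm 3des-cbc
set security ipsec proposal ipsec_aes_128 lifetime-seconds 3600
set security ipsec policy phase2_aes_128 proposals ipsec_aes_128
set security ipsec vpn VPN_TO_SIEGE-001 ike gateway RTR-SIEGE-001
set security ipsec vpn VPN_TO_SIEGE-001 ike proxy-identity local 172.31.254.41/32
set security ipsec vpn VPN_TO_SIEGE-001 ike proxy-identity remote 172.31.254.27/32
set security ipsec vpn VPN_TO_SIEGE-001 ike ipsec-policy phase2_aes_128
"""
OPENSWAN_CONN = """\
conn rtr-siege-001_TO_jun-noi-001
    left=192.168.0.18
    leftsubnet=172.31.254.27/32
    right=192.168.0.120
    rightsubnet=172.31.254.41/32
    ike=3des-sha1
    pfs=no
"""
# Junos -> Openswan spellings, limited to values the editor knows both sides accept.
ALG = {"3des-cbc": "3des", "aes-128-cbc": "aes128", "aes-256-cbc": "aes256", "sha1": "sha1",
       "sha-256": "sha2_256", "hmac-sha1-96": "sha1", "hmac-sha-256-128": "sha2_256", "md5": "md5"}
DH = {"group1": "modp768", "group2": "modp1024", "group5": "modp1536", "group14": "modp2048"}
WEAK = {"3des", "md5", "modp768", "modp1024"}   # editor's threshold, not the post's
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_junos_set(text):
    """'set a b c value' -> {('a', 'b', 'c'): 'value'}."""
    out = {}
    for ln in text.splitlines():
        t = ln.split()
        if len(t) > 2 and t[0] == "set":
            out[tuple(t[1:-1])] = t[-1].strip('"')
    return out


def parse_conn(text):
    """key=value body of one ipsec.conf conn block -> dict."""
    return dict(ln.strip().split("=", 1) for ln in text.splitlines() if "=" in ln)


def parse_duration(s):
    """Openswan time syntax ('3600', '30m', '1h') -> seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", s.strip())
    return int(m.group(1)) * UNITS[m.group(2)]


def srx_vpn(cfg, vpn):
    """Follow vpn -> gateway -> IKE policy/proposal and vpn -> IPsec policy/proposal."""
    g = lambda *p: cfg.get(p)  # noqa: E731
    a = lambda x: ALG.get(x, x)  # noqa: E731
    vp = ("security", "ipsec", "vpn", vpn, "ike")
    gw, ipol = g(*vp, "gateway"), g(*vp, "ipsec-policy")
    kpol = g("security", "ike", "gateway", gw, "ike-policy")
    kp = ("security", "ike", "proposal", g("security", "ike", "policy", kpol, "proposals"))
    ip = ("security", "ipsec", "proposal", g("security", "ipsec", "policy", ipol, "proposals"))
    return {"peer": g("security", "ike", "gateway", gw, "address"),
            "local_id": g(*vp, "proxy-identity", "local"), "remote_id": g(*vp, "proxy-identity", "remote"),
            "ike": (a(g(*kp, "encryption-algorithm")), a(g(*kp, "authentication-algorithm")), DH.get(g(*kp, "dh-group"))),
            "ike_life": int(g(*kp, "lifetime-seconds")), "esp_life": int(g(*ip, "lifetime-seconds")),
            "esp": (a(g(*ip, "encryption-algorithm")), a(g(*ip, "authentication-algorithm"))),
            "psk": g("security", "ike", "policy", kpol, "pre-shared-key", "ascii-text")}


def cross_check(srx, conn):
    """Findings as strings; an empty list means the two sides line up."""
    f, net = [], ipaddress.ip_network
    if ipaddress.ip_address(srx["peer"]) != ipaddress.ip_address(conn["left"]):
        f.append("gateway: SRX gateway address and openswan left= differ")
    # Proxy IDs must be mirrored: SRX local == openswan rightsubnet, SRX remote == leftsubnet.
    if net(srx["local_id"]) != net(conn["rightsubnet"]) or net(srx["remote_id"]) != net(conn["leftsubnet"]):
        f.append("phase 2 selectors are not mirrored between the two sides")
    algs, _, dh = conn["ike"].partition(";")
    enc, _, hsh = algs.partition("-")
    if (enc, hsh) != srx["ike"][:2]:
        f.append(f"phase 1 algorithms differ: SRX {srx['ike'][:2]} vs openswan {(enc, hsh)}")
    if not dh:
        f.append("openswan ike= pins no DH group; check the group actually negotiated in the pluto log")
    elif dh != srx["ike"][2]:
        f.append(f"phase 1 DH group differs: SRX {srx['ike'][2]} vs openswan {dh}")
    if "esp" not in conn and "phase2alg" not in conn:
        f.append(f"openswan sets no esp=; SRX proposes {srx['esp']}, so openswan defaults decide")
    for key, life in (("ikelifetime", srx["ike_life"]), ("salifetime", srx["esp_life"])):
        if key not in conn:
            f.append(f"openswan {key} not set: its default applies while the SRX asks for {life}s")
        elif parse_duration(conn[key]) != life:
            f.append(f"{key} differs: SRX {life}s vs openswan {parse_duration(conn[key])}s")
    if WEAK & set(srx["ike"] + srx["esp"]):
        f.append("weak algorithms in use: " + ", ".join(sorted(WEAK & set(srx["ike"] + srx["esp"]))))
    if srx["psk"] is not None and len(srx["psk"]) < 16:
        f.append("pre-shared key is shorter than 16 characters")
    return f


def check_post_config():
    """Run the cross-check on the two fragments quoted from the post."""
    return cross_check(srx_vpn(parse_junos_set(SRX_SET), "VPN_TO_SIEGE-001"), parse_conn(OPENSWAN_CONN))
```

On the post's configuration the checker finds no gateway or selector mismatch and agreeing phase 1 algorithms. What it does flag is that the Openswan side pins no DH group, no esp= and no ikelifetime/salifetime, so Openswan's defaults decide those while the SRX asks for 3600 seconds on both phases; it also flags 3DES, modp1024 and a three-character pre-shared key. Swapping leftsubnet and rightsubnet in the conn block triggers the mirrored-selector finding, which is the mistake the "us:/them:" lines in the pluto log let you confirm on a live box.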
More information about the juniper-nsp mailing list
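The pluto log in the post already carries the facts needed to characterise the flap without reading a hundred lines by hand: when each ESP SA was installed, which side drove the negotiation, how far short of the configured 3600 second lifetime each replacement came, and whether the responder announced a different lifetime. The script below is an added example (editor's code, not part of the original post and not an Openswan or Juniper tool). It runs on the post's own log lines rejoined onto single lines, assumes the year 2013 that syslog omits, treats any SA replaced in under half its lifetime as a premature rekey, and uses the editor's own list of weak algorithms.

```python
import re
from datetime import datetime

# Constructed sample: the pluto lines from the post, reduced to the SA lifecycle
# messages and rejoined onto single lines. Syslog omits the year; 2013 is assumed.
PLUTO_LOG = """\
Aug 6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Aug 6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #11: initiating Quick Mode PSK+ENCRYPT+TUNNEL+IKEv2ALLOW+SAREFTRACK {using isakmp#6 msgid:5db2c253 proposal=defaults pfsgroup=no-pfs}
Aug 6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #11: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=5db2c253
Aug 6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #11: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x37d4048d <0xfd3420ac xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Aug 6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Aug 6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #32: responding to Quick Mode proposal {msgid:b498ed1f}
Aug 6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #32: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x9f4be933 <0xa1521a06 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Aug 6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #34: responding to Quick Mode proposal {msgid:a1fb5739}
Aug 6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #34: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xe4c9ebcc <0xf06b5a23 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
"""

LINE = re.compile(r'^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
                  r'"(?P<conn>[^"]+)" #(?P<st>\d+): (?P<msg>.*)$')
ISAKMP = re.compile(r"STATE_MAIN_(?P<role>I4|R3).*ISAKMP SA established \{.*cipher=(?P<cipher>\S+) "
                    r"prf=(?P<prf>\S+) group=(?P<group>\S+)\}")
IPSEC = re.compile(r"STATE_QUICK_(?P<role>I2|R2):.*IPsec SA established .*\{ESP=>(?P<spi_out>0x[0-9a-f]+) "
                   r"<(?P<spi_in>0x[0-9a-f]+) xfrm=(?P<xfrm>\S+)")
WEAK = ("3des", "md5", "modp768", "modp1024")  # editor's threshold, not the post's
ROLE = {"I4": "initiator", "I2": "initiator", "R3": "responder", "R2": "responder"}


def parse_pluto(log, year=2013):
    """Turn the SA lifecycle lines into event dicts; every other line is ignored."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ev = {"time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), "state": int(m["st"])}
        msg = m["msg"]
        if (k := ISAKMP.search(msg)):
            ev.update(kind="isakmp", role=ROLE[k["role"]], cipher=k["cipher"], prf=k["prf"], group=k["group"])
        elif (k := IPSEC.search(msg)):
            ev.update(kind="ipsec", role=ROLE[k["role"]], spi_out=k["spi_out"], spi_in=k["spi_in"], xfrm=k["xfrm"])
        elif "IPSEC_RESPONDER_LIFETIME" in msg:
            ev["kind"] = "responder_lifetime"
        else:
            continue
        events.append(ev)
    return events


def esp_timeline(events):
    """(clock, role, outbound SPI, seconds since the previous ESP SA) per ESP SA installed."""
    rows, prev = [], None
    for e in (e for e in events if e["kind"] == "ipsec"):
        gap = None if prev is None else int((e["time"] - prev["time"]).total_seconds())
        rows.append((e["time"].strftime("%H:%M:%S"), e["role"], e["spi_out"], gap))
        prev = e
    return rows


def premature_rekeys(events, lifetime_s, fraction=0.5):
    """Gaps shorter than fraction*lifetime: the SA was replaced well before any soft lifetime."""
    return [gap for _, _, _, gap in esp_timeline(events) if gap is not None and gap < lifetime_s * fraction]


def weak_algorithms(events):
    """Names from the negotiated SAs that fall under WEAK (lower-cased substring match)."""
    found = set()
    for e in events:
        blob = " ".join(str(e.get(k, "")) for k in ("cipher", "prf", "group", "xfrm")).lower()
        found.update(w for w in WEAK if w in blob)
    return sorted(found)


def analyse(log=PLUTO_LOG, lifetime_s=3600):
    """The summary a reviewer wants before asking a list why a tunnel flaps."""
    ev = parse_pluto(log)
    return {
        "isakmp_sas": [(e["state"], e["role"]) for e in ev if e["kind"] == "isakmp"],
        "esp_timeline": esp_timeline(ev),
        "premature_rekeys": premature_rekeys(ev, lifetime_s),
        "peer_initiated_esp": sum(1 for e in ev if e["kind"] == "ipsec" and e["role"] == "responder"),
        "responder_lifetime_notifies": sum(1 for e in ev if e["kind"] == "responder_lifetime"),
        "weak_algorithms": weak_algorithms(ev),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

On the post's lines the timeline shows three ESP SAs: the first initiated by Openswan at 17:42:43, the next two installed at the SRX's request 90 and 54 seconds apart, both far inside the 3600 second lifetime, plus one RESPONDER-LIFETIME notify that pluto logged as ignored. RFC 2407 defines that notify as the responder announcing the lifetime it will actually enforce, so a non-zero count is the cue to compare the two sides' configured lifetimes before looking anywhere else; the script reports these observations and leaves the diagnosis to the reader.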