[j-nsp] VPN tunnel between OpenSwan and SRX220

Luca Salvatore Luca at ninefold.com
Tue Aug 6 18:35:48 EDT 2013


That's a confusing config.
Why do you need GRE interfaces?

I have numerous VPNs running between SRX boxes and OpenSwan. I use policy-based VPNs all the time; they seem to work better with OpenSwan.
Maybe give that a try.

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Laurent CARON
Sent: Wednesday, 7 August 2013 1:55 AM
To: juniper-nsp
Subject: [j-nsp] VPN tunnel between OpenSwan and SRX220

Hi,

I'm trying to establish a VPN tunnel between a SRX220 and an OpenSwan box.

SRX is:
Model: srx220h
JUNOS Software Release [12.1X44-D20.3]

OpenSwan: 2.6.37

Both are currently hooked on a test LAN.

192.168.0.18 = openswan box on lan
192.168.0.120 = juniper box on lan

172.31.254.41 = ipsec on juniper box
172.31.254.27 = ipsec on openswan box

172.31.255.27 = loopback on juniper box

Not relevant for now:
10.254.2.33 = gre tunnel on openswan side
10.254.2.34 = gre tunnel on juniper side

Here is the config on the Juniper side:

set interfaces ge-0/0/0 mtu 1514
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.120/24

set interfaces gr-0/0/0 unit 0 tunnel source 172.31.254.41
set interfaces gr-0/0/0 unit 0 tunnel destination 172.31.254.27
set interfaces gr-0/0/0 unit 0 family inet address 10.254.2.34/32

set interfaces lo0 unit 0 family inet address 172.31.255.41/32

set interfaces st0 unit 0 family inet address 172.31.254.41/32

set interfaces vlan unit 0 family inet address 192.168.123.1/24

set routing-options static route 172.31.254.27/32 next-hop st0.0

set security ike traceoptions file vpn-debug-ike
set security ike traceoptions flag all

set security ike proposal ike_aes_128 authentication-method pre-shared-keys
set security ike proposal ike_aes_128 dh-group group2
set security ike proposal ike_aes_128 authentication-algorithm sha1
set security ike proposal ike_aes_128 encryption-algorithm 3des-cbc
set security ike proposal ike_aes_128 lifetime-seconds 3600

set security ike policy phase1_aes_128 mode main
set security ike policy phase1_aes_128 proposals ike_aes_128
set security ike policy phase1_aes_128 pre-shared-key ascii-text "pwd"

set security ike gateway RTR-SIEGE-001 ike-policy phase1_aes_128
set security ike gateway RTR-SIEGE-001 address 192.168.0.18
set security ike gateway RTR-SIEGE-001 no-nat-traversal
set security ike gateway RTR-SIEGE-001 external-interface ge-0/0/0.0

set security ipsec proposal ipsec_aes_128 protocol esp
set security ipsec proposal ipsec_aes_128 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec_aes_128 encryption-algorithm 3des-cbc
set security ipsec proposal ipsec_aes_128 lifetime-seconds 3600

set security ipsec policy phase2_aes_128 proposals ipsec_aes_128

set security ipsec vpn VPN_TO_SIEGE-001 bind-interface st0.0
set security ipsec vpn VPN_TO_SIEGE-001 ike gateway RTR-SIEGE-001
set security ipsec vpn VPN_TO_SIEGE-001 ike proxy-identity local 172.31.254.41/32
set security ipsec vpn VPN_TO_SIEGE-001 ike proxy-identity remote 172.31.254.27/32
set security ipsec vpn VPN_TO_SIEGE-001 ike proxy-identity service any
set security ipsec vpn VPN_TO_SIEGE-001 ike ipsec-policy phase2_aes_128
set security ipsec vpn VPN_TO_SIEGE-001 establish-tunnels immediately

set security flow traceoptions file vpn-debug
set security flow traceoptions flag basic-datapath
set security flow traceoptions flag packet-drops

set security flow tcp-mss ipsec-vpn mss 1412


Here is the config on the OpenSwan side:

conn rtr-siege-001_TO_jun-noi-001
     left=192.168.0.18
     leftsubnet=172.31.254.27/32
     leftsourceip=172.31.254.27
     right=192.168.0.120
     rightsubnet=172.31.254.41/32
     rightsourceip=172.31.254.41
     ike=3des-sha1
     auth=esp
     keyingtries=0
     keyexchange=ike
     authby=secret
     compress=no
     auto=start
     pfs=no
     mtu=1412

The connection establishes fine but drops 10 seconds after and is renegotiated, then drops again, endlessly.

I do have those logs on the OpenSwan side:
Aug  6 17:42:42 rtr-siege-001 pluto[28569]: added connection description "rtr-siege-001_TO_jun-noi-001"
Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: initiating Main Mode
Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: received Vendor ID payload [Dead Peer Detection]
Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: ignoring unknown Vendor ID payload [699369228741c6d4ca094c93e242c9de19e7b7c60000000500000500]
Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: STATE_MAIN_I2: sent MI2, expecting MR2
Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: STATE_MAIN_I3: sent MI3, expecting MR3
Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.120'
Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #6: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #11: initiating Quick Mode PSK+ENCRYPT+TUNNEL+IKEv2ALLOW+SAREFTRACK {using isakmp#6 msgid:5db2c253 proposal=defaults pfsgroup=no-pfs}
Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #11: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME msgid=5db2c253
Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #11: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #11: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x37d4048d <0xfd3420ac xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Aug  6 17:44:12 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: responding to Main Mode
Aug  6 17:44:12 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Aug  6 17:44:12 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: STATE_MAIN_R1: sent MR1, expecting MI2
Aug  6 17:44:12 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Aug  6 17:44:12 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: STATE_MAIN_R2: sent MR2, expecting MI3
Aug  6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
Aug  6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.120'
Aug  6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Aug  6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Aug  6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: the peer proposed: 172.31.254.27/32:0/0 -> 172.31.254.41/32:0/0
Aug  6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #32: responding to Quick Mode proposal {msgid:b498ed1f}
Aug  6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #32:     us: 172.31.254.27/32===192.168.0.18<192.168.0.18>[+S=C]
Aug  6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #32:   them: 192.168.0.120<192.168.0.120>[+S=C]===172.31.254.41/32
Aug  6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #32: keeping refhim=4294901761 during rekey
Aug  6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #32: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug  6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #32: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug  6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #32: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug  6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #32: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x9f4be933 <0xa1521a06 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Aug  6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: the peer proposed: 172.31.254.27/32:0/0 -> 172.31.254.41/32:0/0
Aug  6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #34: responding to Quick Mode proposal {msgid:a1fb5739}
Aug  6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #34:     us: 172.31.254.27/32===192.168.0.18<192.168.0.18>[+S=C]
Aug  6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #34:   them: 192.168.0.120<192.168.0.120>[+S=C]===172.31.254.41/32
Aug  6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #34: keeping refhim=4294901761 during rekey
Aug  6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #34: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug  6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #34: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Aug  6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #34: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug  6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #34: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xe4c9ebcc <0xf06b5a23 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}


IKE logs on the Juniper side:

[Aug  6 17:44:57]Added (spi=0x7f237f41, protocol=0) entry to the spi table
[Aug  6 17:44:57]ssh_ike_connect_ipsec: Start, remote_name = :500, flags = 00000000
[Aug  6 17:44:57]ike_sa_find_ip_port: Remote = all:500, Found SA = { 8154c89b 6db92b86 - be707f00 28175f1b}
[Aug  6 17:44:57]ike_alloc_negotiation: Start, SA = { 8154c89b 6db92b86 - be707f00 28175f1b}
[Aug  6 17:44:57]ssh_ike_connect_ipsec: SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 1
[Aug  6 17:44:57]ike_init_qm_negotiation: Start, initiator = 1, message_id = 3957fba1
[Aug  6 17:44:57]ike_st_o_qm_hash_1: Start
[Aug  6 17:44:57]ike_st_o_qm_sa_proposals: Start
[Aug  6 17:44:57]ike_st_o_qm_nonce: Start
[Aug  6 17:44:57]ike_policy_reply_qm_nonce_data_len: Start
[Aug  6 17:44:57]ike_st_o_qm_optional_ke: Start
[Aug  6 17:44:57]ike_st_o_qm_optional_ids: Start
[Aug  6 17:44:57]ike_st_qm_optional_id: Start
[Aug  6 17:44:57]ike_st_qm_optional_id: Start
[Aug  6 17:44:57]ike_st_o_private: Start
[Aug  6 17:44:57]Construction NHTB payload for  local:192.168.0.120, remote:192.168.0.18 IKEv1 P1 SA index 2746472 sa-cfg VPN_TO_SIEGE-001
[Aug  6 17:44:57]Peer router vendor is not Juniper. Not sending NHTB payload for sa-cfg VPN_TO_SIEGE-001
[Aug  6 17:44:57]ike_policy_reply_private_payload_out: Start
[Aug  6 17:44:57]ike_st_o_encrypt: Marking encryption for packet
[Aug  6 17:44:57]ike_encode_packet: Start, SA = { 0x8154c89b 6db92b86 - be707f00 28175f1b } / 3957fba1, nego = 1
[Aug  6 17:44:57]ike_finalize_qm_hash_1: Hash[0..20] = 38960ccc b0eea282 ...
[Aug  6 17:44:57]ike_send_packet: Start, send SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 1, dst = 192.168.0.18:500,  routing table id = 0
[Aug  6 17:45:07]ike_retransmit_callback: Start, retransmit SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 1
[Aug  6 17:45:07]ike_send_packet: Start, retransmit previous packet SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 1, dst = 192.168.0.18:500 routing table id = 0
[Aug  6 17:45:07]ikev2_packet_allocate: Allocated packet da9800 from freelist
[Aug  6 17:45:07]ike_sa_find: Found SA = { 8154c89b 6db92b86 - be707f00 28175f1b }
[Aug  6 17:45:07]ikev2_packet_v1_start: Passing IKE v1.0 packet to IKEv1 library
[Aug  6 17:45:07]ike_get_sa: Start, SA = { 8154c89b 6db92b86 - be707f00 28175f1b } / 3957fba1, remote = 192.168.0.18:500
[Aug  6 17:45:07]ike_sa_find: Found SA = { 8154c89b 6db92b86 - be707f00 28175f1b }
[Aug  6 17:45:07]ike_decode_packet: Start
[Aug  6 17:45:07]ike_decode_packet: Start, SA = { 8154c89b 6db92b86 - be707f00 28175f1b} / 3957fba1, nego = 1
[Aug  6 17:45:07]ike_decode_payload_sa: Start
[Aug  6 17:45:07]ike_decode_payload_t: Start, # trans = 1
[Aug  6 17:45:07]ike_st_i_encrypt: Check that packet was encrypted succeeded
[Aug  6 17:45:07]ike_st_i_qm_hash_2: Start, hash[0..20] = a70d6990 13e5c42d ...
[Aug  6 17:45:07]ike_st_i_qm_sa_values: Start
[Aug  6 17:45:07]ike_st_i_qm_nonce: Nonce[0..16] = 77d4a445 32f055ee ...
[Aug  6 17:45:07]ike_st_i_private: Start
[Aug  6 17:45:07]ike_st_o_qm_hash_3: Start
[Aug  6 17:45:07]ike_st_o_private: Start
[Aug  6 17:45:07]ike_policy_reply_private_payload_out: Start
[Aug  6 17:45:07]ike_st_o_encrypt: Marking encryption for packet
[Aug  6 17:45:07]<none>:500 (Initiator) <-> 192.168.0.18:500 { 8154c89b 6db92b86 - be707f00 28175f1b [1] / 0x3957fba1 } QM; MESSAGE: Phase 2 connection succeeded, No PFS, group = 0
[Aug  6 17:45:07]ike_qm_call_callback: MESSAGE: Phase 2 connection succeeded, No PFS, group = 0
[Aug  6 17:45:07]<none>:500 (Initiator) <-> 192.168.0.18:500 { 8154c89b 6db92b86 - be707f00 28175f1b [1] / 0x3957fba1 } QM; MESSAGE: SA[0][0] = ESP 3des, life = 0 kB/3600 sec, group = 0, tunnel, hmac-sha1-96, Extended seq not used, key len
[Aug  6 17:45:07]ike_qm_call_callback: MESSAGE: SA[0][0] = ESP 3des, life = 0 kB/3600 sec, group = 0, tunnel, hmac-sha1-96, Extended seq not used, key len = 0, key rounds = 0
[Aug  6 17:45:07]iked_pm_ipsec_sa_install: local:192.168.0.120, remote:192.168.0.18  IKEv1 for SA-CFG VPN_TO_SIEGE-001
[Aug  6 17:45:07]Added (spi=0xe4c9ebcc, protocol=ESP dst=192.168.0.120) entry to the peer hash table
[Aug  6 17:45:07]Added (spi=0xf06b5a23, protocol=ESP dst=192.168.0.18) entry to the peer hash table
[Aug  6 17:45:07]Hardlife timer started for inbound VPN_TO_SIEGE-001 with 3600 seconds/0 kilobytes
[Aug  6 17:45:07]Softlife timer started for inbound VPN_TO_SIEGE-001 with 2965 seconds/0 kilobytes
[Aug  6 17:45:07]In iked_ipsec_sa_pair_add Adding GENCFG msg with key; Tunnel = 131073;SPI-In = 0xe4c9ebcc
[Aug  6 17:45:07]Added dependency on SA config blob with tunnelid = 131073
[Aug  6 17:45:07]Successfully added ipsec SA PAIR
[Aug  6 17:45:07]ike_st_o_qm_wait_done: Marking for waiting for done
[Aug  6 17:45:07]ike_encode_packet: Start, SA = { 0x8154c89b 6db92b86 - be707f00 28175f1b } / 3957fba1, nego = 1
[Aug  6 17:45:07]ike_send_packet: Start, send SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 1, dst = 192.168.0.18:500,  routing table id = 0
[Aug  6 17:45:07]ike_send_notify: Connected, SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 1
[Aug  6 17:45:07]IPSec  negotiation done successfully for SA-CFG VPN_TO_SIEGE-001 for local:192.168.0.120, remote:192.168.0.18  IKEv1
[Aug  6 17:45:07]IPSec SA done callback with sa-cfg NULL in p2_ed. status: Error ok
[Aug  6 17:47:13]ike_state_restart_packet: Start, restart packet SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 0
[Aug  6 17:47:13]ike_st_o_qm_done: Quick Mode negotiation done
[Aug  6 17:47:13]ike_send_notify: Connected, SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 0
[Aug  6 17:47:13]ike_delete_negotiation: Start, SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 0
[Aug  6 17:47:13]ike_free_negotiation_qm: Start, nego = 0
[Aug  6 17:47:13]ike_free_negotiation: Start, nego = 0
[Aug  6 17:47:13]ike_free_id_payload: Start, id type = 1
[Aug  6 17:47:13]ike_free_id_payload: Start, id type = 1
[Aug  6 17:47:13]ike_free_id_payload: Start, id type = 1
[Aug  6 17:47:13]ike_free_id_payload: Start, id type = 1
[Aug  6 17:48:07]ike_state_restart_packet: Start, restart packet SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 1
[Aug  6 17:48:07]ike_st_o_qm_done: Quick Mode negotiation done
[Aug  6 17:48:07]ike_send_notify: Connected, SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 1
[Aug  6 17:48:07]ike_delete_negotiation: Start, SA = { 8154c89b 6db92b86 - be707f00 28175f1b}, nego = 1
[Aug  6 17:48:07]ike_free_negotiation_qm: Start, nego = 1
[Aug  6 17:48:07]ike_free_negotiation: Start, nego = 1
[Aug  6 17:48:07]ike_free_id_payload: Start, id type = 1
[Aug  6 17:48:07]ike_free_id_payload: Start, id type = 1
[Aug  6 17:48:07]ike_free_id_payload: Start, id type = 1
[Aug  6 17:48:07]ike_free_id_payload: Start, id type = 1


Do any of you have a clue about what's going on?

I tried to fiddle with MTU to no avail.

Thanks

Laurent
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
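
An added example, not part of the original thread and not code from OpenSwan or Juniper: a short Python script that pulls the "IPsec SA established" entries out of a pluto log like the one quoted above and reports every Phase 2 SA that was replaced well before its lifetime. The function names, the 1800-second threshold (half of the 3600-second lifetime in the posted SRX config) and the year argument are assumptions; the sample entries are copied from the post.

```python
import re
from datetime import datetime

# Sample entries copied from the pluto log in the post, one per line.
SAMPLE_LOG = """\
Aug  6 17:42:43 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #11: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x37d4048d <0xfd3420ac xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Aug  6 17:44:12 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #31: responding to Main Mode
Aug  6 17:44:13 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #32: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x9f4be933 <0xa1521a06 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Aug  6 17:45:07 rtr-siege-001 pluto[28569]: "rtr-siege-001_TO_jun-noi-001" #34: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xe4c9ebcc <0xf06b5a23 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
"""

# Matches only entries that report a completed Quick Mode (Phase 2) exchange.
SA_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): STATE_QUICK_(?P<role>[IR])2: '
    r'.*IPsec SA established.*ESP=>(?P<spi_out>0x[0-9a-f]+) <(?P<spi_in>0x[0-9a-f]+)')

def parse_sa_events(log_text, year=2013):
    """Return one dict per established IPsec SA, in log order."""
    events = []
    for line in log_text.splitlines():
        m = SA_RE.match(line)
        if m is None:
            continue
        stamp = " ".join(m["ts"].split())  # syslog pads the day: "Aug  6"
        events.append({
            # syslog timestamps carry no year, so the caller supplies one
            "time": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
            "conn": m["conn"], "state": int(m["state"]),
            # I2 = this host started Quick Mode, R2 = the peer started it
            "role": "initiator" if m["role"] == "I" else "responder",
            "spi_out": m["spi_out"], "spi_in": m["spi_in"]})
    return events

def find_early_rekeys(log_text, min_gap=1800, year=2013):
    """Flag SAs set up less than min_gap seconds after the previous SA
    of the same connection (min_gap is an assumed threshold)."""
    last, flagged = {}, []
    for ev in parse_sa_events(log_text, year):
        prev = last.get(ev["conn"])
        if prev is not None:
            gap = int((ev["time"] - prev["time"]).total_seconds())
            if gap < min_gap:
                flagged.append({**ev, "gap": gap, "replaces": prev["state"]})
        last[ev["conn"]] = ev
    return flagged

if __name__ == "__main__":
    for ev in find_early_rekeys(SAMPLE_LOG):
        print(f'#{ev["state"]} ({ev["role"]}) replaced #{ev["replaces"]} '
              f'after {ev["gap"]}s, SPIs {ev["spi_out"]}/{ev["spi_in"]}')
```

On the sample entries it flags states #32 and #34, both negotiated with the OpenSwan box as Quick Mode responder, 90 and 54 seconds after the previous SA.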


