Hi All,


We are having an issue with our Libreswan tunnels. They come up for a short 
amount of time before dropping off.


May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/14x0" #3: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/12x0" #5: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-nissen-1/13x0" #17: received Vendor ID payload [RFC 3947]
May 17 12:45:44 fw pluto[12003]: "ssl-nissen-1/13x0" #17: received Vendor ID payload [FRAGMENTATION c0000000]
May 17 12:45:44 fw pluto[12003]: "ssl-nissen-1/13x0" #17: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/11x0" #6: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/10x0" #7: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/15x0" #2: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/13x0" #4: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/4x0" #13: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/16x0" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/5x0" #12: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/7x0" #10: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/8x0" #9: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/3x0" #14: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/9x0" #8: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/1x0" #16: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/6x0" #11: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/2x0" #15: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/14x0" #3: deleting state #35 (STATE_CHILDSA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/14x0" #3: deleting state #3 (STATE_IKESA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/12x0" #5: deleting state #34 (STATE_CHILDSA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/12x0" #5: deleting state #5 (STATE_IKESA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/5x0" #12: deleting state #36 (STATE_CHILDSA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/5x0" #12: deleting state #12 (STATE_IKESA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/13x0" #4: deleting state #39 (STATE_CHILDSA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/13x0" #4: deleting state #4 (STATE_IKESA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/16x0" #1: deleting state #37 (STATE_CHILDSA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/16x0" #1: deleting state #1 (STATE_IKESA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/7x0" #10: deleting state #38 (STATE_CHILDSA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/7x0" #10: deleting state #10 (STATE_IKESA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/15x0" #2: deleting state #43 (STATE_CHILDSA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/15x0" #2: deleting state #2 (STATE_IKESA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/2x0" #15: deleting state #47 (STATE_CHILDSA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/2x0" #15: deleting state #15 (STATE_IKESA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/9x0" #8: deleting state #45 (STATE_CHILDSA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/9x0" #8: deleting state #8 (STATE_IKESA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/10x0" #7: deleting state #46 (STATE_CHILDSA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/10x0" #7: deleting state #7 (STATE_IKESA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/3x0" #14: deleting state #44 (STATE_CHILDSA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/3x0" #14: deleting state #14 (STATE_IKESA_DEL)
May 17 12:45:55 fw pluto[12003]: assign_holdpass() delete_bare_shunt() failed
May 17 12:45:55 fw pluto[12003]: initiate_ondemand_body() failed to install negotiation_shunt,
May 17 12:45:55 fw pluto[12003]: initiate on demand from 10.1.170.43:50051 to 10.199.0.13:123 proto=17 state: fos_start because: acquire


conn ssl-iptrafficsig-1
        authby=                 secret
        auto=                   start
        type=                   tunnel
        forceencaps=            no
        rekeymargin=            3m
        keyingtries=            %forever
        salifetime=             8h
        ikelifetime=            24h
        ikev2=                  insist
        initial-contact=        yes
        send_vendorid=          yes

        #RTT
        left=           10.59.31.49
        leftsubnets=    {10.2.170.0/26,10.1.178.0/26,10.1.160.64/27,10.1.162.64/27,10.1.176.0/25,10.1.170.0/25,10.2.166.0/26,10.2.74.64/29,10.2.130.64/28,10.2.168.10/32,10.2.168.11/32,10.1.172.10/32,10.1.172.11/32,172.21.12.0/26,172.21.13.0/26,172.21.15.0/26}
        leftid=         10.59.31.49
        leftnexthop=    10.59.31.54

        #SAA
        right=          54.247.187.81
        rightid=        54.247.187.81
        rightsubnet=    10.199.0.0/28
        ike=            aes256-sha2_512;modp2048
        phase2=         esp
        phase2alg=      aes256-sha2_512;modp2048
        pfs=            yes
        sha2_truncbug=  no

        #Dead Peer Detection
        dpddelay=       30
        dpdtimeout=     120
        dpdaction=      hold



The strongSwan configuration looks like this:


######### Connection to Mott NRTS Gateway-PSK #####
conn motts_nrts_gateway
        type=tunnel
        authby=secret
        forceencaps=no
        keyexchange=ikev2
        left=10.199.0.4
        leftsubnet=10.199.0.0/28
        leftid=54.247.187.81
        #leftfirewall=yes
        rightfirewall=yes
        ike=aes256-sha2_512-modp2048
        esp=aes256-sha2_512-modp2048
        right=extip
        rightid=extip
        rightsubnet=10.1.176.0/25,10.1.178.0/26,10.1.160.64/27,10.1.162.64/27,10.1.170.0/25,10.2.74.64/29,10.2.166.0/26,10.2.130.64/28,10.2.168.10/32,10.2.168.11/32,10.1.172.10/32,10.1.172.11/32,172.21.12.0/26,172.21.13.0/26,172.21.15.0/26,10.2.170.0/26
        aggressive=no
        ikelifetime=24h
        keyingtries=%forever
        keylife=8h
        dpdaction=hold
        auto=start
######## End of MOTT NRTS Gateway Connection ###


Does anyone have any suggestions as to what could be the issue?


Thanks 

Joe
_______________________________________________
Swan mailing list
Swan@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan
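
Added example (not part of the original post, and not Libreswan code): a Python triage script for pluto log lines in the format quoted above. It rejoins mail-wrapped entries and reports, per connection instance, how many seconds after "sent v2I1" the IKE SA was deleted. The sample lines are constructed in the format of the post's log, and the year 2000 is an assumed placeholder because syslog timestamps omit the year.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the post's log; the first entry is left
# mail-wrapped on purpose to exercise unwrap().
SAMPLE = """\
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/14x0" #3: STATE_PARENT_I1:
sent v2I1, expected v2R1
May 17 12:45:44 fw pluto[12003]: "ssl-iptrafficsig-1/4x0" #13: STATE_PARENT_I1: sent v2I1, expected v2R1
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/14x0" #3: deleting state #35 (STATE_CHILDSA_DEL)
May 17 12:45:55 fw pluto[12003]: "ssl-iptrafficsig-1/14x0" #3: deleting state #3 (STATE_IKESA_DEL)
"""
STAMP = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d ")
LINE = re.compile(r'^(\w{3} +\d+ [\d:]+) \S+ pluto\[\d+\]: "([^"]+)" #\d+: (.*)$')
DELETED = re.compile(r"deleting state #\d+ \((STATE_\w+)\)")

def unwrap(text):
    """Rejoin mail-wrapped entries: a continuation line has no syslog timestamp."""
    out = []
    for raw in text.splitlines():
        if STAMP.match(raw) or not out:
            out.append(raw.rstrip())
        else:
            out[-1] += " " + raw.strip()
    return out

def summarize(text):
    """Per connection instance: time v2I1 was sent, states deleted, time of last delete."""
    conns = defaultdict(lambda: {"i1": None, "deleted": [], "del_at": None})
    for line in unwrap(text):
        m = LINE.match(line)
        if not m:
            continue  # lines without a quoted connection name (e.g. shunt errors)
        # syslog omits the year; 2000 is an assumed placeholder (leap year, so Feb 29 parses)
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        conn, msg = conns[m.group(2)], m.group(3)
        if msg.startswith("STATE_PARENT_I1: sent v2I1"):
            conn["i1"] = ts
        d = DELETED.match(msg)
        if d:
            conn["deleted"].append(d.group(1))
            conn["del_at"] = ts
    return dict(conns)

def flapped(text):
    """Instances whose IKE SA was deleted -> seconds since v2I1 was sent (None if unseen)."""
    return {name: (c["del_at"] - c["i1"]).total_seconds() if c["i1"] else None
            for name, c in summarize(text).items() if "STATE_IKESA_DEL" in c["deleted"]}
```

Calling flapped() on a saved pluto log lists only the instances that lost their IKE SA, which makes it easy to see whether every subnet pair drops together or only some of them.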