CentOS 6.3 IPsec site-to-site waiting for phase 2 (phase 1 is done, looking for phase 2 to unpend) [R

1. CentOS 6.3 IPsec site-to-site waiting for phase 2 (phase 1 is done, looking for phase 2 to unpend) [R

Estefanio Brunhara
stefaniobrunhara

(uses CentOS)

Posted on 22/08/2015 - 16:35h

I can't ping site A or site B; I have a message in the log file saying that phase 2 is pending (phase 1 is done, looking for phase 2 to unpend). I found many messages on Google about the subject, but none was conclusive. I have OpenVPN working perfectly, but this case is very specific and I need IPsec. Thanks!



Both sides have the same configuration and the required routes, and both show the same message in the log.

I'll start by showing the version I'm using, in case there is some bug, since I saw some posts talking about this.

# ipsec version
Linux Openswan U2.6.32/K2.6.32-279.el6.i686 (netkey)
See `ipsec --copyright' for copyright information.

My configuration for site A and site B

vim /etc/ipsec.conf

config setup
plutodebug=all
plutostderrlog=/var/log/pluto.log
interfaces=%defaultroute
virtual_private=%v4:10.0.0.0/24,%v4:192.168.15.0/24,%v4:192.168.0.0/22 <- Question: do I need the 10.x network? I tested with and without it
protostack=netkey
nat_traversal=no <-- Both servers are connected directly to the Internet
oe=off
conn SiteA <--- Here I change this to SiteB on the other server.

pfs=yes
auto=start <-- I've already tried both start and add
type=tunnel
authby=secret
ike=aes128-sha1;modp1024
keyexchange=ike
phase2=esp
phase2alg=aes128-sha1;modp1024
leftid=189.184.218.234
leftprotoport=17/1701
left=189.184.218.234
leftsubnet=192.168.15.0/24
leftnexthop=%defaultroute
rightid=200.50.14.186
rightprotoport=17/1701
right=200.50.14.186
rightsubnet=192.168.0.0/22
rightnexthop=%defaultroute

This part is the same on both servers

vim /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
189.184.218.234 200.50.14.186: PSK "123@345@789"

TEST
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.32-279.el6.i686 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A] <--- Not sure whether I need this or not
NETKEY: Testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

I disabled the firewall and SELinux so they would not interfere with the IPsec tests
# getenforce
Disabled

# route -n
Tabela de Roteamento IP do Kernel (I added some --- to improve readability)
Destino-----------Roteador------------MáscaraGen----Opções- Métrica Ref---Uso Iface
192.168.15.0----0.0.0.0---------------255.255.255.0---U-----------0--------0--------0 eth0
189.184.218.0---0.0.0.0--------------255.255.255.0---U-----------0--------0--------0 eth1
192.168.0--------189.184.218.233-255.255.252.0---UG---------0--------0--------0 eth1
169.254.0.0------0.0.0.0---------------255.255.0.0------U-----------1002---0--------0 eth1
169.254.0.0------0.0.0.0---------------255.255.0.0------U-----------1003---0--------0 eth0
0.0.0.0-------------189.184.218.233--0.0.0.0------------UG---------10------0--------0 eth1

End of the log file

#tail -f /var/log/pluto.log
"SiteA" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xa4b1114c <0x1a3c7344 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}
| modecfg pull: noquirk policy:push not-client
| phase 1 is done, looking for phase 2 to unpend <------- I ALSO SEARCHED GOOGLE FOR THIS
| * processed 0 messages from cryptographic helpers
| next event EVENT_NAT_T_KEEPALIVE in 20 seconds
| next event EVENT_NAT_T_KEEPALIVE in 20 seconds

tail -f /var/log/pluto.log
| handling event EVENT_PENDING_DDNS
| event after this is EVENT_PENDING_PHASE2 in 0 seconds
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added after event EVENT_PENDING_PHASE2
| handling event EVENT_PENDING_PHASE2
| event after this is EVENT_PENDING_DDNS in 60 seconds
| inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
| event added after event EVENT_PENDING_DDNS
| pending review: connection "SanGEmive" was not up, skipped
| next event EVENT_PENDING_DDNS in 60 seconds

# ipsec auto --verbose --up SiteA
002 "SiteA" #1: initiating Main Mode
104 "SiteA" #1: STATE_MAIN_I1: initiate
003 "SiteA" #1: received Vendor ID payload [Openswan (this version) 2.6.32 ]
003 "SiteA" #1: received Vendor ID payload [Dead Peer Detection]
003 "SiteA" #1: received Vendor ID payload [RFC 3947] method set to=109
002 "SiteA" #1: enabling possible NAT-traversal with method 4
002 "SiteA" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "SiteA" #1: STATE_MAIN_I2: sent MI2, expecting MR2
002 "SiteA" #1: I will NOT send an initial contact payload <--- I SEARCHED GOOGLE FOR THIS BUT COULDN'T CONCLUDE ANYTHING
003 "SiteA" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
002 "SiteA" #1: Not sending INITIAL_CONTACT <--- I ALSO SEARCHED GOOGLE FOR THIS
002 "SiteA" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "SiteA" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "SiteA" #1: received Vendor ID payload [CAN-IKEv2]
002 "SiteA" #1: Main mode peer ID is ID_IPV4_ADDR: '201.59.14.186'
002 "SiteA" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "SiteA" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
002 "SiteA" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:13fb1db6 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
117 "SiteA" #2: STATE_QUICK_I1: initiate

# ipsec status
000 using kernel interface: netkey
000 interface eth1/eth1 189.184.218.234
000 interface eth1/eth1 189.184.218.234
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo
000
000 virtual_private (%priv):
000 - allowed 3 subnets: 10.0.0.0/24, 192.168.15.0/24, 192.168.0.0/22
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have <--- I DON'T KNOW IF THIS IS GETTING IN THE WAY!
000 private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=(null), keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=(null), keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "SiteA": 192.168.15.0/24===189.184.218.234<189.184.218.234>[+S=C]:17/1701---189.184.218.233...189.184.218.233---200.50.14.186<200.50.14.186>[+S=C]:17/1701===192.168.0.0/22; unrouted; eroute owner: #0
000 "SiteA": myip=unset; hisip=unset;
000 "SiteA": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes
000 "SiteA": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,22; interface: eth1;
000 "SiteA": dpd: action:clear; delay:0; timeout:0;
000 "SiteA": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "SiteA": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1024(2)
000 "SiteA": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
000 "SiteA": ESP algorithms wanted: AES(12)_128-SHA1(2)_000; pfsgroup=MODP1024(2)
000 "SiteA": ESP algorithms loaded: AES(12)_128-SHA1(2)_160
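As an added example (not code from this thread), a small Python parser for the "SiteA" summary line that "ipsec status" prints above, which checks what traffic the conn's policy selector actually covers: with leftprotoport/rightprotoport set to 17/1701 the selector only matches UDP port 1701, so an ICMP ping between the two LANs does not match it. The second sample line, showing the same conn without a protoport suffix, is constructed as an assumption about how the later protoport-less config would print.

```python
import ipaddress
import re

# Constructed sample: the "SiteA" summary that "ipsec status" printed in the
# first post (leading "000 " stripped). The ":17/1701" after each end comes
# from leftprotoport=17/1701 / rightprotoport=17/1701 in the config.
STATUS_WITH_PROTOPORT = (
    '"SiteA": 192.168.15.0/24===189.184.218.234<189.184.218.234>[+S=C]:17/1701'
    '---189.184.218.233...189.184.218.233---200.50.14.186<200.50.14.186>[+S=C]'
    ':17/1701===192.168.0.0/22; unrouted; eroute owner: #0'
)

# Constructed sample (an assumption about how the later protoport-less config
# would print): the same conn with no ":proto/port" suffix on either end.
STATUS_ANY = (
    '"SiteA": 192.168.15.0/24===189.184.218.234<189.184.218.234>[+S=C]'
    '---189.184.218.233...189.184.218.233---200.50.14.186<200.50.14.186>[+S=C]'
    '===192.168.0.0/22; unrouted; eroute owner: #0'
)

_IP = r'\d+(?:\.\d+){3}'
# One tunnel end: host<id>[flags] with an optional ":proto/port" suffix.
_END = r'<[^>]*>(?:\[[^\]]*\])?(?::(?P<proto>\d+)/(?P<port>\d+))?'
LEFT_RE = re.compile(r'(?P<subnet>' + _IP + r'/\d+)===(?P<host>' + _IP + r')'
                     + _END + r'---')
RIGHT_RE = re.compile(r'---(?P<host>' + _IP + r')' + _END
                      + r'===(?P<subnet>' + _IP + r'/\d+)')


def _end(match):
    proto, port = match.group('proto'), match.group('port')
    return {
        'subnet': ipaddress.ip_network(match.group('subnet')),
        'host': match.group('host'),
        # Openswan prints ":proto/port" only when a protoport is configured;
        # absent (or 0) means "any protocol" / "any port".
        'proto': int(proto) if proto else 0,
        'port': int(port) if port else 0,
    }


def parse_conn(line):
    """Parse one 'ipsec status' connection summary line into a dict."""
    name = re.match(r'\s*(?:000 )?"(?P<name>[^"]+)":', line)
    left, right = LEFT_RE.search(line), RIGHT_RE.search(line)
    if not (name and left and right):
        raise ValueError('not a connection summary line: %r' % line)
    fields = [f.strip() for f in line.split(';')]
    return {
        'name': name.group('name'),
        'left': _end(left),
        'right': _end(right),
        # e.g. "unrouted" / "routed" / "erouted": whether the policy is installed
        'state': fields[1] if len(fields) > 1 else '',
    }


def selector_matches(conn, src, dst, proto, sport=0, dport=0):
    """True if a packet src -> dst is covered by the conn's policy selector.

    Direction is inferred from which subnet holds src; a 0 proto/port in the
    policy means "any", a non-zero one must equal the packet's field.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for near, far in ((conn['left'], conn['right']),
                      (conn['right'], conn['left'])):
        if src not in near['subnet'] or dst not in far['subnet']:
            continue
        if near['proto'] and near['proto'] != proto:
            return False
        if far['proto'] and far['proto'] != proto:
            return False
        if near['port'] and near['port'] != sport:
            return False
        if far['port'] and far['port'] != dport:
            return False
        return True
    return False


def explain_ping(conn, src, dst):
    """Say whether an ICMP echo (IP protocol 1) between two LAN hosts is covered."""
    if selector_matches(conn, src, dst, proto=1):
        return '%s: ICMP %s -> %s is covered by the policy (%s)' % (
            conn['name'], src, dst, conn['state'])
    return ('%s: ICMP %s -> %s is NOT covered; the selector is limited to '
            'proto %d, ports %d/%d' % (conn['name'], src, dst,
                                      conn['left']['proto'],
                                      conn['left']['port'],
                                      conn['right']['port']))


if __name__ == '__main__':
    for line in (STATUS_WITH_PROTOPORT, STATUS_ANY):
        print(explain_ping(parse_conn(line), '192.168.15.10', '192.168.1.10'))
```

Run it over the real "ipsec status" output; a conn whose selector does cover the ping but still shows "unrouted" points at the policy installation side rather than the selector.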

2. Re: CentOS 6.3 IPsec site-to-site waiting for phase 2 (phase 1 is done, looking for phase 2 to unpend) [R

3. Re: CentOS 6.3 IPsec site-to-site waiting for phase 2 (phase 1 is done, looking for phase 2 to unpend) [R

Estefanio Brunhara
stefaniobrunhara

(uses CentOS)

Posted on 25/08/2015 - 13:44h


I've already been through that link, but I still have the problem! Thanks!


4. Re: CentOS 6.3 IPsec site-to-site waiting for phase 2 (phase 1 is done, looking for phase 2 to unpend

Estefanio Brunhara
stefaniobrunhara

(uses CentOS)

Posted on 26/08/2015 - 09:21h


Parts of other logs I found that I have doubts about




002 "SiteB" #1: I will NOT send an initial contact payload
002 "SiteB" #1: Not sending INITIAL_CONTACT

FIPS: not a FIPS product
FIPS HMAC integrity verification FAILURE
FIPS: not a FIPS product, kernel mode ignored - continuing




5. Re: CentOS 6.3 IPsec site-to-site waiting for phase 2 (phase 1 is done, looking for phase 2 to unpend

Estefanio Brunhara
stefaniobrunhara

(uses CentOS)

Posted on 27/08/2015 - 10:38h

I ran a yum update on both servers, to rule out an update issue, but it still didn't work!



6. Re: CentOS 6.3 IPsec site-to-site waiting for phase 2 (phase 1 is done, looking for phase 2 to unpend) [R

Estefanio Brunhara
stefaniobrunhara

(uses CentOS)

Posted on 28/08/2015 - 15:14h


I've seen many posts on the Internet about the subject, but they are all very old and most refer to the Linux kernel using KLIPS. The CentOS 6 kernel is set up for NETKEY; is there some extra configuration to be done?


7. Re: CentOS 6.3 IPsec site-to-site waiting for phase 2 (phase 1 is done, looking for phase 2 to unpend

Estefanio Brunhara
stefaniobrunhara

(uses CentOS)

Posted on 29/08/2015 - 11:25h

Today, reading the log, I found another piece of information that I think is interesting

cmd( 800):NFIGURED='0' ipsec _updown:

rest of the log

command executing up-client
| executing up-client: 2>&1 PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='SiteA' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='179.184.218.233' PLUTO_ME='179.184.218.234' PLUTO_MY_ID='179.184.218.234' PLUTO_MY_CLIENT='192.168.15.0/24' PLUTO_MY_CLIENT_NET='192.168.15.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='1701' PLUTO_MY_PROTOCOL='17' PLUTO_PEER='200.50.14.186' PLUTO_PEER_ID='200.50.14.186' PLUTO_PEER_CLIENT='192.168.0.0/22' PLUTO_PEER_CLIENT_NET='192.168.0.0' PLUTO_PEER_CLIENT_MASK='255.255.252.0' PLUTO_PEER_PORT='1701' PLUTO_PEER_PROTOCOL='17' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK' PLUTO_XAUTH_USERNAME='' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown
| popen(): cmd is 826 chars long
| cmd( 0):2>&1 PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='SiteA' PLU:
| cmd( 80):TO_INTERFACE='eth1' PLUTO_NEXT_HOP='179.184.218.233' PLUTO_ME='179.184.218.234' :
| cmd( 160):PLUTO_MY_ID='179.184.218.234' PLUTO_MY_CLIENT='192.168.15.0/24' PLUTO_MY_CLIENT_:
| cmd( 240):NET='192.168.15.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='1701' PLU:
| cmd( 320):TO_MY_PROTOCOL='17' PLUTO_PEER='200.50.14.186' PLUTO_PEER_ID='200.50.14.186' PLU:
| cmd( 400):TO_PEER_CLIENT='192.168.0.0/22' PLUTO_PEER_CLIENT_NET='192.168.0.0' PLUTO_PEER_C:
| cmd( 480):LIENT_MASK='255.255.252.0' PLUTO_PEER_PORT='1701' PLUTO_PEER_PROTOCOL='17' PLUTO:
| cmd( 560):_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+COMPRESS+TUNNEL:
| cmd( 640):+PFS+IKEv2ALLOW+SAREFTRACK' PLUTO_XAUTH_USERNAME='' PLUTO_IS_PEER_CISCO='0' PLU:
| cmd( 720):TO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CO:
| cmd( 800):NFIGURED='0' ipsec _updown:



8. Re: CentOS 6.3 IPsec site-to-site waiting for phase 2 (phase 1 is done, looking for phase 2 to unpend

Estefanio Brunhara
stefaniobrunhara

(uses CentOS)

Posted on 02/09/2015 - 08:44h

Guys, I did a test downloading the sources and compiling them, to see if it was some version problem with the CentOS rpm, but I still couldn't get IPsec working.




I'm really taking a beating! lol

wget http://download.openswan.org/openswan/openswan-2.6.45.tar.gz

tar -xvzf openswan-2.6.45.tar.gz
cd openswan-2.6.45
make programs
sudo make install

vim /etc/ipsec.conf

config setup
plutodebug=all
plutostderrlog=/var/log/pluto.log
protostack=netkey
nat_traversal=yes
oe=off

conn SiteA <-- changed to SiteB on the other machine

pfs=yes
auto=add
compress=no
type=tunnel
authby=secret
ike=3des-md5
phase2=esp
phase2alg=3des-md5
left=200.50.14.186
leftsubnet=192.168.0.0/22
leftnexthop=%defaultroute
right=189.184.218.234
rightsubnet=192.168.15.0/24
rightnexthop=%defaultroute


[root@ns15 openswan-2.6.45]# ipsec verify
Checking if IPsec got installed and started correctly:

Version check and ipsec on-path [OK]
Openswan U2.6.45/K2.6.32-573.3.1.el6.i686 (netkey)
See `ipsec --copyright' for copyright information.
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Hardware random device check [N/A]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED]
Pluto listening for IKE on tcp 10000 (cisco) [NOT IMPLEMENTED]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [IP XFRM BROKEN]
<-------- ????
Checking 'iptables' command [OK]

Log SiteA

processing connection SiteA
| received encrypted packet from 189.184.218.234:500
| decrypting 24 bytes using algorithm OAKLEY_3DES_CBC
| decrypted:
| 00 00 00 14 0d 63 da 95 b1 05 c4 79 3c b9 c4 5a
| 66 61 d6 6d 00 00 00 00
| next IV: 98 11 e6 de 00 1d ab 0a
| got payload 0x100(ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0
| ***parse ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 20
| removing 4 bytes of padding
| HASH(3) computed: 0d 63 da 95 b1 05 c4 79 3c b9 c4 5a 66 61 d6 6d
| state #2: install_ipsec_sa() for outbound only
| route owner of "SiteA" unrouted: NULL; eroute owner: NULL
| could_route called for SiteA (kind=CK_PERMANENT)
| state #2: now setting up incoming SA
| sr for #2: unrouted
| route owner of "SiteA" unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: SiteA (next: none) ero:null esr:{(nil)} ro:null
rosr:{(nil)} and state: 2
| eroute_connection: between 200.50.14.186<->189.184.218.234
| eroute_connection add eroute 192.168.0.0/22:0 --0-> 192.168.15.0/24:0 =>
tun.0 at 189.184.218.234 (raw_eroute)
| creating SPD to 200.50.14.186->spi=00000000 at 189.184.218.234 proto=4
| raw_eroute result=1
| command executing up-client
| executing up-client: 2>&1 PLUTO_VERB='up-client' PLUTO_VERSION='2.0'
PLUTO_CONNECTION='SiteA' PLUTO_INTERFACE='eth1'
PLUTO_NEXT_HOP='200.50.14.185' PLUTO_ME='200.50.14.186'
PLUTO_MY_ID='200.50.14.186' PLUTO_MY_CLIENT='192.168.0.0/22'
PLUTO_MY_CLIENT_NET='192.168.0.0' PLUTO_MY_CLIENT_MASK='255.255.252.0'
PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='189.184.218.234'
PLUTO_PEER_ID='189.184.218.234' PLUTO_PEER_CLIENT='192.168.15.0/24'
PLUTO_PEER_CLIENT_NET='192.168.15.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0'
PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA=''
PLUTO_STACK='netkey'
PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK'
PLUTO_CONN_ADDRFAMILY='ipv4' PLUTO_XAUTH_USERNAME=''
PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO=''
PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown
| popen(): cmd is 838 chars long
| cmd( 0):2>&1 PLUTO_VERB='up-client' PLUTO_VERSION='2.0'
PLUTO_CONNECTION='SiteA' PLU:
| cmd( 80):TO_INTERFACE='eth1' PLUTO_NEXT_HOP='200.50.14.185'
PLUTO_ME='200.50.14.186' PLUT:
| cmd( 160):O_MY_ID='200.50.14.186' PLUTO_MY_CLIENT='192.168.0.0/22'
PLUTO_MY_CLIENT_NET='1:
| cmd( 240):92.168.0.0' PLUTO_MY_CLIENT_MASK='255.255.252.0'
PLUTO_MY_PORT='0' PLUTO_MY_PROT:
| cmd( 320):OCOL='0' PLUTO_PEER='189.184.218.234'
PLUTO_PEER_ID='189.184.218.234' PLUTO_PEER:
| cmd( 400):_CLIENT='192.168.15.0/24' PLUTO_PEER_CLIENT_NET='192.168.15.0'
PLUTO_PEER_CLIENT:
| cmd( 480):_MASK='255.255.255.0' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA=:
| cmd( 560):'' PLUTO_STACK='netkey'
PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+S:
| cmd( 640):AREFTRACK' PLUTO_CONN_ADDRFAMILY='ipv4' PLUTO_XAUTH_USERNAME=''
PLUTO_IS_PEER_C:
| cmd( 720):ISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO=''
PLUTO_PEER_BANNER='':
| cmd( 800): PLUTO_NM_CONFIGURED='0' ipsec _updown:
| route_and_eroute: firewall_notified: true
| command executing prepare-client
| executing prepare-client: 2>&1 PLUTO_VERB='prepare-client'
PLUTO_VERSION='2.0' PLUTO_CONNECTION='SiteA' PLUTO_INTERFACE='eth1'
PLUTO_NEXT_HOP='200.50.14.185' PLUTO_ME='200.50.14.186'
PLUTO_MY_ID='200.50.14.186' PLUTO_MY_CLIENT='192.168.0.0/22'
PLUTO_MY_CLIENT_NET='192.168.0.0' PLUTO_MY_CLIENT_MASK='255.255.252.0'
PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='189.184.218.234'
PLUTO_PEER_ID='189.184.218.234' PLUTO_PEER_CLIENT='192.168.15.0/24'
PLUTO_PEER_CLIENT_NET='192.168.15.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0'
PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA=''
PLUTO_STACK='netkey'
PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK'
PLUTO_CONN_ADDRFAMILY='ipv4' PLUTO_XAUTH_USERNAME=''
PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO=''
PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown
| popen(): cmd is 843 chars long
| cmd( 0):2>&1 PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0'
PLUTO_CONNECTION='SiteA:
| cmd( 80):' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='200.50.14.185'
PLUTO_ME='200.50.14.186':
| cmd( 160): PLUTO_MY_ID='200.50.14.186' PLUTO_MY_CLIENT='192.168.0.0/22'
PLUTO_MY_CLIENT_N:
| cmd( 240):ET='192.168.0.0' PLUTO_MY_CLIENT_MASK='255.255.252.0'
PLUTO_MY_PORT='0' PLUTO_MY:
| cmd( 320):_PROTOCOL='0' PLUTO_PEER='189.184.218.234'
PLUTO_PEER_ID='189.184.218.234' PLUTO:
| cmd( 400):_PEER_CLIENT='192.168.15.0/24'
PLUTO_PEER_CLIENT_NET='192.168.15.0' PLUTO_PEER_C:
| cmd( 480):LIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0' PLUTO_PEE:
| cmd( 560):R_CA='' PLUTO_STACK='netkey'
PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEv2AL:
| cmd( 640):LOW+SAREFTRACK' PLUTO_CONN_ADDRFAMILY='ipv4'
PLUTO_XAUTH_USERNAME='' PLUTO_IS_P:
| cmd( 720):EER_CISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO=''
PLUTO_PEER_BANN:
| cmd( 800):ER='' PLUTO_NM_CONFIGURED='0' ipsec _updown:
| command executing route-client
| executing route-client: 2>&1 PLUTO_VERB='route-client' PLUTO_VERSION='2.0'
PLUTO_CONNECTION='SiteA' PLUTO_INTERFACE='eth1'
PLUTO_NEXT_HOP='200.50.14.185' PLUTO_ME='200.50.14.186'
PLUTO_MY_ID='200.50.14.186' PLUTO_MY_CLIENT='192.168.0.0/22'
PLUTO_MY_CLIENT_NET='192.168.0.0' PLUTO_MY_CLIENT_MASK='255.255.252.0'
PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='189.184.218.234'
PLUTO_PEER_ID='189.184.218.234' PLUTO_PEER_CLIENT='192.168.15.0/24'
PLUTO_PEER_CLIENT_NET='192.168.15.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0'
PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA=''
PLUTO_STACK='netkey'
PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK'
PLUTO_CONN_ADDRFAMILY='ipv4' PLUTO_XAUTH_USERNAME=''
PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO=''
PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown
| popen(): cmd is 841 chars long
| cmd( 0):2>&1 PLUTO_VERB='route-client' PLUTO_VERSION='2.0'
PLUTO_CONNECTION='SiteA' :
| cmd( 80):PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='200.50.14.185'
PLUTO_ME='200.50.14.186' P:
| cmd( 160):LUTO_MY_ID='200.50.14.186' PLUTO_MY_CLIENT='192.168.0.0/22'
PLUTO_MY_CLIENT_NET:
| cmd( 240):='192.168.0.0' PLUTO_MY_CLIENT_MASK='255.255.252.0'
PLUTO_MY_PORT='0' PLUTO_MY_P:
| cmd( 320):ROTOCOL='0' PLUTO_PEER='189.184.218.234'
PLUTO_PEER_ID='189.184.218.234' PLUTO_P:
| cmd( 400):EER_CLIENT='192.168.15.0/24'
PLUTO_PEER_CLIENT_NET='192.168.15.0' PLUTO_PEER_CLI:
| cmd( 480):ENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_:
| cmd( 560):CA='' PLUTO_STACK='netkey'
PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLO:
| cmd( 640):W+SAREFTRACK' PLUTO_CONN_ADDRFAMILY='ipv4'
PLUTO_XAUTH_USERNAME='' PLUTO_IS_PEE:
| cmd( 720):R_CISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO=''
PLUTO_PEER_BANNER:
| cmd( 800):='' PLUTO_NM_CONFIGURED='0' ipsec _updown:
| route_and_eroute: instance "SiteA", setting eroute_owner
{spd=0x692970,sr=0xbf9d4714} to #2 (was #0) (newest_ipsec_sa=#0)
| inI2: instance SiteA[0], setting newest_ipsec_sa to #2 (was #0)
(spd.eroute=#0)
| complete state transition with STF_OK
"SiteA" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
| deleting event for #2
| inserting event EVENT_SA_REPLACE, timeout in 28530 seconds for #2
| event added after event EVENT_REINIT_SECRET
"SiteA" #2: STATE_QUICK_R2: IPsec SA established tunnel mode
{ESP=>0xb6e9b17d <0xfa2f6ea4 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none
DPD=none}
| modecfg pull: noquirk policy:push not-client
| phase 1 is done, looking for phase 2 to unpend
| * processed 0 messages from cryptographic helpers
| next event EVENT_NAT_T_KEEPALIVE in 20 seconds
| next event EVENT_NAT_T_KEEPALIVE in 20 seconds

Log SiteB


| processing connection SiteA
"SiteA": deleting connection
| processing connection SiteA
"SiteA" #2: deleting state (STATE_QUICK_I2)
| deleting event for #2
"SiteA" #2: deleting state #2 (STATE_QUICK_I2)
| **emit ISAKMP Message:
| initiator cookie:
| 9c 2d 85 03 88 28 00 66
| responder cookie:
| bc 3f d2 07 3d bc a4 00
| next payload type: ISAKMP_NEXT_HASH
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_INFO
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: 5a 24 44 e0
| ***emit ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_D
| emitting 16 zero bytes of HASH(1) into ISAKMP Hash Payload
| emitting length of ISAKMP Hash Payload: 20
| ***emit ISAKMP Delete Payload:
| next payload type: ISAKMP_NEXT_NONE
| DOI: ISAKMP_DOI_IPSEC
| protocol ID: 3
| SPI size: 4
| number of SPIs: 1
| emitting 4 raw bytes of delete payload into ISAKMP Delete Payload
| delete payload b6 e9 b1 7d
| emitting length of ISAKMP Delete Payload: 16
| HASH(1) computed:
| bc 32 f8 77 91 10 9c 23 e7 5c b2 65 d5 01 5d 58
| last Phase 1 IV: a5 b7 3d 13 53 0c a9 65
| current Phase 1 IV: a5 b7 3d 13 53 0c a9 65
| computed Phase 2 IV:
| ed d2 23 0b 9d ec 77 f0 19 5d 75 1a 48 7c e5 b1
| encrypting:
| 0c 00 00 14 bc 32 f8 77 91 10 9c 23 e7 5c b2 65
| d5 01 5d 58 00 00 00 10 00 00 00 01 03 04 00 01
| b6 e9 b1 7d
| IV:
| ed d2 23 0b 9d ec 77 f0 19 5d 75 1a 48 7c e5 b1
| unpadded size is: 36
| emitting 4 zero bytes of encryption padding into ISAKMP Message
| encrypting 40 using OAKLEY_3DES_CBC
| next IV: 1c 55 05 58 43 43 59 28
| emitting length of ISAKMP Message: 68
| sending 68 bytes for delete notify through eth1:500 to 200.50.14.186:500
(using #1)
| 9c 2d 85 03 88 28 00 66 bc 3f d2 07 3d bc a4 00
| 08 10 05 01 5a 24 44 e0 00 00 00 44 c8 37 16 71
| 2a 5f f8 86 9b 99 f5 e7 76 ad 4b f0 94 ce f5 1f
| b7 98 47 5e fb fe 5e 30 0c 31 fa a0 1c 55 05 58
| 43 43 59 28
| deleting event for #2
| no suspended cryptographic state for 2
| ICOOKIE: 9c 2d 85 03 88 28 00 66
| RCOOKIE: bc 3f d2 07 3d bc a4 00
| state hash entry 24
| delete esp.fa2f6ea4 at 200.50.14.186
| delete inbound eroute 192.168.0.0/22:0 --0-> 192.168.15.0/24:0 =>
unk255.10000 at 189.184.218.234 (raw_eroute)
| creating SPD to 200.50.14.186->spi=00010000 at 189.184.218.234 proto=255
| raw_eroute result=1
| delete esp.b6e9b17d at 189.184.218.234
| processing connection SiteA
"SiteA" #1: deleting state (STATE_MAIN_I4)
| deleting event for #1
"SiteA" #1: deleting state #1 (STATE_MAIN_I4)
| **emit ISAKMP Message:
| initiator cookie:
| 9c 2d 85 03 88 28 00 66
| responder cookie:
| bc 3f d2 07 3d bc a4 00
| next payload type: ISAKMP_NEXT_HASH
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_INFO
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: 16 ca 13 6f
| ***emit ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_D
| emitting 16 zero bytes of HASH(1) into ISAKMP Hash Payload
| emitting length of ISAKMP Hash Payload: 20
| ***emit ISAKMP Delete Payload:
| next payload type: ISAKMP_NEXT_NONE
| DOI: ISAKMP_DOI_IPSEC
| protocol ID: 1
| SPI size: 16
| number of SPIs: 1
| emitting 16 raw bytes of delete payload into ISAKMP Delete Payload
| delete payload 9c 2d 85 03 88 28 00 66 bc 3f d2 07 3d bc a4 00
| emitting length of ISAKMP Delete Payload: 28
| HASH(1) computed:
| be 02 17 f0 b0 5c d1 cb aa bb 32 cd e5 53 64 87
| last Phase 1 IV: a5 b7 3d 13 53 0c a9 65
| current Phase 1 IV: a5 b7 3d 13 53 0c a9 65
| computed Phase 2 IV:
| cf 20 07 71 56 98 9e 06 23 b9 2c 73 55 05 1d 60
| encrypting:
| 0c 00 00 14 be 02 17 f0 b0 5c d1 cb aa bb 32 cd
| e5 53 64 87 00 00 00 1c 00 00 00 01 01 10 00 01
| 9c 2d 85 03 88 28 00 66 bc 3f d2 07 3d bc a4 00
| IV:
| cf 20 07 71 56 98 9e 06 23 b9 2c 73 55 05 1d 60
| unpadded size is: 48
| encrypting 48 using OAKLEY_3DES_CBC
| next IV: e8 27 42 28 65 36 75 24
| emitting length of ISAKMP Message: 76
| sending 76 bytes for delete notify through eth1:500 to 200.50.14.186:500
(using #1)
| 9c 2d 85 03 88 28 00 66 bc 3f d2 07 3d bc a4 00
| 08 10 05 01 16 ca 13 6f 00 00 00 4c f3 20 d8 a5
| 58 66 4a 8b d1 95 3f 1a 72 43 22 3f bc aa 7c 64
| 3f a5 e9 f0 ff fd 32 10 45 59 64 f2 9b eb c2 0a
| 9a 2d 39 0f e8 27 42 28 65 36 75 24
| deleting event for #1
| no suspended cryptographic state for 1
| ICOOKIE: 9c 2d 85 03 88 28 00 66
| RCOOKIE: bc 3f d2 07 3d bc a4 00
| state hash entry 24
| request to delete a unrouted policy with netkey kernel --- experimental
| creating SPD to 189.184.218.234->spi=00000000 at 0.0.0.0 proto=61
| creating SPD to 189.184.218.234->spi=00000000 at 0.0.0.0 proto=61
| route owner of "SiteA" unrouted: NULL
| command executing unroute-client
| executing unroute-client: 2>&1 PLUTO_VERB='unroute-client'
PLUTO_VERSION='2.0' PLUTO_CONNECTION='SiteA' PLUTO_INTERFACE='eth1'
PLUTO_NEXT_HOP='189.184.218.233' PLUTO_ME='189.184.218.234'
PLUTO_MY_ID='189.184.218.234' PLUTO_MY_CLIENT='192.168.15.0/24'
PLUTO_MY_CLIENT_NET='192.168.15.0' PLUTO_MY_CLIENT_MASK='255.255.255.0'
PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='200.50.14.186'
PLUTO_PEER_ID='200.50.14.186' PLUTO_PEER_CLIENT='192.168.0.0/22'
PLUTO_PEER_CLIENT_NET='192.168.0.0' PLUTO_PEER_CLIENT_MASK='255.255.252.0'
PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA=''
PLUTO_STACK='netkey'
PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK'
PLUTO_CONN_ADDRFAMILY='ipv4' PLUTO_IS_PEER_CISCO='0'
PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER=''
PLUTO_NM_CONFIGURED='0' ipsec _updown
| popen(): cmd is 826 chars long
| cmd( 0):2>&1 PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0'
PLUTO_CONNECTION='SiteA:
| cmd( 80):' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='189.184.218.233'
PLUTO_ME='189.184.218.:
| cmd( 160):234' PLUTO_MY_ID='189.184.218.234'
PLUTO_MY_CLIENT='192.168.15.0/24' PLUTO_MY_CL:
| cmd( 240):IENT_NET='192.168.15.0' PLUTO_MY_CLIENT_MASK='255.255.255.0'
PLUTO_MY_PORT='0' P:
| cmd( 320):LUTO_MY_PROTOCOL='0' PLUTO_PEER='200.50.14.186'
PLUTO_PEER_ID='200.50.14.186' :
| cmd( 400):PLUTO_PEER_CLIENT='192.168.0.0/22'
PLUTO_PEER_CLIENT_NET='192.168.0.0' PLUTO_PEE:
| cmd( 480):R_CLIENT_MASK='255.255.252.0' PLUTO_PEER_PORT='0'
PLUTO_PEER_PROTOCOL='0' PLUTO_:
| cmd( 560):PEER_CA='' PLUTO_STACK='netkey'
PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+UP+I:
| cmd( 640):KEv2ALLOW+SAREFTRACK' PLUTO_CONN_ADDRFAMILY='ipv4'
PLUTO_IS_PEER_CISCO='0' PLU:
| cmd( 720):TO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO=''
PLUTO_PEER_BANNER='' PLUTO_NM_CO:
| cmd( 800):NFIGURED='0' ipsec _updown:
| alg_info_delref(0x1b5ccd8) alg_info->ref_cnt=1
| alg_info_delref(0x1b5ccd8) freeing alg_info
| alg_info_delref(0x1b5c460) alg_info->ref_cnt=1
| alg_info_delref(0x1b5c460) freeing alg_info




9. Re: CentOS 6.3 IPsec site-to-site waiting for phase 2 (phase 1 is done, looking for phase 2 to unpend

Estefanio Brunhara
stefaniobrunhara

(uses CentOS)

Posted on 15/09/2015 - 10:00h

I solved the problem with help from Felipe Santos
https://br.groups.yahoo.com/neo/groups/openswan-br/conversations/messages/715

I forgot to mention: my tests were done with the Openswan sources, but the rpm shipped with CentOS 6.3 works perfectly.





