
We are communicating with one of our clients over a VPN Tunnel.

Openswan tunnel was working perfectly fine before. Today we attached an Elastic IP to the server and rebooted. Since then the tunnel is not starting up.

These are the steps we have performed:

  1. Asked the client to update our new IP at their end - DONE

  2. Update the ipsec.config at our end - DONE (Here is the new file)

    nat_traversal=yes
    oe=off
    protostack=netkey
    interfaces="%defaultroute"
    conn customer
            type=tunnel
            authby=secret
            left=%defaultroute
            leftid=52.24.154.45 <elastic-ip>
            leftsourceip=172.31.38.203 <internal-ip>
            leftnexthop=%defaultroute
            leftsubnet=172.31.0.0/16
            right=<client-public-ip>
            rightid=<client-public-ip>
            rightsubnet=<clients-subnet>
            phase2=esp
            phase2alg=3des-md5;modp1024
            ike=3des-md5;modp1024!
            ikelifetime=480m
            pfs=no
            auto=start
            rekey=yes
            keyingtries=%forever

  3. ipsec.secrets - No modifications required

      include /var/lib/openswan/ipsec.secrets.inc
      <client-public-ip> 0.0.0.0 %any: PSK "xxxxxxxxxxxxxx"
    
  4. iptables -L

  5. iptables -t nat -L

  6. ipsec auto --status

    000 using kernel interface: netkey
    000 interface lo/lo ::1
    000 interface lo/lo 127.0.0.1
    000 interface lo/lo 127.0.0.1
    000 interface eth0/eth0 172.31.38.203
    000 interface eth0/eth0 172.31.38.203
    000 interface eth0/eth0 52.24.154.45
    000 interface eth0/eth0 52.24.154.45
    000 %myid = (none)
    000 debug none
    000
    000 virtual_private (%priv):
    000 - allowed 7 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 203.201.213.0/24, fd00::/8, fe80::/10
    000 - disallowed 0 subnets:
    000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
    000 private address space in internal use, it should be excluded!
    000
    000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
    000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
    000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
    000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
    000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
    000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
    000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
    000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
    000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
    000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
    000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
    000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
    000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
    000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
    000
    000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
    000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
    000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
    000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
    000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
    000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
    000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
    000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
    000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
    000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
    000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
    000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
    000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
    000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
    000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
    000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
    000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
    000
    000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,1,64} trans={0,1,3072} attrs={0,1,2048}
    000
    000 "customer": 172.31.0.0/16===172.31.38.203[52.24.154.45]---172.31.32.1...203.201.209.98<203.201.209.98>===203.201.213.0/24; prospective erouted; eroute owner: #0
    000 "customer": myip=172.31.38.203; hisip=unset;
    000 "customer": ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
    000 "customer": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 16,24; interface: eth0;
    000 "customer": newest ISAKMP SA: #0; newest IPsec SA: #0;
    000 "customer": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2); flags=strict
    000 "customer": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
    000 "customer": ESP algorithms wanted: 3DES(3)_000-MD5(1)_000; pfsgroup=MODP1024(2); flags=-strict
    000 "customer": ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
    000
    000 #2: "customer":4500 STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 33s; nodpd; idle; import:admin initiate
    000 #2: pending Phase 2 for "customer" replacing #0
    000

  7. tail /var/log/auth.log

    Jan 11 20:10:57 ip-172-31-38-203 ipsec__plutorun: Starting Pluto subsystem...
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: Starting Pluto (Openswan Version 2.6.38; Vendor ID OEvy\134kgzWq\134s) pid:27458
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: LEAK_DETECTIVE support [disabled]
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: OCF support for IKE [disabled]
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: SAref support [disabled]: Protocol not available
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: SAbind support [disabled]: Protocol not available
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: NSS support [disabled]
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: HAVE_STATSD notification support not compiled in
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: Setting NAT-Traversal port-4500 floating to on
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: port floating activation criteria nat_t=1/port_float=1
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: NAT-Traversal support [enabled]
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: using /dev/urandom as source of random entropy
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: starting up 1 cryptographic helpers
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: started helper pid=27460 (fd:6)
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: Using Linux 2.6 IPsec interface code on 3.13.0-36-generic (experimental code)
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27460]: using /dev/urandom as source of random entropy
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
    Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
    Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: added connection description "customer"
    Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: listening for IKE messages
    Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface eth0/eth0 52.24.154.45:500
    Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface eth0/eth0 52.24.154.45:4500
    Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface eth0/eth0 172.31.38.203:500
    Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface eth0/eth0 172.31.38.203:4500
    Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface lo/lo 127.0.0.1:500
    Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface lo/lo 127.0.0.1:4500
    Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface lo/lo ::1:500
    Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: loading secrets from "/etc/ipsec.secrets"
    Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
    Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: initiating Main Mode
    Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: ignoring Vendor ID payload [FRAGMENTATION]
    Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
    Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
    Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
    Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: STATE_MAIN_I2: sent MI2, expecting MR2
    Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
    Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
    Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: STATE_MAIN_I3: sent MI3, expecting MR3
    Jan 11 20:12:01 ip-172-31-38-203 pluto[27458]: initiate on demand from 172.31.38.203:0 to 203.201.213.58:80 proto=6 state: fos_start because: acquire
    Jan 11 20:12:08 ip-172-31-38-203 pluto[27458]: "customer" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
    Jan 11 20:12:08 ip-172-31-38-203 pluto[27458]: "customer" #1: starting keying attempt 2 of an unlimited number

As you can see in the last few lines, the problem is:

"customer" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message

Can someone guide us in the right direction? We have tried almost every possible combination of Secret file and IPSec Config.
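As an added example (not from the question or the answer), this script parses pluto `auth.log` lines of the shape shown above, follows each ISAKMP SA through its Main Mode states, and turns the "max number of retransmissions reached STATE_MAIN_I3" event into a triage hint. The sample lines are a subset of the log in the question; the hint text is my own reading of Main Mode, not Openswan output.

```python
import re

# Constructed sample: a subset of the pluto lines from the question, one per line.
SAMPLE_LOG = """\
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: initiating Main Mode
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jan 11 20:12:08 ip-172-31-38-203 pluto[27458]: "customer" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Jan 11 20:12:08 ip-172-31-38-203 pluto[27458]: "customer" #1: starting keying attempt 2 of an unlimited number
"""

# A pluto line about one ISAKMP SA looks like: '"<conn>" #<sa>: <message>'.
SA_LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
TRANSITION = re.compile(r"transition from state (\S+) to state (\S+)")

def analyse(log_text):
    """Return {(conn, sa): record} with the last state, NAT result and failure."""
    sas = {}
    for line in log_text.splitlines():
        m = SA_LINE.search(line)
        if not m:
            continue  # startup and interface lines carry no SA number
        key = (m.group("conn"), int(m.group("sa")))
        rec = sas.setdefault(key, {"state": None, "nated": False, "failure": None, "attempts": 1})
        msg = m.group("msg")
        t = TRANSITION.search(msg)
        if t:
            rec["state"] = t.group(2)
        if "i am NATed" in msg:
            rec["nated"] = True  # expected on EC2: an Elastic IP is a 1:1 NAT
        if "max number of retransmissions" in msg:
            rec["failure"] = msg
        if msg.startswith("starting keying attempt"):
            rec["attempts"] += 1
    return sas

def diagnose(rec):
    """Turn an SA record into a triage hint (my reading of Main Mode, not pluto's)."""
    if rec["failure"] is None:
        return "no failure recorded"
    if rec["state"] != "STATE_MAIN_I3":
        return "Phase 1 failed in %s" % rec["state"]
    # MI3 is the first encrypted Main Mode message and carries our ID, so an unanswered
    # MI3 means the peer could not decrypt it (PSK mismatch) or rejected the ID inside it.
    hint = "Phase 1 stalled after MI3: peer never sent MR3, so verify both the PSK and the ID"
    if rec["nated"]:
        hint += " (we are NATed: the peer's PSK entry and expected ID must use our public address, i.e. leftid)"
    return hint
```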

1 Answer

Not sure if it is relevant any more, but we are regularly experiencing similar errors on our VPN server (also hosted on AWS).

Normally restarting the services with these commands solves the problem:

  • /etc/init.d/ipsec restart
  • /etc/init.d/xl2tpd restart

But I don't know why this is happening in the first place. Sometimes the VPN tunnel collapses while being in use, and only restarting it makes a connection possible again.

Max