We are communicating with one of our clients over a VPN Tunnel.
Openswan tunnel was working perfectly fine before. Today we attached an Elastic IP to the server and rebooted. Since then the tunnel is not starting up.
These are the steps we have performed:

- Asked the client to update our new IP at their end - DONE
- Updated the ipsec.conf at our end - DONE (here is the new file)

```
config setup
    nat_traversal=yes
    oe=off
    protostack=netkey
    interfaces="%defaultroute"

conn customer
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=52.24.154.45          # <elastic-ip>
    leftsourceip=172.31.38.203   # <internal-ip>
    leftnexthop=%defaultroute
    leftsubnet=172.31.0.0/16
    right=<client-public-ip>
    rightid=<client-public-ip>
    rightsubnet=<clients-subnet>
    phase2=esp
    phase2alg=3des-md5;modp1024
    ike=3des-md5;modp1024!
    ikelifetime=480m
    pfs=no
    auto=start
    rekey=yes
    keyingtries=%forever
```
ipsec.secrets - no modifications required:

```
include /var/lib/openswan/ipsec.secrets.inc
<client-public-ip> 0.0.0.0 %any: PSK "xxxxxxxxxxxxxx"
```
`ipsec auto --status`:

```
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 172.31.38.203
000 interface eth0/eth0 172.31.38.203
000 interface eth0/eth0 52.24.154.45
000 interface eth0/eth0 52.24.154.45
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 7 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 203.201.213.0/24, fd00::/8, fe80::/10
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000 private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,1,64} trans={0,1,3072} attrs={0,1,2048}
000
000 "customer": 172.31.0.0/16===172.31.38.203[52.24.154.45]---172.31.32.1...203.201.209.98<203.201.209.98>===203.201.213.0/24; prospective erouted; eroute owner: #0
000 "customer":     myip=172.31.38.203; hisip=unset;
000 "customer":   ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "customer":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 16,24; interface: eth0;
000 "customer":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "customer":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2); flags=strict
000 "customer":   IKE algorithms found:  3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "customer":   ESP algorithms wanted: 3DES(3)_000-MD5(1)_000; pfsgroup=MODP1024(2); flags=-strict
000 "customer":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
000
000 #2: "customer":4500 STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 33s; nodpd; idle; import:admin initiate
000 #2: pending Phase 2 for "customer" replacing #0
```

`tail /var/log/auth.log`:
```
Jan 11 20:10:57 ip-172-31-38-203 ipsec__plutorun: Starting Pluto subsystem...
Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: Starting Pluto (Openswan Version 2.6.38; Vendor ID OEvy\134kgzWq\134s) pid:27458
Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: LEAK_DETECTIVE support [disabled]
Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: OCF support for IKE [disabled]
Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: SAref support [disabled]: Protocol not available
Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: SAbind support [disabled]: Protocol not available
Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: NSS support [disabled]
Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: HAVE_STATSD notification support not compiled in
Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: Setting NAT-Traversal port-4500 floating to on
Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: port floating activation criteria nat_t=1/port_float=1
Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: NAT-Traversal support [enabled]
Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: using /dev/urandom as source of random entropy
Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: starting up 1 cryptographic helpers
Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: started helper pid=27460 (fd:6)
Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: Using Linux 2.6 IPsec interface code on 3.13.0-36-generic (experimental code)
Jan 11 20:10:57 ip-172-31-38-203 pluto[27460]: using /dev/urandom as source of random entropy
Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists
Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: added connection description "customer"
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: listening for IKE messages
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface eth0/eth0 52.24.154.45:500
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface eth0/eth0 52.24.154.45:4500
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface eth0/eth0 172.31.38.203:500
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface eth0/eth0 172.31.38.203:4500
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface lo/lo 127.0.0.1:500
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface lo/lo 127.0.0.1:4500
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface lo/lo ::1:500
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: loading secrets from "/etc/ipsec.secrets"
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: loading secrets from "/var/lib/openswan/ipsec.secrets.inc"
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: initiating Main Mode
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: ignoring Vendor ID payload [FRAGMENTATION]
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jan 11 20:12:01 ip-172-31-38-203 pluto[27458]: initiate on demand from 172.31.38.203:0 to 203.201.213.58:80 proto=6 state: fos_start because: acquire
Jan 11 20:12:08 ip-172-31-38-203 pluto[27458]: "customer" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Jan 11 20:12:08 ip-172-31-38-203 pluto[27458]: "customer" #1: starting keying attempt 2 of an unlimited number
```
As you can see in the last few lines, the problem is:
"customer" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
Can someone guide us in the right direction? We have tried almost every possible combination of secrets file and IPsec config.
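The stall on STATE_MAIN_I3 that the post ends on is a recognisable pattern in pluto's log, and it is worth reading the log mechanically rather than by eye. The script below is an added example for this thread, not code from the poster or from Openswan: it parses the message formats quoted above (interface binding, Main Mode state transitions, the NAT-T verdict and the retransmission limit), records how far each ISAKMP SA got, and says what a stall in that state implies for IKEv1 Main Mode. `SAMPLE_LOG` is constructed from the post's own lines; the regular expressions match the pluto 2.6.x message formats seen here and are an assumption for any other version.

```python
"""Triage an Openswan/Pluto IKEv1 Main Mode initiator from auth.log lines.

Added example for this thread (not the poster's code, not Openswan code).
The regexes are written against the pluto 2.6.38 message formats quoted in
the post and are an assumption for other versions.
"""
import re

RE_IFACE = re.compile(r"adding interface (?P<name>\S+) (?P<addr>[0-9a-fA-F.:]+):(?P<port>\d+)")
RE_INITIATE = re.compile(r'"(?P<conn>[^"]+)" #(?P<sa>\d+): initiating Main Mode')
RE_TRANSITION = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): transition from state (?P<src>STATE_\w+) '
    r"to state (?P<dst>STATE_\w+)")
RE_NAT = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): NAT-Traversal: Result using [^:]+: (?P<result>.+)$')
RE_RETRANS = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): max number of retransmissions \((?P<n>\d+)\) '
    r"reached (?P<state>STATE_\w+)")

# IKEv1 Main Mode, initiator side (RFC 2409): MI1 (SA proposal) and MI2
# (KE + nonce) go in the clear; MI3 is the first encrypted message and
# carries our ID and HASH. A stall therefore points at a different layer
# depending on which state the retransmissions ran out in.
STALL_HINTS = {
    "STATE_MAIN_I1": "no reply to MI1 (SA proposal): peer unreachable, UDP/500 filtered, "
                     "or no matching proposal/peer definition on the far side",
    "STATE_MAIN_I2": "no reply to MI2 (KE + nonce): DH group or NAT-T handling mismatch",
    "STATE_MAIN_I3": "no reply to MI3, the first encrypted message (our ID + HASH): the peer "
                     "could not decrypt or verify it. With PSK auth the peer selects the key by "
                     "our source address before it can read our ID, so check that the PSK it "
                     "holds for the address we arrive from matches ours, and that our leftid is "
                     "the ID it expects",
}


def _new_sa():
    return {"states": [], "nat": None, "stalled_at": None, "hint": None}


def analyse_pluto_log(lines):
    """Return {'interfaces': [(name, addr, port), ...], 'sas': {(conn, sa#): {...}}}."""
    interfaces = []
    sas = {}
    for line in lines:
        m = RE_IFACE.search(line)
        if m:
            interfaces.append((m["name"], m["addr"], int(m["port"])))
            continue
        m = RE_INITIATE.search(line)
        if m:
            sa = sas.setdefault((m["conn"], int(m["sa"])), _new_sa())
            sa["states"].append("STATE_MAIN_I1")  # MI1 has been sent
            continue
        m = RE_TRANSITION.search(line)
        if m:
            sa = sas.setdefault((m["conn"], int(m["sa"])), _new_sa())
            sa["states"].append(m["dst"])
            continue
        m = RE_NAT.search(line)
        if m:
            sas.setdefault((m["conn"], int(m["sa"])), _new_sa())["nat"] = m["result"].strip()
            continue
        m = RE_RETRANS.search(line)
        if m:
            sa = sas.setdefault((m["conn"], int(m["sa"])), _new_sa())
            sa["stalled_at"] = m["state"]
            sa["hint"] = STALL_HINTS.get(m["state"], "retransmissions exhausted in " + m["state"])
    return {"interfaces": interfaces, "sas": sas}


def listens_on(result, addr, port=500):
    """True if pluto bound addr:port, i.e. could send and receive IKE on it."""
    return any(a == addr and p == port for _, a, p in result["interfaces"])


def report(result):
    """One summary line per ISAKMP SA: furthest state, NAT-T verdict, stall hint."""
    out = []
    for (conn, num), sa in sorted(result["sas"].items()):
        reached = sa["states"][-1] if sa["states"] else "(none)"
        line = f'"{conn}" #{num}: reached {reached}; NAT-T: {sa["nat"] or "n/a"}'
        if sa["stalled_at"]:
            line += f'; stalled at {sa["stalled_at"]}: {sa["hint"]}'
        out.append(line)
    return out


# Constructed sample, adapted from the log lines quoted in the post above.
SAMPLE_LOG = """\
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface eth0/eth0 52.24.154.45:500
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface eth0/eth0 52.24.154.45:4500
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface eth0/eth0 172.31.38.203:500
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface lo/lo ::1:500
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: initiating Main Mode
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan 11 20:12:08 ip-172-31-38-203 pluto[27458]: "customer" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
"""

if __name__ == "__main__":
    for summary in report(analyse_pluto_log(SAMPLE_LOG.splitlines())):
        print(summary)
```

Run it against `tail -n 200 /var/log/auth.log` piped through `analyse_pluto_log(sys.stdin)` once the peer has been asked to check its side as well: the I3 hint is the important one here, because in Main Mode with pre-shared keys the responder has to pick the PSK from the initiator's source address before it can decrypt the ID payload, which is why a wrong key or an unexpected address on either side shows up as silence rather than an error message. The "i am NATed" verdict is what you would expect behind an Elastic IP, since EC2 maps it to the instance's private address with 1:1 NAT.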