New Member
Posts: 18
Registered: ‎04-09-2014
Kudos: 2
Solutions: 1

ipsec (site-to-site) is not initiating

Hello guys,

I'm struggling with the configuration of IPsec on an ERLite (EdgeOS 1.9.1.1). My VPN is simply not trying to connect at all...

The HQ sent me these requirements for a successful connection to their tunnel (probably some Cisco):

 

1st phase of IPsec
Remote VPN gateway IP address: xxx.xxx.191.223
„Key-exchange“ and authentication mode: IKE
Negotiation mode: main
Pre-shared key: ****************
Encryption algorithm: AES-256
Integrity-check algorithm: SHA-512
Diffie-Hellman group: 5
SA lifetime: 86400

2nd phase of IPsec (Quick mode)
Encapsulation/transport mode: Tunnel mode
Protection protocol: ESP
Integrity-check protocol: ESP
PFS: group5
SA lifetime (seconds): 3600
SA lifetime (Kbytes): 4608000
Encryption algorithm: AES-256
Integrity-check algorithm: SHA-512
Compression method: no

So here's my configuration on the ERLite:

# show vpn
 ipsec {
     disable-uniqreqids
     esp-group upvs {
         compression disable
         lifetime 3600
         mode tunnel
         pfs dh-group5
         proposal 1 {
             encryption aes256
             hash sha512
         }
     }
     ike-group upvs {
         key-exchange ikev1
         lifetime 86400
         mode main
         proposal 1 {
             dh-group 5
             encryption aes256
             hash sha512
         }
     }
     ipsec-interfaces {
         interface eth0
     }
     logging {
         log-level 2
     }
     site-to-site {
         peer xxx.xxx.191.223 {
             authentication {
                 mode pre-shared-secret
                 pre-shared-secret **********
             }
             connection-type initiate
             default-esp-group upvs
             ike-group upvs
             local-address xxx.xxx.189.99
             tunnel 1 {
                 esp-group upvs
                 local {
                     prefix xxx.xxx.23.0/28
                 }
                 remote {
                     prefix xxx.xxx.135.0/24
                 }
             }
         }
     }
 }

After commit/save:

$ show vpn log
Jun 16 12:09:55 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.10.20-UBNT, mips64)
Jun 16 12:12:40 00[DMN] signal of type SIGINT received. Shutting down
Jun 16 12:12:44 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.10.20-UBNT, mips64)
$ show vpn ipsec sa
$ 
$ show vpn ipsec status
IPSec Process Running PID: 6765

0 Active IPsec Tunnels

IPsec Interfaces :
        eth0    (xxx.xxx.189.99)
$ show vpn debug       
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.10.20-UBNT, mips64):
  uptime: 21 minutes, since Jun 16 12:12:44 2017
  malloc: sbrk 373904, mmap 0, used 258512, free 115392
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon ldap sqlite pkcs11 aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pem openssl agent xcbc cmac ctr ccm gcm curl attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap addrblock
Listening IP addresses:
  xxx.xxx.189.99
  xxx.xxx.23.1
  192.168.4.120
Connections:
peer-xxx.xxx.191.223-tunnel-1:  xxx.xxx.189.99...xxx.xxx.191.223  IKEv1
peer-xxx.xxx.191.223-tunnel-1:   local:  [xxx.xxx.189.99] uses pre-shared key authentication
peer-xxx.xxx.191.223-tunnel-1:   remote: [xxx.xxx.191.223] uses pre-shared key authentication
peer-xxx.xxx.191.223-tunnel-1:   child:  xxx.xxx.23.0/28 === xxx.xxx.135.0/24 TUNNEL
Routed Connections:
peer-xxx.xxx.191.223-tunnel-1{1}:  ROUTED, TUNNEL
peer-xxx.xxx.191.223-tunnel-1{1}:   xxx.xxx.23.0/28 === xxx.xxx.135.0/24 
Security Associations (0 up, 0 connecting):
  none

Any suggestions would be appreciated.

Thank you very much in advance.


Accepted Solutions
New Member
Posts: 18
Registered: ‎04-09-2014
Kudos: 2
Solutions: 1

Re: ipsec (site-to-site) is not initiating

Thank you for all the inputs. The problem was local ID and remote ID authentication (the remote IPsec router was behind NAT). They configured their ID as a distinguished name. My ID is my public IP.

This is my configuration:

ipsec {
     esp-group upvs {
         compression disable
         lifetime 3600
         mode tunnel
         pfs dh-group5
         proposal 1 {
             encryption aes256
             hash sha512
         }
     }
     ike-group upvs {
         key-exchange ikev1
         lifetime 86400
         mode main
         proposal 1 {
             dh-group 5
             encryption aes256
             hash sha512
         }
     }
     site-to-site {
         peer xxx.xxx.191.223 {
             authentication {
                 id xxx.xxx.171.98
                 mode pre-shared-secret
                 pre-shared-secret ***********
                 remote-id something@something.something
             }
             connection-type initiate
             default-esp-group upvs
             ike-group upvs
             local-address 192.168.139.199
             tunnel 1 {
                 esp-group upvs
                 local {
                     prefix xxx.xxx.23.0/28
                 }
                 remote {
                     prefix xxx.xxx.135.0/24
                 }
             }
         }
     }
 }



All Replies
Senior Member
Posts: 2,745
Registered: ‎04-21-2015
Kudos: 406
Solutions: 108

Re: ipsec (site-to-site) is not initiating

What does your security policy look like? Do you allow the IKE, ESP and IPsec protocols to your external interface?
Thanks,
Myky
CWNA
--------------------------------------------------------------------------------------------------------------------------------------------------
Don't blame the device, as it's always doing what you have asked it to do; this is not always the same as what you want.
New Member
Posts: 18
Registered: ‎04-09-2014
Kudos: 2
Solutions: 1

Re: ipsec (site-to-site) is not initiating

Thank you for your answer. Do you mean firewall policies?

Here is my whole configuration:


firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address xxx.xxx.189.99/29
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        address xxx.xxx.23.1/28
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 192.168.4.120/24
        description "Local 2"
        duplex auto
        speed auto
    }
    loopback lo {
    }
}
service {
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on eth2
        }
    }
    gui {
        https-port 443
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
}
system {
    gateway-address xxx.xxx.189.97
    host-name ubnt
    login {
        user somi {
            authentication {
                encrypted-password ****************
            }
            level admin
        }
    }
    name-server 8.8.8.8
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}
vpn {
    ipsec {
        disable-uniqreqids
        esp-group upvs {
            compression disable
            lifetime 3600
            mode tunnel
            pfs dh-group5
            proposal 1 {
                encryption aes256
                hash sha512
            }
        }
        ike-group upvs {
            key-exchange ikev1
            lifetime 86400
            mode main
            proposal 1 {
                dh-group 5
                encryption aes256
                hash sha512
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        logging {
            log-level 2
        }
        site-to-site {
            peer xxx.xxx.191.223 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                default-esp-group upvs
                ike-group upvs
                local-address xxx.xxx.189.99
                tunnel 1 {
                    esp-group upvs
                    local {
                        prefix xxx.xxx.23.0/28
                    }
                    remote {
                        prefix xxx.xxx.135.0/24
                    }
                }
            }
        }
    }
}
SuperUser
Posts: 8,758
Registered: ‎01-05-2012
Kudos: 2322
Solutions: 1165

Re: ipsec (site-to-site) is not initiating

Did you try to generate traffic from the xxx.xxx.23.1/28 network to the xxx.xxx.135.0/24 network?
Veteran Member
Posts: 8,104
Registered: ‎03-24-2016
Kudos: 2129
Solutions: 930

Re: ipsec (site-to-site) is not initiating

Your IPsec config is missing the auto-firewall-nat-exclude part, and you didn't configure all the rules it creates manually.

So interesting traffic (xxx.xxx.23.0/28 -> xxx.xxx.135.0/24) gets masqueraded and won't trigger the VPN connection. And incoming IKE requests from the remote are firewalled off.
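The two problems named in this post (interesting traffic masqueraded before it can match the IPsec policy, and a WAN local ruleset that drops inbound IKE/ESP) and the identity mismatch that turned out to be the root cause in the accepted solution can all be checked statically from a saved configuration. The script below is an added example written for this thread; it is not EdgeOS tooling and not code from anyone in the discussion. It parses `show configuration commands` output into a token trie and flags the three pitfalls. The sample configurations, the RFC 5737 addresses and the `hq-vpn@example.net` remote-id are constructed.

```python
"""Lint an EdgeOS 'show configuration commands' dump for the site-to-site IPsec
pitfalls raised in this thread. Added example; not EdgeOS's own tooling."""
import shlex

def parse_set_commands(text):
    """Token trie: 'set service nat rule 5010 type masquerade' becomes
    trie['service']['nat']['rule']['5010']['type']['masquerade'] = {}."""
    trie = {}
    for line in text.splitlines():
        words = shlex.split(line)
        if words[:1] != ["set"]:
            continue  # blank lines, comments and 'delete' statements are ignored
        node = trie
        for word in words[1:]:
            node = node.setdefault(word, {})
    return trie

def walk(node, *path):
    """Subtree at path, or {} when any component is missing."""
    for key in path:
        node = node.get(key, {})
    return node

def one(node, *path):
    """Single value token under a leaf key, e.g. one(rule, 'type') -> 'masquerade'."""
    return next(iter(walk(node, *path)), None)

def accepts(ruleset, proto, ports=()):
    """True if some accept rule matches proto and every listed destination port."""
    for rule in walk(ruleset, "rule").values():
        if "accept" in walk(rule, "action") and proto in walk(rule, "protocol"):
            allowed = set((one(rule, "destination", "port") or "").split(","))
            if all(p in allowed for p in ports):
                return True
    return False

def nat_excluded(nat_rules, iface, remote_prefix):
    """True unless a masquerade/source rule on iface fires before an exclude rule for remote_prefix."""
    excluded = False
    for _, rule in sorted(nat_rules.items(), key=lambda kv: int(kv[0])):  # EdgeOS evaluates NAT rules by number
        if iface not in walk(rule, "outbound-interface"):
            continue
        if "exclude" in rule and remote_prefix in walk(rule, "destination", "address"):
            excluded = True
        elif one(rule, "type") in ("masquerade", "source") and not excluded:
            return False
    return True

def lint(text):
    """Findings tagged FW-IKE, FW-ESP, NAT-EXCLUDE or PEER-ID; an empty list means clean."""
    cfg = parse_set_commands(text)
    ipsec = walk(cfg, "vpn", "ipsec")
    auto = "enable" in walk(ipsec, "auto-firewall-nat-exclude")  # EdgeOS then adds the exclude and firewall rules itself
    findings = []
    for peer_ip, peer in walk(ipsec, "site-to-site", "peer").items():
        local_ip = one(peer, "local-address")
        # the WAN interface is the one carrying local-address; its 'local' ruleset guards IKE/ESP to the router
        iface = next((n for n, e in walk(cfg, "interfaces", "ethernet").items()
                      if any(a.split("/")[0] == local_ip for a in walk(e, "address"))), None)
        ruleset_name = one(cfg, "interfaces", "ethernet", iface, "firewall", "local", "name")
        ruleset = walk(cfg, "firewall", "name", ruleset_name)
        if ruleset and not auto:
            if not accepts(ruleset, "udp", ("500", "4500")):
                findings.append(f"FW-IKE {peer_ip}: {ruleset_name} on {iface} has no accept rule for IKE (udp/500,4500); the remote cannot initiate toward this router")
            if not accepts(ruleset, "esp"):
                findings.append(f"FW-ESP {peer_ip}: {ruleset_name} on {iface} has no accept rule for ESP")
        for tun, tcfg in walk(peer, "tunnel").items():
            remote = one(tcfg, "remote", "prefix")
            if not auto and not nat_excluded(walk(cfg, "service", "nat", "rule"), iface, remote):
                findings.append(f"NAT-EXCLUDE {peer_ip} tunnel {tun}: traffic to {remote} is masqueraded on {iface} before it can match the IPsec policy, so it never triggers the tunnel")
        auth = walk(peer, "authentication")
        if "pre-shared-secret" in walk(auth, "mode") and not (walk(auth, "id") and walk(auth, "remote-id")):
            findings.append(f"PEER-ID {peer_ip}: no explicit id/remote-id, so identities default to the IP addresses and fail when the remote is behind NAT or sends another ID")
    return findings

# Constructed sample modelled on the configuration posted above (RFC 5737 addresses; secret line omitted).
BROKEN = """
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set interfaces ethernet eth0 address 203.0.113.99/29
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set service nat rule 5010 outbound-interface eth0
set service nat rule 5010 type masquerade
set vpn ipsec site-to-site peer 198.51.100.223 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 198.51.100.223 local-address 203.0.113.99
set vpn ipsec site-to-site peer 198.51.100.223 tunnel 1 remote prefix 10.135.0.0/24
"""
# The thread's fix: the auto option plus explicit identities (the remote-id value is a placeholder).
FIXED = BROKEN + """
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec site-to-site peer 198.51.100.223 authentication id 203.0.113.99
set vpn ipsec site-to-site peer 198.51.100.223 authentication remote-id hq-vpn@example.net
"""
# Manual equivalent: an exclude rule numbered below the masquerade, plus IKE/ESP accepts, same identities.
MANUAL = FIXED.replace("set vpn ipsec auto-firewall-nat-exclude enable\n", "") + """
set service nat rule 5000 destination address 10.135.0.0/24
set service nat rule 5000 exclude
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 type masquerade
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 protocol udp
set firewall name WAN_LOCAL rule 30 destination port 500,4500
set firewall name WAN_LOCAL rule 40 action accept
set firewall name WAN_LOCAL rule 40 protocol esp
"""
```

Feed it the text of `show configuration commands` saved from the router; `lint(BROKEN)` reports all four findings, while `lint(FIXED)` and `lint(MANUAL)` come back empty. The ordering check in `nat_excluded` is the whole point of the manual variant: an exclude rule only helps if its number is lower than the masquerade rule it is meant to pre-empt.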

New Member
Posts: 18
Registered: ‎04-09-2014
Kudos: 2
Solutions: 1

Re: ipsec (site-to-site) is not initiating

Oh, I didn't know I needed to make some traffic to actually "start" the VPN... /me keyboard-head-smash

So I finally see something in the logs, but can't make any connection to the other side... Wrong pre-shared key or something else? I don't have any access to the other side's IPsec router, so I can only guess.

I also added "auto-firewall-nat-exclude" and did "delete interface ethernet eth0 firewall" (to make sure it's not interfering with something), still no luck...

Some outputs now:

$ show vpn ipsec sa    
peer-xxx.xxx.191.223-tunnel-1: #1, CONNECTING, IKEv1, 94686f6513a5e769:0000000000000000
  local  '%any' @ xxx.xxx.189.99
  remote '%any' @ xxx.xxx.191.223
  queued:  QUICK_MODE
  active:  ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
$ show vpn ipsec status
IPSec Process Running PID: 6765

0 Active IPsec Tunnels

IPsec Interfaces :
        eth0    (xxx.xxx.189.99)
$ show vpn debug
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.10.20-UBNT, mips64):
  uptime: 20 hours, since Jun 16 12:12:44 2017
  malloc: sbrk 373904, mmap 0, used 266432, free 107472
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon ldap sqlite pkcs11 aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pem openssl agent xcbc cmac ctr ccm gcm curl attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap addrblock
Listening IP addresses:
  xxx.xxx.189.99
  xxx.xxx.23.1
  192.168.4.120
Connections:
peer-xxx.xxx.191.223-tunnel-1:  xxx.xxx.189.99...xxx.xxx.191.223  IKEv1
peer-xxx.xxx.191.223-tunnel-1:   local:  [xxx.xxx.189.99] uses pre-shared key authentication
peer-xxx.xxx.191.223-tunnel-1:   remote: [xxx.xxx.191.223] uses pre-shared key authentication
peer-xxx.xxx.191.223-tunnel-1:   child:  xxx.xxx.23.0/28 === xxx.xxx.135.0/24 TUNNEL
Routed Connections:
peer-xxx.xxx.191.223-tunnel-1{1}:  ROUTED, TUNNEL
peer-xxx.xxx.191.223-tunnel-1{1}:   xxx.xxx.23.0/28 === xxx.xxx.135.0/24 
Security Associations (1 up, 0 connecting):
peer-xxx.xxx.191.223-tunnel-1[1]: CONNECTING, xxx.xxx.189.99[%any]...xxx.xxx.191.223[%any]
peer-xxx.xxx.191.223-tunnel-1[1]: IKEv1 SPIs: 94686f6513a5e769_i* 0000000000000000_r
peer-xxx.xxx.191.223-tunnel-1[1]: Tasks queued: QUICK_MODE 
peer-xxx.xxx.191.223-tunnel-1[1]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
$ show vpn log 
Jun 16 12:09:55 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.10.20-UBNT, mips64)
Jun 16 12:12:40 00[DMN] signal of type SIGINT received. Shutting down
Jun 16 12:12:44 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.10.20-UBNT, mips64)
Jun 17 08:36:42 05[KNL] creating acquire job for policy xxx.xxx.23.1/32[udp/60134] === xxx.xxx.135.1/32[udp/1025] with reqid {1}
Jun 17 08:36:42 03[IKE] <peer-xxx.xxx.191.223-tunnel-1|1> initiating Main Mode IKE_SA peer-xxx.xxx.191.223-tunnel-1[1] to xxx.xxx.191.223
Jun 17 08:39:27 16[IKE] <peer-xxx.xxx.191.223-tunnel-1|1> initiating Main Mode IKE_SA peer-xxx.xxx.191.223-tunnel-1[1] to xxx.xxx.191.223
Jun 17 08:42:12 04[IKE] <peer-xxx.xxx.191.223-tunnel-1|1> initiating Main Mode IKE_SA peer-xxx.xxx.191.223-tunnel-1[1] to xxx.xxx.191.223
Jun 17 08:44:43 16[KNL] creating acquire job for policy xxx.xxx.23.1/32[udp/36831] === xxx.xxx.135.126/32[udp/1025] with reqid {1}
Jun 17 08:44:57 04[IKE] <peer-xxx.xxx.191.223-tunnel-1|1> initiating Main Mode IKE_SA peer-xxx.xxx.191.223-tunnel-1[1] to xxx.xxx.191.223
Jun 17 08:47:42 13[IKE] <peer-xxx.xxx.191.223-tunnel-1|1> initiating Main Mode IKE_SA peer-xxx.xxx.191.223-tunnel-1[1] to xxx.xxx.191.223
Jun 17 08:48:54 16[KNL] creating acquire job for policy xxx.xxx.23.10/32[icmp] === xxx.xxx.135.35/32[icmp] with reqid {1}
Jun 17 08:50:27 03[IKE] <peer-xxx.xxx.191.223-tunnel-1|1> initiating Main Mode IKE_SA peer-xxx.xxx.191.223-tunnel-1[1] to xxx.xxx.191.223
Jun 17 08:53:12 01[IKE] <peer-xxx.xxx.191.223-tunnel-1|1> initiating Main Mode IKE_SA peer-xxx.xxx.191.223-tunnel-1[1] to xxx.xxx.191.223
Jun 17 08:55:57 01[IKE] <peer-xxx.xxx.191.223-tunnel-1|1> initiating Main Mode IKE_SA peer-xxx.xxx.191.223-tunnel-1[1] to xxx.xxx.191.223
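A log excerpt like the one above can be read mechanically: the [KNL] acquire jobs prove that interesting traffic reached the IPsec policy (so the NAT exclusion is now working), while repeated Main Mode initiations with no [IKE] line reporting anything received mean the peer never answered. The script below is an added example written for this thread, not part of EdgeOS or strongSwan; it parses charon's `time thread[SUBSYSTEM] <ike-sa> message` line format and classifies the excerpt. The sample lines are constructed with RFC 5737 addresses and mirror the pattern posted above; the extra NO_PROPOSAL_CHOSEN, "decryption failed" and "established" lines show what a proposal mismatch, a PSK/ID problem and a successful negotiation look like.

```python
"""Classify a strongSwan 'show vpn log' excerpt for a site-to-site tunnel that will not
come up. Added example for this thread; not an EdgeOS or strongSwan tool."""
import re

# charon log line: "Jun 17 08:36:42 03[IKE] <conn|1> message" (thread id, subsystem tag, optional IKE_SA name)
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<thread>\d+)\[(?P<sub>\w+)\] "
                  r"(?:<(?P<sa>[^>]+)> )?(?P<msg>.*)$")

def parse_log(text):
    """One dict per line in charon's format; prompts, blanks and other output are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def diagnose(text):
    """Counts plus a verdict: UP, PROPOSAL-MISMATCH, AUTH-OR-ID-MISMATCH, NO-TRAFFIC, PEER-SILENT or UNKNOWN."""
    events = parse_log(text)
    ike = [e["msg"] for e in events if e["sub"] == "IKE"]
    acquires = sum("creating acquire job" in e["msg"] for e in events if e["sub"] == "KNL")
    initiations = sum(m.startswith("initiating ") for m in ike)
    # Only [IKE] lines count as evidence of the peer; 'signal of type SIGINT received' is a [DMN] line.
    from_peer = [m for m in ike if m.startswith(("received ", "parsed ")) or " established between " in m]
    if any(" established between " in m for m in ike):
        verdict = "UP"
    elif any("NO_PROPOSAL_CHOSEN" in m for m in ike):
        verdict = "PROPOSAL-MISMATCH"      # algorithms, DH group or mode differ from the peer's
    elif any(s in m for m in ike for s in ("AUTHENTICATION_FAILED", "INVALID_ID_INFORMATION", "decryption failed")):
        verdict = "AUTH-OR-ID-MISMATCH"    # wrong PSK, or id/remote-id not what the peer expects
    elif acquires == 0:
        verdict = "NO-TRAFFIC"             # nothing matched the policy: no interesting traffic, or it was NATed first
    elif initiations and not from_peer:
        verdict = "PEER-SILENT"            # Main Mode requests draw no reply: path, peer firewall or peer config
    else:
        verdict = "UNKNOWN"
    return {"acquires": acquires, "initiations": initiations, "peer_messages": len(from_peer), "verdict": verdict}

# Constructed excerpts (RFC 5737 addresses). SILENT mirrors the pattern posted above.
SILENT = """
Jun 16 12:12:44 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.10.20-UBNT, mips64)
Jun 17 08:36:42 05[KNL] creating acquire job for policy 192.0.2.1/32[udp/60134] === 10.135.0.1/32[udp/1025] with reqid {1}
Jun 17 08:36:42 03[IKE] <peer-198.51.100.223-tunnel-1|1> initiating Main Mode IKE_SA peer-198.51.100.223-tunnel-1[1] to 198.51.100.223
Jun 17 08:39:27 16[IKE] <peer-198.51.100.223-tunnel-1|1> initiating Main Mode IKE_SA peer-198.51.100.223-tunnel-1[1] to 198.51.100.223
"""
MISMATCH = SILENT + "Jun 17 08:39:28 16[IKE] <peer-198.51.100.223-tunnel-1|1> received NO_PROPOSAL_CHOSEN error notify\n"
BADPSK = SILENT + "Jun 17 08:39:28 16[IKE] <peer-198.51.100.223-tunnel-1|1> invalid HASH_V1 payload length, decryption failed?\n"
UP = SILENT + ("Jun 17 08:39:28 16[IKE] <peer-198.51.100.223-tunnel-1|1> IKE_SA peer-198.51.100.223-tunnel-1[1] "
               "established between 203.0.113.99[203.0.113.99]...198.51.100.223[hq-vpn@example.net]\n")
IDLE = "Jun 16 12:12:44 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.10.20-UBNT, mips64)\n"

if __name__ == "__main__":
    for name, sample in (("silent", SILENT), ("mismatch", MISMATCH), ("badpsk", BADPSK), ("up", UP), ("idle", IDLE)):
        print(name, diagnose(sample))
```

On the excerpt posted above the verdict is PEER-SILENT: one acquire per new flow, an initiation roughly every 165 seconds as charon gives up retransmitting and the next packet re-triggers the policy, and not a single message from the peer. That distinguishes a peer that is not answering at all (reachability, a firewall in front of it, or a peer that does not recognise this initiator's address or identity) from the cases where the peer replies with an error, which show up as the other verdicts.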

 

New Member
Posts: 18
Registered: ‎04-09-2014
Kudos: 2
Solutions: 1

Re: ipsec (site-to-site) is not initiating

There is some policy routing output too...

$ show vpn ipsec policy 
src xxx.xxx.135.0/24 dst xxx.xxx.23.0/28 
        dir fwd priority 5939 
        tmpl src xxx.xxx.191.223 dst xxx.xxx.189.99
                proto esp reqid 1 mode tunnel
src xxx.xxx.135.0/24 dst xxx.xxx.23.0/28 
        dir in priority 5939 
        tmpl src xxx.xxx.191.223 dst xxx.xxx.189.99
                proto esp reqid 1 mode tunnel
src xxx.xxx.23.0/28 dst xxx.xxx.135.0/24 
        dir out priority 5939 
        tmpl src xxx.xxx.189.99 dst xxx.xxx.191.223
                proto esp reqid 1 mode tunnel
Senior Member
Posts: 2,745
Registered: ‎04-21-2015
Kudos: 406
Solutions: 108

Re: ipsec (site-to-site) is not initiating

Sorry, I cannot check this properly as I am not at home. I would suggest enabling IKE and chn logs under the logging settings and making sure that the remote side is initiating a connection (put your site in passive mode). This way you will be the responder, hence all logs will be written at your side and give you more information.
Thanks,
Myky
CWNA
--------------------------------------------------------------------------------------------------------------------------------------------------
Don't blame the device, as it's always doing what you have asked it to do; this is not always the same as what you want.
SuperUser
Posts: 8,758
Registered: ‎01-05-2012
Kudos: 2322
Solutions: 1165

Re: ipsec (site-to-site) is not initiating

Add the command pointed out by @16again:

$ configure
# set vpn ipsec auto-firewall-nat-exclude enable
# commit
# save
# exit
$ restart vpn

Then try to generate traffic from xxx.xxx.23.0/28 to xxx.xxx.135.0/24.
Cheers,
jonatha
