IPsec Tunnel not Establishing
- Check whether the IP addresses used are part of the spoof address list when DDoS protection is enabled on the WAN interface.
  - This use case applies when the Network Appliance WANs are on a private IP address space and not directly facing the Internet. If so, navigate to the Security->DDOS page and remove the private address range from the spoof address list.
- Check that the remote IP addresses are reachable.
  - Use the ping option on the Utility page to verify this.
- Check that the ports used for tunnel creation (500 and 4500, or the custom remote port) are open.
  - In a use case where there is a router in front of the Network Appliance, a port forward configuration should be enabled on that router to direct the ports to the respective WAN on the Network Appliance. The firewall configuration on that router should also open up the ports.
- Encryption and IKE algorithms should match on both ends.
  - Verify this by comparing the tunnel information on both ends using the "Info" icon on the respective tunnel.
- Local LAN and tunnel subnets should be specified in the allowed subnets.
- Make sure the certificates have not expired.
  - Verify the status by navigating to the Security->x509 page for the respective certificates used.
- If using custom HOST certificates, make sure the CA certificate that issued the HOST certificates is imported on both ends.
- Make sure the interfaces for the LAN subnets advertised in the local subnets are enabled.
Advanced Debugging options
Enable IPsec logs on the EC
- IPsec logs are disabled by default on the EC because even the lowest reporting level floods the log with messages. To enable them, use the secure shell and enter the console. This operation is to be performed only by Amzetta Support.
Edit the file /etc/strongswan.d/charon-logging.conf. Change the default loglevel option from -1 to 1 under charon -> filelog -> /var/log/ipsec.log:
    # Default loglevel.
    default = 1
Save the file and send a SIGHUP signal to the charon daemon so that it reloads the logging configuration:
    kill -SIGHUP `pidof charon`
Disable IPsec logs on the EC
To disable the log after debugging, change the default loglevel back to -1 and send SIGHUP to the charon daemon again.
Debugging IPsec logs
Mismatching algorithms
Example 1
May 31 15:26:49 13[CFG] received stroke: add connection 'IPSEC02'
May 31 15:26:49 13[CFG] a PRF algorithm is mandatory in IKE proposals
May 31 15:26:49 13[CFG] skipped invalid proposal string: aes256gcm16-aes256gmac-modp4096
May 31 15:26:49 08[CFG] received stroke: route 'IPSEC02'
May 31 15:26:49 08[CFG] no config named 'IPSEC02'
May 31 15:26:49 06[CFG] received stroke: initiate 'IPSEC02'
May 31 15:26:49 06[CFG] no config named 'IPSEC02'
Example 2
Jun 3 12:53:03 01[NET] <5> received packet: from 10.132.0.4[500] to 10.132.0.3[500] (584 bytes)
Jun 3 12:53:03 01[ENC] <5> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun 3 12:53:03 01[IKE] <5> 10.132.0.4 is initiating an IKE_SA
Jun 3 12:53:03 01[CFG] <5> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_3072
Jun 3 12:53:03 01[CFG] <5> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_4096
Jun 3 12:53:03 01[IKE] <5> remote host is behind NAT
Jun 3 12:53:03 01[IKE] <5> received proposals unacceptable
Jun 3 12:53:03 01[ENC] <5> generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jun 3 12:53:27 10[IKE] initiating IKE_SA IPSEC00[419] to 10.132.0.3
Jun 3 12:53:27 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun 3 12:53:27 10[NET] sending packet: from 10.132.0.4[500] to 10.132.0.3[500] (584 bytes)
Jun 3 12:53:27 11[NET] received packet: from 10.132.0.3[500] to 10.132.0.4[500] (36 bytes)
Jun 3 12:53:27 11[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jun 3 12:53:27 11[IKE] received NO_PROPOSAL_CHOSEN notify error
Jun 3 12:53:51 07[ENC] parsed CREATE_CHILD_SA request 0 [ SA No KE TSi TSr ]
Jun 3 12:53:51 07[CFG] received proposals: ESP:AES_GCM_16_256/MODP_3072/NO_EXT_SEQ
Jun 3 12:53:51 07[CFG] configured proposals: ESP:AES_GCM_16_256/MODP_4096/NO_EXT_SEQ
Jun 3 12:53:51 07[IKE] no acceptable proposal found
Jun 3 12:53:51 07[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 3 12:53:51 07[ENC] generating CREATE_CHILD_SA response 0 [ N(NO_PROP) ]
Example 3: Encryption algorithms not matching
Jun 3 13:04:47 13[IKE] establishing CHILD_SA IPSEC00{1558}
Jun 3 13:04:47 13[ENC] generating CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
Jun 3 13:04:47 13[NET] sending packet: from 10.132.0.4[4500] to 10.132.0.3[4500] (721 bytes)
Jun 3 13:04:47 15[NET] received packet: from 10.132.0.3[4500] to 10.132.0.4[4500] (65 bytes)
Jun 3 13:04:47 15[ENC] parsed CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
Jun 3 13:04:47 15[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Jun 3 13:04:47 15[IKE] failed to establish CHILD_SA, keeping IKE_SA
Remote IP has changed but the branch is still pointing to the old IP
Feb 23 17:56:07 08[IKE] initiating IKE_SA IPS01azbu0o01[33] to 172.31.2.77
Feb 23 17:56:07 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 23 17:56:07 08[NET] sending packet: from 172.31.2.64[500] to 172.31.2.77[500] (592 bytes)
Feb 23 17:56:07 14[NET] received packet: from 172.31.2.77[500] to 172.31.2.64[500] (36 bytes)
Feb 23 17:56:07 14[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
Feb 23 17:56:07 14[IKE] received NO_PROPOSAL_CHOSEN notify error
CA Certificate missing
Feb 23 17:36:28 15[CFG] using certificate "C=US, ST=Georgia, L=Norcross, O=admin, OU=CPE Unit, CN=c-Bqc5_4e8u4a_WAN00_dio8u, [email protected]"
Feb 23 17:36:28 15[CFG] no issuer certificate found for "C=US, ST=Georgia, L=Norcross, O=admin, OU=CPE Unit, CN=c-Bqc5_4e8u4a_WAN00_dio8u, [email protected]"
Feb 23 17:36:28 15[CFG] issuer is "C=US, ST=Georgia, L=Norcross, O=zwan-tenant, OU=CPE Unit, CN=zwan-tenant, [email protected]"
Feb 23 17:36:28 15[IKE] no trusted RSA public key found for 'C=US, ST=Georgia, L=Norcross, O=admin, OU=CPE Unit, CN=c-Bqc5_4e8u4a_WAN00_dio8u, [email protected]'
Feb 23 17:36:28 15[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
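The signatures in the examples above (an invalid proposal string, received versus configured proposals, NO_PROPOSAL_CHOSEN, and a missing issuer certificate) are regular enough to triage mechanically. The following Python helper is an added example, not part of the appliance or of strongSwan; it runs over constructed sample lines copied from this page (certificate DNs shortened) and reports which algorithm slots differ. Note that NO_PROPOSAL_CHOSEN alone cannot distinguish mismatched algorithms from a peer that has no configuration for us at all (the changed-remote-IP case), so that finding only points to the peer's side.

```python
import re

# Added triage helper (not appliance or strongSwan code): scans a charon log
# excerpt for the failure signatures shown on this page.
PROPOSAL_RE = re.compile(r"(received|configured) proposals: (IKE|ESP|AH):([^,\s]+)")
INVALID_RE = re.compile(r"skipped invalid proposal string: (\S+)")
ISSUER_RE = re.compile(r'issuer is "([^"]+)"')

# Constructed sample: lines taken from this page's examples, DNs shortened.
SAMPLE_LOG = """\
May 31 15:26:49 13[CFG] skipped invalid proposal string: aes256gcm16-aes256gmac-modp4096
Jun 3 12:53:03 01[CFG] <5> received proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_3072
Jun 3 12:53:03 01[CFG] <5> configured proposals: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_4096
Jun 3 12:53:03 01[IKE] <5> received proposals unacceptable
Jun 3 12:53:27 11[IKE] received NO_PROPOSAL_CHOSEN notify error
Jun 3 12:53:51 07[CFG] received proposals: ESP:AES_GCM_16_256/MODP_3072/NO_EXT_SEQ
Jun 3 12:53:51 07[CFG] configured proposals: ESP:AES_GCM_16_256/MODP_4096/NO_EXT_SEQ
Feb 23 17:36:28 15[CFG] no issuer certificate found for "C=US, O=admin, CN=c-Bqc5_4e8u4a_WAN00_dio8u"
Feb 23 17:36:28 15[CFG] issuer is "C=US, O=zwan-tenant, CN=zwan-tenant"
"""

def proposal_diff(received, configured):
    """Algorithms only the peer offered, and algorithms only we accept, from
    slash-separated strings such as AES_GCM_16_256/PRF_HMAC_SHA2_256/MODP_3072."""
    r, c = set(received.split("/")), set(configured.split("/"))
    return sorted(r - c), sorted(c - r)

def triage(log_text):
    """Return one (kind, detail...) tuple per diagnosed problem, in log order."""
    findings, pending, want_issuer = [], {}, False
    for line in log_text.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            kind, proto, props = m.groups()
            if kind == "received":
                pending[proto] = props          # wait for the matching 'configured' line
            elif proto in pending:
                diff = proposal_diff(pending.pop(proto), props)
                if diff != ([], []):
                    findings.append(("proposal_mismatch", proto, diff))
            continue
        m = INVALID_RE.search(line)
        if m:                                   # our own proposal string was rejected at load
            findings.append(("invalid_proposal_string", m.group(1)))
        elif "NO_PROPOSAL_CHOSEN" in line:      # the peer rejected what we sent
            findings.append(("no_proposal_chosen", "peer rejected our proposals"))
        elif "no issuer certificate found" in line:
            want_issuer = True                  # the CA DN follows on the 'issuer is' line
        elif want_issuer and (m := ISSUER_RE.search(line)):
            findings.append(("missing_issuer", m.group(1)))
            want_issuer = False
    return findings
```

Point triage() at the contents of /var/log/ipsec.log after enabling logging as described above; a missing_issuer finding names the CA that must be imported on both ends.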
Known Restrictions
- IKEv1 is not supported, as it does not support multiple source IP ranges/subnets as part of the allowed subnets field.
- NAT and compression are not supported when using IPsec in AH mode.