Solved

ASTARO Hardware Firewall SITE-TO-SITE VPN

Posted on 2012-12-29
Last Modified: 2012-12-31
I have 2 sites and both sides have an Astaro hardware firewall v7.
Both sides:
firmware version: 7.512
AES-256
RSA key

I configured site-to-site VPN on the Astaro in city one (HQ) and in the other city (our Branch-1) too. They worked for nearly one year without a problem, but suddenly something happened and the connection between HQ and OUR BRANCH-1 stopped. 2 weeks ago both sites started to lose connections sometimes. NOW THERE ARE NO CONNECTIONS ANY MORE.

When the connection is lost, I look at the HQ Astaro admin page -> site-to-site VPN:
site-to-site VPN our_Branch-1: the status is RED.
No connection, but the IPSec section is green.
IPsec green
Any idea, please?
Thanks
Question by:apollo-13

Author Comment

by:apollo-13
ID: 38730344
I am not sure whether this log message can give an idea?

2012:12:21-20:48:26 pluto[6124]: "S_REF_mXgVgYJEgW_0"[2] 210.185.50.150#85: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xa2911282) not found (maybe expired)

Expert Comment

by:Qlemo
ID: 38730714
Ah, there's Apollo again ...

Looks like something in Phase 2 goes wrong. The SA Delete notif might come some time after the tunnel started negotiation - then the lifetimes are not the same on each side. If it comes shortly after initiation of the connection, one or more of the encryption/hash/DH settings, or Proxy IDs, are different.
If you do not have more in your logs, you should watch if the tunnel is up for more than one or two minutes after you re-initiate it. And you should have the log of the other site, of course.
By all means you should try to increase the log level, to get anything useful for troubleshooting. Usually you have to watch both sites to get a picture.
0
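The check suggested in the comment above (encryption/hash/DH settings differing between the two sites) can be run against pluto debug logs of the kind posted further down this thread. This is an added example, not part of any post here: it parses the `esp string values` / `ike string values` lines and compares the proposals of two gateways. The branch log, its host name `branch-1` and its connection name `S_Site_to_Site_HQ` are constructed, and the id-to-name tables contain only names that appear in the posted HQ log.

```python
import re
from collections import defaultdict

# Numeric ids -> names, taken only from the pluto debug lines in the HQ log.
IKE_ENC = {7: "OAKLEY_AES_CBC"}
IKE_HASH = {1: "OAKLEY_MD5"}
DH_GROUP = {5: "OAKLEY_GROUP_MODP1536"}
ESP_ENC = {12: "ESP_AES"}
ESP_AUTH = {1: "AUTH_ALGORITHM_HMAC_MD5"}

# "<timestamp> [host] pluto[pid]: <message>" (the host column is optional)
LINE = re.compile(r'^\S+ (?:(?P<host>\S+) )?pluto\[\d+\]: (?P<msg>.*)$')
ESP = re.compile(r'esp string values: (\d+)_(\d+)-(\d+),')        # ealg_keylen-aalg
IKE = re.compile(r'ike string values: (\d+)_(\d+)-(\d+)-(\d+),')  # ealg_keylen-aalg-modp
ADDED = re.compile(r'added connection description "([^"]+)"')


def parse_proposals(log_text):
    """Return {host: {connection: {"esp": (...), "ike": (...)}}}.

    pluto prints the esp/ike strings first and the connection name last,
    so proposals are buffered per host until "added connection" appears.
    """
    result = defaultdict(dict)
    pending = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        host, msg = m.group("host") or "local", m.group("msg")
        if (e := ESP.search(msg)):
            pending[host]["esp"] = tuple(int(x) for x in e.groups())
        elif (i := IKE.search(msg)):
            pending[host]["ike"] = tuple(int(x) for x in i.groups())
        elif (a := ADDED.search(msg)):
            result[host][a.group(1)] = pending.pop(host, {})
    return dict(result)


def _name(table, num):
    return table.get(num, f"id {num} (not named in the HQ log)")


def describe(proposal):
    """Turn the numeric tuples into one readable entry per negotiated setting."""
    out = {}
    if "ike" in proposal:
        enc, bits, hsh, dh = proposal["ike"]
        out["IKE encryption"] = f"{_name(IKE_ENC, enc)} {bits} bit"
        out["IKE hash"] = _name(IKE_HASH, hsh)
        out["IKE DH group"] = _name(DH_GROUP, dh)
    if "esp" in proposal:
        enc, bits, auth = proposal["esp"]
        out["ESP encryption"] = f"{_name(ESP_ENC, enc)} {bits} bit"
        out["ESP authentication"] = _name(ESP_AUTH, auth)
    return out


def mismatches(local, remote):
    """Settings that differ between the two ends: {setting: (local, remote)}."""
    a, b = describe(local), describe(remote)
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


# Lines in the format of the HQ log posted in this thread.
HQ_LOG = '''
2012:12:30-14:34:21 astaro-1 pluto[16850]: | esp string values: 12_256-1,
2012:12:30-14:34:21 astaro-1 pluto[16850]: | ike string values: 7_256-1-5,
2012:12:30-14:34:21 astaro-1 pluto[16850]: added connection description "S_Site_to_Site_Branch-1"
'''

# Constructed branch-side log (the thread never shows one): ESP key length
# and DH group deliberately differ from HQ.
BRANCH_LOG = '''
2012:12:30-14:40:00 branch-1 pluto[4242]: | esp string values: 12_128-1,
2012:12:30-14:40:00 branch-1 pluto[4242]: | ike string values: 7_256-1-2,
2012:12:30-14:40:00 branch-1 pluto[4242]: added connection description "S_Site_to_Site_HQ"
'''

if __name__ == "__main__":
    # Connection names are local to each gateway, so each side is looked up by its own name.
    hq = parse_proposals(HQ_LOG)["astaro-1"]["S_Site_to_Site_Branch-1"]
    branch = parse_proposals(BRANCH_LOG)["branch-1"]["S_Site_to_Site_HQ"]
    for setting, (ours, theirs) in mismatches(hq, branch).items():
        print(f"{setting}: HQ={ours} | Branch={theirs}")
```
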
 

Author Comment

by:apollo-13
ID: 38730717
Hi Qlemo,
thanks for the answer.
 

Author Comment

by:apollo-13
ID: 38730749
Unfortunately I can't connect to see the logs on the other side. Actually this lost-connection problem happened after the Up2Date firmware update.
Here are the LIVE LOGS:
Live-Protokoll: IPSec-VPN
2012:12:30-13:16:04 astaro-2 pluto[851]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-13:16:04 astaro-2 pluto[851]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-13:56:02 astaro-1 pluto[9488]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-13:56:02 astaro-1 pluto[9488]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-14:11:05 astaro-2 pluto[851]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-14:11:06 astaro-2 pluto[851]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-14:32:56 astaro-1 pluto[9488]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-14:32:56 astaro-1 pluto[9488]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-14:33:04 astaro-1 pluto[9488]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-14:33:04 astaro-1 pluto[9488]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-14:33:55 astaro-2 pluto[851]: "S_Site_to_Site_Branch-1": deleting connection
2012:12:30-14:33:55 astaro-2 pluto[851]: | alg_info_delref() alg_info->ref_cnt=0
2012:12:30-14:33:55 astaro-2 pluto[851]: | alg_info_delref() freeing alg_info
2012:12:30-14:33:55 astaro-2 pluto[851]: | alg_info_delref() alg_info->ref_cnt=0
2012:12:30-14:33:55 astaro-2 pluto[851]: | alg_info_delref() freeing alg_info
2012:12:30-14:33:55 astaro-2 pluto[851]: forgetting secrets
2012:12:30-14:33:55 astaro-2 pluto[851]: loading secrets from "/etc/ipsec.secrets"
2012:12:30-14:33:55 astaro-2 pluto[851]: Changing to directory '/etc/ipsec.d/cacerts'
2012:12:30-14:33:55 astaro-2 pluto[851]: loaded CA cert file 'VPN Signing CA.pem' (2938 bytes)
2012:12:30-14:33:55 astaro-2 pluto[851]: loaded CA cert file 'VPN Signing CA (Thu Feb 5 14:14:06 2009).pem' (3079 bytes)
2012:12:30-14:33:55 astaro-2 pluto[851]: Changing to directory '/etc/ipsec.d/aacerts'
2012:12:30-14:33:55 astaro-2 pluto[851]: Changing to directory '/etc/ipsec.d/ocspcerts'
2012:12:30-14:33:55 astaro-2 pluto[851]: Changing to directory '/etc/ipsec.d/crls'
2012:12:30-14:33:56 astaro-1 pluto[9488]: shutting down
2012:12:30-14:33:56 astaro-1 pluto[9488]: forgetting secrets
2012:12:30-14:33:56 astaro-1 pluto[9488]: "S_Site_to_Site_Branch-1": deleting connection
2012:12:30-14:33:56 astaro-1 pluto[9488]: | alg_info_delref() alg_info->ref_cnt=0
2012:12:30-14:33:56 astaro-1 pluto[9488]: | alg_info_delref() freeing alg_info
2012:12:30-14:33:56 astaro-1 pluto[9488]: | alg_info_delref() alg_info->ref_cnt=0
2012:12:30-14:33:56 astaro-1 pluto[9488]: | alg_info_delref() freeing alg_info
2012:12:30-14:33:56 astaro-1 pluto[9488]: "S_Site_to_Site_Branch-1_Test": deleting connection
2012:12:30-14:33:56 astaro-1 pluto[9488]: | alg_info_delref() alg_info->ref_cnt=0
2012:12:30-14:33:56 astaro-1 pluto[9488]: | alg_info_delref() freeing alg_info
2012:12:30-14:33:56 astaro-1 pluto[9488]: | alg_info_delref() alg_info->ref_cnt=0
2012:12:30-14:33:56 astaro-1 pluto[9488]: | alg_info_delref() freeing alg_info
2012:12:30-14:33:56 astaro-1 pluto[9488]: shutting down interface ipsec0/eth1 61.150.145.70
2012:12:30-14:33:56 astaro-1 pluto[9488]: shutting down interface ipsec0/eth1 61.150.145.70
2012:12:30-14:33:58 astaro-2 pluto[851]: shutting down
2012:12:30-14:33:58 astaro-2 pluto[851]: forgetting secrets
2012:12:30-14:33:58 astaro-2 pluto[851]: "S_Site_to_Site_Branch-1_Test": deleting connection
2012:12:30-14:33:58 astaro-2 pluto[851]: | alg_info_delref() alg_info->ref_cnt=0
2012:12:30-14:33:58 astaro-2 pluto[851]: | alg_info_delref() freeing alg_info
2012:12:30-14:33:58 astaro-2 pluto[851]: | alg_info_delref() alg_info->ref_cnt=0
2012:12:30-14:33:58 astaro-2 pluto[851]: | alg_info_delref() freeing alg_info
2012:12:30-14:33:58 astaro-2 pluto[851]: shutting down interface ipsec0/eth1 61.150.145.70
2012:12:30-14:33:58 astaro-2 pluto[851]: shutting down interface ipsec0/eth1 61.150.145.70
2012:12:30-14:34:14 astaro-1 ipsec_starter[16733]: Starting strongSwan 4.2.3 IPsec [starter]...
2012:12:30-14:34:14 astaro-1 ipsec_starter[16744]: IP address or index of physical interface changed -> reinit of ipsec interface
2012:12:30-14:34:15 astaro-2 ipsec_starter[7456]: Starting strongSwan 4.2.3 IPsec [starter]...
2012:12:30-14:34:15 astaro-2 ipsec_starter[7467]: IP address or index of physical interface changed -> reinit of ipsec interface
2012:12:30-14:34:16 astaro-1 ipsec_starter[16744]: pluto too long to start... - kill kill
2012:12:30-14:34:16 astaro-1 ipsec_starter[16744]: pluto has died -- restart scheduled (5sec)
2012:12:30-14:34:16 astaro-2 pluto[7484]: Starting Pluto (strongSwan Version 4.2.3 THREADS LIBLDAP VENDORID CISCO_QUIRKS)
2012:12:30-14:34:16 astaro-2 pluto[7484]: including NAT-Traversal patch (Version 0.6c)
2012:12:30-14:34:16 astaro-2 pluto[7484]: ike_alg: Activating OAKLEY_AES_CBC encryption: Ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: ike_alg: Activating OAKLEY_BLOWFISH_CBC encryption: Ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: ike_alg: Activating OAKLEY_SERPENT_CBC encryption: Ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: ike_alg: Activating OAKLEY_SHA2_256 hash: Ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: ike_alg: Activating OAKLEY_SHA2_384 hash: Ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: ike_alg: Activating OAKLEY_SHA2_512 hash: Ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: ike_alg: Activating OAKLEY_TWOFISH_CBC encryption: Ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: ike_alg: Activating OAKLEY_TWOFISH_CBC_SSH encryption: Ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: Testing registered IKE encryption algorithms:
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_DES_CBC self-test not available
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_BLOWFISH_CBC self-test not available
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_3DES_CBC self-test not available
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_AES_CBC self-test not available
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_SERPENT_CBC self-test not available
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_TWOFISH_CBC self-test not available
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_TWOFISH_CBC_SSH self-test not available
2012:12:30-14:34:16 astaro-2 pluto[7484]: Testing registered IKE hash algorithms:
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 3: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 4: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 5: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 6: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_MD5 hash self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 3: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 4: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 5: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_MD5 hmac self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_SHA hash self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 3: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 4: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 5: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_SHA hmac self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_SHA2_256 hash self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 3: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 4: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 5: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_SHA2_256 hmac self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_SHA2_384 hash self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 3: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 4: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 5: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_SHA2_384 hmac self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_SHA2_512 hash self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 3: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 4: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 5: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_SHA2_512 hmac self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: All crypto self-tests passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: Using KLIPS IPsec interface code
2012:12:30-14:34:16 astaro-2 pluto[7484]: HA system enabled and listen on interface eth3
2012:12:30-14:34:16 astaro-2 pluto[7484]: Changing to directory '/etc/ipsec.d/cacerts'
2012:12:30-14:34:16 astaro-2 pluto[7484]: loaded CA cert file 'VPN Signing CA.pem' (2938 bytes)
2012:12:30-14:34:16 astaro-2 pluto[7484]: loaded CA cert file 'VPN Signing CA (Thu Feb 5 14:14:06 2009).pem' (3079 bytes)
2012:12:30-14:34:16 astaro-2 pluto[7484]: Changing to directory '/etc/ipsec.d/aacerts'
2012:12:30-14:34:16 astaro-2 pluto[7484]: Changing to directory '/etc/ipsec.d/ocspcerts'
2012:12:30-14:34:16 astaro-2 pluto[7484]: Changing to directory '/etc/ipsec.d/crls'
2012:12:30-14:34:16 astaro-2 pluto[7484]: HA System active! Switch to Master mode to listen for IKE messages
2012:12:30-14:34:16 astaro-2 pluto[7484]: adding interface ipsec0/eth1 61.150.145.70:500
2012:12:30-14:34:16 astaro-2 pluto[7484]: adding interface ipsec0/eth1 61.150.145.70:4500
2012:12:30-14:34:16 astaro-2 pluto[7484]: loading secrets from "/etc/ipsec.secrets"
2012:12:30-14:34:16 astaro-2 pluto[7484]: | alg_info_parse_str() ealg_buf=aes aalg_buf=md5eklen=256 aklen=0
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c4564, "ESP_AES")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() ealg_getbyname("aes")=12
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c46f8, "AUTH_ALGORITHM_HMAC_MD5")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() aalg_getbyname("md5")=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | __alg_info_esp_add() ealg=12 aalg=1 cnt=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | esp string values: 12_256-1,
2012:12:30-14:34:16 astaro-2 pluto[7484]: | alg_info_parse_str() ealg_buf=aes aalg_buf=md5eklen=256 aklen=0
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c4798, "OAKLEY_AES")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_ppfixi () calling enum_search(0x80c4798, "OAKLEY_AES_CBC")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() ealg_getbyname("aes")=7
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c47a8, "OAKLEY_MD5")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() aalg_getbyname("md5")=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c47d8, "OAKLEY_GROUP_MODP1536")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() modp_getbyname("modp1536")=5
2012:12:30-14:34:16 astaro-2 pluto[7484]: | __alg_info_ike_add() ealg=7 aalg=1 modp_id=5, cnt=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | ike string values: 7_256-1-5,
2012:12:30-14:34:16 astaro-2 pluto[7484]: | alg_info_addref() alg_info->ref_cnt=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | alg_info_addref() alg_info->ref_cnt=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: added connection description "S_Site_to_Site_Branch-1_Test"
2012:12:30-14:34:16 astaro-2 pluto[7484]: | alg_info_parse_str() ealg_buf=aes aalg_buf=md5eklen=256 aklen=0
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c4564, "ESP_AES")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() ealg_getbyname("aes")=12
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c46f8, "AUTH_ALGORITHM_HMAC_MD5")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() aalg_getbyname("md5")=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | __alg_info_esp_add() ealg=12 aalg=1 cnt=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | esp string values: 12_256-1,
2012:12:30-14:34:16 astaro-2 pluto[7484]: | alg_info_parse_str() ealg_buf=aes aalg_buf=md5eklen=256 aklen=0
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c4798, "OAKLEY_AES")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_ppfixi () calling enum_search(0x80c4798, "OAKLEY_AES_CBC")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() ealg_getbyname("aes")=7
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c47a8, "OAKLEY_MD5")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() aalg_getbyname("md5")=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c47d8, "OAKLEY_GROUP_MODP1536")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() modp_getbyname("modp1536")=5
2012:12:30-14:34:16 astaro-2 pluto[7484]: | __alg_info_ike_add() ealg=7 aalg=1 modp_id=5, cnt=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | ike string values: 7_256-1-5,
2012:12:30-14:34:16 astaro-2 pluto[7484]: | alg_info_addref() alg_info->ref_cnt=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | alg_info_addref() alg_info->ref_cnt=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: added connection description "S_Site_to_Site_Branch-1"
2012:12:30-14:34:16 astaro-2 pluto[7484]: Pluto is now Slave
2012:12:30-14:34:21 astaro-1 pluto[16850]: Starting Pluto (strongSwan Version 4.2.3 THREADS LIBLDAP VENDORID CISCO_QUIRKS)
2012:12:30-14:34:21 astaro-1 pluto[16850]: including NAT-Traversal patch (Version 0.6c)
2012:12:30-14:34:21 astaro-1 pluto[16850]: ike_alg: Activating OAKLEY_AES_CBC encryption: Ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: ike_alg: Activating OAKLEY_BLOWFISH_CBC encryption: Ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: ike_alg: Activating OAKLEY_SERPENT_CBC encryption: Ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: ike_alg: Activating OAKLEY_SHA2_256 hash: Ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: ike_alg: Activating OAKLEY_SHA2_384 hash: Ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: ike_alg: Activating OAKLEY_SHA2_512 hash: Ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: ike_alg: Activating OAKLEY_TWOFISH_CBC encryption: Ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: ike_alg: Activating OAKLEY_TWOFISH_CBC_SSH encryption: Ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: Testing registered IKE encryption algorithms:
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_DES_CBC self-test not available
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_BLOWFISH_CBC self-test not available
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_3DES_CBC self-test not available
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_AES_CBC self-test not available
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_SERPENT_CBC self-test not available
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_TWOFISH_CBC self-test not available
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_TWOFISH_CBC_SSH self-test not available
2012:12:30-14:34:21 astaro-1 pluto[16850]: Testing registered IKE hash algorithms:
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 3: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 4: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 5: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 6: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_MD5 hash self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 3: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 4: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 5: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_MD5 hmac self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_SHA hash self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 3: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 4: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 5: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_SHA hmac self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_SHA2_256 hash self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 3: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 4: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 5: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_SHA2_256 hmac self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_SHA2_384 hash self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 3: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 4: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 5: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_SHA2_384 hmac self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_SHA2_512 hash self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 3: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 4: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 5: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_SHA2_512 hmac self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: All crypto self-tests passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: Using KLIPS IPsec interface code
2012:12:30-14:34:21 astaro-1 pluto[16850]: HA system enabled and listen on interface eth3
2012:12:30-14:34:21 astaro-1 pluto[16850]: Initial HA switch to Master mode
2012:12:30-14:34:21 astaro-1 pluto[16850]: Changing to directory '/etc/ipsec.d/cacerts'
2012:12:30-14:34:21 astaro-1 pluto[16850]: loaded CA cert file 'VPN Signing CA.pem' (2938 bytes)
2012:12:30-14:34:21 astaro-1 pluto[16850]: loaded CA cert file 'VPN Signing CA (Thu Feb 5 14:14:06 2009).pem' (3079 bytes)
2012:12:30-14:34:21 astaro-1 pluto[16850]: Changing to directory '/etc/ipsec.d/aacerts'
2012:12:30-14:34:21 astaro-1 pluto[16850]: Changing to directory '/etc/ipsec.d/ocspcerts'
2012:12:30-14:34:21 astaro-1 pluto[16850]: Changing to directory '/etc/ipsec.d/crls'
2012:12:30-14:34:21 astaro-1 pluto[16850]: listening for IKE messages
2012:12:30-14:34:21 astaro-1 pluto[16850]: adding interface ipsec0/eth1 61.150.145.70:500
2012:12:30-14:34:21 astaro-1 pluto[16850]: adding interface ipsec0/eth1 61.150.145.70:4500
2012:12:30-14:34:21 astaro-1 pluto[16850]: loading secrets from "/etc/ipsec.secrets"
2012:12:30-14:34:21 astaro-1 pluto[16850]: | alg_info_parse_str() ealg_buf=aes aalg_buf=md5eklen=256 aklen=0
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c4564, "ESP_AES")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() ealg_getbyname("aes")=12
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c46f8, "AUTH_ALGORITHM_HMAC_MD5")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() aalg_getbyname("md5")=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | __alg_info_esp_add() ealg=12 aalg=1 cnt=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | esp string values: 12_256-1,
2012:12:30-14:34:21 astaro-1 pluto[16850]: | alg_info_parse_str() ealg_buf=aes aalg_buf=md5eklen=256 aklen=0
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c4798, "OAKLEY_AES")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_ppfixi () calling enum_search(0x80c4798, "OAKLEY_AES_CBC")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() ealg_getbyname("aes")=7
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c47a8, "OAKLEY_MD5")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() aalg_getbyname("md5")=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c47d8, "OAKLEY_GROUP_MODP1536")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() modp_getbyname("modp1536")=5
2012:12:30-14:34:21 astaro-1 pluto[16850]: | __alg_info_ike_add() ealg=7 aalg=1 modp_id=5, cnt=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | ike string values: 7_256-1-5,
2012:12:30-14:34:21 astaro-1 pluto[16850]: | alg_info_addref() alg_info->ref_cnt=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | alg_info_addref() alg_info->ref_cnt=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: added connection description "S_Site_to_Site_Branch-1_Test"
2012:12:30-14:34:21 astaro-1 pluto[16850]: | alg_info_parse_str() ealg_buf=aes aalg_buf=md5eklen=256 aklen=0
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c4564, "ESP_AES")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() ealg_getbyname("aes")=12
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c46f8, "AUTH_ALGORITHM_HMAC_MD5")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() aalg_getbyname("md5")=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | __alg_info_esp_add() ealg=12 aalg=1 cnt=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | esp string values: 12_256-1,
2012:12:30-14:34:21 astaro-1 pluto[16850]: | alg_info_parse_str() ealg_buf=aes aalg_buf=md5eklen=256 aklen=0
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c4798, "OAKLEY_AES")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_ppfixi () calling enum_search(0x80c4798, "OAKLEY_AES_CBC")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() ealg_getbyname("aes")=7
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c47a8, "OAKLEY_MD5")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() aalg_getbyname("md5")=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c47d8, "OAKLEY_GROUP_MODP1536")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() modp_getbyname("modp1536")=5
2012:12:30-14:34:21 astaro-1 pluto[16850]: | __alg_info_ike_add() ealg=7 aalg=1 modp_id=5, cnt=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | ike string values: 7_256-1-5,
2012:12:30-14:34:21 astaro-1 pluto[16850]: | alg_info_addref() alg_info->ref_cnt=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | alg_info_addref() alg_info->ref_cnt=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: added connection description "S_Site_to_Site_Branch-1"
2012:12:30-14:34:21 astaro-1 pluto[16850]: HA System: Pluto is already in Master mode

Expert Comment

by:Qlemo
ID: 38730765
That log is just talking about the boot process. No hint to info in regard of establishing a connection.

It is always a good idea to have a fallback remote access method, like TeamViewer or direct RDP, in case the VPN does not come up.

Anyway, if you try to initiate traffic from HQ to Branch-1, e.g. by pinging a remote IP, you should see something more in the logs. I'm certain strongSwan supports log levels to provide more detail, but I have no knowledge about that Open Source IPSec VPN software, and any Astaro-specific implementation of it.
 

Author Comment

by:apollo-13
ID: 38730839
no ping and TeamViewer works unfortunately, today I tried all options. :)
 

Author Comment

by:apollo-13
ID: 38730848
Must both sides have the same firmware? Because mine do not. After the firmware was updated on the HQ side, the connections were lost.
 

Author Comment

by:apollo-13
ID: 38730992
i got this info:
ERROR: asynchronous network error report on eth1 for message to 212.40.85.14 port 500, complainant 212.40.85.14: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]

Accepted Solution

by:
Qlemo earned 500 total points
ID: 38731424
Usually a firmware upgrade should not lead to communication issues - but that depends on whether some inconsistencies leading to vulnerability, or something similar, have been wiped out. Getting both Astaros onto the same firmware would be my first approach in this case.

The other stuff doesn't tell anything more.
 

Author Comment

by:apollo-13
ID: 38731886
OK, thanks, I will try.

Expert Comment

by:Qlemo
ID: 38732328
Thanks for accepting, but strictly seen, it is too early to do that, as the issue is not resolved yet. I'll continue to monitor this thread, and am able to reopen it if needed. Please post back whether the Firmware upgrade worked out for you.