Solved

ASTARO Hardware Firewall SITE-TO-SITE VPN

Posted on 2012-12-29
Last Modified: 2012-12-31
I have 2 sites and both sides have an Astaro hardware firewall v7.
Both sides:
Firmware version: 7.512
AES-256
RSA key

I configured site-to-site VPN on the Astaro in city one (HQ) and in the other city (our Branch-1) too. They worked for nearly one year without problems, but suddenly something happened and the connection between HQ and our Branch-1 stopped. 2 weeks ago both sites started to lose the connection sometimes. NOW THERE ARE NO CONNECTIONS ANY MORE.

When the connection is lost, I look at the HQ Astaro admin page -> Site-to-site VPN:
Site-to-site VPN our_Branch-1: the status is RED.
No connection, but the IPSec section is green.
IPsec green
Any idea please?
Thanks
Question by:apollo-13
11 Comments
 

Author Comment

by:apollo-13
ID: 38730344
I am not sure whether this log message can give an idea?

2012:12:21-20:48:26 pluto[6124]: "S_REF_mXgVgYJEgW_0"[2] 210.185.50.150#85: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xa2911282) not found (maybe expired)
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 38730714
Ah, there's Apollo again ...

Looks like something in Phase 2 goes wrong. The SA Delete notif might come some time after the tunnel started negotiation - then the lifetimes are not the same on each side. If it comes shortly after initiation of the connection, one or more of the encryption/hash/DH settings, or Proxy IDs, are different.
If you do not have more in your logs, you should watch if the tunnel is up for more than one or two minutes after you re-initiate it. And you should have the log of the other site, of course.
By all means you should try to increase the log level, to get anything useful for troubleshooting. Usually you have to watch both sites to get a picture.
0
 

Author Comment

by:apollo-13
ID: 38730717
Hi Qlemo
thanks for answer.
0
 

Author Comment

by:apollo-13
ID: 38730749
Unfortunately I can't connect to see the logs on the other side. Actually this connection loss problem happened after the Up2Date firmware update.
Here are the LIVE LOGS:
Live-Protokoll: IPSec-VPN
2012:12:30-13:16:04 astaro-2 pluto[851]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-13:16:04 astaro-2 pluto[851]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-13:56:02 astaro-1 pluto[9488]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-13:56:02 astaro-1 pluto[9488]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-14:11:05 astaro-2 pluto[851]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-14:11:06 astaro-2 pluto[851]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-14:32:56 astaro-1 pluto[9488]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-14:32:56 astaro-1 pluto[9488]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-14:33:04 astaro-1 pluto[9488]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-14:33:04 astaro-1 pluto[9488]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-14:33:55 astaro-2 pluto[851]: "S_Site_to_Site_Branch-1": deleting connection
2012:12:30-14:33:55 astaro-2 pluto[851]: | alg_info_delref() alg_info->ref_cnt=0
2012:12:30-14:33:55 astaro-2 pluto[851]: | alg_info_delref() freeing alg_info
2012:12:30-14:33:55 astaro-2 pluto[851]: | alg_info_delref() alg_info->ref_cnt=0
2012:12:30-14:33:55 astaro-2 pluto[851]: | alg_info_delref() freeing alg_info
2012:12:30-14:33:55 astaro-2 pluto[851]: forgetting secrets
2012:12:30-14:33:55 astaro-2 pluto[851]: loading secrets from "/etc/ipsec.secrets"
2012:12:30-14:33:55 astaro-2 pluto[851]: Changing to directory '/etc/ipsec.d/cacerts'
2012:12:30-14:33:55 astaro-2 pluto[851]: loaded CA cert file 'VPN Signing CA.pem' (2938 bytes)
2012:12:30-14:33:55 astaro-2 pluto[851]: loaded CA cert file 'VPN Signing CA (Thu Feb 5 14:14:06 2009).pem' (3079 bytes)
2012:12:30-14:33:55 astaro-2 pluto[851]: Changing to directory '/etc/ipsec.d/aacerts'
2012:12:30-14:33:55 astaro-2 pluto[851]: Changing to directory '/etc/ipsec.d/ocspcerts'
2012:12:30-14:33:55 astaro-2 pluto[851]: Changing to directory '/etc/ipsec.d/crls'
2012:12:30-14:33:56 astaro-1 pluto[9488]: shutting down
2012:12:30-14:33:56 astaro-1 pluto[9488]: forgetting secrets
2012:12:30-14:33:56 astaro-1 pluto[9488]: "S_Site_to_Site_Branch-1": deleting connection
2012:12:30-14:33:56 astaro-1 pluto[9488]: | alg_info_delref() alg_info->ref_cnt=0
2012:12:30-14:33:56 astaro-1 pluto[9488]: | alg_info_delref() freeing alg_info
2012:12:30-14:33:56 astaro-1 pluto[9488]: | alg_info_delref() alg_info->ref_cnt=0
2012:12:30-14:33:56 astaro-1 pluto[9488]: | alg_info_delref() freeing alg_info
2012:12:30-14:33:56 astaro-1 pluto[9488]: "S_Site_to_Site_Branch-1_Test": deleting connection
2012:12:30-14:33:56 astaro-1 pluto[9488]: | alg_info_delref() alg_info->ref_cnt=0
2012:12:30-14:33:56 astaro-1 pluto[9488]: | alg_info_delref() freeing alg_info
2012:12:30-14:33:56 astaro-1 pluto[9488]: | alg_info_delref() alg_info->ref_cnt=0
2012:12:30-14:33:56 astaro-1 pluto[9488]: | alg_info_delref() freeing alg_info
2012:12:30-14:33:56 astaro-1 pluto[9488]: shutting down interface ipsec0/eth1 61.150.145.70
2012:12:30-14:33:56 astaro-1 pluto[9488]: shutting down interface ipsec0/eth1 61.150.145.70
2012:12:30-14:33:58 astaro-2 pluto[851]: shutting down
2012:12:30-14:33:58 astaro-2 pluto[851]: forgetting secrets
2012:12:30-14:33:58 astaro-2 pluto[851]: "S_Site_to_Site_Branch-1_Test": deleting connection
2012:12:30-14:33:58 astaro-2 pluto[851]: | alg_info_delref() alg_info->ref_cnt=0
2012:12:30-14:33:58 astaro-2 pluto[851]: | alg_info_delref() freeing alg_info
2012:12:30-14:33:58 astaro-2 pluto[851]: | alg_info_delref() alg_info->ref_cnt=0
2012:12:30-14:33:58 astaro-2 pluto[851]: | alg_info_delref() freeing alg_info
2012:12:30-14:33:58 astaro-2 pluto[851]: shutting down interface ipsec0/eth1 61.150.145.70
2012:12:30-14:33:58 astaro-2 pluto[851]: shutting down interface ipsec0/eth1 61.150.145.70
2012:12:30-14:34:14 astaro-1 ipsec_starter[16733]: Starting strongSwan 4.2.3 IPsec [starter]...
2012:12:30-14:34:14 astaro-1 ipsec_starter[16744]: IP address or index of physical interface changed -> reinit of ipsec interface
2012:12:30-14:34:15 astaro-2 ipsec_starter[7456]: Starting strongSwan 4.2.3 IPsec [starter]...
2012:12:30-14:34:15 astaro-2 ipsec_starter[7467]: IP address or index of physical interface changed -> reinit of ipsec interface
2012:12:30-14:34:16 astaro-1 ipsec_starter[16744]: pluto too long to start... - kill kill
2012:12:30-14:34:16 astaro-1 ipsec_starter[16744]: pluto has died -- restart scheduled (5sec)
2012:12:30-14:34:16 astaro-2 pluto[7484]: Starting Pluto (strongSwan Version 4.2.3 THREADS LIBLDAP VENDORID CISCO_QUIRKS)
2012:12:30-14:34:16 astaro-2 pluto[7484]: including NAT-Traversal patch (Version 0.6c)
2012:12:30-14:34:16 astaro-2 pluto[7484]: ike_alg: Activating OAKLEY_AES_CBC encryption: Ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: ike_alg: Activating OAKLEY_BLOWFISH_CBC encryption: Ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: ike_alg: Activating OAKLEY_SERPENT_CBC encryption: Ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: ike_alg: Activating OAKLEY_SHA2_256 hash: Ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: ike_alg: Activating OAKLEY_SHA2_384 hash: Ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: ike_alg: Activating OAKLEY_SHA2_512 hash: Ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: ike_alg: Activating OAKLEY_TWOFISH_CBC encryption: Ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: ike_alg: Activating OAKLEY_TWOFISH_CBC_SSH encryption: Ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: Testing registered IKE encryption algorithms:
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_DES_CBC self-test not available
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_BLOWFISH_CBC self-test not available
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_3DES_CBC self-test not available
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_AES_CBC self-test not available
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_SERPENT_CBC self-test not available
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_TWOFISH_CBC self-test not available
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_TWOFISH_CBC_SSH self-test not available
2012:12:30-14:34:16 astaro-2 pluto[7484]: Testing registered IKE hash algorithms:
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 3: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 4: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 5: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 6: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_MD5 hash self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 3: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 4: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 5: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_MD5 hmac self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_SHA hash self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 3: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 4: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 5: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_SHA hmac self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_SHA2_256 hash self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 3: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 4: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 5: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_SHA2_256 hmac self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_SHA2_384 hash self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 3: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 4: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 5: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_SHA2_384 hmac self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_SHA2_512 hash self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 3: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 4: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 5: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_SHA2_512 hmac self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: All crypto self-tests passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: Using KLIPS IPsec interface code
2012:12:30-14:34:16 astaro-2 pluto[7484]: HA system enabled and listen on interface eth3
2012:12:30-14:34:16 astaro-2 pluto[7484]: Changing to directory '/etc/ipsec.d/cacerts'
2012:12:30-14:34:16 astaro-2 pluto[7484]: loaded CA cert file 'VPN Signing CA.pem' (2938 bytes)
2012:12:30-14:34:16 astaro-2 pluto[7484]: loaded CA cert file 'VPN Signing CA (Thu Feb 5 14:14:06 2009).pem' (3079 bytes)
2012:12:30-14:34:16 astaro-2 pluto[7484]: Changing to directory '/etc/ipsec.d/aacerts'
2012:12:30-14:34:16 astaro-2 pluto[7484]: Changing to directory '/etc/ipsec.d/ocspcerts'
2012:12:30-14:34:16 astaro-2 pluto[7484]: Changing to directory '/etc/ipsec.d/crls'
2012:12:30-14:34:16 astaro-2 pluto[7484]: HA System active! Switch to Master mode to listen for IKE messages
2012:12:30-14:34:16 astaro-2 pluto[7484]: adding interface ipsec0/eth1 61.150.145.70:500
2012:12:30-14:34:16 astaro-2 pluto[7484]: adding interface ipsec0/eth1 61.150.145.70:4500
2012:12:30-14:34:16 astaro-2 pluto[7484]: loading secrets from "/etc/ipsec.secrets"
2012:12:30-14:34:16 astaro-2 pluto[7484]: | alg_info_parse_str() ealg_buf=aes aalg_buf=md5eklen=256 aklen=0
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c4564, "ESP_AES")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() ealg_getbyname("aes")=12
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c46f8, "AUTH_ALGORITHM_HMAC_MD5")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() aalg_getbyname("md5")=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | __alg_info_esp_add() ealg=12 aalg=1 cnt=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | esp string values: 12_256-1,
2012:12:30-14:34:16 astaro-2 pluto[7484]: | alg_info_parse_str() ealg_buf=aes aalg_buf=md5eklen=256 aklen=0
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c4798, "OAKLEY_AES")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_ppfixi () calling enum_search(0x80c4798, "OAKLEY_AES_CBC")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() ealg_getbyname("aes")=7
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c47a8, "OAKLEY_MD5")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() aalg_getbyname("md5")=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c47d8, "OAKLEY_GROUP_MODP1536")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() modp_getbyname("modp1536")=5
2012:12:30-14:34:16 astaro-2 pluto[7484]: | __alg_info_ike_add() ealg=7 aalg=1 modp_id=5, cnt=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | ike string values: 7_256-1-5,
2012:12:30-14:34:16 astaro-2 pluto[7484]: | alg_info_addref() alg_info->ref_cnt=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | alg_info_addref() alg_info->ref_cnt=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: added connection description "S_Site_to_Site_Branch-1_Test"
2012:12:30-14:34:16 astaro-2 pluto[7484]: | alg_info_parse_str() ealg_buf=aes aalg_buf=md5eklen=256 aklen=0
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c4564, "ESP_AES")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() ealg_getbyname("aes")=12
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c46f8, "AUTH_ALGORITHM_HMAC_MD5")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() aalg_getbyname("md5")=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | __alg_info_esp_add() ealg=12 aalg=1 cnt=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | esp string values: 12_256-1,
2012:12:30-14:34:16 astaro-2 pluto[7484]: | alg_info_parse_str() ealg_buf=aes aalg_buf=md5eklen=256 aklen=0
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c4798, "OAKLEY_AES")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_ppfixi () calling enum_search(0x80c4798, "OAKLEY_AES_CBC")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() ealg_getbyname("aes")=7
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c47a8, "OAKLEY_MD5")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() aalg_getbyname("md5")=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c47d8, "OAKLEY_GROUP_MODP1536")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() modp_getbyname("modp1536")=5
2012:12:30-14:34:16 astaro-2 pluto[7484]: | __alg_info_ike_add() ealg=7 aalg=1 modp_id=5, cnt=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | ike string values: 7_256-1-5,
2012:12:30-14:34:16 astaro-2 pluto[7484]: | alg_info_addref() alg_info->ref_cnt=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | alg_info_addref() alg_info->ref_cnt=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: added connection description "S_Site_to_Site_Branch-1"
2012:12:30-14:34:16 astaro-2 pluto[7484]: Pluto is now Slave
2012:12:30-14:34:21 astaro-1 pluto[16850]: Starting Pluto (strongSwan Version 4.2.3 THREADS LIBLDAP VENDORID CISCO_QUIRKS)
2012:12:30-14:34:21 astaro-1 pluto[16850]: including NAT-Traversal patch (Version 0.6c)
2012:12:30-14:34:21 astaro-1 pluto[16850]: ike_alg: Activating OAKLEY_AES_CBC encryption: Ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: ike_alg: Activating OAKLEY_BLOWFISH_CBC encryption: Ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: ike_alg: Activating OAKLEY_SERPENT_CBC encryption: Ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: ike_alg: Activating OAKLEY_SHA2_256 hash: Ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: ike_alg: Activating OAKLEY_SHA2_384 hash: Ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: ike_alg: Activating OAKLEY_SHA2_512 hash: Ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: ike_alg: Activating OAKLEY_TWOFISH_CBC encryption: Ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: ike_alg: Activating OAKLEY_TWOFISH_CBC_SSH encryption: Ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: Testing registered IKE encryption algorithms:
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_DES_CBC self-test not available
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_BLOWFISH_CBC self-test not available
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_3DES_CBC self-test not available
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_AES_CBC self-test not available
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_SERPENT_CBC self-test not available
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_TWOFISH_CBC self-test not available
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_TWOFISH_CBC_SSH self-test not available
2012:12:30-14:34:21 astaro-1 pluto[16850]: Testing registered IKE hash algorithms:
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 3: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 4: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 5: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 6: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_MD5 hash self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 3: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 4: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 5: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_MD5 hmac self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_SHA hash self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 3: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 4: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 5: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_SHA hmac self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_SHA2_256 hash self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 3: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 4: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 5: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_SHA2_256 hmac self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_SHA2_384 hash self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 3: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 4: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 5: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_SHA2_384 hmac self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_SHA2_512 hash self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 3: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 4: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 5: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_SHA2_512 hmac self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: All crypto self-tests passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: Using KLIPS IPsec interface code
2012:12:30-14:34:21 astaro-1 pluto[16850]: HA system enabled and listen on interface eth3
2012:12:30-14:34:21 astaro-1 pluto[16850]: Initial HA switch to Master mode
2012:12:30-14:34:21 astaro-1 pluto[16850]: Changing to directory '/etc/ipsec.d/cacerts'
2012:12:30-14:34:21 astaro-1 pluto[16850]: loaded CA cert file 'VPN Signing CA.pem' (2938 bytes)
2012:12:30-14:34:21 astaro-1 pluto[16850]: loaded CA cert file 'VPN Signing CA (Thu Feb 5 14:14:06 2009).pem' (3079 bytes)
2012:12:30-14:34:21 astaro-1 pluto[16850]: Changing to directory '/etc/ipsec.d/aacerts'
2012:12:30-14:34:21 astaro-1 pluto[16850]: Changing to directory '/etc/ipsec.d/ocspcerts'
2012:12:30-14:34:21 astaro-1 pluto[16850]: Changing to directory '/etc/ipsec.d/crls'
2012:12:30-14:34:21 astaro-1 pluto[16850]: listening for IKE messages
2012:12:30-14:34:21 astaro-1 pluto[16850]: adding interface ipsec0/eth1 61.150.145.70:500
2012:12:30-14:34:21 astaro-1 pluto[16850]: adding interface ipsec0/eth1 61.150.145.70:4500
2012:12:30-14:34:21 astaro-1 pluto[16850]: loading secrets from "/etc/ipsec.secrets"
2012:12:30-14:34:21 astaro-1 pluto[16850]: | alg_info_parse_str() ealg_buf=aes aalg_buf=md5eklen=256 aklen=0
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c4564, "ESP_AES")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() ealg_getbyname("aes")=12
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c46f8, "AUTH_ALGORITHM_HMAC_MD5")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() aalg_getbyname("md5")=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | __alg_info_esp_add() ealg=12 aalg=1 cnt=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | esp string values: 12_256-1,
2012:12:30-14:34:21 astaro-1 pluto[16850]: | alg_info_parse_str() ealg_buf=aes aalg_buf=md5eklen=256 aklen=0
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c4798, "OAKLEY_AES")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_ppfixi () calling enum_search(0x80c4798, "OAKLEY_AES_CBC")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() ealg_getbyname("aes")=7
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c47a8, "OAKLEY_MD5")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() aalg_getbyname("md5")=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c47d8, "OAKLEY_GROUP_MODP1536")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() modp_getbyname("modp1536")=5
2012:12:30-14:34:21 astaro-1 pluto[16850]: | __alg_info_ike_add() ealg=7 aalg=1 modp_id=5, cnt=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | ike string values: 7_256-1-5,
2012:12:30-14:34:21 astaro-1 pluto[16850]: | alg_info_addref() alg_info->ref_cnt=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | alg_info_addref() alg_info->ref_cnt=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: added connection description "S_Site_to_Site_Branch-1_Test"
2012:12:30-14:34:21 astaro-1 pluto[16850]: | alg_info_parse_str() ealg_buf=aes aalg_buf=md5eklen=256 aklen=0
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c4564, "ESP_AES")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() ealg_getbyname("aes")=12
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c46f8, "AUTH_ALGORITHM_HMAC_MD5")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() aalg_getbyname("md5")=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | __alg_info_esp_add() ealg=12 aalg=1 cnt=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | esp string values: 12_256-1,
2012:12:30-14:34:21 astaro-1 pluto[16850]: | alg_info_parse_str() ealg_buf=aes aalg_buf=md5eklen=256 aklen=0
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c4798, "OAKLEY_AES")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_ppfixi () calling enum_search(0x80c4798, "OAKLEY_AES_CBC")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() ealg_getbyname("aes")=7
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c47a8, "OAKLEY_MD5")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() aalg_getbyname("md5")=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c47d8, "OAKLEY_GROUP_MODP1536")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() modp_getbyname("modp1536")=5
2012:12:30-14:34:21 astaro-1 pluto[16850]: | __alg_info_ike_add() ealg=7 aalg=1 modp_id=5, cnt=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | ike string values: 7_256-1-5,
2012:12:30-14:34:21 astaro-1 pluto[16850]: | alg_info_addref() alg_info->ref_cnt=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | alg_info_addref() alg_info->ref_cnt=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: added connection description "S_Site_to_Site_Branch-1"
2012:12:30-14:34:21 astaro-1 pluto[16850]: HA System: Pluto is already in Master mode
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 38730765
That log is just talking about the boot process. No hint to info in regard of establishing a connection.

It is always a good idea to have a fallback remote access method, like TeamViewer or direct RDP, in case the VPN does not come up.

Anyway, if you try to initiate traffic from HQ to Branch-1, e.g. by pinging a remote IP, you should see something more in the logs. I'm certain strongSwan supports log levels to provide more detail, but I have no knowledge about that Open Source IPSec VPN software, and any Astaro-specific implementation of it.
0
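Added example, not part of the original thread and not Astaro or strongSwan code: the startup log posted above does record the IKE and ESP proposals each pluto instance loaded (the `ike string values` / `esp string values` lines), which is what to compare between the two peers when checking for the settings mismatch described earlier. The `astaro-1` lines are in the format of the posted log; the `branch-fw` host, its pid, its connection name and its HMAC-SHA1 proposal are constructed assumptions.

```python
import re
from collections import defaultdict

# Numeric IDs as pluto prints them. 7/12 (AES), 1 (MD5) and 5 (MODP1536) are
# decoded in the posted log itself; SHA1=2 and MODP1024=2 are the standard
# IKEv1 numbers, added here only for the constructed peer.
IKE_ENC = {7: "AES_CBC"}
IKE_HASH = {1: "MD5", 2: "SHA1"}
IKE_GROUP = {2: "MODP1024", 5: "MODP1536"}
ESP_ENC = {12: "AES"}
ESP_AUTH = {1: "HMAC_MD5", 2: "HMAC_SHA1"}

LINE = re.compile(r"^\S+ (?P<host>\S+) pluto\[(?P<pid>\d+)\]: (?P<msg>.*)$")
VALUES = re.compile(r"^\| (?P<kind>ike|esp) string values: (?P<props>.*)$")
ADDED = re.compile(r'^added connection description "(?P<conn>[^"]+)"$')

# Constructed sample: first four lines follow the posted log, the last three
# stand in for the branch firewall whose log was not available.
SAMPLE_LOG = """\
2012:12:30-14:34:21 astaro-1 pluto[16850]: | esp string values: 12_256-1,
2012:12:30-14:34:21 astaro-1 pluto[16850]: | ike string values: 7_256-1-5,
2012:12:30-14:34:21 astaro-1 pluto[16850]: | alg_info_addref() alg_info->ref_cnt=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: added connection description "S_Site_to_Site_Branch-1"
2012:12:30-14:40:02 branch-fw pluto[4242]: | esp string values: 12_256-2,
2012:12:30-14:40:02 branch-fw pluto[4242]: | ike string values: 7_256-1-5,
2012:12:30-14:40:02 branch-fw pluto[4242]: added connection description "S_Site_to_Site_HQ"
"""


def _name(table, num):
    return table.get(num, f"unknown({num})")


def decode(kind, props):
    """Turn '7_256-1-5,' (enc_keybits-auth[-dhgroup]) into readable proposals."""
    decoded = []
    for item in (p.strip() for p in props.split(",")):
        if not item:
            continue  # trailing comma in the log line
        m = re.fullmatch(r"(\d+)_(\d+)-(\d+)(?:-(\d+))?", item)
        if not m:
            decoded.append(f"unparsed({item})")
            continue
        enc, bits, auth, group = (int(g) if g else None for g in m.groups())
        if kind == "ike":
            decoded.append(f"{_name(IKE_ENC, enc)}-{bits}/"
                           f"{_name(IKE_HASH, auth)}/{_name(IKE_GROUP, group)}")
        else:
            decoded.append(f"{_name(ESP_ENC, enc)}-{bits}/{_name(ESP_AUTH, auth)}")
    return tuple(decoded)


def parse_proposals(lines):
    """Map (host, connection) -> {'ike': (...), 'esp': (...)}.

    pluto logs the proposal strings first and the connection name afterwards,
    so values are held per (host, pid) until 'added connection description'.
    """
    pending = defaultdict(dict)
    result = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        key = (m["host"], m["pid"])
        values = VALUES.match(m["msg"])
        if values:
            pending[key][values["kind"]] = decode(values["kind"], values["props"])
            continue
        added = ADDED.match(m["msg"])
        if added:
            result[(m["host"], added["conn"])] = pending.pop(key, {})
    return result


def mismatches(local, remote):
    """Phases (ike = Phase 1, esp = Phase 2) with no proposal in common."""
    out = []
    for phase in ("ike", "esp"):
        mine, theirs = local.get(phase, ()), remote.get(phase, ())
        if not set(mine) & set(theirs):
            out.append((phase, mine, theirs))
    return out


if __name__ == "__main__":
    proposals = parse_proposals(SAMPLE_LOG.splitlines())
    hq = proposals[("astaro-1", "S_Site_to_Site_Branch-1")]
    branch = proposals[("branch-fw", "S_Site_to_Site_HQ")]
    for phase, mine, theirs in mismatches(hq, branch):
        print(f"{phase}: HQ offers {mine}, branch offers {theirs}")
```
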
 

Author Comment

by:apollo-13
ID: 38730839
No ping and TeamViewer works unfortunately, today I tried all options. :)
0
 

Author Comment

by:apollo-13
ID: 38730848
Must both sides have the same firmware? Because mine do not. After I updated the firmware on the HQ side, the connection was lost.
0
 

Author Comment

by:apollo-13
ID: 38730992
I got this info:
ERROR: asynchronous network error report on eth1 for message to 212.40.85.14 port 500, complainant 212.40.85.14: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
0
 
LVL 69

Accepted Solution

by:Qlemo
ID: 38731424
Usually a firmware upgrade should not lead to communication issues - but that depends on whether some inconsistencies leading to a vulnerability have been wiped out, or something similar. Bringing both Astaros to the same firmware would be my first approach in this case.

The other stuff doesn't tell anything more.
0
 

Author Comment

by:apollo-13
ID: 38731886
OK thanks, I will try
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 38732328
Thanks for accepting, but strictly seen, it is too early to do that, as the issue is not resolved yet. I'll continue to monitor this thread, and am able to reopen it if needed. Please post back whether the Firmware upgrade worked out for you.
0


Question has a verified solution.
