Solved

ASTARO Hardware Firewall SITE-TO-SITE VPN

Posted on 2012-12-29
11
1 solution
1,263 Views
Last Modified: 2012-12-31
I have 2 cites and both sides has astaro hardware firewall v7.
Bothsides:
firware version:7.512
AES-256
 RSA key

I configured on the astaro city one(HQ)site-to-site VPN and the other City(our branch-1) too. They nearly one year worked witout Problem But sudennly something happend and stop connection between HQ and OUR BRANCH-1. 2 weeks ago both sites started sometimes lose connections .NOW NO MORE CONNECTIONS ANY MORE.

when lose connections then i look HQ astaro admin page->site-to-site VPN
site-to-site VPN our_Branch-1the status RED.
no connectionBut IPSec section is Green.
IPsec green
any idea please?
Thanks
0
Comment
Question by:apollo-13
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Join The Community
  • 7
  • 4
11 Comments
 

Author Comment

by:apollo-13
ID: 38730344
I am not sure that Log message can give idea?

2012:12:21-20:48:26 pluto[6124]: "S_REF_mXgVgYJEgW_0"[2] 210.185.50.150#85: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0xa2911282) not found (maybe expired)
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 38730714
Ah, da is' ja der Apollo wieder ...

Looks like something in Phase 2 goes wrong. The SA Delete notif might come some time after the tunnel started negotiation - then the lifetimes are not the same on each side. If it comes shortly after initiation of the connection, one or more of the encryption/hash/DH settings, or Proxy IDs, are different.
If you do not have more in your logs, you should watch if the tunnel is up for more than one or two minutes after you re-initiate it. And you should have the log of the other site, of course.
By all means you should try to increase the log level, to get anything useful for troubleshooting. Usually you have to watch both sites to get a picture.
0
 

Author Comment

by:apollo-13
ID: 38730717
Hi Qlemo
thanks for answer.
0
Create the perfect environment for any meeting

You might have a modern environment with all sorts of high-tech equipment, but what makes it worthwhile is how you seamlessly bring together the presentation with audio, video and lighting. The ATEN Control System provides integrated control and system automation.

Learn More
 

Author Comment

by:apollo-13
ID: 38730749
unfortunalitly i cant connect to see logs on the other side. Actually this connection lost problem happend after up2date firmware updated.
Here is the LIVE LOGS :
Live-Protokoll: IPSec-VPN
2012:12:30-13:16:04 astaro-2 pluto[851]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-13:16:04 astaro-2 pluto[851]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-13:56:02 astaro-1 pluto[9488]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-13:56:02 astaro-1 pluto[9488]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-14:11:05 astaro-2 pluto[851]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-14:11:06 astaro-2 pluto[851]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-14:32:56 astaro-1 pluto[9488]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-14:32:56 astaro-1 pluto[9488]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-14:33:04 astaro-1 pluto[9488]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-14:33:04 astaro-1 pluto[9488]: | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16
2012:12:30-14:33:55 astaro-2 pluto[851]: "S_Site_to_Site_Branch-1": deleting connection
2012:12:30-14:33:55 astaro-2 pluto[851]: | alg_info_delref() alg_info->ref_cnt=0
2012:12:30-14:33:55 astaro-2 pluto[851]: | alg_info_delref() freeing alg_info
2012:12:30-14:33:55 astaro-2 pluto[851]: | alg_info_delref() alg_info->ref_cnt=0
2012:12:30-14:33:55 astaro-2 pluto[851]: | alg_info_delref() freeing alg_info
2012:12:30-14:33:55 astaro-2 pluto[851]: forgetting secrets
2012:12:30-14:33:55 astaro-2 pluto[851]: loading secrets from "/etc/ipsec.secrets"
2012:12:30-14:33:55 astaro-2 pluto[851]: Changing to directory '/etc/ipsec.d/cacerts'
2012:12:30-14:33:55 astaro-2 pluto[851]: loaded CA cert file 'VPN Signing CA.pem' (2938 bytes)
2012:12:30-14:33:55 astaro-2 pluto[851]: loaded CA cert file 'VPN Signing CA (Thu Feb 5 14:14:06 2009).pem' (3079 bytes)
2012:12:30-14:33:55 astaro-2 pluto[851]: Changing to directory '/etc/ipsec.d/aacerts'
2012:12:30-14:33:55 astaro-2 pluto[851]: Changing to directory '/etc/ipsec.d/ocspcerts'
2012:12:30-14:33:55 astaro-2 pluto[851]: Changing to directory '/etc/ipsec.d/crls'
2012:12:30-14:33:56 astaro-1 pluto[9488]: shutting down
2012:12:30-14:33:56 astaro-1 pluto[9488]: forgetting secrets
2012:12:30-14:33:56 astaro-1 pluto[9488]: "S_Site_to_Site_Branch-1": deleting connection
2012:12:30-14:33:56 astaro-1 pluto[9488]: | alg_info_delref() alg_info->ref_cnt=0
2012:12:30-14:33:56 astaro-1 pluto[9488]: | alg_info_delref() freeing alg_info
2012:12:30-14:33:56 astaro-1 pluto[9488]: | alg_info_delref() alg_info->ref_cnt=0
2012:12:30-14:33:56 astaro-1 pluto[9488]: | alg_info_delref() freeing alg_info
2012:12:30-14:33:56 astaro-1 pluto[9488]: "S_Site_to_Site_Branch-1_Test": deleting connection
2012:12:30-14:33:56 astaro-1 pluto[9488]: | alg_info_delref() alg_info->ref_cnt=0
2012:12:30-14:33:56 astaro-1 pluto[9488]: | alg_info_delref() freeing alg_info
2012:12:30-14:33:56 astaro-1 pluto[9488]: | alg_info_delref() alg_info->ref_cnt=0
2012:12:30-14:33:56 astaro-1 pluto[9488]: | alg_info_delref() freeing alg_info
2012:12:30-14:33:56 astaro-1 pluto[9488]: shutting down interface ipsec0/eth1 61.150.145.70
2012:12:30-14:33:56 astaro-1 pluto[9488]: shutting down interface ipsec0/eth1 61.150.145.70
2012:12:30-14:33:58 astaro-2 pluto[851]: shutting down
2012:12:30-14:33:58 astaro-2 pluto[851]: forgetting secrets
2012:12:30-14:33:58 astaro-2 pluto[851]: "S_Site_to_Site_Branch-1_Test": deleting connection
2012:12:30-14:33:58 astaro-2 pluto[851]: | alg_info_delref() alg_info->ref_cnt=0
2012:12:30-14:33:58 astaro-2 pluto[851]: | alg_info_delref() freeing alg_info
2012:12:30-14:33:58 astaro-2 pluto[851]: | alg_info_delref() alg_info->ref_cnt=0
2012:12:30-14:33:58 astaro-2 pluto[851]: | alg_info_delref() freeing alg_info
2012:12:30-14:33:58 astaro-2 pluto[851]: shutting down interface ipsec0/eth1 61.150.145.70
2012:12:30-14:33:58 astaro-2 pluto[851]: shutting down interface ipsec0/eth1 61.150.145.70
2012:12:30-14:34:14 astaro-1 ipsec_starter[16733]: Starting strongSwan 4.2.3 IPsec [starter]...
2012:12:30-14:34:14 astaro-1 ipsec_starter[16744]: IP address or index of physical interface changed -> reinit of ipsec interface
2012:12:30-14:34:15 astaro-2 ipsec_starter[7456]: Starting strongSwan 4.2.3 IPsec [starter]...
2012:12:30-14:34:15 astaro-2 ipsec_starter[7467]: IP address or index of physical interface changed -> reinit of ipsec interface
2012:12:30-14:34:16 astaro-1 ipsec_starter[16744]: pluto too long to start... - kill kill
2012:12:30-14:34:16 astaro-1 ipsec_starter[16744]: pluto has died -- restart scheduled (5sec)
2012:12:30-14:34:16 astaro-2 pluto[7484]: Starting Pluto (strongSwan Version 4.2.3 THREADS LIBLDAP VENDORID CISCO_QUIRKS)
2012:12:30-14:34:16 astaro-2 pluto[7484]: including NAT-Traversal patch (Version 0.6c)
2012:12:30-14:34:16 astaro-2 pluto[7484]: ike_alg: Activating OAKLEY_AES_CBC encryption: Ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: ike_alg: Activating OAKLEY_BLOWFISH_CBC encryption: Ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: ike_alg: Activating OAKLEY_SERPENT_CBC encryption: Ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: ike_alg: Activating OAKLEY_SHA2_256 hash: Ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: ike_alg: Activating OAKLEY_SHA2_384 hash: Ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: ike_alg: Activating OAKLEY_SHA2_512 hash: Ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: ike_alg: Activating OAKLEY_TWOFISH_CBC encryption: Ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: ike_alg: Activating OAKLEY_TWOFISH_CBC_SSH encryption: Ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: Testing registered IKE encryption algorithms:
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_DES_CBC self-test not available
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_BLOWFISH_CBC self-test not available
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_3DES_CBC self-test not available
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_AES_CBC self-test not available
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_SERPENT_CBC self-test not available
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_TWOFISH_CBC self-test not available
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_TWOFISH_CBC_SSH self-test not available
2012:12:30-14:34:16 astaro-2 pluto[7484]: Testing registered IKE hash algorithms:
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 3: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 4: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 5: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 6: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_MD5 hash self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 3: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 4: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 5: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_MD5 hmac self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_SHA hash self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 3: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 4: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 5: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_SHA hmac self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_SHA2_256 hash self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 3: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 4: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 5: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_SHA2_256 hmac self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_SHA2_384 hash self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 3: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 4: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 5: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_SHA2_384 hmac self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hash testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_SHA2_512 hash self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 0: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 1: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 2: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 3: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 4: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: | hmac testvector 5: ok
2012:12:30-14:34:16 astaro-2 pluto[7484]: OAKLEY_SHA2_512 hmac self-test passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: All crypto self-tests passed
2012:12:30-14:34:16 astaro-2 pluto[7484]: Using KLIPS IPsec interface code
2012:12:30-14:34:16 astaro-2 pluto[7484]: HA system enabled and listen on interface eth3
2012:12:30-14:34:16 astaro-2 pluto[7484]: Changing to directory '/etc/ipsec.d/cacerts'
2012:12:30-14:34:16 astaro-2 pluto[7484]: loaded CA cert file 'VPN Signing CA.pem' (2938 bytes)
2012:12:30-14:34:16 astaro-2 pluto[7484]: loaded CA cert file 'VPN Signing CA (Thu Feb 5 14:14:06 2009).pem' (3079 bytes)
2012:12:30-14:34:16 astaro-2 pluto[7484]: Changing to directory '/etc/ipsec.d/aacerts'
2012:12:30-14:34:16 astaro-2 pluto[7484]: Changing to directory '/etc/ipsec.d/ocspcerts'
2012:12:30-14:34:16 astaro-2 pluto[7484]: Changing to directory '/etc/ipsec.d/crls'
2012:12:30-14:34:16 astaro-2 pluto[7484]: HA System active! Switch to Master mode to listen for IKE messages
2012:12:30-14:34:16 astaro-2 pluto[7484]: adding interface ipsec0/eth1 61.150.145.70:500
2012:12:30-14:34:16 astaro-2 pluto[7484]: adding interface ipsec0/eth1 61.150.145.70:4500
2012:12:30-14:34:16 astaro-2 pluto[7484]: loading secrets from "/etc/ipsec.secrets"
2012:12:30-14:34:16 astaro-2 pluto[7484]: | alg_info_parse_str() ealg_buf=aes aalg_buf=md5eklen=256 aklen=0
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c4564, "ESP_AES")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() ealg_getbyname("aes")=12
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c46f8, "AUTH_ALGORITHM_HMAC_MD5")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() aalg_getbyname("md5")=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | __alg_info_esp_add() ealg=12 aalg=1 cnt=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | esp string values: 12_256-1,
2012:12:30-14:34:16 astaro-2 pluto[7484]: | alg_info_parse_str() ealg_buf=aes aalg_buf=md5eklen=256 aklen=0
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c4798, "OAKLEY_AES")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_ppfixi () calling enum_search(0x80c4798, "OAKLEY_AES_CBC")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() ealg_getbyname("aes")=7
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c47a8, "OAKLEY_MD5")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() aalg_getbyname("md5")=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c47d8, "OAKLEY_GROUP_MODP1536")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() modp_getbyname("modp1536")=5
2012:12:30-14:34:16 astaro-2 pluto[7484]: | __alg_info_ike_add() ealg=7 aalg=1 modp_id=5, cnt=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | ike string values: 7_256-1-5,
2012:12:30-14:34:16 astaro-2 pluto[7484]: | alg_info_addref() alg_info->ref_cnt=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | alg_info_addref() alg_info->ref_cnt=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: added connection description "S_Site_to_Site_Branch-1_Test"
2012:12:30-14:34:16 astaro-2 pluto[7484]: | alg_info_parse_str() ealg_buf=aes aalg_buf=md5eklen=256 aklen=0
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c4564, "ESP_AES")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() ealg_getbyname("aes")=12
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c46f8, "AUTH_ALGORITHM_HMAC_MD5")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() aalg_getbyname("md5")=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | __alg_info_esp_add() ealg=12 aalg=1 cnt=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | esp string values: 12_256-1,
2012:12:30-14:34:16 astaro-2 pluto[7484]: | alg_info_parse_str() ealg_buf=aes aalg_buf=md5eklen=256 aklen=0
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c4798, "OAKLEY_AES")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_ppfixi () calling enum_search(0x80c4798, "OAKLEY_AES_CBC")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() ealg_getbyname("aes")=7
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c47a8, "OAKLEY_MD5")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() aalg_getbyname("md5")=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | enum_search_prefix () calling enum_search(0x80c47d8, "OAKLEY_GROUP_MODP1536")
2012:12:30-14:34:16 astaro-2 pluto[7484]: | parser_alg_info_add() modp_getbyname("modp1536")=5
2012:12:30-14:34:16 astaro-2 pluto[7484]: | __alg_info_ike_add() ealg=7 aalg=1 modp_id=5, cnt=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | ike string values: 7_256-1-5,
2012:12:30-14:34:16 astaro-2 pluto[7484]: | alg_info_addref() alg_info->ref_cnt=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: | alg_info_addref() alg_info->ref_cnt=1
2012:12:30-14:34:16 astaro-2 pluto[7484]: added connection description "S_Site_to_Site_Branch-1"
2012:12:30-14:34:16 astaro-2 pluto[7484]: Pluto is now Slave
2012:12:30-14:34:21 astaro-1 pluto[16850]: Starting Pluto (strongSwan Version 4.2.3 THREADS LIBLDAP VENDORID CISCO_QUIRKS)
2012:12:30-14:34:21 astaro-1 pluto[16850]: including NAT-Traversal patch (Version 0.6c)
2012:12:30-14:34:21 astaro-1 pluto[16850]: ike_alg: Activating OAKLEY_AES_CBC encryption: Ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: ike_alg: Activating OAKLEY_BLOWFISH_CBC encryption: Ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: ike_alg: Activating OAKLEY_SERPENT_CBC encryption: Ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: ike_alg: Activating OAKLEY_SHA2_256 hash: Ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: ike_alg: Activating OAKLEY_SHA2_384 hash: Ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: ike_alg: Activating OAKLEY_SHA2_512 hash: Ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: ike_alg: Activating OAKLEY_TWOFISH_CBC encryption: Ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: ike_alg: Activating OAKLEY_TWOFISH_CBC_SSH encryption: Ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: Testing registered IKE encryption algorithms:
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_DES_CBC self-test not available
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_BLOWFISH_CBC self-test not available
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_3DES_CBC self-test not available
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_AES_CBC self-test not available
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_SERPENT_CBC self-test not available
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_TWOFISH_CBC self-test not available
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_TWOFISH_CBC_SSH self-test not available
2012:12:30-14:34:21 astaro-1 pluto[16850]: Testing registered IKE hash algorithms:
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 3: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 4: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 5: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 6: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_MD5 hash self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 3: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 4: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 5: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_MD5 hmac self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_SHA hash self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 3: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 4: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 5: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_SHA hmac self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_SHA2_256 hash self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 3: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 4: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 5: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_SHA2_256 hmac self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_SHA2_384 hash self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 3: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 4: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 5: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_SHA2_384 hmac self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hash testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_SHA2_512 hash self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 0: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 1: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 2: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 3: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 4: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: | hmac testvector 5: ok
2012:12:30-14:34:21 astaro-1 pluto[16850]: OAKLEY_SHA2_512 hmac self-test passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: All crypto self-tests passed
2012:12:30-14:34:21 astaro-1 pluto[16850]: Using KLIPS IPsec interface code
2012:12:30-14:34:21 astaro-1 pluto[16850]: HA system enabled and listen on interface eth3
2012:12:30-14:34:21 astaro-1 pluto[16850]: Initial HA switch to Master mode
2012:12:30-14:34:21 astaro-1 pluto[16850]: Changing to directory '/etc/ipsec.d/cacerts'
2012:12:30-14:34:21 astaro-1 pluto[16850]: loaded CA cert file 'VPN Signing CA.pem' (2938 bytes)
2012:12:30-14:34:21 astaro-1 pluto[16850]: loaded CA cert file 'VPN Signing CA (Thu Feb 5 14:14:06 2009).pem' (3079 bytes)
2012:12:30-14:34:21 astaro-1 pluto[16850]: Changing to directory '/etc/ipsec.d/aacerts'
2012:12:30-14:34:21 astaro-1 pluto[16850]: Changing to directory '/etc/ipsec.d/ocspcerts'
2012:12:30-14:34:21 astaro-1 pluto[16850]: Changing to directory '/etc/ipsec.d/crls'
2012:12:30-14:34:21 astaro-1 pluto[16850]: listening for IKE messages
2012:12:30-14:34:21 astaro-1 pluto[16850]: adding interface ipsec0/eth1 61.150.145.70:500
2012:12:30-14:34:21 astaro-1 pluto[16850]: adding interface ipsec0/eth1 61.150.145.70:4500
2012:12:30-14:34:21 astaro-1 pluto[16850]: loading secrets from "/etc/ipsec.secrets"
2012:12:30-14:34:21 astaro-1 pluto[16850]: | alg_info_parse_str() ealg_buf=aes aalg_buf=md5eklen=256 aklen=0
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c4564, "ESP_AES")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() ealg_getbyname("aes")=12
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c46f8, "AUTH_ALGORITHM_HMAC_MD5")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() aalg_getbyname("md5")=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | __alg_info_esp_add() ealg=12 aalg=1 cnt=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | esp string values: 12_256-1,
2012:12:30-14:34:21 astaro-1 pluto[16850]: | alg_info_parse_str() ealg_buf=aes aalg_buf=md5eklen=256 aklen=0
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c4798, "OAKLEY_AES")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_ppfixi () calling enum_search(0x80c4798, "OAKLEY_AES_CBC")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() ealg_getbyname("aes")=7
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c47a8, "OAKLEY_MD5")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() aalg_getbyname("md5")=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c47d8, "OAKLEY_GROUP_MODP1536")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() modp_getbyname("modp1536")=5
2012:12:30-14:34:21 astaro-1 pluto[16850]: | __alg_info_ike_add() ealg=7 aalg=1 modp_id=5, cnt=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | ike string values: 7_256-1-5,
2012:12:30-14:34:21 astaro-1 pluto[16850]: | alg_info_addref() alg_info->ref_cnt=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | alg_info_addref() alg_info->ref_cnt=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: added connection description "S_Site_to_Site_Branch-1_Test"
2012:12:30-14:34:21 astaro-1 pluto[16850]: | alg_info_parse_str() ealg_buf=aes aalg_buf=md5eklen=256 aklen=0
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c4564, "ESP_AES")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() ealg_getbyname("aes")=12
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c46f8, "AUTH_ALGORITHM_HMAC_MD5")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() aalg_getbyname("md5")=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | __alg_info_esp_add() ealg=12 aalg=1 cnt=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | esp string values: 12_256-1,
2012:12:30-14:34:21 astaro-1 pluto[16850]: | alg_info_parse_str() ealg_buf=aes aalg_buf=md5eklen=256 aklen=0
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c4798, "OAKLEY_AES")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_ppfixi () calling enum_search(0x80c4798, "OAKLEY_AES_CBC")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() ealg_getbyname("aes")=7
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c47a8, "OAKLEY_MD5")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() aalg_getbyname("md5")=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | enum_search_prefix () calling enum_search(0x80c47d8, "OAKLEY_GROUP_MODP1536")
2012:12:30-14:34:21 astaro-1 pluto[16850]: | parser_alg_info_add() modp_getbyname("modp1536")=5
2012:12:30-14:34:21 astaro-1 pluto[16850]: | __alg_info_ike_add() ealg=7 aalg=1 modp_id=5, cnt=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | ike string values: 7_256-1-5,
2012:12:30-14:34:21 astaro-1 pluto[16850]: | alg_info_addref() alg_info->ref_cnt=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: | alg_info_addref() alg_info->ref_cnt=1
2012:12:30-14:34:21 astaro-1 pluto[16850]: added connection description "S_Site_to_Site_Branch-1"
2012:12:30-14:34:21 astaro-1 pluto[16850]: HA System: Pluto is already in Master mode
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 38730765
That log is just talking about the boot process. No hint to info in regard of establishing a connection.

It is always a good idea to have a fallback remote access method, like TeamViewer or direct RDP, in case the VPN does not come up.

Anyway, if you try to initiate traffic from HQ to Branch-1, e.g. by pinging a remote IP, you should see something more in the logs. I'm certain strongSwan supports log levels to provide more detail, but I have no knowledge about that Open Source IPSec VPN software, and any Astaro-specific implementation of it.
0
 

Author Comment

by:apollo-13
ID: 38730839
no ping and Teamwiever works unfortunatily ,today i tried all options. :)
0
 

Author Comment

by:apollo-13
ID: 38730848
Is the both sides must be  the same firmware? Because my is not.After updated firmware on the HQ side then lost connections.
0
 

Author Comment

by:apollo-13
ID: 38730992
i got this info:
ERROR: asynchronous network error report on eth1 for message to 212.40.85.14 port 500, complainant 212.40.85.14: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
0
 
LVL 70

Accepted Solution

by:
Qlemo earned 500 total points
ID: 38731424
Usually a Firmware upgrade should not lead to communication issues - but that depends on whether there have been wiped out some inconsistencies leading to vulnerability, or something similar. Making both Astaro having the same Firmware would be my first approach in this case.

The other stuff doesn't tell anything more.
0
 

Author Comment

by:apollo-13
ID: 38731886
ok thanks ,i will try
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 38732328
Thanks for accepting, but strictly seen, it is too early to do that, as the issue is not resolved yet. I'll continue to monitor this thread, and am able to reopen it if needed. Please post back whether the Firmware upgrade worked out for you.
0

Featured Post

Major Incident Management Communications

Major incidents and IT service outages cost companies millions. Often the solution to minimizing damage is automated communication. Find out more in our Major Incident Management Communications infographic.

VIEW NOW
Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Cisco IOS: Case Study regarding the difference between static route using next-hop IP and using outgoing interface
Article by: ffleisma
There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
How To Establish a Dial Out IPSec VPN from a Draytek Vigor Router to a Cyberoam UTM
Article by: John
How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
Setup Mikrotik routers with OSPF… Part 2
Video by: Dirk
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
How to dial VPNs quickly in Windows 10
Video by: Rich
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Advertise Here

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Advertise Here