IPSEC is stuck on established and won't go to installed

Hi,

We have a RUT956 running RUT9M_R_00.07.06.10 and copied the IPsec configuration from a RUT955 running 06.09.5. However, IPsec is stuck on established and won’t go to established and installed. In the logs we keep seeing retransmits.

192.22.220.129 is the RUT956 LAN interface, 192.22.3.142 is the RUT956 WAN interface and 192.22.255.30 is the remote endpoint.

Mon May 27 16:25:40 2024 daemon.info ipsec: 09[KNL] creating delete job for CHILD_SA ESP/0xc63e9fb8/192.22.3.142
Mon May 27 16:25:40 2024 daemon.info ipsec: 09[JOB] CHILD_SA ESP/0xc63e9fb8/192.22.3.142 not found for delete
Mon May 27 16:25:41 2024 daemon.info ipsec: 06[IKE] <DEMO_c|8> giving up after 3 retransmits
Mon May 27 16:25:41 2024 daemon.info ipsec: 06[IKE] <DEMO_c|8> initiating Aggressive Mode IKE_SA DEMO_c[9] to 192.22.255.30
Mon May 27 16:25:41 2024 daemon.info ipsec: 06[ENC] <DEMO_c|8> generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
Mon May 27 16:25:41 2024 daemon.info ipsec: 06[NET] <DEMO_c|8> sending packet: from 192.22.3.142[500] to 192.22.255.30[500] (391 bytes)
Mon May 27 16:25:41 2024 daemon.info ipsec: 13[NET] <DEMO_c|9> received packet: from 192.22.255.30[500] to 192.22.3.142[500] (376 bytes)
Mon May 27 16:25:41 2024 daemon.info ipsec: 13[ENC] <DEMO_c|9> parsed AGGRESSIVE response 0 [ SA KE No ID HASH V NAT-D NAT-D V V V V ]
Mon May 27 16:25:41 2024 daemon.info ipsec: 13[IKE] <DEMO_c|9> received NAT-T (RFC 3947) vendor ID
Mon May 27 16:25:41 2024 daemon.info ipsec: 13[IKE] <DEMO_c|9> received DPD vendor ID
Mon May 27 16:25:41 2024 daemon.info ipsec: 13[ENC] <DEMO_c|9> received unknown vendor ID: 82:99:03:17:57:a3:60:82:c6:a6:21:de:00:00:00:00
Mon May 27 16:25:41 2024 daemon.info ipsec: 13[IKE] <DEMO_c|9> received FRAGMENTATION vendor ID
Mon May 27 16:25:41 2024 daemon.info ipsec: 13[IKE] <DEMO_c|9> received FRAGMENTATION vendor ID
Mon May 27 16:25:41 2024 daemon.info ipsec: 13[CFG] <DEMO_c|9> selected proposal: IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_768
Mon May 27 16:25:41 2024 daemon.info ipsec: 13[IKE] <DEMO_c|9> IKE_SA DEMO_c[9] established between 192.22.3.142[mobile00]…192.22.255.30[192.22.255.30]
Mon May 27 16:25:41 2024 daemon.info ipsec: 13[IKE] <DEMO_c|9> scheduling reauthentication in 28067s
Mon May 27 16:25:41 2024 daemon.info ipsec: 13[IKE] <DEMO_c|9> maximum IKE_SA lifetime 28607s
Mon May 27 16:25:41 2024 daemon.info ipsec: 13[ENC] <DEMO_c|9> generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
Mon May 27 16:25:41 2024 daemon.info ipsec: 13[NET] <DEMO_c|9> sending packet: from 192.22.3.142[500] to 192.22.255.30[500] (92 bytes)
Mon May 27 16:25:41 2024 daemon.info ipsec: 13[ENC] <DEMO_c|9> generating QUICK_MODE request 1936924879 [ HASH SA No ID ID ]
Mon May 27 16:25:41 2024 daemon.info ipsec: 13[NET] <DEMO_c|9> sending packet: from 192.22.3.142[500] to 192.22.255.30[500] (220 bytes)
Mon May 27 16:25:45 2024 daemon.info ipsec: 16[IKE] <DEMO_c|9> sending retransmit 1 of request message ID 1936924879, seq 3
Mon May 27 16:25:45 2024 daemon.info ipsec: 16[NET] <DEMO_c|9> sending packet: from 192.22.3.142[500] to 192.22.255.30[500] (220 bytes)
Mon May 27 16:25:52 2024 daemon.info ipsec: 05[IKE] <DEMO_c|9> sending retransmit 2 of request message ID 1936924879, seq 3
Mon May 27 16:25:52 2024 daemon.info ipsec: 05[NET] <DEMO_c|9> sending packet: from 192.22.3.142[500] to 192.22.255.30[500] (220 bytes)

root@device:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.6, Linux 5.4.259, mips):
uptime: 15 minutes, since May 27 16:19:30 2024
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 32
loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp pem openssl pkcs8 xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic
Listening IP addresses:
192.22.220.129 (LAN)
fdf7:fbd0:a929::1
192.22.3.142 (MAIN WAN)
192.168.20.40 (4G BACKUP)
Connections:
passth_DEMO_c_lan: %any…%any IKEv1/2
passth_DEMO_c_lan: local: uses public key authentication
passth_DEMO_c_lan: remote: uses public key authentication
passth_DEMO_c_lan: child: 192.22.220.128/29 === 192.22.220.128/29 PASS
DEMO_c: %any…192.22.255.30 IKEv1 Aggressive, dpddelay=30s
DEMO_c: local: [mobile00] uses pre-shared key authentication
DEMO_c: remote: [192.22.255.30] uses pre-shared key authentication
DEMO_c: child: 192.22.220.128/29 === 192.16.0.0/16 TUNNEL, dpdaction=start
Shunted Connections:
passth_DEMO_c_lan: 192.22.220.128/29 === 192.22.220.128/29 PASS
Security Associations (1 up, 0 connecting):
DEMO_c[18]: ESTABLISHED 22 seconds ago, 192.22.3.142[mobile00]…192.22.255.30[192.22.255.30]
DEMO_c[18]: IKEv1 SPIs: 8a91b85d4c3cf88c_i* fb5e58d170171b59_r, pre-shared key reauthentication in 7 hours
DEMO_c[18]: IKE proposal: DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_768
DEMO_c[18]: Tasks active: QUICK_MODE

I have checked our firewall settings on the RUT956 and currently set everything to ACCEPT. What else can we check to determine what is going wrong? On the Fortigate the IPsec is set up exactly the same as the other VPN.

Kind regards,
Tom

Hello,

Could you please upgrade your device to the latest RUT9M_R_00.07.07.1 firmware version? You can download it from this link: RUT956 Firmware Downloads. After upgrading, please check if the issue persists. Thank you!

Best Regards,

Hi Marija,

We prefer not to use the latest FW, as we’ve had issues in the past with the latest FW. We try to stick to the mass production FW as much as possible.

I will update to 7.7.1 and get back to you.

Tom

I understand you. I just wanted to let you know that new firmware versions often include improvements and issue fixes.
I’ll wait for an update from you.

Best Regards,

Hi Marija,

Unfortunately, no success. Phase 1 is OK, but Phase 2 fails.
This is the output from the Fortigate. It seems as if there is an issue with the phase2?

2024-05-28 10:43:12.641683 ike 0:VPN_CAM00_INT_0:107215:709486: responder received first quick-mode message
2024-05-28 10:43:12.641696 ike 0:VPN_CAM00_INT_0:107215: dec B09DC982A18B102DFF0C1A3A227985700810200134DDE411000000EC0100001872ACCB641B504804C1C60CED7F015C431C987F690A00006800000001000000010000005C01030403CA73F7930300001C010C000080060080800500028004000180010001800238400300001C020C00008006008080050005800400018001000180023840000000180314000080060080800400018001000180023840050000242EC363A31E6B47D2FC2128DB8133FF12A76F1567A5C708505F967D02569260C00500001004000000AC16DC80FFFFFFF80000001004000000AC100000FFFF0000000000000000000000000000
2024-05-28 10:43:12.641717 ike 0:VPN_CAM00_INT_0:107215:709486: peer proposal is: peer:0:192.22.220.128-192.22.220.135:0, me:0:192.16.0.0-192.16.255.255:0
2024-05-28 10:43:12.641721 ike 0:VPN_CAM00_INT_0:107215:VPN_CAM00_INT:709486: trying
2024-05-28 10:43:12.641724 ike 0:VPN_CAM00_INT_0:107215:709486: no matching phase2 found
2024-05-28 10:43:12.641728 ike 0:VPN_CAM00_INT_0:107215:709486: failed to get responder proposal
2024-05-28 10:43:12.641749 ike 0:VPN_CAM00_INT_0:107215: error processing quick-mode message from 192.22.3.142 as responder
2024-05-28 10:43:18.549628 ike shrank heap by 159744 bytes
2024-05-28 10:43:19.835375 ike 0: comes 192.22.3.142:500->192.22.255.30:500,ifindex=31…
2024-05-28 10:43:19.835397 ike 0: IKEv1 exchange=Quick id=b09dc982a18b102d/ff0c1a3a22798570:34dde411 len=236

root@device:/etc# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.6, Linux 5.15.149, mips):
uptime: 29 minutes, since May 28 10:49:50 2024
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 78
loaded plugins: charon aes des sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp pem openssl pkcs8 xcbc hmac kernel-netlink socket-default stroke vici updown eap-identity eap-mschapv2 xauth-generic
Listening IP addresses:
192.22.220.129
fdf7:fbd0:a929::1
192.22.3.142
Connections:
passth_DEMO_c_lan: %any…%any IKEv1/2
passth_DEMO_c_lan: local: uses public key authentication
passth_DEMO_c_lan: remote: uses public key authentication
passth_DEMO_c_lan: child: 192.22.220.128/29 === 192.22.220.128/29 PASS
DEMO-DEMO_c: %any…192.22.255.30 IKEv1 Aggressive, dpddelay=30s
DEMO-DEMO_c: local: [mobile00] uses pre-shared key authentication
DEMO-DEMO_c: remote: [192.22.255.30] uses pre-shared key authentication
DEMO-DEMO_c: child: 192.22.220.128/29 === 192.16.0.0/16 TUNNEL, dpdaction=start
Shunted Connections:
passth_DEMO_c_lan: 192.22.220.128/29 === 192.22.220.128/29 PASS
Security Associations (1 up, 0 connecting):
DEMO-DEMO_c[38]: ESTABLISHED 22 seconds ago, 192.22.3.142[mobile00]…192.22.255.30[192.22.255.30]
DEMO-DEMO_c[38]: IKEv1 SPIs: 6f268d25165c43e4_i* 95a7af88825b3663_r, pre-shared key reauthentication in 7 hours
DEMO-DEMO_c[38]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_768
DEMO-DEMO_c[38]: Tasks active: QUICK_MODE

Tom
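The two log excerpts above point at the same thing from both ends: strongSwan retransmits its QUICK_MODE request, and the FortiGate answers "no matching phase2 found" after listing the selectors it was offered. The script below is an added diagnostic example, not code from the thread or from either vendor: it parses constructed copies of those lines, converts the FortiGate address ranges to CIDR, checks them against a hypothetical responder phase2 table (the containment rule is a simplification, not FortiOS's exact matching logic), counts the unanswered retransmits, and flags the weak primitives in the selected IKE proposal.

```python
import ipaddress
import re

# Constructed sample lines, modelled on the strongSwan and FortiGate excerpts in this thread.
STRONGSWAN_LOG = """\
13[CFG] <DEMO_c|9> selected proposal: IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_768
13[ENC] <DEMO_c|9> generating QUICK_MODE request 1936924879 [ HASH SA No ID ID ]
16[IKE] <DEMO_c|9> sending retransmit 1 of request message ID 1936924879, seq 3
05[IKE] <DEMO_c|9> sending retransmit 2 of request message ID 1936924879, seq 3
"""
FORTIGATE_LINE = ("ike 0:VPN_CAM00_INT_0:107215:709486: peer proposal is: "
                  "peer:0:192.22.220.128-192.22.220.135:0, me:0:192.16.0.0-192.16.255.255:0")

# Hypothetical phase2 selectors on the responder: name -> (local subnet, remote subnet).
CONFIGURED_PHASE2 = {"VPN_CAM00_INT": ("192.16.0.0/16", "192.22.220.0/29")}

# Primitives a reviewer would flag in an IKE proposal (deprecated cipher, hash or DH group).
WEAK_ALGS = {"DES_CBC", "3DES_CBC", "HMAC_MD5_96", "PRF_HMAC_MD5", "MODP_768", "MODP_1024"}

def range_to_cidrs(first, last):
    """Collapse an inclusive address range into CIDR blocks."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]

def parse_peer_proposal(line):
    """Return (peer_cidrs, me_cidrs) from a FortiGate 'peer proposal is' line."""
    m = re.search(r"peer:\d+:([\d.]+)-([\d.]+):\d+, me:\d+:([\d.]+)-([\d.]+):\d+", line)
    if not m:
        return None
    return range_to_cidrs(m[1], m[2]), range_to_cidrs(m[3], m[4])

def find_phase2(peer_cidrs, me_cidrs, configured):
    """Name of the first phase2 whose selectors cover the proposal, else None.
    Simplification: every proposed selector must be a subnet of the configured pair."""
    for name, (local, remote) in configured.items():
        local_net, remote_net = ipaddress.ip_network(local), ipaddress.ip_network(remote)
        if all(ipaddress.ip_network(c).subnet_of(remote_net) for c in peer_cidrs) and \
           all(ipaddress.ip_network(c).subnet_of(local_net) for c in me_cidrs):
            return name
    return None

def quick_mode_retransmits(log):
    """Highest retransmit number seen per unanswered Quick Mode message ID."""
    counts = {}
    for m in re.finditer(r"sending retransmit (\d+) of request message ID (\d+)", log):
        counts[m[2]] = max(counts.get(m[2], 0), int(m[1]))
    return counts

def weak_proposal_parts(log):
    """List the weak primitives in the 'selected proposal' line, if any."""
    m = re.search(r"selected proposal: IKE:(\S+)", log)
    return [p for p in m[1].split("/") if p in WEAK_ALGS] if m else []

if __name__ == "__main__":
    peer, me = parse_peer_proposal(FORTIGATE_LINE)
    print("proposal", peer, "<->", me, "matches phase2:", find_phase2(peer, me, CONFIGURED_PHASE2))
    print("unanswered quick-mode retransmits:", quick_mode_retransmits(STRONGSWAN_LOG))
    print("weak IKE primitives:", weak_proposal_parts(STRONGSWAN_LOG))
```

With the constructed table the proposal matches nothing, which is the responder-side view of the retransmit loop; replacing the remote selector with the /29 the initiator actually proposes makes the lookup succeed.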
