Dashboard 0.8.3_1 IPsec strangeness
-
Does it show up this way even after you restart racoon?
The mobile tunnel detection is still pretty new, but this is the only report I have heard lately that it was displaying incorrectly.
-
I kicked it over; now I'm showing 3/1. That's the two static, the mobile, and the disabled one. So mobile is showing active but down. I guess that's right (it's configured but not connected). I'll see what happens when the mobile client connects again.
-
The mobile tunnel will show inactive until someone connects, and then you'll have one "active" entry per connected client.
-
On my system, overview shows three active tunnels when the mobile client is not configured. Tunnel status shows the mobile client down. I deleted the disabled tunnel that was showing as inactive to simplify things.
-
Got the mobile client connected, now I show five active. That's three for the mobile: one was there, and when the client connected via NAT-T it showed one for the source IP and one for the destination IP with the NAT-T port. All the mobiles still show down under status.
-
There may be some weirdness with parsing your setup… not sure why.
I'd really need to see a sanitized version of the following:
Diagnostics > Command, PHP Execute
print_r($GLOBALS['config']['ipsec']);
Diagnostics > Command, Execute Shell Command:
setkey -D
and
setkey -D -P
-
Ok, here's what I get. Thanks for taking the time to wade through it. I should mention the setup is a CARP cluster, so the tunnels are terminated on the WAN CARP IP.
Array
(
    [preferredoldsa] =>
    [enable] =>
    [mobilekey] => Array
        (
            [0] => Array
                (
                    [ident] => remote.ip.G
                    [pre-shared-key] => pskey-g
                )
            [1] => Array
                (
                    [ident] => remote.ip.D
                    [pre-shared-key] => pskey-d
                )
            [2] => Array
                (
                    [ident] => vpnuser@myvpn.com
                    [pre-shared-key] => mobileuser-psk
                )
        )
    [tunnel] => Array
        (
            [0] => Array
                (
                    [interface] => carp1
                    [local-subnet] => Array
                        (
                            [network] => lan
                        )
                    [remote-subnet] => lan.net.d/16
                    [remote-gateway] => remote.ip.D
                    [p1] => Array
                        (
                            [mode] => aggressive
                            [myident] => Array
                                (
                                    [address] => my.wan.carp.ip
                                )
                            [encryption-algorithm] => rijndael
                            [hash-algorithm] => sha1
                            [dhgroup] => 2
                            [lifetime] => 28800
                            [pre-shared-key] => pskey-d
                            [private-key] =>
                            [cert] =>
                            [peercert] =>
                            [authentication_method] => pre_shared_key
                        )
                    [p2] => Array
                        (
                            [protocol] => esp
                            [encryption-algorithm-option] => Array
                                (
                                    [0] => rijndael
                                )
                            [hash-algorithm-option] => Array
                                (
                                    [0] => hmac_sha1
                                )
                            [pfsgroup] => 2
                            [lifetime] => 28800
                        )
                    [descr] => Tunnel to D
                    [pinghost] => lan.net.d.1
                )
            [1] => Array
                (
                    [interface] => carp1
                    [local-subnet] => Array
                        (
                            [network] => lan
                        )
                    [remote-subnet] => lan.net.g/24
                    [remote-gateway] => remote.ip.G
                    [p1] => Array
                        (
                            [mode] => aggressive
                            [myident] => Array
                                (
                                    [address] => my.wan.carp.ip
                                )
                            [encryption-algorithm] => rijndael
                            [hash-algorithm] => sha1
                            [dhgroup] => 2
                            [lifetime] => 28800
                            [pre-shared-key] => pskey-g
                            [private-key] =>
                            [cert] =>
                            [peercert] =>
                            [authentication_method] => pre_shared_key
                        )
                    [p2] => Array
                        (
                            [protocol] => esp
                            [encryption-algorithm-option] => Array
                                (
                                    [0] => rijndael
                                )
                            [hash-algorithm-option] => Array
                                (
                                    [0] => hmac_sha1
                                    [1] => hmac_md5
                                )
                            [pfsgroup] => 2
                            [lifetime] => 28800
                        )
                    [descr] => Tunnel to G
                    [pinghost] =>
                )
        )
    [preferoldsa] =>
    [mobileclients] => Array
        (
            [enable] =>
            [p1] => Array
                (
                    [mode] => aggressive
                    [myident] => Array
                        (
                            [address] => my.wan.carp.ip
                        )
                    [encryption-algorithm] => rijndael
                    [hash-algorithm] => sha1
                    [dhgroup] => 2
                    [lifetime] => 86400
                    [private-key] =>
                    [cert] =>
                    [authentication_method] => pre_shared_key
                )
            [natt] =>
            [p2] => Array
                (
                    [protocol] => esp
                    [encryption-algorithm-option] => Array
                        (
                            [0] => 3des
                            [1] => rijndael
                        )
                    [hash-algorithm-option] => Array
                        (
                            [0] => hmac_sha1
                            [1] => hmac_md5
                        )
                    [pfsgroup] => 0
                    [lifetime] => 28800
                )
            [dpddelay] => 120
        )
)
setkey -D
Invalid extension type
Invalid extension type
Invalid extension type
Invalid extension type
Invalid extension type
Invalid extension type
setkey -D -P
my.lan.net/24[any] my.lan.fw.ip[any] any
in none
spid=11 seq=7 pid=58166
refcnt=1
lan.net.d/16[any] my.lan.net/24[any] any
in ipsec
esp/tunnel/remote.ip.D-my.wan.carp.ip/unique#16390
spid=14 seq=6 pid=58166
refcnt=1
lan.net.g/24[any] my.lan.net/24[any] any
in ipsec
esp/tunnel/remote.ip.G-my.wan.carp.ip/unique#16392
spid=16 seq=5 pid=58166
refcnt=1
mobile.client.private.ip[any] my.lan.net/24[any] any
in ipsec
esp/tunnel/mobileclient.public.ip-my.wan.carp.ip/require
created: Jun 26 15:32:54 2009 lastused: Jun 26 15:37:36 2009
lifetime: 28800(s) validtime: 0(s)
spid=17 seq=4 pid=58166
refcnt=1
my.lan.fw.ip[any] my.lan.net/24[any] any
out none
spid=12 seq=3 pid=58166
refcnt=1
my.lan.net/24[any] lan.net.d/16[any] any
out ipsec
esp/tunnel/my.wan.carp.ip-remote.ip.D/unique#16389
spid=13 seq=2 pid=58166
refcnt=1
my.lan.net/24[any] lan.net.g/24[any] any
out ipsec
esp/tunnel/my.wan.carp.ip-remote.ip.G/unique#16391
spid=15 seq=1 pid=58166
refcnt=1
my.lan.net/24[any] mobile.client.private.ip[any] any
out ipsec
esp/tunnel/my.wan.carp.ip-mobileclient.public.ip/require
created: Jun 26 15:32:54 2009 lastused: Jun 26 17:25:38 2009
lifetime: 28800(s) validtime: 0(s)
spid=18 seq=0 pid=58166
refcnt=1
-
setkey -D
Invalid extension type
Invalid extension type
Invalid extension type
Invalid extension type
Invalid extension type
Invalid extension type
That worries me. That should be printing a list of all your active SAs.
Do these tunnels show up as 'up' under Status > IPsec?
Seems there may be some other ipsec-tools-related problem on your system.
What version is this running? (Or date/timestamp if it's a snapshot)
-
Just had another thought: if this box was upgraded from 1.2-RELEASE to a more modern version, it may have two versions of setkey.
Try /usr/local/sbin/setkey -D
-
Ah, that would be it. It was upgraded from 1.2. Good catch:
/usr/local/sbin/setkey -D
my.wan.carp.ip[4500] mobileclient.public.ip[30883]
esp-udp mode=any spi=304123313(0x12208db1) reqid=0(0x00000000)
E: aes-cbc a68ee719 c719199a 30aef38d 7524469a
A: hmac-sha1 1bf31131 c2c3e9dc 25888fca 026d9802 ad0856f3
seq=0x0001b1c1 replay=4 flags=0x00000000 state=mature
created: Jun 29 07:33:05 2009 current: Jun 29 09:27:55 2009
diff: 6890(s) hard: 28800(s) soft: 23040(s)
last: Jun 29 09:27:55 2009 hard: 0(s) soft: 0(s)
current: 13942840(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 111041 hard: 0 soft: 0
sadb_seq=6 pid=9564 refcnt=2
mobileclient.public.ip[30883] my.wan.carp.ip[4500]
esp-udp mode=tunnel spi=163139250(0x09b94eb2) reqid=0(0x00000000)
E: aes-cbc 05d6cf01 9fbe5b6a 358cf833 e9da3aad
A: hmac-sha1 feea0912 bd67cfea 6b734dee be610ec2 e973a04c
seq=0x00028d22 replay=4 flags=0x00000000 state=mature
created: Jun 29 07:33:05 2009 current: Jun 29 09:27:55 2009
diff: 6890(s) hard: 28800(s) soft: 23040(s)
last: Jun 29 09:27:55 2009 hard: 0(s) soft: 0(s)
current: 226902514(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 167202 hard: 0 soft: 0
sadb_seq=5 pid=9564 refcnt=1
my.wan.carp.ip remote.ip.D
esp mode=any spi=120936904(0x073559c8) reqid=16389(0x00004005)
E: aes-cbc 6b76fbdb 4a1c6c28 9f396457 655cb910
A: hmac-sha1 81eeab0d 0694980a 07a48cc9 de001298 9f956ad4
seq=0x000013fe replay=4 flags=0x00000000 state=mature
created: Jun 29 07:57:26 2009 current: Jun 29 09:27:55 2009
diff: 5429(s) hard: 28800(s) soft: 23040(s)
last: Jun 29 09:27:50 2009 hard: 0(s) soft: 0(s)
current: 1169424(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 5118 hard: 0 soft: 0
sadb_seq=4 pid=9564 refcnt=2
remote.ip.D my.wan.carp.ip
esp mode=tunnel spi=227089053(0x0d891a9d) reqid=16390(0x00004006)
E: aes-cbc d16c5888 752d83be fb5cda1c 09137340
A: hmac-sha1 4a4edba1 99efb15b e9192b16 40f727f6 7b8142f7
seq=0x00000dc6 replay=4 flags=0x00000000 state=mature
created: Jun 29 07:57:26 2009 current: Jun 29 09:27:55 2009
diff: 5429(s) hard: 28800(s) soft: 23040(s)
last: Jun 29 09:27:50 2009 hard: 0(s) soft: 0(s)
current: 597881(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 3526 hard: 0 soft: 0
sadb_seq=3 pid=9564 refcnt=1
remote.ip.D my.wan.carp.ip
esp mode=tunnel spi=47308714(0x02d1dfaa) reqid=16390(0x00004006)
E: aes-cbc 4d7635cb e77e5ad2 f5a864f0 aaa441e4
A: hmac-sha1 007d7961 1fb4072c 4bece018 850108ab 006c3936
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Jun 29 07:57:25 2009 current: Jun 29 09:27:55 2009
diff: 5430(s) hard: 28800(s) soft: 23040(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=2 pid=9564 refcnt=1
my.wan.carp.ip remote.ip.G
esp mode=any spi=145602196(0x08adb694) reqid=16391(0x00004007)
E: aes-cbc e40282bc 734c5f93 a12b51bb d8b66a96
A: hmac-sha1 6cc652f7 f8679ebb 2b9c6522 57b963d5 60b03b87
seq=0x0007a755 replay=4 flags=0x00000000 state=mature
created: Jun 29 04:43:41 2009 current: Jun 29 09:27:55 2009
diff: 17054(s) hard: 28800(s) soft: 23040(s)
last: Jun 29 09:27:55 2009 hard: 0(s) soft: 0(s)
current: 61248056(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 501589 hard: 0 soft: 0
sadb_seq=1 pid=9564 refcnt=2
remote.ip.G my.wan.carp.ip
esp mode=tunnel spi=257452519(0x0f5869e7) reqid=16392(0x00004008)
E: aes-cbc e61e358e 8999e9c1 61a588ce 26b07a72
A: hmac-sha1 fc2948b5 8c93bc95 9f879e40 6aad17b7 3de2d5a2
seq=0x000c49f2 replay=4 flags=0x00000000 state=mature
created: Jun 29 04:43:41 2009 current: Jun 29 09:27:55 2009
diff: 17054(s) hard: 28800(s) soft: 23040(s)
last: Jun 29 09:27:55 2009 hard: 0(s) soft: 0(s)
current: 1084481374(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 805362 hard: 0 soft: 0
sadb_seq=0 pid=9564 refcnt=1
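The thread's diagnosis rests on reading two things together: the SPD from setkey -D -P (which policies exist) and the SAD from setkey -D (which SAs are actually negotiated and mature). The example below is added here and is not the dashboard widget's own code; it parses constructed samples in the shape of the sanitized output above, strips the NAT-T ports so the mobile client's esp-udp SA matches its policy, skips bypass ("none") policies, and reports per IPsec policy whether a mature SA backs it. It assumes IPv4 literals in the tunnel endpoints and Python 3.8 or newer.

```python
import re
# Constructed sample shaped like the thread's sanitized `setkey -D -P` (SPD) output.
SPD_SAMPLE = """\
my.lan.net/24[any] lan.net.d/16[any] any
    out ipsec
    esp/tunnel/my.wan.carp.ip-remote.ip.D/unique#16389
my.lan.net/24[any] mobile.client.private.ip[any] any
    out ipsec
    esp/tunnel/my.wan.carp.ip-mobileclient.public.ip/require
my.lan.net/24[any] lan.net.g/24[any] any
    out ipsec
    esp/tunnel/my.wan.carp.ip-remote.ip.G/unique#16391
my.lan.fw.ip[any] my.lan.net/24[any] any
    out none
"""
# Constructed `setkey -D` (SAD) sample, header + state line only: NAT-T SA for the mobile client, ESP SA for D.
SAD_SAMPLE = """\
my.wan.carp.ip[4500] mobileclient.public.ip[30883]
    seq=0x0001b1c1 replay=4 flags=0x00000000 state=mature
my.wan.carp.ip remote.ip.D
    seq=0x000013fe replay=4 flags=0x00000000 state=mature
"""
SPD_HEAD = re.compile(r"^(\S+)\[\S+\] (\S+)\[\S+\] \S+$")             # src[port] dst[port] proto
SPD_RULE = re.compile(r"^(in|out|fwd) (ipsec|none|discard)$")
SPD_TUNNEL = re.compile(r"^(?:esp|ah)/tunnel/([^-\s]+)-(\S+?)/\S+$")  # assumes IP literals
SAD_HEAD = re.compile(r"^(\S+?)(?:\[\d+\])? (\S+?)(?:\[\d+\])?$")     # drops NAT-T ports
def parse_spd(text):
    """One dict per SPD entry: selector, direction, action and tunnel endpoints."""
    out, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if m := SPD_HEAD.match(line):
            out.append(cur := {"src": m[1], "dst": m[2], "dir": "", "action": "", "tunnel": None})
        elif cur and (m := SPD_RULE.match(line)):
            cur["dir"], cur["action"] = m[1], m[2]
        elif cur and (m := SPD_TUNNEL.match(line)):
            cur["tunnel"] = (m[1], m[2])
    return out
def parse_sad(text):
    """One dict per SA: endpoints (ports stripped) and state; only mature SAs carry traffic."""
    out, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if "=" not in line and (m := SAD_HEAD.match(line)):
            out.append(cur := {"src": m[1], "dst": m[2], "state": ""})
        elif cur and (m := re.search(r"state=(\w+)", line)):
            cur["state"] = m[1]
    return out
def tunnel_status(spd_text, sad_text):
    mature = {(s["src"], s["dst"]) for s in parse_sad(sad_text) if s["state"] == "mature"}
    return {(p["src"], p["dst"], p["dir"]): p["tunnel"] in mature      # bypass/discard skipped
            for p in parse_spd(spd_text) if p["action"] == "ipsec" and p["tunnel"]}
```

With the samples above, tunnels D and the mobile client report True and tunnel G reports False; the "none" bypass policy for the firewall's own address is not counted as a tunnel at all.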