I am having a real hard time getting a Centos server passing traffic. I can see the phase1, support says they see phase2. Something im missing? Anyone can help out with this? In dashboard I see the 3rd party vpn 'green; however can not pass traffic. Dec 5 10:50:10 Non-Meraki / Client VPN negotiation msg: Port pool depleted Dec 5 10:50:10 Non-Meraki / Client VPN negotiation msg: isakmp_cfg_config.port_pool == NULL Dec 05 10:35:54 172.250.xx.xx logger: <134>1 1512498954.876248811 Warden_Norton events Site-to-site VPN: initiate new phase 1 negotiation: 172.250.xx.xx[500]<=>138.197.xx.xx[500]
Dec 05 10:35:54 172.250.xx.xx logger: <134>1 1512498954.916584505 Warden_Norton events Site-to-site VPN: ISAKMP-SA established 172.250.xx.xx[4500]-138.197.xx.xx[4500] spi:c01173e9csd7ff643aa:c45a9c5dasdsad7e68018a
[root@dns-ca1 ~]# strongswan statusall meraki-vpn
Status of IKE charon daemon (strongSwan 5.5.3, Linux 3.10.0-693.5.2.el7.x86_64, x86_64):
uptime: 11 days, since Nov 24 03:47:52 2017
malloc: sbrk 1622016, mmap 0, used 502864, free 1119152
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp unity
Listening IP addresses:
138.197.xx.xx
Connections:
meraki-vpn: 138.197.xx.xx...172.250.xx.xx IKEv1
meraki-vpn: local: [138.197.xx.xx] uses pre-shared key authentication
meraki-vpn: remote: [172.250.xx.xx] uses pre-shared key authentication
meraki-vpn: child: 10.99.10.0/24 === 192.168.88.0/24 10.255.255.0/24 192.168.89.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
meraki-vpn[1]: ESTABLISHED 47 seconds ago, 138.197.xx.xx[138.197.xx.xx]...172.250.xx.xx[172.250.xx.xx]
meraki-vpn[1]: IKEv1 SPIs: c01173ejj97hff643aa_i c45a9c5d7e68jhf018a_r*, pre-shared key reauthentication in 7 hours
meraki-vpn[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[root@dns-ca1 ~]#
[root@dns-ca1 ~]# cat /etc/ipsec.conf
config setup
# strictcrlpolicy=yes
# uniqueids = no
conn %default
ikelifetime=28800s
keylife=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
authby=secret
conn meraki-vpn
aggressive=no
mobike=yes
left=138.197.xx.xx
leftsubnet=10.99.10.0/24
leftid=138.197.xx.xx
leftfirewall=yes
leftsourceip=10.99.10.2
right=172.250.xx.xx
rightsubnet=192.168.88.0/24,10.255.255.0/24,192.168.89.0/24
# rightsubnet=192.168.88.0/24
rightid=172.250.xx.xx
auto=add
type=tunnel
ike=3des-md5-modp1024,3des-sha1-modp1024!
esp=3des-md5,3des-sha1
[root@dns-ca1 ~]#
[root@dns-ca1 ~]# ip -s xfrm policy
src 10.99.10.0/24 dst 192.168.88.0/24 uid 0
dir out action allow index 65 priority 375423 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-12-05 18:50:10 use -
tmpl src 138.197.xx.xx dst 172.250.xx.xx
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.88.0/24 dst 10.99.10.0/24 uid 0
dir fwd action allow index 82 priority 375423 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-12-05 18:50:10 use -
tmpl src 172.250.xx.xx dst 138.197.xx.xx
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.88.0/24 dst 10.99.10.0/24 uid 0
dir in action allow index 72 priority 375423 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-12-05 18:50:10 use -
tmpl src 172.250.xx.xx dst 138.197.xx.xx
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
... View more