<div>Hi All,</div>
<div> </div>
<div>We would like to know if configuring an any-any protect policy with IKEv1 is a valid case. IKEv2 tunnels are established with the same configuration. We use strongSwan 4.4.1. The configuration is as follows:</div>
<div> </div>
<pre>conn conn65535
    type=tunnel
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    left=10.46.155.153
    right=10.44.34.130
    keyexchange=ikev1
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    ikelifetime=83069s
    esp=aes128-sha1,3des-sha1!
    authby=pubkey
    rightid=%any
    keylife=86400s
    dpdaction=restart
    dpddelay=10
    dpdtimeout=120
    rekeyfuzz=50%
    rekeymargin=180s</pre>
<div> </div>
<div>This gives us an error like this:</div>
<div> </div>
<div>"conn65535" #1: ISAKMP SA established<br>"conn65535" #4: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+UP {using isakmp#1}<br>"conn65535" #4: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME<br>
"conn65535" #4: ERROR: netlink XFRM_MSG_NEWPOLICY response for flow <a href="mailto:tun.0@10.44.34.130">tun.0@10.44.34.130</a> included errno 17: File exists<br>"conn65535" #4: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME<br>
"conn65535" #4: ERROR: netlink response for Add SA <a href="mailto:esp.d798a9b8@10.46.155.153">esp.d798a9b8@10.46.155.153</a> included errno 3: No such process<br>"conn65535" #3: ERROR: netlink XFRM_MSG_NEWPOLICY response for flow <a href="mailto:tun.0@10.44.34.130">tun.0@10.44.34.130</a> included errno 17: File exists<br>
"conn65535" #3: ERROR: netlink response for Del SA <a href="mailto:esp.bb700eae@10.46.155.153">esp.bb700eae@10.46.155.153</a> included errno 3: No such process<br>"conn65535" #4: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME<br>
"conn65535" #4: ERROR: netlink response for Add SA <a href="mailto:esp.d798a9b8@10.46.155.153">esp.d798a9b8@10.46.155.153</a> included errno 3: No such process<br>"conn65535" #3: ERROR: netlink XFRM_MSG_NEWPOLICY response for flow <a href="mailto:tun.0@10.44.34.130">tun.0@10.44.34.130</a> included errno 17: File exists<br>
"conn65535" #3: ERROR: netlink response for Del SA <a href="mailto:esp.bb700eae@10.46.155.153">esp.bb700eae@10.46.155.153</a> included errno 3: No such process<br>"conn65535" #4: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME<br>
"conn65535" #4: ERROR: netlink response for Add SA <a href="mailto:esp.d798a9b8@10.46.155.153">esp.d798a9b8@10.46.155.153</a> included errno 3: No such process<br>"conn65535" #4: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME<br>
"conn65535" #4: ERROR: netlink response for Add SA <a href="mailto:esp.d798a9b8@10.46.155.153">esp.d798a9b8@10.46.155.153</a> included errno 3: No such process<br>"conn65535" #3: max number of retransmissions (2) reached STATE_QUICK_R1<br>
"conn65535" #3: ERROR: netlink response for Del SA <a href="mailto:esp.bb700eae@10.46.155.153">esp.bb700eae@10.46.155.153</a> included errno 3: No such process<br>"conn65535" #4: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal</div>
<div> </div>
<div>Could you please let us know whether this is a known issue or whether we are missing something in our configuration?</div>
<div> </div>
<div>Thanks and regards</div>
<div>R.K Swetha</div>
<div> </div>
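<div>As an added triage helper (not from the original post and not part of strongSwan), the following Python script pulls the netlink errors out of pluto log lines like the ones above, translates the raw errno values into their symbolic names, and groups them by the kernel object (policy flow or SA) they refer to. The sample log is constructed from a subset of the lines in the post.</div>

```python
import errno
import re
from collections import Counter

# Constructed sample: a subset of the pluto log lines quoted in the post above.
SAMPLE_LOG = """\
"conn65535" #1: ISAKMP SA established
"conn65535" #4: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+UP {using isakmp#1}
"conn65535" #4: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
"conn65535" #4: ERROR: netlink XFRM_MSG_NEWPOLICY response for flow tun.0@10.44.34.130 included errno 17: File exists
"conn65535" #4: ERROR: netlink response for Add SA esp.d798a9b8@10.46.155.153 included errno 3: No such process
"conn65535" #3: ERROR: netlink XFRM_MSG_NEWPOLICY response for flow tun.0@10.44.34.130 included errno 17: File exists
"conn65535" #3: ERROR: netlink response for Del SA esp.bb700eae@10.46.155.153 included errno 3: No such process
"conn65535" #3: max number of retransmissions (2) reached STATE_QUICK_R1
"conn65535" #4: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# pluto prefixes every line with the connection name and state object number.
LINE_RE = re.compile(r'^"(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
# Kernel-interface failures name the operation, the object (something@address) and the errno.
NETLINK_RE = re.compile(
    r"ERROR: netlink (?P<op>.+?) (?P<target>\S+@\S+) included errno (?P<errno>\d+): (?P<text>.*)")


def parse_pluto_netlink_errors(log_text):
    """Return one dict per netlink error line: connection, state number, operation, target, errno."""
    errors = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        n = NETLINK_RE.search(m.group("msg"))
        if not n:
            continue
        errors.append({"conn": m.group("conn"), "state": int(m.group("state")),
                       "op": n.group("op"), "target": n.group("target"),
                       "errno": int(n.group("errno"))})
    return errors


def errors_by_target(errors):
    """Map each kernel object to the symbolic errno names seen on it, in log order."""
    by_target = {}
    for e in errors:
        name = errno.errorcode.get(e["errno"], str(e["errno"]))
        by_target.setdefault(e["target"], []).append(name)
    return by_target


def errors_by_state(errors):
    """Count (state number, errno) pairs so repeated failures of one Quick Mode exchange stand out."""
    return Counter((e["state"], e["errno"]) for e in errors)


if __name__ == "__main__":
    found = parse_pluto_netlink_errors(SAMPLE_LOG)
    print(errors_by_target(found))
    print(errors_by_state(found))
```

<div>Pointing it at a full pluto log shows which state object keeps hitting EEXIST when it installs the 0.0.0.0/0 policy and which SPIs then fail with ESRCH, which is the first thing to check before comparing the IKEv1 and IKEv2 behaviour.</div>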