<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:8pt"><div><span><br></span></div><div class="yahoo_quoted" style="display: block;"> <br><div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 8pt;"><div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12pt;"><div dir="ltr"><font size="2" face="Arial"><br> </font> </div> <div class="y_msg_container"><div id="yiv4056267055"><div><div style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255); font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 8pt;"><div><span>Hi Martin, </span></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande',
sans-serif; background-color: transparent; font-style: normal;"><span><br clear="none"></span></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><span>Thanks so much for the response. </span></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;">The other end runs Openswan (I need to find out where to find the log file). It is not important if
I use IKEv1 or IKEv2 to establish the tunnel. (Which one do you recommend and is easier to troubleshoot?)</div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><span style="background-color:transparent;">Today as a test I tried IKEv2 and I got a different result that you can see below: (it failed, but it is not re-transmitting any more)</span></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><span style="background-color:transparent;">I bet I am missing something here.</span></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent;
font-style: normal;"><br clear="none"></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><span style="background-color:transparent;">I truly appreciate your help on it.</span><br clear="none"></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br clear="none"></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;">Best Regards,</div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style:
normal;">Farid</div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br clear="none"></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;">STRONGSWAN side:</div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br clear="none"></div><div style="background-color:transparent;">root@LMU5k:~# ipsec up 1</div><div style="background-color:transparent;">initiating IKE_SA 1[1] to 216.177.93.234</div><div style="background-color:transparent;">generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]</div><div
style="background-color:transparent;">sending packet: from
10.98.148.242[500] to 216.177.93.234[500] (692 bytes)</div><div style="background-color:transparent;">received packet: from 216.177.93.234[500] to 10.98.148.242[500] (376 bytes)</div><div style="background-color:transparent;">parsed IKE_SA_INIT response 0 [ SA KE No V ]</div><div style="background-color:transparent;">received unknown vendor ID: 4f:45:68:79:4c:64:41:43:65:63:66:61</div><div style="background-color:transparent;">authentication of 'lmu55' (myself) with pre-shared key</div><div style="background-color:transparent;">establishing CHILD_SA 1</div><div style="background-color:transparent;">generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) ]</div><div style="background-color:transparent;">sending packet: from 10.98.148.242[500] to 216.177.93.234[500] (396 bytes)</div><div style="background-color:transparent;">received packet: from 216.177.93.234[500] to
10.98.148.242[500] (156 bytes)</div><div style="background-color:transparent;">parsed IKE_AUTH response 1 [ IDr AUTH SA N(TS_UNACCEPT) ]</div><div style="background-color:transparent;">authentication of 'lmudiag' with pre-shared key successful</div><div style="background-color:transparent;">IKE_SA 1[1] established between 10.98.148.242[lmu55]...216.177.93.234[lmudiag]</div><div style="background-color:transparent;">scheduling reauthentication in 10087s</div><div style="background-color:transparent;">maximum IKE_SA lifetime 10627s</div><div style="background-color:transparent;">received TS_UNACCEPTABLE notify, no CHILD_SA built</div><div style="background-color:transparent;">failed to establish CHILD_SA, keeping IKE_SA</div><div style="background-color:transparent;">establishing connection '1' failed</div><div><br clear="none"></div><div><br clear="none"></div><div><div>root@LMU5k:~# ipsec statusall</div><div>Status of IKE charon daemon (strongSwan
5.0.4, Linux 3.3.8,
armv5tejl):</div><div> uptime: 8 minutes, since Oct 24 17:02:18 2013</div><div> malloc: sbrk 159744, mmap 0, used 129432, free 30312</div><div> worker threads: 6 of 16 idle, 9/1/0/0 working, job queue: 0/0/0/0, scheduled: 2</div><div> loaded plugins: charon test-vectors aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey pem openssl af-alg fips-prf gmp xcbc hmac attr kernel-pfkey kernel-klips kernel-netlink resolve socket-default farp stroke updown eap-md5 xauth-generic xauth-eap uci</div><div>Listening IP addresses:</div><div> 192.168.1.55</div><div> 10.98.148.242</div><div>Connections:</div><div> 1: %any...216.177.93.234 IKEv2</div><div> 1: local: [lmu55] uses pre-shared key authentication</div><div> 1: remote:
[lmudiag] uses pre-shared key authentication</div><div> 1: child: dynamic === dynamic TUNNEL</div><div>Security Associations (1 up, 0 connecting):</div><div> 1[1]: ESTABLISHED 7 minutes ago, 10.98.148.242[lmu55]...216.177.93.234[lmudiag]</div><div> 1[1]: IKEv2 SPIs: c23cf7b84e791fa3_i* 590ceb5f86c39212_r, pre-shared key reauthentication in 2 hours</div><div> 1[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048</div><div><br clear="none"></div></div><div><br clear="none"></div><div><br clear="none"></div><div><br clear="none"></div><div>OPENSWAN SIDE:</div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br
clear="none"></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;">>>> ipsec auto --status </div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br clear="none"></div><div style="background-color:transparent;">000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0}</div><div style="background-color:transparent;">attrs={0,0,0}</div><div style="background-color:transparent;">000</div><div style="background-color:transparent;">000 "lmu": 10.0.12.34<10.0.12.34>[@lmudiag,+S=C]...%any[@lmu55,+S=C];</div><div style="background-color:transparent;">unrouted; eroute owner: #0</div><div
style="background-color:transparent;">000 "lmu": myip=unset; hisip=unset;</div><div style="background-color:transparent;">000 "lmu": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;</div><div style="background-color:transparent;">rekey_fuzz: 100%; keyingtries: 0</div><div style="background-color:transparent;">000 "lmu": policy:</div><div style="background-color:transparent;">PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+IKEv2Init+SAREFTRACK+lKOD+rKOD; prio: 32,32;</div><div style="background-color:transparent;">interface: eth0;</div><div style="background-color:transparent;">000 "lmu": newest ISAKMP SA: #0; newest IPsec SA: #0;</div><div style="background-color:transparent;">000 "lmu"[1]:</div><div style="background-color:transparent;">10.0.12.34<10.0.12.34>[@lmudiag,+S=C]...166.137.184.249[@lmu55,+S=C];</div><div style="background-color:transparent;">unrouted; eroute owner: #0</div><div
style="background-color:transparent;">000 "lmu"[1]: myip=unset; hisip=unset;</div><div style="background-color:transparent;">000 "lmu"[1]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;</div><div style="background-color:transparent;">rekey_fuzz: 100%; keyingtries: 0</div><div style="background-color:transparent;">000 "lmu"[1]: policy:</div><div style="background-color:transparent;">PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+IKEv2Init+SAREFTRACK+lKOD+rKOD; prio: 32,32;</div><div style="background-color:transparent;">interface: eth0;</div><div style="background-color:transparent;">000 "lmu"[1]: newest ISAKMP SA: #3; newest IPsec SA: #0;</div><div style="background-color:transparent;">000 "lmu"[1]: IKE algorithm newest: _128-SHA1-MODP2048</div><div style="background-color:transparent;">000</div><div style="background-color:transparent;">000 #1: "lmu"[1] 166.137.184.249:43125 STATE_MAIN_R3 (sent MR3, ISAKMP
SA</div><div style="background-color:transparent;">established); EVENT_SA_REPLACE in 2757s; lastdpd=-1s(seq in:0 out:0);
idle;</div><div style="background-color:transparent;">import:not set</div><div style="background-color:transparent;">000 #3: "lmu"[1] 166.137.184.249:60528 STATE_PARENT_R2 (received v2I2, PARENT</div><div style="background-color:transparent;">SA established); EVENT_SA_REPLACE in 2772s; newest ISAKMP; nodpd; idle;</div><div style="background-color:transparent;">import:respond to stranger</div><div><br clear="none"></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br clear="none"></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;">Here is ipsec.conf from openswan side:</div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family:
HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br clear="none"></div><div style="background-color:transparent;"># basic configuration</div><div style="background-color:transparent;">config setup</div><div style="background-color:transparent;"> # Debug-logging controls: "none" for (almost) none, "all" for lots.</div><div style="background-color:transparent;"> # klipsdebug=none</div><div style="background-color:transparent;"> # plutodebug="control parsing"</div><div style="background-color:transparent;"> # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey</div><div style="background-color:transparent;"> protostack=auto</div><div style="background-color:transparent;">
nat_traversal=yes</div><div style="background-color:transparent;"> #virtual_private=</div><div style="background-color:transparent;"> oe=off</div><div style="background-color:transparent;"> # Enable this if you see "failed to find any available worker"</div><div style="background-color:transparent;"> # nhelpers=0</div><div style="background-color:transparent;"><br clear="none"></div><div style="background-color:transparent;">conn lmu</div><div style="background-color:transparent;"> left=10.0.12.34</div><div style="background-color:transparent;"> leftid=@lmudiag</div><div style="background-color:transparent;"> #ikev2=insist</div><div style="background-color:transparent;"> ikev2=yes</div><div style="background-color:transparent;">
#keyexchange=ike</div><div style="background-color:transparent;"> right=%any</div><div style="background-color:transparent;"> rightid=@lmu55</div><div style="background-color:transparent;"> type=tunnel</div><div style="background-color:transparent;"> authby=secret</div><div style="background-color:transparent;"> auth=esp</div><div style="background-color:transparent;"> #pfs=yes</div><div style="background-color:transparent;"> auto=add</div><div style="background-color:transparent;"><br clear="none"></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br clear="none"></div><div style="color: rgb(0, 0,
0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br clear="none"></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br clear="none"></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;">Also, below is the output of Openswan if I use IKEv1:</div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br clear="none"></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica
Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;">Here
is the output of : >>ipsec auto --status</div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br clear="none"></div><div style="background-color:transparent;"><br clear="none"></div><div style="background-color:transparent;"> stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0}</div><div style="background-color:transparent;">attrs={0,0,0}</div><div style="background-color:transparent;">000</div><div style="background-color:transparent;">000 "lmu": 10.0.12.34<10.0.12.34>[@lmudiag,+S=C]...%any[@lmu55,+S=C];</div><div style="background-color:transparent;">unrouted; eroute owner: #0</div><div style="background-color:transparent;">000 "lmu": myip=unset; hisip=unset;</div><div style="background-color:transparent;">000 "lmu": ike_life: 3600s;
ipsec_life: 28800s;
rekey_margin: 540s;</div><div style="background-color:transparent;">rekey_fuzz: 100%; keyingtries: 0</div><div style="background-color:transparent;">000 "lmu": policy: PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD;</div><div style="background-color:transparent;">prio: 32,32; interface: eth0;</div><div style="background-color:transparent;">000 "lmu": newest ISAKMP SA: #0; newest IPsec SA: #0;</div><div style="background-color:transparent;">000 "lmu"[1]:</div><div style="background-color:transparent;">10.0.12.34<10.0.12.34>[@lmudiag,+S=C]...198.228.211.206[@lmu55,+S=C];</div><div style="background-color:transparent;">unrouted; eroute owner: #0</div><div style="background-color:transparent;">000 "lmu"[1]: myip=unset; hisip=unset;</div><div style="background-color:transparent;">000 "lmu"[1]: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s;</div><div style="background-color:transparent;">rekey_fuzz:
100%; keyingtries: 0</div><div style="background-color:transparent;">000 "lmu"[1]: policy:</div><div style="background-color:transparent;">PSK+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32;</div><div style="background-color:transparent;">interface: eth0;</div><div style="background-color:transparent;">000 "lmu"[1]: newest ISAKMP SA: #1; newest IPsec SA: #0;</div><div style="background-color:transparent;">000 "lmu"[1]: IKE algorithm newest: AES_CBC_128-SHA1-MODP2048</div><div style="background-color:transparent;">000</div><div style="background-color:transparent;">000 #2: "lmu"[1] 198.228.211.206:51400 STATE_QUICK_R0 (expecting QI1);</div><div style="background-color:transparent;">EVENT_CRYPTO_FAILED in 255s; lastdpd=-1s(seq in:0 out:0); idle; import:not set</div><div style="background-color:transparent;">000 #1: "lmu"[1] 198.228.211.206:51400 STATE_MAIN_R3 (sent MR3, ISAKMP
SA</div><div style="background-color:transparent;">established); EVENT_SA_REPLACE in 3285s; newest ISAKMP; lastdpd=-1s(seq in:0</div><div style="background-color:transparent;">out:0); idle; import:not set</div><div style="background-color:transparent;">000</div><div><br clear="none"></div><div style="color: rgb(0, 0, 0); font-size: 11px; font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; background-color: transparent; font-style: normal;"><br clear="none"></div><div><br clear="none"></div><div class="yiv4056267055yqt0037461366" id="yiv4056267055yqt76068"><div class="yiv4056267055yahoo_quoted" style="display: block;"> <br clear="none"> <br clear="none"> <div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 8pt;"> <div style="font-family: HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; font-size: 12pt;"> <div dir="ltr">
<font size="2" face="Arial"> On Thursday, October 24, 2013 7:57 AM, Pruss Brian-ABP035 &lt;brian.pruss@motorolasolutions.com&gt; wrote:<br clear="none">
</font> </div> <div class="yiv4056267055y_msg_container">The Fedora packages won't work on RHEL or CentOS, but EPEL packages will: <a rel="nofollow" shape="rect" target="_blank" href="http://pkgs.org/download/strongswan">http://pkgs.org/download/strongswan </a>.<br clear="none"><div class="yiv4056267055yqt0443748865" id="yiv4056267055yqtfd37919"><br clear="none">-----Original Message-----<br clear="none">From: Martin Willi [mailto:<a rel="nofollow" shape="rect" ymailto="mailto:martin@strongswan.org" target="_blank" href="mailto:martin@strongswan.org">martin@strongswan.org</a>] <br clear="none">Sent: Thursday, October 24, 2013 2:14 AM<br clear="none">To: Farid Farid<br clear="none">Cc: <a rel="nofollow" shape="rect" ymailto="mailto:users@lists.strongswan.org" target="_blank" href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a><br clear="none">Subject: Re: [strongSwan] question about how to connect from a mobile station<br
clear="none"><br clear="none">Hi,<br clear="none"><br clear="none">> IKE_SA 1[1] established between <br clear="none">>
10.227.110.112[lmu55]...216.177.93.234[lmudiag]<br clear="none">> generating QUICK_MODE request 1438687057 [ HASH SA No ] sending <br clear="none">> packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes) <br clear="none">> sending retransmit 1 of request message ID 1438687057, seq 4 sending <br clear="none">> packet: from 10.227.110.112[4500] to 216.177.93.234[4500] (204 bytes)<br clear="none"><br clear="none">The responder does not answer to the Quick Mode request. Most likely it considers it not acceptable. Have a look at the responder log what is wrong.<br clear="none"><br clear="none">> The other end run Openswan on a Centos 5.8 machine. Is there any <br clear="none">> strongswan package available for Centos?<br clear="none"><br clear="none">Not any that I'm aware of. But maybe the Fedora packages [1] work?<br clear="none"><br clear="none">Regards<br clear="none">Martin<br clear="none"><br
clear="none">[1]<a rel="nofollow" shape="rect" target="_blank" href="https://apps.fedoraproject.org/packages/strongswan">https://apps.fedoraproject.org/packages/strongswan</a><br clear="none"><br clear="none"><br clear="none"><br clear="none"></div><br clear="none"><br clear="none"></div> </div> </div> </div></div> </div></div></div><br><br><br></div> </div> </div> </div> </div></body></html>