[strongSwan] Can not establish ipsec tunnel between racoon and strongswan(pluto)

Xia Weizhong xwz7611 at gmail.com
Fri Mar 26 03:03:40 CET 2010


Hi

I am trying to set up an L2TP/IPsec tunnel between Android (which uses
racoon 1) and my server (strongSwan 4.3.5 + xl2tpd). Yet I met the errors below:

Mar 26 09:37:09 xia-laptop pluto[6695]: "rw"[1] 192.168.1.170 #1:
NAT-Traversal: Result using RFC 3947: peer is NATed
Mar 26 09:37:09 xia-laptop pluto[6695]: | inserting event
EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
Mar 26 09:37:09 xia-laptop pluto[6695]: | inserting event EVENT_RETRANSMIT,
timeout in 10 seconds for #1
Mar 26 09:37:09 xia-laptop pluto[6695]: | next event EVENT_RETRANSMIT in 10
seconds for #1
Mar 26 09:37:19 xia-laptop pluto[6695]: |
Mar 26 09:37:19 xia-laptop pluto[6695]: | *received 228 bytes from
192.168.1.170:500 on eth1
Mar 26 09:37:19 xia-laptop pluto[6695]: | ICOOKIE:  04 8d e9 35  55 9d 65 a0
Mar 26 09:37:19 xia-laptop pluto[6695]: | RCOOKIE:  10 01 8b fc  fc 8e fc d7
Mar 26 09:37:19 xia-laptop pluto[6695]: | peer:  c0 a8 01 aa
Mar 26 09:37:19 xia-laptop pluto[6695]: | state hash entry 30
Mar 26 09:37:19 xia-laptop pluto[6695]: | state object #1 found, in
STATE_MAIN_R2
Mar 26 09:37:19 xia-laptop pluto[6695]: "rw"[1] 192.168.1.170 #1: discarding
duplicate packet; already STATE_MAIN_R2
Mar 26 09:37:19 xia-laptop pluto[6695]: | next event EVENT_RETRANSMIT in 0
seconds for #1
Mar 26 09:37:19 xia-laptop pluto[6695]: |
Mar 26 09:37:19 xia-laptop pluto[6695]: | *time to handle event
Mar 26 09:37:19 xia-laptop pluto[6695]: | event after this is
EVENT_NAT_T_KEEPALIVE in 10 seconds
Mar 26 09:37:19 xia-laptop pluto[6695]: | handling event EVENT_RETRANSMIT
for 192.168.1.170 "rw" #1
Mar 26 09:37:19 xia-laptop pluto[6695]: | inserting event EVENT_RETRANSMIT,
timeout in 20 seconds for #1
Mar 26 09:37:19 xia-laptop pluto[6695]: | next event EVENT_NAT_T_KEEPALIVE
in 10 seconds
Mar 26 09:37:19 xia-laptop pluto[6695]: |
Mar 26 09:37:19 xia-laptop pluto[6695]: | *received 76 bytes from
192.168.1.170:4500 on eth1
Mar 26 09:37:19 xia-laptop pluto[6695]: | ICOOKIE:  04 8d e9 35  55 9d 65 a0
Mar 26 09:37:19 xia-laptop pluto[6695]: | RCOOKIE:  10 01 8b fc  fc 8e fc d7
Mar 26 09:37:19 xia-laptop pluto[6695]: | peer:  c0 a8 01 aa
Mar 26 09:37:19 xia-laptop pluto[6695]: | state hash entry 30
Mar 26 09:37:19 xia-laptop pluto[6695]: | state object #1 found, in
STATE_MAIN_R2
Mar 26 09:37:19 xia-laptop pluto[6695]: "rw"[1] 192.168.1.170 #1: Peer ID is
ID_IPV4_ADDR: '192.168.0.4'
Mar 26 09:37:19 xia-laptop pluto[6695]: | peer CA:      %none
Mar 26 09:37:19 xia-laptop pluto[6695]: | offered CA:   %none
Mar 26 09:37:19 xia-laptop pluto[6695]: | switched from "rw" to "rw"
Mar 26 09:37:19 xia-laptop pluto[6695]: | instantiated "rw" for
192.168.1.170
Mar 26 09:37:19 xia-laptop pluto[6695]: "rw"[2] 192.168.1.170 #1: deleting
connection "rw" instance with peer 192.168.1.170 {isakmp=#0/ipsec=#0}
Mar 26 09:37:19 xia-laptop pluto[6695]: | NAT-T: new mapping
192.168.1.170:500/4500)
Mar 26 09:37:19 xia-laptop pluto[6695]: | inserting event EVENT_SA_REPLACE,
timeout in 10530 seconds for #1
Mar 26 09:37:19 xia-laptop pluto[6695]: "rw"[2] 192.168.1.170:4500 #1: sent
MR3, ISAKMP SA established
Mar 26 09:37:19 xia-laptop pluto[6695]: | next event EVENT_NAT_T_KEEPALIVE
in 10 seconds
Mar 26 09:37:19 xia-laptop pluto[6695]: |
Mar 26 09:37:19 xia-laptop pluto[6695]: | *received 92 bytes from
192.168.1.170:4500 on eth1
Mar 26 09:37:19 xia-laptop pluto[6695]: | ICOOKIE:  04 8d e9 35  55 9d 65 a0
Mar 26 09:37:19 xia-laptop pluto[6695]: | RCOOKIE:  10 01 8b fc  fc 8e fc d7
Mar 26 09:37:19 xia-laptop pluto[6695]: | peer:  c0 a8 01 aa
Mar 26 09:37:19 xia-laptop pluto[6695]: | state hash entry 30
Mar 26 09:37:19 xia-laptop pluto[6695]: | state object #1 found, in
STATE_MAIN_R3
Mar 26 09:37:19 xia-laptop pluto[6695]: "rw"[2] 192.168.1.170:4500 #1:
ignoring informational payload, type IPSEC_INITIAL_CONTACT
Mar 26 09:37:19 xia-laptop pluto[6695]: | next event EVENT_NAT_T_KEEPALIVE
in 10 seconds
Mar 26 09:37:20 xia-laptop pluto[6695]: |
Mar 26 09:37:20 xia-laptop pluto[6695]: | *received 284 bytes from
192.168.1.170:4500 on eth1
Mar 26 09:37:20 xia-laptop pluto[6695]: | ICOOKIE:  04 8d e9 35  55 9d 65 a0
Mar 26 09:37:20 xia-laptop pluto[6695]: | RCOOKIE:  10 01 8b fc  fc 8e fc d7
Mar 26 09:37:20 xia-laptop pluto[6695]: | peer:  c0 a8 01 aa
Mar 26 09:37:20 xia-laptop pluto[6695]: | state hash entry 30
Mar 26 09:37:20 xia-laptop pluto[6695]: | state object not found
Mar 26 09:37:20 xia-laptop pluto[6695]: | ICOOKIE:  04 8d e9 35  55 9d 65 a0
Mar 26 09:37:20 xia-laptop pluto[6695]: | RCOOKIE:  10 01 8b fc  fc 8e fc d7
Mar 26 09:37:20 xia-laptop pluto[6695]: | peer:  c0 a8 01 aa
Mar 26 09:37:20 xia-laptop pluto[6695]: | state hash entry 30
Mar 26 09:37:20 xia-laptop pluto[6695]: | state object #1 found, in
STATE_MAIN_R3
Mar 26 09:37:20 xia-laptop pluto[6695]: | peer client is 192.168.0.4
Mar 26 09:37:20 xia-laptop pluto[6695]: | peer client protocol/port is 17/0
Mar 26 09:37:20 xia-laptop pluto[6695]: | our client is 192.168.1.159
Mar 26 09:37:20 xia-laptop pluto[6695]: | our client protocol/port is
17/1701
Mar 26 09:37:20 xia-laptop pluto[6695]: "rw"[2] 192.168.1.170:4500 #1:
cannot respond to IPsec SA request because no connection is known for
192.168.1.159:4500[192.168.1.159]:17/1701...192.168.1.170:4500
[192.168.0.4]:17/0===192.168.0.4/32
Mar 26 09:37:20 xia-laptop pluto[6695]: "rw"[2] 192.168.1.170:4500 #1:
sending encrypted notification INVALID_ID_INFORMATION to 192.168.1.170:4500
Mar 26 09:37:20 xia-laptop pluto[6695]: | state transition function for
STATE_QUICK_R0 failed: INVALID_ID_INFORMATION


Can somebody help me find which configuration I got wrong? Below is my
ipsec.conf:

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        crlcheckinterval=180
        nat_traversal=yes
        strictcrlpolicy=no
        plutodebug=control
        charonstart=no

conn  %default%
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1

conn rw
    left=192.168.1.159
    leftsubnet=10.1.0.0/16
    leftfirewall=yes
    right=%any
    authby=secret
    auto=add

thanks, Xia Weizhong
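
Added example, not part of the original post and not strongSwan code: a small Python check that compares the traffic selectors pluto logged for the rejected Quick Mode request with the local selector of "conn rw" from the posted ipsec.conf. The matching rule used here (proposed subnet inside the configured one, protocol/port equal, unset options defaulting to the host address and 0/0) is a simplified assumption, and the function names are hypothetical.

```python
import ipaddress
import re

# Lines copied from the pluto log above, with mail-wrapped lines re-joined.
LOG = """\
| peer client is 192.168.0.4
| peer client protocol/port is 17/0
| our client is 192.168.1.159
| our client protocol/port is 17/1701
"""

# The "conn rw" section from the ipsec.conf above.
CONN_RW = """\
left=192.168.1.159
leftsubnet=10.1.0.0/16
leftfirewall=yes
right=%any
authby=secret
auto=add
"""

def proposed_selectors(log):
    """Extract the Quick Mode traffic selectors pluto logged for each side."""
    sel = {}
    for side, key in (("our", "left"), ("peer", "right")):
        net = re.search(rf"{side} client is (\S+)", log).group(1)
        proto, port = re.search(rf"{side} client protocol/port is (\d+)/(\d+)", log).groups()
        sel[key] = (ipaddress.ip_network(net), int(proto), int(port))
    return sel

def configured_left(conn_text):
    """Local selector of the conn (assumed defaults, numeric protoport only)."""
    opts = dict(l.strip().split("=", 1) for l in conn_text.splitlines() if "=" in l)
    subnet = opts.get("leftsubnet", opts["left"] + "/32")      # unset: the host itself
    proto, port = opts.get("leftprotoport", "0/0").split("/")  # unset: any proto/port
    return ipaddress.ip_network(subnet), int(proto), int(port)

def left_mismatches(log, conn_text):
    """List the ways the proposed local selector differs from the conn's."""
    p_net, p_proto, p_port = proposed_selectors(log)["left"]
    c_net, c_proto, c_port = configured_left(conn_text)
    problems = []
    if not p_net.subnet_of(c_net):
        problems.append(f"subnet: peer proposed {p_net}, conn has {c_net}")
    if (p_proto, p_port) != (c_proto, c_port):
        problems.append(f"protoport: peer proposed {p_proto}/{p_port}, conn has {c_proto}/{c_port}")
    return problems
```

Run against the posted log and config, left_mismatches(LOG, CONN_RW) reports both a subnet and a protocol/port difference, which lines up with the "no connection is known for ...:17/1701" message in the log.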