[strongSwan] Strongswan ikev1 any-any protect policy

Swetha RK rkswetech at gmail.com
Mon Jun 13 08:23:25 CEST 2011 

Hi All,

                     We would like to know if configuring an any-any protect
policy with ikev1 is a valid case. ikev2 tunnels are established with the
same configuration. We use strongswan 4.4.1.The configuration is as follows
:-

conn conn65535
  type=tunnel
  leftsubnet=0.0.0.0/0
  rightsubnet=0.0.0.0/0
  left=10.46.155.153
  right=10.44.34.130
  keyexchange=ikev1
  ike=aes128-sha1-modp1024,3des-sha1-modp1024!
  ikelifetime=83069s
  esp=aes128-sha1,3des-sha1!
  authby=pubkey
  rightid=%any
  keylife=86400s
  dpdaction=restart
  dpddelay=10
  dpdtimeout=120
  rekeyfuzz=50%
  rekeymargin=180s



This gives us an error like this :-

"conn65535" #1: ISAKMP SA established
"conn65535" #4: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+UP {using
isakmp#1}
"conn65535" #4: ignoring informational payload, type
IPSEC_RESPONDER_LIFETIME
"conn65535" #4: ERROR: netlink XFRM_MSG_NEWPOLICY response for flow
tun.0 at 10.44.34.130 included errno 17: File exists
"conn65535" #4: ignoring informational payload, type
IPSEC_RESPONDER_LIFETIME
"conn65535" #4: ERROR: netlink response for Add SA
esp.d798a9b8 at 10.46.155.153 included errno 3: No such process
"conn65535" #3: ERROR: netlink XFRM_MSG_NEWPOLICY response for flow
tun.0 at 10.44.34.130 included errno 17: File exists
"conn65535" #3: ERROR: netlink response for Del SA
esp.bb700eae at 10.46.155.153 included errno 3: No such process
"conn65535" #4: ignoring informational payload, type
IPSEC_RESPONDER_LIFETIME
"conn65535" #4: ERROR: netlink response for Add SA
esp.d798a9b8 at 10.46.155.153 included errno 3: No such process
"conn65535" #3: ERROR: netlink XFRM_MSG_NEWPOLICY response for flow
tun.0 at 10.44.34.130 included errno 17: File exists
"conn65535" #3: ERROR: netlink response for Del SA
esp.bb700eae at 10.46.155.153 included errno 3: No such process
"conn65535" #4: ignoring informational payload, type
IPSEC_RESPONDER_LIFETIME
"conn65535" #4: ERROR: netlink response for Add SA
esp.d798a9b8 at 10.46.155.153 included errno 3: No such process
"conn65535" #4: ignoring informational payload, type
IPSEC_RESPONDER_LIFETIME
"conn65535" #4: ERROR: netlink response for Add SA
esp.d798a9b8 at 10.46.155.153 included errno 3: No such process
"conn65535" #3: max number of retransmissions (2) reached STATE_QUICK_R1
"conn65535" #3: ERROR: netlink response for Del SA
esp.bb700eae at 10.46.155.153 included errno 3: No such process
"conn65535" #4: max number of retransmissions (2) reached STATE_QUICK_I1.
No acceptable response to our first Quick Mode message: perhaps peer likes
no proposal


Could you please let us know if this is a known issue or are we missing
something in our configuration?

Thanks and regards
R.K Swetha
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110613/1e021e56/attachment.html>

More information about the Users mailing list