[strongSwan] OpenSwan to StrongSwan migration (with CA): VPN not working
CJ Fearnley
cjf at LinuxForce.net
Wed Oct 17 23:45:44 CEST 2012
On Wed, Oct 17, 2012 at 10:23:49PM +0200, Mirko Parthey wrote:
> On Wed, Oct 17, 2012 at 02:17:27PM -0400, CJ Fearnley wrote:
> > On the netgear, I see
> > 1970 Jan 2 22:33:25 [FVS336GV2] [IKE] Phase 1 negotiation failed due to time up
> ^^^^^^^^^^^^^^^^^^^^^^
> Looks like the system time is wrong.
Eventually I noticed that too. Netgear suggests a firmware upgrade.
That could be the problem there.
But all the Netgears are failing, including this one, whose clock is
working:
2012 Oct 17 16:45:22 [FVS336GV2] [IKE] ISAKMP-SA established for
50.192.114.17[500]-216.130.102.66[500] with
spi:f632e20393b01283:f86a7548892e2c54_
It goes on to fail:
2012 Oct 17 16:45:22 [FVS336GV2] [IKE] Sending Informational Exchange: notify
payload[INITIAL-CONTACT]_
2012 Oct 17 16:45:23 [FVS336GV2] [IKE] Initiating new phase 2 negotiation:
50.192.114.17[0]<=>216.130.102.66[0]_
2012 Oct 17 16:45:23 [FVS336GV2] [IKE] Unknown notify message from
216.130.102.66[500].No phase2 handle found._
2012 Oct 17 16:45:26 [FVS336GV2] [IKE] Purged ISAKMP-SA with proto_id=ISAKMP
and spi=f632e20393b01283:f86a7548892e2c54._
2012 Oct 17 16:46:23 [FVS336GV2] [IKE] Phase 2 negotiation failed due to time
up. f632e20393b01283:f86a7548892e2c54:f1a6d664_
strongSwan sees this:
Oct 17 16:45:22 cw1 pluto[6976]: "sslvpn"[24] 50.192.114.17 #14: ignoring
informational payload, type IPSEC_INITIAL_CONTACT
Oct 17 16:45:23 cw1 pluto[6976]: "sslvpn"[24] 50.192.114.17 #14: cannot
respond to IPsec SA request because no connection is known for
192.168.101.0/24===216.130.102.66[C=US, ST=IL, L=Glenwood, O=PRIVACY
VPN Services, CN=cw1.private.com,
E=tony at privacy2.com]...50.192.114.17[CN=Private]===192.168.112.0/24
Oct 17 16:45:23 cw1 pluto[6976]: "sslvpn"[24] 50.192.114.17 #14: sending
encrypted notification INVALID_ID_INFORMATION to 50.192.114.17:500
These certs were working last week with openswan. What else can I try?
My ipsec.conf is now like this:
config setup
        # both daemons are started; IKEv1 (keyexchange=ikev1 below) is handled by pluto
        charonstart=yes
        plutostart=yes
        # private address space a peer may claim as a virtual IP, minus our own LAN
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.101.0/24
        nat_traversal=yes

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        mobike=no
        keyexchange=ikev1

conn sslvpn
        left=216.130.102.66
        leftid="C=US, ST=IL, L=Glenwood, O=Privacy VPN Services, CN=cw1.privacy.com, E=tony at privacy2.com"
        leftsendcert=always
        leftsubnet=192.168.101.0/24
        leftcert=cw1.privacy.com.crt
        # any peer address; no rightid/rightsubnet given, so only the peer's own host address is a valid remote selector
        right=%any
        rekey=yes
        auto=add
I also tried auto=start with similar errors.
--
CJ Fearnley | LinuxForce Inc.
cjf at LinuxForce.net | IT Projects & Systems Maintenance
http://www.LinuxForce.net | http://blog.remoteresponder.net
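The pluto line "cannot respond to IPsec SA request because no connection is known for 192.168.101.0/24===216.130.102.66[...]...50.192.114.17[CN=Private]===192.168.112.0/24" says what Quick Mode proposed: traffic between the local LAN 192.168.101.0/24 and a remote subnet 192.168.112.0/24 behind a peer identified by CN=Private. The posted conn sslvpn has right=%any but no rightsubnet and no rightid, so the only remote selector pluto can match is the peer's single host address, and it answers with INVALID_ID_INFORMATION. The fragment below is an added example, not the poster's file, not a reply from the list, and not a confirmed fix; it assumes that 192.168.112.0/24 really is that Netgear's LAN and that CN=Private is the subject of its certificate, both taken from the log line, and keeps the left side exactly as posted.

```conf
# Added example: conn sslvpn with the right side pinned to what the Netgear proposes.
# Assumptions (from the pluto log line, not verified against the device):
#   - the peer's certificate subject is CN=Private
#   - the peer's LAN, i.e. the remote traffic selector it proposes, is 192.168.112.0/24
conn sslvpn
        left=216.130.102.66
        leftid="C=US, ST=IL, L=Glenwood, O=Privacy VPN Services, CN=cw1.privacy.com, E=tony at privacy2.com"
        leftcert=cw1.privacy.com.crt
        leftsendcert=always
        leftsubnet=192.168.101.0/24
        # Accept the peer from any address (dynamic IP or NAT), but require its
        # certificate identity and declare the subnet behind it: pluto only
        # answers Quick Mode when a conn's selectors match the proposal.
        right=%any
        rightid="CN=Private"
        rightsubnet=192.168.112.0/24
        rekey=yes
        auto=add
```

With several Netgears, each one that proposes a different LAN needs its own conn block (same left side, its own rightid and rightsubnet); pluto instantiates the right one from the peer's identity. After `ipsec reload`, `ipsec statusall` lists each loaded conn with its selectors, which is the quickest way to confirm that a "192.168.101.0/24===...===192.168.112.0/24" entry now exists before retrying from the Netgear.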