[strongSwan] Phase 2 failing
Mark Gordon
markgne at gmail.com
Tue Aug 5 03:26:56 CEST 2014
Hi,
I am setting up a new site-site connection. I have already established two
working connections at other sites in the same config file.
I received the following status output for the connection that is failing.
It appears to be failing in phase 2. They are looking for tunnel mode,
3DES, SHA-1, DH Group 2. Anyone familiar with the error "STATE_MAIN_I3
(sent MI3, expecting MR3); EVENT_RETRANSMIT" ?
Thanks!
Mark
000 "xyz-0": 10.0.10.10/32===10.0.10.10[50.60.11.50]---10.0.10.1...10.0.10.1---146.12.15.23[192.168.11.15]===172.16.1.52/32; unrouted; eroute owner: #0
000 "xyz-0": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 #2: "xyz-0" STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 1s
000 #2: pending Phase 2 for "xyz-0" replacing #0
--- COMPLETE STATUS OUTPUT
000 "xyz-0": 10.0.10.10/32===10.0.10.10[50.60.11.50]---10.0.10.1...10.0.10.1---146.12.15.23[192.168.11.15]===172.16.1.52/32; unrouted; eroute owner: #0
000 "xyz-0": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "abc-1": 10.0.10.10/32===10.0.10.10[50.60.11.50]---10.0.10.1...10.0.10.1---210.4.6.18[192.168.51.51]===172.16.53.39/32; erouted; eroute owner: #3
000 "abc-1": newest ISAKMP SA: #0; newest IPsec SA: #3;
000 "abc-2": 10.0.10.10/32===10.0.10.10[50.60.11.50]---10.0.10.1...10.0.10.1---210.4.6.18[192.168.51.51]===172.16.53.40/32; erouted; eroute owner: #4
000 "abc-2": newest ISAKMP SA: #1; newest IPsec SA: #4;
000
000 #2: "xyz-0" STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 1s
000 #2: pending Phase 2 for "xyz-0" replacing #0
000 #3: "abc-1" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 85430s; newest IPSEC; eroute owner
000 #3: "abc-1" esp.86696df8@210.4.6.18 (0 bytes) esp.c3632768@10.0.10.10 (0 bytes); tunnel
000 #4: "abc-2" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 85640s; newest IPSEC; eroute owner
000 #4: "abc-2" esp.43fedca7@210.4.6.18 (0 bytes) esp.ca27d679@10.0.10.10 (0 bytes); tunnel
000 #1: "abc-2" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 85399s; newest ISAKMP
000
Security Associations:
none
CONFIG
conn xyz-0
    # Connection Security Parameters
    type=tunnel
    auth=esp
    ike=3des-md5-modp1024
    esp=3des-sha1-modp1024
    pfs=no
    forceencaps=yes
    ikelifetime=28800s
    keylife=28800s
    # Left security gateway, subnet behind it, nexthop toward right.
    left=10.0.10.10
    leftid=50.60.11.50
    leftsubnet=10.0.10.10/32
    leftnexthop=%defaultroute
    # Right security gateway, subnet behind it, nexthop toward left.
    right=146.12.15.23
    rightid=192.168.11.15
    rightsubnet=172.16.1.52/32
    rightnexthop=%defaultroute
    # To authorize this connection, but not actually start it,
    # at startup, uncomment this.
    auto=start
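
An added example, not part of the original post: a small Python parser for status lines of the kind shown above. It re-joins mail-wrapped lines and reports which IKEv1 phase each SA is in (Main and Aggressive Mode states belong to phase 1, Quick Mode states to phase 2). The function names are hypothetical, and the sample lines are taken from the post.

```python
import re

# Sample: SA lines from the post above, still wrapped as the mail client left them.
SAMPLE = '''\
000 #2: "xyz-0" STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT
in 1s
000 #2: pending Phase 2 for "xyz-0" replacing #0
000 #3: "abc-1" STATE_QUICK_I2 (sent QI2, IPsec SA established);
EVENT_SA_REPLACE in 85430s; newest IPSEC; eroute owner
000 #1: "abc-2" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in
85399s; newest ISAKMP
'''

# One SA line: number, connection, state name, state description, next timer event.
SA_RE = re.compile(
    r'^000 #(\d+): "([^"]+)" (STATE_(MAIN|AGGR|QUICK)_\w+) \(([^)]*)\); (EVENT_\w+)')

# IKEv1 exchange type -> phase: Main/Aggressive Mode negotiate the ISAKMP SA,
# Quick Mode negotiates the IPsec SA.
PHASE = {"MAIN": 1, "AGGR": 1, "QUICK": 2}

def unwrap(text):
    """Re-join wrapped output: every real status line starts with '000'."""
    out = []
    for line in text.splitlines():
        if line.startswith("000") or not out:
            out.append(line.strip())
        else:
            out[-1] += " " + line.strip()
    return out

def parse_sas(text):
    """Return one dict per SA state line; other status lines are skipped."""
    sas = []
    for line in unwrap(text):
        m = SA_RE.match(line)
        if m:
            num, conn, state, exch, desc, event = m.groups()
            sas.append({"sa": int(num), "conn": conn, "state": state,
                        "phase": PHASE[exch], "event": event,
                        "established": "established" in desc})
    return sas

def stuck(text):
    """SAs that are not established and are retransmitting: (conn, phase, state)."""
    return [(s["conn"], s["phase"], s["state"]) for s in parse_sas(text)
            if not s["established"] and s["event"] == "EVENT_RETRANSMIT"]

if __name__ == "__main__":
    for conn, phase, state in stuck(SAMPLE):
        print(f"{conn}: retransmitting in phase {phase} ({state})")
```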