[strongSwan] received retransmit of response with ID 0, but next request already sent
Axel Zöllich
a.zoellich at kirsch.zoellich.de
Sun Oct 26 18:58:06 CET 2014
Thanks for your answer Thomas,
> On 10/23/2014 02:07 PM, Axel Zöllich wrote:
> > On Wednesday, 22 October 2014, 17:49:16, Axel Zöllich wrote:
> >> Right side reset their "draytek vigor 2860" and voilà: the tunnel
> >> is established.
> >> I don't like this kind of solutions...
> >
> > but the right side is still resending a package (13 and 23)?
>
> I'm not sure what you mean by 13 and 23. I can however
> see that again your peer is not responding to your first
> encrypted request (btw: the connection is supposed to be
> authenticated using pre-shared keys).
13 and 23 are package numbers in the wireshark recording.
> Can you please do the following:
> 'ipsec stroke loglevel ike 4' # this should show us the
> keying material (unlike my first advice it's the ike
> facility, not the enc facility).
> Then try to get your draytek to initiate the connection
> so we can see if the packets can be
> a) decrypted
> b) authenticated using PSK
I'll ask the peer admin to do so tomorrow.
In my understanding, with "auto=route" I put strongswan ipsec in listening mode
as it's awaiting packages. This should be suitable to allow the connection to be
initiated by the draytek, shouldn't it?
conn jung
    ikelifetime=86400
    keylife=21600
    rekeymargin=3m
    keyingtries=10
    keyexchange=ikev1
    authby=secret
    reauth=no
    dpdaction=restart
    #closeaction=restart
    esp=3des-sha1-modp2048
    ike=3des-sha1-modp2048
    left=80.152.262.292
    leftsubnet=192.168.222.0/24
    leftid=217.86.257.203
    leftfirewall=yes
    right=217.86.257.203
    rightsubnet=192.168.1.0/24
    rightid=%any
    auto=route
Axel
--
Axel Zöllich
Vorgebirgstraße 39, 50677 Köln
Tel:+49 (0)221 3777534
Fax:+49 (0)221 3762479