[strongSwan] received retransmit of response with ID 0, but next request already sent
Thomas Egerer
hakke_007 at gmx.de
Sun Oct 26 19:24:46 CET 2014
On Oct 26, 2014 6:58 PM, Axel Zöllich <a.zoellich at kirsch.zoellich.de> wrote:
>
> Thanks for your answer Thomas,
>
> > On 10/23/2014 02:07 PM, Axel Zöllich wrote:
> > > Am Mittwoch, 22. Oktober 2014, 17:49:16 schrieb Axel Zöllich:
> > >> Right side reset their "draytek vigor 2860" and voilà: the tunnel
> > >> came up.
> > >> I don't like this kind of solution...
> > >
> > > but the right side is still resending a package (13 and 23)?
> >
> > I'm not sure what you mean by 13 and 23. I can however
> > see that again your peer is not responding to your first
> > encrypted request (btw: the connection is supposed to be
> > authenticated using pre-shared keys).
> 13 and 23 are package numbers in the wireshark recording.
>
> > Can you please do the following:
> > 'ipsec stroke loglevel ike 4' # this should show us the
> > keying material (unlike my first advice it's the ike
> > facility, not the enc facility).
>
>
> > Then try to get your draytek to initiate the connection
> > so we can see if the packets can be
> > a) decrypted
> > b) authenticated using PSK
> I'll ask the peer admin to do so tomorrow.
>
> In my understanding with "auto=route" I put strongswan ipsec in listening mode
> as it's awaiting packages. This should be suitable to allow the connection to be
> initiated by the draytek, shouldn't it?
Yes, it should respond to the draytek's requests. You'd better use 'add' to avoid involuntary tunnel initiations from behind your charon box. However, what I meant was to have a *real* peer from behind the draytek send traffic to a peer behind the charon box. Charon will then respond and with ike loglevel 4 print keys and hopefully rule out/reveal a problem with encryption or with authentication.
(All typos are courtesy of my phone).
>
> conn jung
> ikelifetime=86400
> keylife=21600
> rekeymargin=3m
> keyingtries=10
> keyexchange=ikev1
> authby=secret
> reauth=no
> dpdaction=restart
> #closeaction=restart
> esp=3des-sha1-modp2048
> ike=3des-sha1-modp2048
> left=80.152.262.292
> leftsubnet=192.168.222.0/24
> leftid=217.86.257.203
> leftfirewall=yes
> right=217.86.257.203
> rightsubnet=192.168.1.0/24
> rightid=%any
> auto=route
>
>
> Axel
>
> --
> Axel Zöllich
> Vorgebirgstraße 39, 50677 Köln
> Tel:+49 (0)221 3777534
> Fax:+49 (0)221 3762479